...

Currently the coverage and the features of the national and European IdP federations do not entirely fulfil the needs of the education sector. Besides the campuses not yet federated, there are other categories of users who would be left out anyway: for example high school students not yet registered at a university but who need to access some tools, and citizen users in the university library.

...

Requirements: Attribute release policies

When service providers and user communities need to get attributes (e.g. institution, email address, name, …) from the IdP of the user, the bureaucracy involved can be an unacceptable overhead. If the users use many different IdPs, coming from different institutions, the service providers supporting the community need to access these attributes from each of them; therefore there may be a need for a set of policies that make the negotiation between SPs and IdPs scalable.

BioVel

BioVel will very likely make use of the attributes released from the IdP, if available, and the community would benefit from scalable processes and policies between IdPs and SPs.

DARIAH

DARIAH users will use either a homeless IdP or one and only one campus IdP, with authorization and additional attributes provided by the VO via SAML attribute queries.

Having campus IdPs releasing ePPN is critical for the DARIAH AAI. The community has been working with a number of initiatives (notably CoCo) to improve the current situation. Thus more effort should be made to scalably a) increase the number of such IdPs and b) find some way to know whether a given IdP will release ePPN to DARIAH services (e.g. by the respective entity categories of the IdPs), before the first user is affected and perhaps disappointed.

As an attempt to solve this, DARIAH decided that a) SPs must express eduPersonPrincipalName as required (via SAML metadata) and b) users' campus IdPs should honor this. If not, the user will have to apply for a DARIAH homeless account.
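The two DARIAH points above (an SP declaring ePPN as required in its SAML metadata, and checking an IdP's entity categories before a user is affected) can be combined into a pre-login metadata check. The following is an added example, not DARIAH's or any federation's own code; it assumes that the entity category being checked is REFEDS Research & Scholarship (whose attribute bundle includes ePPN), and the two metadata documents and their entityIDs are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"                  # eduPersonPrincipalName
EC_SUPPORT = "http://macedir.org/entity-category-support"  # IdP "I support this category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"  # assumed category

# Constructed SP metadata (made-up entityID): ePPN is declared as a required attribute.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.example.org/shibboleth">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AttributeConsumingService index="1">
   <md:ServiceName xml:lang="en">Example research service</md:ServiceName>
   <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
     FriendlyName="eduPersonPrincipalName" isRequired="true"/>
  </md:AttributeConsumingService>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata (made-up entityID): the IdP asserts support for R&S.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" entityID="https://idp.example.edu/idp">
 <md:Extensions><mdattr:EntityAttributes>
  <saml:Attribute Name="http://macedir.org/entity-category-support"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
   <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  </saml:Attribute>
 </mdattr:EntityAttributes></md:Extensions>
</md:EntityDescriptor>"""

def sp_requires_eppn(sp_xml: str) -> bool:
    """True if the SP's AttributeConsumingService marks ePPN isRequired="true"."""
    acs = ET.fromstring(sp_xml).iterfind(".//md:AttributeConsumingService/md:RequestedAttribute", NS)
    return any(ra.get("Name") == EPPN and ra.get("isRequired", "false").lower() == "true"
               for ra in acs)

def idp_supported_categories(idp_xml: str) -> set:
    """Entity categories the IdP declares support for (empty set if it declares none)."""
    cats = set()
    for attr in ET.fromstring(idp_xml).iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == EC_SUPPORT:
            cats.update(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return cats

def expect_eppn_release(sp_xml: str, idp_xml: str) -> bool:
    """Pre-login check: the SP asks for ePPN and the IdP says it releases the R&S bundle."""
    return sp_requires_eppn(sp_xml) and RS_CATEGORY in idp_supported_categories(idp_xml)
```

An IdP that declares no supported category yields False, which is exactly the case where a user should be pointed to the homeless account before a failed login rather than after it.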

PSNC

The release of the attributes has not been an issue based on the PSNC experience.

Photon and Neutron

Not relevant for the use case.

EGI

EGI is a highly distributed infrastructure, with hundreds of service providers, hundreds of communities, and tens of thousands of users. In this scenario it is critical that the policies and the procedures scale with the number of actors involved.

Attributes are important to reduce the effort of user management for the communities or the service providers. If trusted IdPs can easily release information to the service providers, the credentials can be used to access the most complex workflows in the infrastructure without the need for additional vetting of the user identity.

But even in a scenario where the IdP releases a minimal set of attributes, policies must scale. For example services must be able to store and to share with other services the unique identifier of the user provided by the IdP.

Service provider federations should be seen by the IdPs as trusted entities: once policies are agreed with the federation, they should be valid for all the service providers within the federation.

EUDAT

The more information that is provided by the user's IdP, the more streamlined the process of creating the user's identity in the EUDAT infrastructure will be. If the user's IdP is not providing enough of the required attributes, we will prompt the user to provide these. Currently EUDAT aims for a minimum set of attributes: a name and an email address.

D4Science

Yes, the infrastructure would benefit from a simpler way to access attributes released from the IdPs.

CLARIN

The CLARIN use cases would benefit from scalable policies for attribute release; this is one of the main issues when integrating a new IdP with the research infrastructure. One example of action in this direction is the GEANT Data Protection Code of Conduct, which is a requirement to become a CLARIN B centre.

Education

Having scalable policies for attribute release is relevant for the community.

Requirements: LoA management