Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Title

Discovery for Attribute Authorities (AAs)

Description

Users can select their IdP via discovery, therefore the SP can potentially receive users from thousands of IdPs.

There is no such facility for AA-s however, meaning that SP-s need to hard-configure which AAs they query. Also, query all the configured AAs for all users all the time.

In GN4-1-JRA3-T1 it has been established that this is a serious bottleneck, as maximum 2-3 AAs can be queried without breaking the entire login session.

A better approach is needed. The SPs need to query AAs selectively, based on either user input or some alternative means, like some VO lookup service. Otherwise all SPs will just stick with the biggest AAs like eduTEAMS basic membership service or hexaa.eduid.hu and not query alternative entities, making single-tenant AAs very unattractive.

ProposerMihály Héder
Resource requirements

This is a hard one. Currently there is no support for any elements of this whatsoever

  • Standardization
  • SAML Stack development
  • blood and sweat
+1'sConstantin Sclifos, RENAM
-1'sWolfgang Pempe, DFN: Such a dynamic approach would raise issues concerning trust and privacy. An attribute authority must be in control of the list of SPs that are entitled to perform attribute queries and (possibly) recieve PII.


StepUp

TitleTwo Factor (something)
Description
  • Drive two factor towards ubiquity with low cost - create an eduToken (for the users that do not have a phone; critical mass can bring down the price even more. It can be implemented as a kickstarter campaign).

    • Challenges in deploying multi-factor in EU, partially due to the costs and partially due to the cost involved. A cost-effective approach would help.

    • An edu-token  as  a separate ‘token’ may reintroduce token management aspects (losing the token etc)

    • management is (will be even more) a non issue as the majority of people will use phones. We should strike for that.

    • Technically this problem can be solved, taking the above considerations into account.
      The real problem is how to scale the token vetting over EU. This is especially challenging for research collaborations.
ProposerFrom data gathering exercise
Resource requirements<money? effort? coordination? infrastructure?>
+1's<for others to voice their support - add your name here>
-1'sWolfgang Pempe, DFN: I believe this is out of scope for GÉANT, you would need a dedicated organization for that purpose


TitleeduTEAMS and guest IdPs (actually Identity Assurance)
DescriptioneduTEAMS and guest IdPs - use-cases: need to support social IDs and guest IdP, but it need additional LoA. Step up authN as a service is in the plan
Proposerfrom data gathering exercise
Resource requirements<money? effort? coordination? infrastructure?>
+1's

isn't this the work being done in IoLR +REFEDS?

Some of it is - implementation in service contexts is not. It is expected any work in GEANT would do this, leaning on results from the above

...