...

Using the latter tool, we can easily extract the entities that have endorsed the R&S category or the GÉANT CoCo. The figures are telling: only 190 of the 2385 entities (without removing duplicates) announce support for the category or the policy.

GÉANT (EU/EEA) Data Protection Code of Conduct:

  • 105 entities in total
    • 42 IdP
    • 63 SP

REFEDS Research & Scholarship Category:

  • 85 entities in total
    • 39 IdP
    • 47 SP
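An added example, not from the original page, of the kind of extraction described above: it parses a SAML metadata aggregate with Python's standard library and counts the entities announcing R&S or CoCo, split into IdPs and SPs and deduplicated by entityID. The category URIs and the macedir entity-attribute names are the standard ones; the aggregate, its entity group and the entityIDs are constructed for the example.

```python
# Added example, not from the original page: count the entities in a SAML metadata
# aggregate that announce the REFEDS R&S category or the GÉANT CoCo, split into IdPs
# and SPs, counting each entityID once per category so duplicate entries do not inflate the figures.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute"}
# SPs assert the category itself, IdPs assert support for the category
CATEGORY_ATTRS = {"http://macedir.org/entity-category", "http://macedir.org/entity-category-support"}
CATEGORIES = {"R&S": "http://refeds.org/category/research-and-scholarship",
              "CoCo": "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"}

def category_counts(metadata_xml):
    """Return {category: {"IdP": n, "SP": n}} for an aggregate given as an XML string."""
    counts = {name: {"IdP": 0, "SP": 0} for name in CATEGORIES}
    seen = {name: set() for name in CATEGORIES}  # entityIDs already counted per category
    # iter() descends into nested EntitiesDescriptor elements (entity groups)
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        values = set()
        for attr in ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") in CATEGORY_ATTRS:
                values.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
        for name, uri in CATEGORIES.items():
            if uri not in values or ent.get("entityID") in seen[name]:
                continue
            seen[name].add(ent.get("entityID"))
            if ent.find("md:IDPSSODescriptor", NS) is not None:
                counts[name]["IdP"] += 1
            if ent.find("md:SPSSODescriptor", NS) is not None:
                counts[name]["SP"] += 1
    return counts

# Constructed sample aggregate: one SP with both categories (listed twice, the
# second time inside an entity group) and one IdP announcing support for R&S.
SP_BODY = """<md:Extensions><mdattr:EntityAttributes>
 <saml:Attribute Name="http://macedir.org/entity-category">
  <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
  <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
 </saml:Attribute></mdattr:EntityAttributes></md:Extensions><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>"""
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">%s</md:EntityDescriptor>
 <md:EntitiesDescriptor Name="urn:example:group">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp"><md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="http://macedir.org/entity-category-support"><saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue></saml:Attribute>
   </mdattr:EntityAttributes></md:Extensions><md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">%s</md:EntityDescriptor>
 </md:EntitiesDescriptor>
</md:EntitiesDescriptor>""" % (SP_BODY, SP_BODY)
```

Run against a real aggregate by passing the downloaded XML to `category_counts`; the per-category totals on the page correspond to `IdP + SP` for each key.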

...

  • Advertise them to the SPs;
  • Possibly translate them into the country's language;
  • Implement a way of tagging the entities that support categories when the entity is recorded (federation registry).

In practice, the IdPs must be technically able to release the necessary attributes to the categorised SPs, while those SPs must be legally reliable in how they process those attributes.

...

Remark: Further feedback from academic federations that have been running categories for a significant time would be enlightening.

The DFN-AAI Experience (DE)

The Identity Federation operated by the German Research and Education Network (DFN) introduced Entity Categories (both for SPs and IdPs) in 2012 in order to support so-called "Virtual Sub-Federations". The setup is based on a whitelist maintained by a specific project or community and hooked up to the metadata registry. The project-specific EC is only available for entities listed on such a whitelist; a nightly check removes the EC automatically if an entity disappears from the respective whitelist. Using such an EC, (Shibboleth) SPs are able to select all project-related IdPs from the federation metadata and ignore the rest, while IdPs only have to set up one Attribute Filter Policy in order to release attributes to a dynamic number of project-related SPs. This concept turned out to be quite popular: at the time of writing (2015) three of these ECs are in use, and a fourth one has been requested recently.

The CoCo EC was introduced in July 2013, R&S in 2015. While many SPs registered with the DFN-AAI committed especially to the Code of Conduct, acceptance by German IdPs still leaves room for improvement. One reason for the reluctance of German IdP admins to support the CoCo and R&S ECs is the strictness and complexity of data protection laws and regulations in Germany, cf. http://dariah-aai.daasi.de/attribute-release_and_legal-stuff_wp.pdf

The Greek Federation experience (GR)

The Greek Federation, operated by GRNET, has introduced Entity Groups in the published metadata, using multiple EntitiesDescriptor elements. The groups match SPs with different trust levels in the federation (GRNET's own service SPs, Microsoft services for higher education institutions, others) but are not formally defined. Since GRNET operates the majority of the IdPs of the universities participating in the federation, corresponding attribute release policies have been deployed in the Identity Providers, using AttributeRequesterInEntityGroup type rules to match the SP and release the necessary attributes.

As this setup is neither optimal nor easily maintainable, the Greek federation is in the process of introducing a number of national Entity Categories (both for SPs and IdPs). The main drivers for the change are:

  • Simplicity in the federation metadata aggregation and publication
  • Formal definition of Trust Levels
  • Enhanced granularity
  • The introduction of new Identity Providers (hospitals) in the federation that have stricter requirements for attribute release.

The work is ongoing and the preliminary plan is to introduce the Entity Categories in 2016. No decision has been made yet as to whether the eduGAIN-defined Entity Categories (GÉANT CoCo, R&S) will be used.

The attribute values issue

...