...

Remark: Further feedback from academic federations that have been running entity categories for a significant time would be enlightening.

The DFN-AAI Experience (DE)

The identity federation operated by the German Research and Education Network (DFN) introduced Entity Categories (for both SPs and IdPs) in 2012 to support so-called "Virtual Sub-Federations". The setup is based on a whitelist maintained by a specific project or community and connected to the metadata registry. The project-specific EC is assigned only to entities listed on that whitelist; a nightly check removes the EC automatically if an entity disappears from the whitelist. Using such an EC, (Shibboleth) SPs can select all project-related IdPs from the federation metadata and ignore the rest, while IdPs only have to set up a single Attribute Filter Policy to release attributes to a changing set of project-related SPs. The concept has proved quite popular: as of 2015, three such ECs are in use and a fourth has recently been requested.
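The nightly whitelist check described above, as an added example (not DFN-AAI's own tooling): it grants a project EC to every whitelisted entity in a SAML metadata aggregate, revokes it from every entity that has left the whitelist, and leaves unrelated categories untouched. The EC URI, the entityIDs and the sample aggregate and whitelist are constructed for illustration; only the mdattr:EntityAttributes extension and the http://macedir.org/entity-category attribute name are the real, standard ones.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

ENTITY_CATEGORY = "http://macedir.org/entity-category"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
PROJECT_EC = "https://example.org/ec/project-x"  # hypothetical project EC URI

# Constructed sample aggregate: sp1 and the IdP carry the project EC, sp2 does not.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}" Name="urn:mace:example:federation">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}" NameFormat="{URI_FORMAT}">
        <saml:AttributeValue>{PROJECT_EC}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}" NameFormat="{URI_FORMAT}">
        <saml:AttributeValue>{PROJECT_EC}</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Constructed whitelist as fetched tonight: sp1 has been dropped, sp2 added.
WHITELIST = {"https://sp2.example.org/shibboleth", "https://idp.example.edu/idp/shibboleth"}


def _category_attribute(ed, create=False):
    """Find the saml:Attribute listing entity categories on an EntityDescriptor.
    With create=True, build the Extensions/EntityAttributes/Attribute chain if
    missing (assumes the EntityDescriptor carries no ds:Signature, which would
    have to precede Extensions)."""
    ext = ed.find("md:Extensions", NS)
    if ext is None:
        if not create:
            return None
        ext = ET.Element(f"{{{NS['md']}}}Extensions")
        ed.insert(0, ext)
    ea = ext.find("mdattr:EntityAttributes", NS)
    if ea is None:
        if not create:
            return None
        ea = ET.SubElement(ext, f"{{{NS['mdattr']}}}EntityAttributes")
    for attr in ea.findall("saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            return attr
    if not create:
        return None
    return ET.SubElement(ea, f"{{{NS['saml']}}}Attribute",
                         Name=ENTITY_CATEGORY, NameFormat=URI_FORMAT)


def entity_categories(ed):
    """Set of entity category URIs carried by one EntityDescriptor."""
    attr = _category_attribute(ed)
    if attr is None:
        return set()
    return {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}


def categories_by_entity(metadata_xml):
    """entityID -> set of entity categories, for the whole aggregate."""
    root = ET.fromstring(metadata_xml)
    return {ed.get("entityID"): entity_categories(ed)
            for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor")}


def sync_entity_category(metadata_xml, whitelist, ec=PROJECT_EC):
    """Grant `ec` to every whitelisted entity and revoke it from every other
    entity, leaving unrelated categories untouched.
    Returns (updated_xml, granted_entityIDs, revoked_entityIDs)."""
    root = ET.fromstring(metadata_xml)
    granted, revoked = [], []
    for ed in list(root.iter(f"{{{NS['md']}}}EntityDescriptor")):
        eid = ed.get("entityID")
        has_ec = ec in entity_categories(ed)
        if eid in whitelist and not has_ec:
            value = ET.SubElement(_category_attribute(ed, create=True),
                                  f"{{{NS['saml']}}}AttributeValue")
            value.text = ec
            granted.append(eid)
        elif eid not in whitelist and has_ec:
            attr = _category_attribute(ed)
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text and value.text.strip() == ec:
                    attr.remove(value)
            if attr.find("saml:AttributeValue", NS) is None:
                # No categories left: drop the empty Attribute element.
                ed.find("md:Extensions/mdattr:EntityAttributes", NS).remove(attr)
            revoked.append(eid)
    return ET.tostring(root, encoding="unicode"), granted, revoked


if __name__ == "__main__":
    updated, granted, revoked = sync_entity_category(SAMPLE_METADATA, WHITELIST)
    print("granted:", granted)
    print("revoked:", revoked)
    print(categories_by_entity(updated))
```

Running the sync a second time against the updated aggregate changes nothing, which is the property a nightly job needs; in a real deployment the output would be re-signed by the registry before publication.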

The CoCo EC was introduced in July 2013, R&S in 2015. While many SPs registered with the DFN-AAI have committed to the Code of Conduct in particular, acceptance by German IdPs still leaves room for improvement. One reason for the reluctance of German IdP administrators to support the CoCo and R&S ECs is the strictness and complexity of data protection laws and regulations in Germany; cf. http://dariah-aai.daasi.de/attribute-release_and_legal-stuff_wp.pdf

The Greek Federation experience (GR)

The Greek Federation, operated by GRNET, has introduced Entity Groups in its published metadata, using multiple EntitiesDescriptor elements. The groups correspond to SPs with different trust levels in the federation (GRNET's own service SPs, Microsoft services for higher education institutions, others) but are not formally defined. Since GRNET operates the majority of the IdPs of the universities participating in the federation, corresponding attribute release policies have been deployed in those Identity Providers, using AttributeRequesterInEntityGroup rules to match the SP and release the required attributes.

As this setup is neither optimal nor easy to maintain, the Greek federation is in the process of introducing a number of national Entity Categories (for both SPs and IdPs). The main drivers for the change are:

  • Simplicity in the federation metadata aggregation and publication
  • Formal definition of Trust Levels
  • Enhanced granularity
  • The introduction of new Identity Providers (hospitals) into the federation that have stricter requirements for attribute release.

The work is ongoing and the preliminary plan is to introduce the Entity Categories in 2016. No decision has been made yet as to whether eduGAIN-defined Entity Categories (GÉANT CoCo, R&S) will be used.
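To make concrete why group-based release rules are hard to maintain and what the entity category approach changes, here is an added example (not GRNET's or Shibboleth's code) that re-implements the two kinds of policy requirement rule in Python over a constructed metadata aggregate: the AttributeRequesterInEntityGroup kind used by the Greek IdPs today, and the entity-attribute kind that a national EC would use. The group name, EC URI, entityIDs and aggregate are hypothetical; the flatten() step simulates a downstream aggregator that re-publishes entities without the upstream EntitiesDescriptor hierarchy.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
ENTITY_CATEGORY = "http://macedir.org/entity-category"

# Hypothetical names: one entity group as used today, one national EC
# standing in for a formally defined trust level, and two SPs.
OWN_GROUP = "urn:mace:example:group:own-services"
TRUST_EC = "https://example.org/ec/trust-level-1"
OWN_SP = "https://sp-own.example.org/shibboleth"
OTHER_SP = "https://sp-other.example.org/shibboleth"

# Constructed aggregate: the trusted SP is both placed in the "own services"
# group and tagged with the EC; the other SP is in a separate group, untagged.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}" Name="urn:mace:example:federation">
  <md:EntitiesDescriptor Name="{OWN_GROUP}">
    <md:EntityDescriptor entityID="{OWN_SP}">
      <md:Extensions><mdattr:EntityAttributes>
        <saml:Attribute Name="{ENTITY_CATEGORY}"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{TRUST_EC}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes></md:Extensions>
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
  <md:EntitiesDescriptor Name="urn:mace:example:group:others">
    <md:EntityDescriptor entityID="{OTHER_SP}">
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
</md:EntitiesDescriptor>"""


def index_entities(metadata_xml):
    """entityID -> (EntityDescriptor, Names of all enclosing EntitiesDescriptors)."""
    root = ET.fromstring(metadata_xml)
    index = {}

    def walk(node, groups):
        for child in node:
            if child.tag == f"{{{NS['md']}}}EntitiesDescriptor":
                walk(child, groups + [child.get("Name")])
            elif child.tag == f"{{{NS['md']}}}EntityDescriptor":
                index[child.get("entityID")] = (child, groups)

    walk(root, [root.get("Name")])
    return index


def requester_in_entity_group(index, entity_id, group_name):
    """Rule of the AttributeRequesterInEntityGroup kind: true if the requesting
    SP sits (at any depth) under an EntitiesDescriptor with this Name."""
    _, groups = index[entity_id]
    return group_name in groups


def requester_has_entity_category(index, entity_id, category):
    """Rule of the entity-attribute (entity category) kind: true if the SP's own
    mdattr:EntityAttributes lists the category URI."""
    ed, _ = index[entity_id]
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            return any(v.text and v.text.strip() == category
                       for v in attr.findall("saml:AttributeValue", NS))
    return False


def flatten(metadata_xml):
    """Simulate a downstream aggregator that re-publishes every entity under one
    flat EntitiesDescriptor. Group membership lives only in the hierarchy and is
    lost; the EC travels inside the EntityDescriptor and survives."""
    root = ET.fromstring(metadata_xml)
    flat = ET.Element(f"{{{NS['md']}}}EntitiesDescriptor", Name="urn:mace:example:flat")
    for ed in list(root.iter(f"{{{NS['md']}}}EntityDescriptor")):
        flat.append(ed)
    return ET.tostring(flat, encoding="unicode")


def release_decision(index, entity_id):
    """What an IdP release policy sees for one SP under each approach."""
    return {
        "by_group": requester_in_entity_group(index, entity_id, OWN_GROUP),
        "by_category": requester_has_entity_category(index, entity_id, TRUST_EC),
    }


if __name__ == "__main__":
    for label, xml in (("federation feed", SAMPLE_AGGREGATE),
                       ("flattened feed", flatten(SAMPLE_AGGREGATE))):
        idx = index_entities(xml)
        print(label, OWN_SP, release_decision(idx, OWN_SP))
        print(label, OTHER_SP, release_decision(idx, OTHER_SP))
```

The group rule depends on where the federation operator placed the SP in the aggregate, so any re-aggregation, re-ordering or consumption of the same entity through another feed silently changes the IdP's decision; the category is a property of the entity itself and gives the same answer wherever the EntityDescriptor is published. In Shibboleth IdP terms the second rule is the EntityAttributeExactMatch policy requirement rule (saml:AttributeRequesterEntityAttributeExactMatch in IdP v2), matching attributeName http://macedir.org/entity-category against the EC URI.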

The attribute values issue

Some community SPs, such as libraries or research communities[4], require the release of a certain attribute (e.g. affiliation, entitlement, isMemberOf, ...) with a certain value that is often tailored to those SPs. This is the most complex scenario, as it forces the IdP manager to intervene and either update the values in the IdP back-end (affiliations) or dynamically generate a new value (entitlements) for each new SP.

...