Versions Compared

Old Version 82

changes.mady.by.user Niels van Dijk

Saved on

compared with

New Version 83

changes.mady.by.user Wolfgang Pempe

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Title

Discovery for Attribute Authorities (AAs)

Description

Users can select their IdP via discovery, therefore the SP can potentially receive users from thousands of IdPs.

There is no such facility for AA-s however, meaning that SP-s need to hard-configure which AAs they query. Also, query all the configured AAs for all users all the time.

In GN4-1-JRA3-T1 it has been established that this is a serious bottleneck, as maximum 2-3 AAs can be queried without breaking the entire login session.

A better approach is needed. The SPs need to query AAs selectively, based on either user input or some alternative means, like some VO lookup service. Otherwise all SPs will just stick with the biggest AAs like eduTEAMS basic membership service or hexaa.eduid.hu and not query alternative entities, making single-tenant AAs very unattractive.

ProposerMihály Héder
Resource requirements

This is a hard one. Currently there is no support for any elements of this whatsoever

  • Standardization
  • SAML Stack development
  • blood and sweat
+1'sConstantin Sclifos, RENAM
-1'sWolfgang Pempe, DFN: Such a dynamic approach would raise issues concerning trust and privacy. An attribute authority must be in control auf the list of SPs that are entitled to perform attribute queries and (possibly) recieve PII.


Title

Attribute Authority scoping information in Metadata

DescriptionIt seems that AARC-JRA1.4A will propose "scoping of group membership information". However, there is no element in the SAML metadata that contains the scope of an AA, therefore, there is nothing to verify the scoped membership information against. The only way today is to learn about the scopes used by an AA entity via word-of-mouth and then apply those scopes in attribute value level filtering and access control rules, maintained manually in the SP config. Obviously this does not scale.
ProposerMihály Héder
Resource requirements
  • Standardization
  • SAML stack development
+1's

...

Title

Attribute Authority Metadata policy development for eduGAIN

Description

While for IdPs and SPs eduGAIN metadata requirements are well described, no such requirements exist for AAs. We have however already 5 of these entities in eduGAIN.

It would also be a good idea to consider/define what it would mean for an AA to claim CoCo, R&S and Sirtifi support

ProposerNiels van Dijk
Resource requirements
  • Standardization
  • Probably a no-brainer as much can likely be derived from IdP requirements (?)
+1's

Constantin Sclifos, RENAM

Nick Roy, InCommon

SURFnet

Rhys Smith, UKf: I think AAs will become more important as we move forward, and there is a gap here in policy that needs thinking about.

Wolfgang Pempe, DFN