[Tf-aai] Attribute Checker ready for testing

Jozef Misutka misutka at ufal.mff.cuni.cz
Mon Apr 4 17:03:40 CEST 2016


Dear Martin and all,

first of all, I think that it is great that (inter)federating becomes more
user friendly and that the improvements come from the right organisations.

It is a pity that I missed the last telco, so I will write my comments
here.

Almost a year ago, we did a proof of concept for CLARIN+ showing how
collecting the names of released user attributes can be done in an
automated way (the approach below uses the same approach).
The idea in CLARIN+ was to have a small web application that would collect
idp+released attributes transparently either using the hooks in Shibboleth
or using JavaScript + /Session.
The attribute release check *could* still be done on the application level
[1] but in case of a failure, it could be redirected to a common error page
in the web application.

For those who want to wait a bit more, we should decide if we want solo
approaches for every SP or a unified CLARIN wide approach. Both have
advantages.
We should also ask the SPF members if anyone has a non-Shibboleth SP, in which
case we could still do JavaScript attribute polling.

Best,
Jozef

[1] If an SP (like ours) serves multiple web applications that rely on a
different set of mandatory attributes, the check must be done on the
application level.




On 4 April 2016 at 16:22, Martin Matthiesen <martin.matthiesen at csc.fi>
wrote:

> Hello again,
>
> To end the day on a brighter note: In our last taskforce meeting I
> mentioned an Attribute Checker that makes use of a built-in feature of the
> Shibboleth Apache module (for SPs). (It does not work with SimpleSaml PHP).
>
> Here's the documentation:
>
> https://wiki.edugain.org/How_to_configure_Shibboleth_SP_attribute_checker
>
> The tool was developed by Sami Silén (cc), comments are welcome. Keep in
> mind though, that we kept it deliberately quite simple, so it can easily be
> adapted to local needs.
>
> There is a test implementation available:
>
> https://devsp.funet.fi/secure
> credentials teppo/testaaja from testidp.
>
> This page will not solve everything but I do hope that Clarin SPs deploy
> it widely. At least the SP has a better chance of potential users
> complaining to their home organisations with a qualified email. At the
> moment they most likely stay quiet or complain in a way ("does not work")
> that does not necessarily help even a benevolent IdP to locate the problem.
>
> Regards from Finland,
> Martin
>
>
> --
> Martin Matthiesen
> CSC - Tieteen tietotekniikan keskus
> CSC - IT Center for Science
> PL 405, 02101 Espoo, Finland
> +358 9 457 2376, martin.matthiesen at csc.fi
> Public key :
> https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
> Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704
>
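
The application-level check from footnote [1], as an added example that is not part of either message or of the linked Attribute Checker: one SP session is checked against the mandatory attributes of two web applications, and on failure only the IdP and the names of the missing attributes are passed to a common error page. The application names, attribute ids and error-page URL are assumptions; `Shib-Identity-Provider` is the variable the Shibboleth SP exports for the IdP entityID.

```python
from urllib.parse import urlencode

# Assumption: mandatory attributes per web application behind one SP
# (application names and attribute ids are illustrative).
REQUIRED = {
    "repository": {"eppn", "mail"},
    "forum": {"eppn", "mail", "cn"},
}
# Hypothetical common error page of the collecting web application.
ERROR_PAGE = "https://sp.example.org/attribute-error"


def released_attributes(environ, known):
    """Return the names in `known` that the SP exported with a non-empty value."""
    return {name for name in known if environ.get(name, "").strip()}


def check_release(app, environ):
    """Return None if every mandatory attribute for `app` was released,
    otherwise the URL of the common error page to redirect to.
    Only attribute names are sent, never attribute values."""
    required = REQUIRED[app]
    missing = sorted(required - released_attributes(environ, required))
    if not missing:
        return None
    query = urlencode({
        "app": app,
        "idp": environ.get("Shib-Identity-Provider", "unknown"),
        "missing": ",".join(missing),
    })
    return f"{ERROR_PAGE}?{query}"


# Constructed sample: request environment of one session where the IdP
# released eppn and mail but left cn empty.
SAMPLE_ENVIRON = {
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "eppn": "user@example.org",
    "mail": "user@example.org",
    "cn": "",
}

if __name__ == "__main__":
    for app in REQUIRED:
        print(app, "->", check_release(app, SAMPLE_ENVIRON) or "ok")
```

The same session passes for one application and fails for the other, which is why an SP-wide check cannot replace the per-application one in this setup.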