[Tf-aai] Attribute Checker ready for testing

Martin Matthiesen martin.matthiesen at csc.fi
Tue Apr 5 16:33:06 CEST 2016


Hi Jozef and all,

A quick comment:

> The attribute release check *could* still be done on the application level
> [1] but in case of a failure, it could be redirected to a common error page
> in the web application.

I think the beauty of the Shibboleth ready-made attribute check lies in the "ready-made" part. Even if you have attribute checking on the application level you might want to put the Attribute Checker in front to enable the user to bother their IdPs in a meaningful way, if the absolute minimum set is not released.
Alternatively you can always take the HTML template and customize it as an endpoint for application-level errors; I think you refer to that above.

Cheers,
Martin


-- 
Martin Matthiesen
CSC - Tieteen tietotekniikan keskus
CSC - IT Center for Science
PL 405, 02101 Espoo, Finland
+358 9 457 2376, martin.matthiesen at csc.fi
Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704

----- Original Message -----
> From: "Jozef Misutka" <misutka at ufal.mff.cuni.cz>
> To: "Martin" <martin.matthiesen at csc.fi>
> Cc: "tf-aai" <tf-aai at lists.clarin.eu>, "Sami Silén" <sami.silen at csc.fi>
> Sent: Monday, 4 April, 2016 18:03:40
> Subject: Re: [Tf-aai] Attribute Checker ready for testing

> Dear Martin and all,
> 
> first of all, I think that it is great that (inter)federating becomes more
> user friendly and that the improvements come from the right organisations.
> 
> It is a pity that I missed the last telco so I will write my comments
> here.
> 
> Almost a year ago, we did a proof of concept for CLARIN+ showing how
> collecting the names of released user attributes can be done in an
> automated way (the approach below uses the same approach).
> The idea in CLARIN+ was to have a small web application that would collect
> idp+released attributes transparently either using the hooks in Shibboleth
> or using JavaScript + /Session.
> The attribute release check *could* still be done on the application level
> [1] but in case of a failure, it could be redirected to a common error page
> in the web application.
> 
> For those who want to wait a bit more, we should decide if we want solo
> approaches for every SP or a unified CLARIN wide approach. Both have
> advantages.
> We should also ask the SPF members if anyone has a non-Shibboleth SP in which
> case we could still do a JavaScript attribute polling.
> 
> Best,
> Jozef
> 
> [1] If a SP (like ours) serves multiple web applications that rely on a
> different set of mandatory attributes, the check must be done on the
> application level.
> 
> 
> 
> 
> On 4 April 2016 at 16:22, Martin Matthiesen <martin.matthiesen at csc.fi>
> wrote:
> 
>> Hello again,
>>
>> To end the day on a brighter note: In our last taskforce meeting I
>> mentioned an Attribute Checker that makes use of a built-in feature of the
>> Shibboleth Apache module (for SPs). (It does not work with SimpleSAMLphp).
>>
>> Here's the documentation:
>>
>> https://wiki.edugain.org/How_to_configure_Shibboleth_SP_attribute_checker
>>
>> The tool was developed by Sami Silén (cc), comments are welcome. Keep in
>> mind though, that we kept it deliberately quite simple, so it can easily be
>> adapted to local needs.
>>
>> There is a test implementation available:
>>
>> https://devsp.funet.fi/secure
>> credentials teppo/testaaja from testidp.
>>
>> This page will not solve everything but I do hope that Clarin SPs deploy
>> it widely. At least the SP has a better chance of potential users
>> complaining to their home organisations with a qualified email. At the
>> moment they most likely stay quiet or complain in a way ("does not work")
>> that does not necessarily help even a benevolent IdP to locate the problem.
>>
>> Regards from Finland,
>> Martin
>>
>>
>> --
>> Martin Matthiesen
>> CSC - Tieteen tietotekniikan keskus
>> CSC - IT Center for Science
>> PL 405, 02101 Espoo, Finland
>> +358 9 457 2376, martin.matthiesen at csc.fi
>> Public key :
>> https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
>> Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704
>> _______________________________________________
>> Tf-aai mailing list
>> Tf-aai at lists.clarin.eu
>> https://lists.clarin.eu/cgi-bin/mailman/listinfo/tf-aai

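The application-level check discussed in this thread (one SP serving several web applications with different mandatory attribute sets, redirecting to a common error page on failure), as an added example that is not part of the original messages or of the Attribute Checker tool. The application names, attribute ids, sample values and the `/attribute-error` path are assumptions; `Shib-Identity-Provider` is the variable the Shibboleth SP exports with the IdP's entityID.

```python
"""Per-application mandatory-attribute check behind a single Shibboleth SP."""
from urllib.parse import urlencode

# Assumed requirements per web application (names and attribute ids are hypothetical).
REQUIRED = {
    "repository": {"eppn", "mail"},
    "annotation-tool": {"eppn", "mail", "cn"},
}
ERROR_PAGE = "/attribute-error"  # hypothetical common error page


def released_attributes(environ, wanted):
    """Attribute ids from `wanted` that arrived with a non-empty value."""
    return {a for a in wanted if str(environ.get(a, "")).strip()}


def check_release(app, environ):
    """Return (ok, redirect_url) for one application and one request.

    The redirect carries only attribute *names* and the IdP entityID, never
    attribute values, so the error page can build a qualified message for the
    user's home organisation without leaking personal data into URLs or logs.
    """
    if app not in REQUIRED:
        # Fail closed: an application without a declared policy is a config error.
        raise ValueError(f"no attribute policy declared for {app!r}")
    required = REQUIRED[app]
    missing = sorted(required - released_attributes(environ, required))
    if not missing:
        return True, None
    query = urlencode({
        "app": app,
        "idp": environ.get("Shib-Identity-Provider", "unknown"),
        "missing": ",".join(missing),
    })
    return False, f"{ERROR_PAGE}?{query}"


# Constructed sample request environment: the IdP released eppn but an empty mail.
SAMPLE_ENVIRON = {
    "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    "eppn": "user@example.org",
    "mail": "",
}

if __name__ == "__main__":
    for app in REQUIRED:
        print(app, check_release(app, SAMPLE_ENVIRON))
```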