[Tf-aai] Fwd: [refeds] How to deal with the Insufficient-Attributes problem at the Shibboleth SP

Jozef Misutka misutka at ufal.mff.cuni.cz
Fri May 20 16:12:44 CEST 2016


FWDing nice words about CLARIN thanks to Martin.

---------- Forwarded message ----------
From: Lukas Hämmerle <lukas.haemmerle at switch.ch>
Date: 20 May 2016 at 15:30
Subject: [refeds] How to deal with the Insufficient-Attributes problem at
the Shibboleth SP
To: refeds at lists.refeds.org


Dear colleagues

In the past months a subgroup of my GÉANT task (mostly Sami Silén from
CSC/HAKA, Wolfgang Pempe from DFN/DFN-AAI) have been working with and
for the CLARIN community to find ways to mitigate the
"Insufficient-Attributes" problem. That is, when a user's Identity
Provider releases too few attributes to a Service Provider, which then
cannot grant access to the user.

While there is work done on the IdP/federation operator side of things
(REFEDS Research & Scholarship, GÉANT Data Protection Code of Conduct,
Attribute Release Training at TNC [1]), we tried together with Martin
Matthiesen from CLARIN to find out what can be done about this on the SP
side of things.

One result of our work with CLARIN is a small guide and a little bit of
code that can be quite useful on the Service Provider side. It makes use
of the Shibboleth AttributeChecker feature [2], which sends the user to
a predefined error page in case his attributes don't meet some (boolean)
criteria like "either displayName must be present or givenName+surname".


Why is the approach described in the guide useful?
--------------------------------------------------
* It shows the user nice and meaningful error messages.
* It makes it possible to inform the user's IdP admin about the
  insufficient release for this SP with two clicks.
* It allows the SP administrator to easily collect data about
  attribute release issues of one or many Service Providers.


Where do I find the guide?
--------------------------
The instructions are available on the eduGAIN wiki:
https://wiki.edugain.org/How_to_configure_Shibboleth_SP_attribute_checker

Comments and feedback still very welcome.


Can I try this myself?
----------------------
Sure, Sami set up an example SP that is deployed according to the
instructions above. You can access it here:
https://devsp.funet.fi/secure/
Use username/password: teppo/testaaja on the IdP.


I'm too lazy to do the demo myself, can you show me how this works?
-------------------------------------------------------------------
For those who prefer to get a demo, I just created a screencast that
shows you the basics and gives a demo in a few minutes:
https://tube.switch.ch/videos/185ae1dd


Thanks to Martin and the CLARIN community, Sami and Wolfgang, who worked
together with us on this. Martin has already deployed, and intends to
deploy, the instructions on several CLARIN SPs. We will have a follow-up
meeting in a few months to analyze the results and feedback.


Best Regards
Lukas


[1] https://tnc16.geant.org/core/event/39
[2] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPHandler#NativeSPHandler-AttributeCheckerHandler%28Version2.5andAbove%29

--
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT Project Task Leader of
"eduGAIN Service Development - Research and Service Providers"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle at switch.ch, http://www.switch.ch
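As an added illustration (not part of Lukas's message, the eduGAIN guide or the Shibboleth project), this is how the rule quoted above, "either displayName must be present or givenName+surname", maps onto the Shibboleth SP 2.5+ AttributeChecker handler in shibboleth2.xml. The element and attribute names follow the Shibboleth SP documentation linked at [2] as I recall it and should be checked against it; the attribute ids (displayName, givenName, sn), the entityID, the discovery URL, the handler location and the template file name are assumptions and placeholders to be adapted to the SP's own attribute-map.xml and deployment.

```xml
<!-- Excerpt of shibboleth2.xml (added example; values are placeholders). -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth" REMOTE_USER="eppn">

    <!-- sessionHook: once a session has been created, the SP sends the browser
         to this handler first, and only then back to the protected resource. -->
    <Sessions lifetime="28800" timeout="3600" checkAddress="false"
              handlerURL="/Shibboleth.sso" handlerSSL="true" cookieProps="https"
              sessionHook="/AttrChecker">

        <SSO discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS">
            SAML2
        </SSO>

        <!-- AttributeChecker (SP 2.5 and above): evaluates the boolean rule below
             against the attributes stored in the session. If the rule fails, the
             user is shown the template page (attrChecker.html) instead of the
             application; flushSession="true" discards the insufficient session so
             that a later retry starts with a fresh assertion from the IdP. -->
        <Handler type="AttributeChecker" Location="/AttrChecker"
                 template="attrChecker.html" flushSession="true">
            <OR>
                <!-- either displayName alone is enough ... -->
                <Rule require="displayName"/>
                <!-- ... or givenName together with surname; "sn" is assumed to be
                     the surname id defined in this SP's attribute-map.xml -->
                <AND>
                    <Rule require="givenName"/>
                    <Rule require="sn"/>
                </AND>
            </OR>
        </Handler>

        <!-- Session handler: lets the administrator see which attributes the IdP
             actually released, which is the quickest way to confirm why the
             checker fired (attribute values stay hidden). -->
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>
    </Sessions>

</ApplicationDefaults>
```

Two points worth keeping in mind when adopting this: the ids in `<Rule require="..."/>` must be the mapped attribute ids from attribute-map.xml, not the SAML attribute names or OIDs, otherwise every login fails the check; and the error template is where the user-facing message and the "notify the IdP admin" link from the guide live, so it should name the missing attributes rather than just reporting a generic failure.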

