[Tf-aai] Filtering suspicious IdPs in CLARIN SPF

Mon May 1 17:20:04 CEST 2017

Hi Jozef,

 My apologies for the late answer.
 I must admit I am a bit out of context here; is your idea to streamline a workflow for the detection and blacklisting of suspicious IdPs, or just the later?

>> 2. In 1a) or 1b) someone finds a suspicious IdP and CLARIN SPF should be notified about it
>>    QUESTION: what is the best/preferred way to notify CLARIN SPF - trac? email?

My preference is via a trac ticket, so we could have both: an immediate notification sent by email, plus the status and history of the actions taken.
Furthermore, I think it is also important to keep an inventory of the all the blacklisted IdPs and the respective reasoning for their blacklisting. So I suggest we create a trac page for the 'IdPs blacklist status’, but that the initial reports of misbehaving IdPs are done with the creation of trac tickets. Then the operator handling one of these tickets, would be responsible for updating the 'IdPs blacklist status’ page.

>> 4. SPF will add this IdP into the filters
>>   QUESTION: is filtering (blacklisting) of IdPs in CLARIN SPF happening before they are published to https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml and if so then where?
>>   ACTION POINT: make filtered IdPs public (will be decided what is the best way [1])

Yes, filtering happens before publishing. You can see the PyFF code we are using here: https://github.com/clarin-eric/pyFF_config/blob/master/job_c.fd (see ’select’ XPath expressions).

But again, I feel like I am not fully contextualised here, so I might not be giving you the answers you were looking for. In that case, if it suits you, we could schedule a skype call so we can have a more agile discussion?

Anyhow I hope this helps,
Kind regards,
----
André Moreira
CLARIN ERIC
https://www.clarin.eu

> On 18 Apr 2017, at 12:29, Jozef Misutka <misutka at ufal.mff.cuni.cz> wrote:
> 
> Hi Andre,
> 
> (cc-ing tf-aai@ too for comments)
> 
> we should have a more formal and public way how to blacklist IdPs from CLARIN SPF. We have the tools, so we really need only minor changes and better documentation. In reality, this will be very rare but should be documented nevertheless.
> 
> The flow is like this:
> 
> 1. User authenticates to one of CLARIN SPF SPs
>    a) we have information about the IdP in https://lindat.mff.cuni.cz/services/aaggreg/ so we can check if it looks suspicious or not;
>    b) different web applications inform about new users (e.g., clarin-dspace sends an email) so we can even check if the attributes seem ok.
>    ACTION POINT (optional): email new IdPs from attribute aggregator
> 
> 2. In 1a) or 1b) someone finds a suspicious IdP and CLARIN SPF should be notified about it
>    QUESTION: what is the best/preferred way to notify CLARIN SPF - trac? email?
> 
> 3. CLARIN evaluates if that IdP is really problematic or not
>    ACTION POINT: define a problematic/non problematic IdP e.g., problematic IdP is the one that does not validate its users more that by sending emails
>    ACTION POINT: make this definition public (will be decided what is the best way [1])
> 
> 4. SPF will add this IdP into the filters
>   QUESTION: is filtering (blacklisting) of IdPs in CLARIN SPF happening before they are published to https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml and if so then where?
>   ACTION POINT: make filtered IdPs public (will be decided what is the best way [1])
> 
> 
> To all, please feel free to comment, share practices etc. At LINDAT, we have the following page
> https://lindat.mff.cuni.cz/en/how-do-i-sign-up (see section Supported Organisations)
> 
> Best,
> Jozef
> 
> 
> [1] In my todo list is still to prepare a short CLARIN AAI requirements document where we could add it and publish that document.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.clarin.eu/cgi-bin/mailman/private/tf-aai/attachments/20170501/5ec0088d/attachment.sig>