[Tf-aai] Blacklisting IdPs: A proposal

Martin Matthiesen martin.matthiesen at csc.fi
Tue Nov 5 18:36:19 CET 2019


Hi,

Here's my suggestion for blacklisting IdPs. Some details need to be discussed, for example: what happens if an IdP provides eppn to SPs, but not mail, and another SP needs mail and the IdP does not react? Should that be a reason for blacklisting?

I wonder whether we should mark IdPs as "blacklisted" in the Discovery Service, but still make login via them possible for those SPs that work with the Attribute Set provided.

Concretely, the blacklisting should be accessible from:

https://discovery.clarin.eu

Change the "If you cannot find..." text as follows:

"If you cannot find your organisation in the list below, this may be for one of two reasons: your home organisation does not provide a login option, or we have blacklisted your home organisation because it does not provide CLARIN member services with sufficient information about users that try to log in, for example the user's email address. Please check our list of blacklisted IdPs for more information about the blacklisting process.

If you cannot log in for the reasons stated above, please select the clarin.eu website account and use your CLARIN website credentials. If you don't have such credentials, you can register an account here."


The "list of blacklisted IdPs"

---+ IdPs currently blacklisted by CLARIN

 * IdP One
 * IdP Two

(maybe searchable)

---+ CLARIN's blacklisting process

The CLARIN Service Provider Federation was created to ensure cross-border login to CLARIN services. If an IdP, after repeated requests, refuses the release of attributes to CLARIN services, this IdP is blacklisted, since it is effectively not usable with CLARIN services. CLARIN also considers considerable administrative hurdles, like filling out complex paperwork which is not in English, as a reason to blacklist an IdP.

---++ The process in detail

1. An SP operator requests Attribute Release from an IdP on behalf of CLARIN and states CLARIN's support for the Data Protection Code of Conduct as well as Research and Scholarship and cc's spf at clarin.eu.
2. The IdP either
 2.1. does not react or
 2.2. demands a complex application procedure to allow Attribute Release
3. The SP operator waits a week and
 3.1. sends a reminder or
 3.2. requests a simpler application procedure.
4. The SP operator requests that clarin.eu contacts the IdP directly and informs about a possible blacklisting if the issue is not resolved within 2 weeks.
5. If no resolution is found after 2 weeks the IdP is blacklisted.

Comments?

Martin

-- 
Martin Matthiesen
CSC - Tieteen tietotekniikan keskus
CSC - IT Center for Science
PL 405, 02101 Espoo, Finland
+358 9 457 2376, martin.matthiesen at csc.fi
Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704
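The open question at the top of this mail (an IdP releases eppn to one SP but not mail to another) can be decided mechanically from SP metadata: each SP declares what it needs as RequestedAttribute elements with isRequired="true", and the attributes an IdP actually releases can be observed from a test login. The script below is an added example, not code from the CLARIN SPF or from the original post. It assumes constructed metadata for two hypothetical SPs (sp-one and sp-two), an observed release set supplied by hand, and an approximation of the Research and Scholarship bundle (eppn, mail, and displayName or givenName plus sn) that is labelled as an assumption in the code. It computes, per SP, which required attributes are missing and derives a discovery-service status: "usable", "partial" (mark the IdP in discovery but keep login possible for the SPs it works with, as suggested above), or "unusable".

```python
"""Per-SP usability of an IdP's attribute release, derived from SP metadata.

Added example; not code from the CLARIN SPF or the original post.
Assumes SPs declare needs as RequestedAttribute isRequired="true" inside an
AttributeConsumingService, and that the IdP's released set was observed
from a test login.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# SAML attribute names (OIDs); FriendlyName is informational only.
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"           # eduPersonPrincipalName
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"          # mail
DISPLAY_NAME = "urn:oid:2.16.840.1.113730.3.1.241"  # displayName
GIVEN_NAME = "urn:oid:2.5.4.42"                     # givenName
SN = "urn:oid:2.5.4.4"                              # sn

SP_ONE = "https://sp-one.example.org/shibboleth"  # hypothetical entityID
SP_TWO = "https://sp-two.example.org/shibboleth"  # hypothetical entityID

# Constructed sample metadata: SP One needs only eppn, SP Two needs eppn and mail.
SP_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp-one.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">SP One</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-two.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">SP Two</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def required_attributes(metadata_xml):
    """Map entityID -> set of attribute Names the SP marks isRequired="true"."""
    root = ET.fromstring(metadata_xml)
    required = {}
    for ed in root.iter("{%s}EntityDescriptor" % MD):
        names = set()
        for ra in ed.iterfind(".//md:RequestedAttribute", NS):
            if ra.get("isRequired", "false").lower() == "true":
                names.add(ra.get("Name"))
        required[ed.get("entityID")] = names
    return required


def missing_attributes(requirements, released):
    """Per SP, the required attributes the IdP did not release (empty set = usable)."""
    return {eid: req - set(released) for eid, req in requirements.items()}


def discovery_status(missing):
    """'usable' if all SPs are satisfied, 'partial' if some are, else 'unusable'."""
    satisfied = [eid for eid, gap in missing.items() if not gap]
    if len(satisfied) == len(missing):
        return "usable"
    return "partial" if satisfied else "unusable"


def meets_rs_bundle(released):
    """Assumed approximation of the R&S bundle: eppn, mail, and a display name
    (displayName, or givenName together with sn)."""
    r = set(released)
    has_name = DISPLAY_NAME in r or {GIVEN_NAME, SN} <= r
    return EPPN in r and MAIL in r and has_name


if __name__ == "__main__":
    observed = {EPPN}  # constructed: IdP releases eppn only
    gaps = missing_attributes(required_attributes(SP_METADATA), observed)
    for eid, gap in gaps.items():
        print(eid, "missing:", sorted(gap) or "nothing")
    print("discovery status:", discovery_status(gaps))
    print("R&S bundle released:", meets_rs_bundle(observed))
```

Run against a real federation aggregate, the same two functions give the list of SPs an IdP breaks, which is the evidence an SP operator would attach to the request in step 1 of the process.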
