[Tf-aai] Blacklisting IdPs: A proposal

Martin Matthiesen martin.matthiesen at csc.fi
Tue Nov 19 17:10:49 CET 2019


Dear Taskforce,

I'd like some feedback on the proposal; positive comments are also appreciated. This issue will be discussed on the next SCCTC VC 11.12.

Regards,
Martin

-- 
Martin Matthiesen
CSC - Tieteen tietotekniikan keskus
CSC - IT Center for Science
PL 405, 02101 Espoo, Finland
+358 9 457 2376, martin.matthiesen at csc.fi
Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704

----- Original Message -----
> From: "Martin Matthiesen" <martin.matthiesen at csc.fi>
> To: "tf-aai" <tf-aai at lists.clarin.eu>
> Sent: Tuesday, 5 November, 2019 19:36:19
> Subject: [Tf-aai] Blacklisting IdPs: A proposal

> Hi,
> 
> Here's my suggestion for blacklisting IdPs. Some details need to be discussed,
> for example what happens if an IdP provides eppn to SPs, but not mail and
> another SP needs mail and the IdP does not react? Should that be a reason for
> blacklisting?
> 
> I wonder whether we should mark IdPs as "blacklisted" in the Discovery Service,
> but still make login via them possible for those SPs that work with the
> Attribute Set provided.
> 
> Concretely, the blacklisting should be accessible from:
> 
> https://discovery.clarin.eu
> 
> Change the "If you cannot find..." text as follows:
> 
> "If you cannot find your organisation in the list below, this may be for two
> reasons: Your home organisation does not provide a login option or we have
> blacklisted your home organisation, because your home organisation does not
> provide CLARIN member services with sufficient information about users that try
> to log in, for example the user's email address. Please check our list of
> blacklisted IdPs for more information about the blacklisting process.
> 
> If you cannot log in for the reasons stated above, please select the clarin.eu
> website account and use your CLARIN website credentials. If you don't have such
> credentials you can register an account here."
> 
> 
> The "list of blacklisted IdPs"
> 
> ---+ IdPs currently blacklisted by CLARIN
> 
> * IdP One
> * IdP Two
> 
> (maybe searchable)
> 
> ---+ CLARIN's blacklisting process
> 
> The CLARIN Service Provider Federation was created to ensure cross-border login
> to CLARIN services. If an IdP after repeated requests refuses the release of
> attributes to CLARIN services this IdP is blacklisted, since it is effectively
> not usable with CLARIN services. CLARIN also considers considerable
> administrative hurdles, like filling out complex paperwork which is not in
> English, as a reason to blacklist an IdP.
> 
> ---++ The process in detail
> 
> 1. An SP operator requests Attribute Release from an IdP on behalf of CLARIN and
> states CLARIN's support for the Data Protection Code of Conduct as well as
> Research and Scholarship and cc's spf at clarin.eu.
> 2. The IdP either
> 2.1. does not react or
> 2.2. demands a complex application procedure to allow Attribute Release
> 3. The SP operator waits a week and
> 3.1. sends a reminder or
> 3.2. requests a simpler application procedure.
> 4. The SP operator requests that clarin.eu contacts the IdP directly and informs
> about a possible blacklisting if the issue is not resolved within 2 weeks.
> 5. If no resolution is found after 2 weeks the IdP is blacklisted.
> 
> Comments?
> 
> Martin
> 
> --
> Martin Matthiesen
> CSC - Tieteen tietotekniikan keskus
> CSC - IT Center for Science
> PL 405, 02101 Espoo, Finland
> +358 9 457 2376, martin.matthiesen at csc.fi
> Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
> Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704
> _______________________________________________
> Tf-aai mailing list
> Tf-aai at lists.clarin.eu
> https://lists.clarin.eu/cgi-bin/mailman/listinfo/tf-aai
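The quoted proposal leaves open how the Discovery Service should treat an IdP that is blacklisted but still releases enough attributes for some SPs (the eppn-but-not-mail case). The following Python script is an added illustration of one way to model that rule, written for this archive page; it is not code from Martin, CSC or CLARIN. All IdP and SP entityIDs, display names, released attribute sets and blacklist reasons are constructed sample values, and the policy it encodes (a blacklisted IdP stays listed with a visible marker, and is selectable only for an SP whose required attributes the IdP is known to release) is an assumption chosen to match the proposal's wording, not an agreed CLARIN decision.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

# Attribute names as used in SAML federations; the page mentions eppn and mail.
EPPN = "eduPersonPrincipalName"
MAIL = "mail"


@dataclass(frozen=True)
class IdP:
    entity_id: str
    display_name: str
    released: FrozenSet[str]  # attributes the IdP is known to release to CLARIN SPs


@dataclass(frozen=True)
class SP:
    entity_id: str
    required: FrozenSet[str]  # attributes without which this SP cannot serve a user


@dataclass
class Entry:
    """One row of the Discovery Service list as rendered for a given SP."""
    entity_id: str
    label: str
    selectable: bool
    missing: List[str] = field(default_factory=list)


# Constructed sample blacklist: entityID -> reason shown on the blacklist page.
BLACKLIST: Dict[str, str] = {
    "https://idp.example-one.org/idp": "no attribute release after repeated requests",
    "https://idp.example-two.org/idp": "complex application procedure, paperwork not in English",
}

# Constructed sample IdPs (not CLARIN's real federation members).
IDPS: List[IdP] = [
    IdP("https://idp.example-uni.fi/idp", "Example University", frozenset({EPPN, MAIL})),
    IdP("https://idp.example-one.org/idp", "IdP One", frozenset({EPPN})),  # eppn only, no mail
    IdP("https://idp.example-two.org/idp", "IdP Two", frozenset()),  # releases nothing
]

# Constructed sample SPs with different attribute needs.
SP_EPPN_ONLY = SP("https://sp.example-repo.org/sp", frozenset({EPPN}))
SP_NEEDS_MAIL = SP("https://sp.example-notify.org/sp", frozenset({EPPN, MAIL}))


def discovery_entries(sp: SP, idps: Iterable[IdP], blacklist: Dict[str, str]) -> List[Entry]:
    """Build the per-SP Discovery Service listing.

    Every IdP stays in the list; blacklisted ones carry a visible marker with the
    reason. An IdP is selectable only when the attributes it releases cover what
    this particular SP requires, so a blacklisted eppn-only IdP still works for an
    SP that needs nothing but eppn, while an SP needing mail cannot use it.
    """
    entries: List[Entry] = []
    for idp in idps:
        missing = sorted(sp.required - idp.released)
        label = idp.display_name
        if idp.entity_id in blacklist:
            label += f" [blacklisted: {blacklist[idp.entity_id]}]"
        entries.append(Entry(idp.entity_id, label, selectable=not missing, missing=missing))
    return entries


def render(sp: SP, idps: Iterable[IdP], blacklist: Dict[str, str]) -> str:
    """Plain-text rendering of the listing, one line per IdP."""
    lines = [f"Discovery list for {sp.entity_id} (requires: {', '.join(sorted(sp.required))})"]
    for e in discovery_entries(sp, idps, blacklist):
        state = "login possible" if e.selectable else f"login not possible, missing: {', '.join(e.missing)}"
        lines.append(f"  {e.label} -> {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SP_EPPN_ONLY, IDPS, BLACKLIST))
    print()
    print(render(SP_NEEDS_MAIL, IDPS, BLACKLIST))
```

Keeping the blacklist marker separate from the selectability decision is what lets a single listing answer both questions the proposal raises: the user sees why an organisation is flagged, and an SP that can live with the released attribute set is not cut off by a blacklisting triggered on behalf of a different SP.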


