[Tf-aai] SAML Attribute Authorities in the CLARIN SPF feed - what to do?

Martin Matthiesen martin.matthiesen at csc.fi
Mon Oct 14 14:45:55 CEST 2019


Hi André,

I actually do have experience with an AA; we use it to authorize CLARIN RES resources [1].

It seems at least some of the AAs are IdPs at the same time, like Hamburg: https://saml.clarin.eu/metadata/%7Bsha1%7D9a19c80b74964715f346276ab8e879d302a79e21.html

I suspect that most of the AAs are in fact IdP/AA combinations.

I think pure AAs do not make a lot of sense in general metadata, since by definition you use them to authorize resources that require more information than just the usual IdP attributes. In my case the AA that authorizes users to use corpora on korp.csc.fi which are authorized by lbr.csc.fi is not published to any external metadata, not Haka, eduGAIN or SPF.

Regards,
Martin


[1] See slide 36 here: https://www.deic.dk/sites/default/files/uploads/PDF/Martin_Matthiesen_REMS_at_the_Language_Bank_of_Finland.pdf (somewhat outdated, but the principle is still the same).
-- 
Martin Matthiesen
CSC - Tieteen tietotekniikan keskus
CSC - IT Center for Science
PL 405, 02101 Espoo, Finland
+358 9 457 2376, martin.matthiesen at csc.fi
Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704

----- Original Message -----
> From: "André Moreira" <andre at clarin.eu>
> To: "tf-aai" <tf-aai at lists.clarin.eu>
> Cc: "spf" <spf at clarin.eu>
> Sent: Monday, 14 October, 2019 13:01:13
> Subject: [Tf-aai] SAML Attribute Authorities in the CLARIN SPF feed - what to do?

> Dear all,
> 
> I am trying to decide what we should do with the SAML Attribute Authorities
> which we currently bundle (silently) in the CLARIN SPF IdPs feed [1]. This
> happens because some IdPs, e.g. Charles University
> entityID="https://cas.cuni.cz/idp/shibboleth", bundle together an IdP
> (IDPSSODescriptor) and an AA (AttributeAuthorityDescriptor).
> I think the current situation is not ideal and I would like to move to one of
> two options:
> 1. Move all the AAs we currently have (1211 [2]) to their own separate AA feed.
> 2. Remove them.
> 
> This applies to both our traditional CLARIN SPF feed [1] as well as our new
> CLARIN eduGAIN feed [3].
> 
> Before doing anything and because I never really heard much about AAs in
> practice being used by our SPs, I would like to hear your opinions:
> - Does your SP configuration somehow rely on the AAs we bundle in our IdPs
> feed?
> - In your view, would this change have any foreseeable impact on the CLARIN SPF?
> - Are you aware of any use case involving an AA?
> 
> 
> Best regards,
> André
> 
> 
> [1] - https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml
> [2] - https://saml.clarin.eu/
> [3] - https://infra.clarin.eu/aai/prod_md_about_edugain_idps.xml
> ----
> André Moreira
> CLARIN ERIC
> https://www.clarin.eu



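The role bundling discussed in this thread (an IDPSSODescriptor and an AttributeAuthorityDescriptor inside one EntityDescriptor), as an added example that is not part of either message or of CLARIN's tooling: it classifies the entities in a metadata aggregate and builds the two outcomes under discussion, an IdP feed with the AAs removed and a separate AA feed. The sample aggregate and its entityIDs are constructed, and `classify`, `filter_roles` and `entity_ids` are hypothetical helper names.

```python
import copy
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
ENTITY = f"{{{MD}}}EntityDescriptor"
IDP, AA = f"{{{MD}}}IDPSSODescriptor", f"{{{MD}}}AttributeAuthorityDescriptor"

# Constructed sample aggregate; the entityIDs are placeholders, not feed entries.
SAMPLE_FEED = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
 <md:EntityDescriptor entityID="https://combined.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="{PROTO}"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://plain.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="{PROTO}"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://pure-aa.example.org/aa">
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="{PROTO}"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def classify(root):
    """Map each entityID to 'idp+aa', 'idp', 'aa' or 'other' by its role descriptors."""
    kinds = {}
    for ent in root.iter(ENTITY):
        has_idp, has_aa = ent.find(IDP) is not None, ent.find(AA) is not None
        kinds[ent.get("entityID")] = ("idp+aa" if has_idp and has_aa else
                                      "idp" if has_idp else "aa" if has_aa else "other")
    return kinds


def filter_roles(root, keep):
    """Copy the aggregate, keeping only role descriptors whose tag satisfies keep(tag)."""
    # Editing invalidates any XML signature on the aggregate: verify the upstream
    # signature before parsing and re-sign whatever is published afterwards.
    out = copy.deepcopy(root)
    for parent in list(out.iter()):
        for ent in parent.findall(ENTITY):
            for role in [c for c in ent if c.tag.endswith("Descriptor") and not keep(c.tag)]:
                ent.remove(role)
            # The metadata schema forbids an EntityDescriptor with no role left.
            if not any(c.tag.endswith("Descriptor") for c in ent):
                parent.remove(ent)
    return out


def entity_ids(root):
    """List the entityIDs in document order."""
    return [e.get("entityID") for e in root.iter(ENTITY)]
```

`filter_roles(feed, lambda tag: tag != AA)` yields the IdP feed with AAs removed, and `filter_roles(feed, lambda tag: tag == AA)` yields the separate AA feed.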