[Tf-aai] SAML Attribute Authorities in the CLARIN SPF feed - what to do?

André Moreira andre at clarin.eu
Mon Oct 14 15:21:40 CEST 2019


Hi Martin,

Thanks a lot for your input.

> I suspect that most of the AAs are in fact IdP/AA combinations.
To clarify, this is always the case in our feed! The AAs are just selected as a side effect of selecting the IdPs (with a not-so-strict XPath). This is what I meant by "some IdPs that bundle together an IdP and AA".

The question is only about these IdP/AA combinations:
- Shall we remove the AAs from them? or create a separate feed for them? or leave it as it is?

In your case, would removing the AAs from https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml have any implications?


Cheers,
André


> On 14 Oct 2019, at 14:45, Martin Matthiesen <martin.matthiesen at csc.fi> wrote:
> 
> Hi André,
> 
> I actually do have experience with an AA, we use it to authorize CLARIN RES resources[1].
> 
> It seems at least some of the AAs are IdPs at the same time, like Hamburg: https://saml.clarin.eu/metadata/%7Bsha1%7D9a19c80b74964715f346276ab8e879d302a79e21.html
> 
> I suspect that most of the AAs are in fact IdP/AA combinations.
> 
> I think pure AAs do not make a lot of sense in general metadata, since by definition you use them to authorize resources that require more information than just the usual IdP attributes. In my case the AA that authorizes users to use corpora on korp.csc.fi which are authorized by lbr.csc.fi is not published to any external metadata, not Haka, eduGAIN or SPF.
> 
> Regards,
> Martin
> 
> 
> [1] See slide 36 here: https://www.deic.dk/sites/default/files/uploads/PDF/Martin_Matthiesen_REMS_at_the_Language_Bank_of_Finland.pdf (somewhat outdated, but the principle is still the same).
> --
> Martin Matthiesen
> CSC - Tieteen tietotekniikan keskus
> CSC - IT Center for Science
> PL 405, 02101 Espoo, Finland
> +358 9 457 2376, martin.matthiesen at csc.fi
> Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
> Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704
> 
> ----- Original Message -----
>> From: "André Moreira" <andre at clarin.eu>
>> To: "tf-aai" <tf-aai at lists.clarin.eu>
>> Cc: "spf" <spf at clarin.eu>
>> Sent: Monday, 14 October, 2019 13:01:13
>> Subject: [Tf-aai] SAML Attribute Authorities in the CLARIN SPF feed - what to do?
> 
>> Dear all,
>> 
>> I am trying to decide what we should do with the SAML Attribute Authorities
>> which we currently bundle (silently) in the CLARIN SPF IdPs feed [1]. This
>> happens because some IdPs e.g. Charles University
>> entityID="https://cas.cuni.cz/idp/shibboleth" bundle together an IdP
>> (IDPSSODescriptor) and an AA (AttributeAuthorityDescriptor).
>> I think the current situation is not ideal and I would like to move to one of
>> two options:
>> 1. Move all the AAs we currently have (1211 [2]) to their own separate AA feed.
>> 2. Remove them.
>> 
>> This applies to both our traditional CLARIN SPF feed [1] as well as our new
>> CLARIN eduGAIN feed [3].
>> 
>> Before doing anything and because I never really heard much about AAs in
>> practice being used by our SPs, I would like to hear your opinions:
>> - Does your SP configuration somehow rely on the AAs we bundle in our IdPs
>> feed?
>> - In your view, would this change have any foreseeable impact on the CLARIN SPF?
>> - Are you aware of any use case involving an AA?
>> 
>> 
>> Best regards,
>> André
>> 
>> 
>> [1] - https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml
>> [2] - https://saml.clarin.eu/
>> [3] - https://infra.clarin.eu/aai/prod_md_about_edugain_idps.xml
>> ----
>> André Moreira
>> CLARIN ERIC
>> https://www.clarin.eu
>> 
>> 
>> 
>> 
>> 
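The following is an added example, written for this archive page; it is not CLARIN SPF tooling and not code from either poster. It shows in concrete metadata what the "IdP/AA combination" discussed above looks like (one EntityDescriptor carrying both an IDPSSODescriptor and an AttributeAuthorityDescriptor, so a loose XPath that selects the IdP entity pulls the AA role along with it) and how an aggregator could implement either of the two options André lists: strip the AA roles from the IdP feed, or emit them into a separate AA-only feed. The entity IDs, endpoints and the metadata fragment are constructed for illustration and do not describe any real federation member.

```python
"""Split a SAML metadata aggregate into an IdP-only feed and an AA-only feed.

Added example, not CLARIN SPF tooling. The entity IDs, endpoints and the
aggregate below are constructed for illustration.
"""
import copy
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
ET.register_namespace("md", MD)

# Constructed aggregate: one IdP/AA combination, one pure IdP, one pure AA.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="urn:example:constructed-feed">
  <md:EntityDescriptor entityID="https://idp-aa.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-aa.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp-aa.example.org/idp/profile/SAML2/SOAP/AttributeQuery"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-only.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-only.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://aa-only.example.org/aa">
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://aa-only.example.org/aa/AttributeQuery"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def classify(aggregate_xml):
    """Return {entityID: set of role descriptor names} for every EntityDescriptor."""
    root = ET.fromstring(aggregate_xml)
    roles = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        found = set()
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            found.add("IDPSSODescriptor")
        if ed.find("md:AttributeAuthorityDescriptor", NS) is not None:
            found.add("AttributeAuthorityDescriptor")
        roles[ed.get("entityID")] = found
    return roles


def idp_aa_combinations(aggregate_xml):
    """Entity IDs that carry both roles, i.e. the bundling the thread is about."""
    both = {"IDPSSODescriptor", "AttributeAuthorityDescriptor"}
    return sorted(eid for eid, r in classify(aggregate_xml).items() if r == both)


def split_feed(aggregate_xml):
    """Return (idp_feed_xml, aa_feed_xml).

    The IdP feed keeps only entities that have an IDPSSODescriptor and removes
    every AttributeAuthorityDescriptor from them; the AA feed keeps only
    entities that have an AttributeAuthorityDescriptor, reduced to that role.
    Selecting by role descriptor (rather than by EntityDescriptor) is what a
    stricter XPath in the aggregator would do.
    """
    root = ET.fromstring(aggregate_xml)
    idp_root = copy.deepcopy(root)
    aa_root = copy.deepcopy(root)
    for container, keep, drop in (
        (idp_root, "IDPSSODescriptor", "AttributeAuthorityDescriptor"),
        (aa_root, "AttributeAuthorityDescriptor", "IDPSSODescriptor"),
    ):
        for ed in list(container.findall("md:EntityDescriptor", NS)):
            if ed.find(f"md:{keep}", NS) is None:
                container.remove(ed)  # no role of this kind: not part of this feed
                continue
            for role in ed.findall(f"md:{drop}", NS):
                ed.remove(role)  # strip the other role so it is not bundled silently
    return (ET.tostring(idp_root, encoding="unicode"),
            ET.tostring(aa_root, encoding="unicode"))


if __name__ == "__main__":
    print("IdP/AA combinations:", idp_aa_combinations(SAMPLE_AGGREGATE))
    idp_feed, aa_feed = split_feed(SAMPLE_AGGREGATE)
    print(idp_feed)
    print(aa_feed)
```

Two practical caveats when applying this to a real feed: the output documents are no longer covered by the upstream signature, so the aggregator has to re-sign both feeds before publishing them; and an SP whose attribute resolver queries the AttributeService of an IdP/AA combination loses that endpoint (and the AA's KeyDescriptors) from its metadata once the descriptor is stripped, which is exactly the dependency the questions above are trying to surface.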


