[Tf-aai] SAML Attribute Authorities in the CLARIN SPF feed - what to do?

Jozef Misutka misutka at ufal.mff.cuni.cz
Mon Oct 14 15:51:19 CEST 2019


I do not know any SP using AA from SPF.
I also do not see any problem with leaving them in the SPF feed - in the
AAI world "If it ain't broke, don't fix it."
And finally I think there are no implications in removing them.

Because of the above, I think that in this case it is you, as the
maintainer, that should decide what to do.

Best,
Jozef

On Mon, 14 Oct 2019 at 15:22, André Moreira <andre at clarin.eu> wrote:

> Hi Martin,
>
> Thanks a lot for your input.
>
> > I suspect that most of the AAs are in fact IdP/AA combinations.
> To clarify, this is always the case in our feed!
> Because the AAs are just selected as a side effect of selecting the IdPs
> (with a not so strict XPath). This is what I meant by "some IdPs that
> bundle together an IdP and AA".
>
> The question is only about these IdP/AA combinations:
> - Shall we remove the AAs from them? or create a separate feed for them?
> or leave it as it is?
>
> In your case, would removing the AAs from
> https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml have any
> implication?
>
>
> Cheers,
> André
>
>
> > On 14 Oct 2019, at 14:45, Martin Matthiesen <martin.matthiesen at csc.fi>
> wrote:
> >
> > Hi André,
> >
> > I actually do have experience with an AA, we use it to authorize CLARIN
> RES resources[1].
> >
> > It seems at least some of the AAs are IdPs at the same time, like
> Hamburg:
> https://saml.clarin.eu/metadata/%7Bsha1%7D9a19c80b74964715f346276ab8e879d302a79e21.html
> >
> > I suspect that most of the AAs are in fact IdP/AA combinations.
> >
> > I think pure AAs do not make a lot of sense in general metadata, since
> by definition you use them to authorize resources that require more
> information than just the usual IdP attributes. In my case the AA that
> authorizes users to use corpora on korp.csc.fi which are authorized by
> lbr.csc.fi is not published to any external metadata, not Haka, eduGAIN
> or SPF.
> >
> > Regards,
> > Martin
> >
> >
> > [1] See slide 36 here:
> https://www.deic.dk/sites/default/files/uploads/PDF/Martin_Matthiesen_REMS_at_the_Language_Bank_of_Finland.pdf
> (somewhat outdated, but the principle is still the same).
> > --
> > Martin Matthiesen
> > CSC - Tieteen tietotekniikan keskus
> > CSC - IT Center for Science
> > PL 405, 02101 Espoo, Finland
> > +358 9 457 2376, martin.matthiesen at csc.fi
> > Public key :
> https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
> > Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704
> >
> > ----- Original Message -----
> >> From: "André Moreira" <andre at clarin.eu>
> >> To: "tf-aai" <tf-aai at lists.clarin.eu>
> >> Cc: "spf" <spf at clarin.eu>
> >> Sent: Monday, 14 October, 2019 13:01:13
> >> Subject: [Tf-aai] SAML Attribute Authorities in the CLARIN SPF feed -
> what   to do?
> >
> >> Dear all,
> >>
> >> I am trying to decide what we should do with the SAML Attribute Authorities
> >> which we currently bundle (silently) in the CLARIN SPF IdPs feed [1]. This
> >> happens because some IdPs e.g. Charles University
> >> entityID="https://cas.cuni.cz/idp/shibboleth" bundle together an IdP
> >> (IDPSSODescriptor) and an AA (AttributeAuthorityDescriptor).
> >> I think the current situation is not ideal and I would like to move to
> one of
> >> two options:
> >> 1. Move all the AAs we currently have (1211 [2]) to their own separate
> AA feed.
> >> 2. Remove them.
> >>
> >> This applies to both our traditional CLARIN SPF feed [1] as well as our
> new
> >> CLARIN eduGAIN feed [3].
> >>
> >> Before doing anything and because I never really heard much about AAs in
> >> practice being used by our SPs, I would like to hear your opinions:
> >> - Does your SP configuration somehow rely on the AAs we bundle in our IdPs
> >> feed?
> >> - In your view, would this change have any foreseeable impact on the CLARIN SPF?
> >> - Are you aware of any use case involving an AA?
> >>
> >>
> >> Best regards,
> >> André
> >>
> >>
> >> [1] - https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml
> >> [2] - https://saml.clarin.eu/
> >> [3] - https://infra.clarin.eu/aai/prod_md_about_edugain_idps.xml
> >> ----
> >> André Moreira
> >> CLARIN ERIC
> >> https://www.clarin.eu
> >>
>
>
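
The side effect discussed in this thread (selecting whole IdP entities with a loose XPath also carries along any bundled AttributeAuthorityDescriptor), as an added Python example that is not part of the original messages or of CLARIN's tooling. The sample aggregate and its example.org entityIDs are constructed, and the function names are hypothetical.

```python
import copy
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
PROTO = 'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"'

# Constructed sample aggregate (not real feed content).
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://idp-aa.example.org/idp/shibboleth">
    <md:IDPSSODescriptor {PROTO}/>
    <md:AttributeAuthorityDescriptor {PROTO}/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-only.example.org/idp">
    <md:IDPSSODescriptor {PROTO}/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://aa-only.example.org/aa">
    <md:AttributeAuthorityDescriptor {PROTO}/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp">
    <md:SPSSODescriptor {PROTO}/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""
ROOT = ET.fromstring(SAMPLE)

def select_idps(root):
    """Loose selection: every entity that has an IdP role, taken whole.
    Any AttributeAuthorityDescriptor in the same entity comes along."""
    return root.findall("md:EntityDescriptor[md:IDPSSODescriptor]", NS)

def bundled_aas(root):
    """entityIDs of selected IdPs that also carry an AA role."""
    return [e.get("entityID") for e in select_idps(root)
            if e.find("md:AttributeAuthorityDescriptor", NS) is not None]

def idp_feed_without_aas(root):
    """New aggregate holding only IdP entities, with their AA roles stripped.
    A signed feed would need to be re-signed after this change."""
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor")
    for entity in select_idps(root):
        clone = copy.deepcopy(entity)  # leave the input tree untouched
        for aa in clone.findall("md:AttributeAuthorityDescriptor", NS):
            clone.remove(aa)
        out.append(clone)
    return out

if __name__ == "__main__":
    print("IdPs bundling an AA:", bundled_aas(ROOT))
    print(ET.tostring(idp_feed_without_aas(ROOT), encoding="unicode"))
```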