[Tf-aai] SAML Attribute Authorities in the CLARIN SPF feed - what to do?

Martin Matthiesen martin.matthiesen at csc.fi
Mon Oct 14 16:06:35 CEST 2019


Hi André

----- Original Message -----
> From: "André Moreira" <andre at clarin.eu>
> To: "Martin Matthiesen" <martin.matthiesen at csc.fi>
> Cc: "tf-aai" <tf-aai at lists.clarin.eu>, "spf" <spf at clarin.eu>
> Sent: Monday, 14 October, 2019 16:21:40
> Subject: Re: [Tf-aai] SAML Attribute Authorities in the CLARIN SPF feed - what to do?

> Hi Martin,
> 
> Thanks a lot for your input.
> 
>> I suspect that most of the AAs are in fact IdP/AA combinations.
> To clarify, this is always the case in our feed!
> Because the AAs are just selected as a side effect of selecting the IdPs (with a
> not so strict XPath). This is what I meant by “some IdPs that bundle together
> an IdP and AA"

Reading helps, sorry for the confusion. I was totally not aware of such a setup.
 
> The question is only about these IdP/AA combinations:
> - Shall we remove the AAs from them? or create a separate feed for them? or
> leave it as it is?

eduGAIN seems to also have 3500+ AAs in it. What problem do you see by doing nothing?

If I googled right this time, this seems to be behind the whole doubling:

https://www.switch.ch/aai/support/presentations/update2016/06_Attribute-Query.pdf

> In your case, removing the AAs from
> https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml would have any
> implication?

I am not aware of any SP using this, but then again, I was not aware of the whole setup.

The IdP/AA tandem does seem to make sense, though. So I would not touch it.

Martin

> 
> 
> Cheers,
> André
> 
> 
>> On 14 Oct 2019, at 14:45, Martin Matthiesen <martin.matthiesen at csc.fi> wrote:
>> 
>> Hi André,
>> 
>> I actually do have experience with an AA, we use it to authorize CLARIN RES
>> resources[1].
>> 
>> It seems at least some of the AAs are IdPs at the same time, like Hamburg:
>> https://saml.clarin.eu/metadata/%7Bsha1%7D9a19c80b74964715f346276ab8e879d302a79e21.html
>> 
>> I suspect that most of the AAs are in fact IdP/AA combinations.
>> 
>> I think pure AAs do not make a lot of sense in general metadata, since by
>> definition you use them to authorize resources that require more information
>> than just the usual IdP attributes. In my case the AA that authorizes users to
>> use corpora on korp.csc.fi which are authorized by lbr.csc.fi is not published
>> to any external metadata, not Haka, eduGAIN or SPF.
>> 
>> Regards,
>> Martin
>> 
>> 
>> [1] See slide 36 here:
>> https://www.deic.dk/sites/default/files/uploads/PDF/Martin_Matthiesen_REMS_at_the_Language_Bank_of_Finland.pdf
>> (somewhat outdated, but the principle is still the same).
>> --
>> Martin Matthiesen
>> CSC - Tieteen tietotekniikan keskus
>> CSC - IT Center for Science
>> PL 405, 02101 Espoo, Finland
>> +358 9 457 2376, martin.matthiesen at csc.fi
>> Public key : https://pgp.mit.edu/pks/lookup?op=get&search=0x74B12876FD890704
>> Fingerprint: AA25 6F56 5C9A 8B42 009F  BA70 74B1 2876 FD89 0704
>> 
>> ----- Original Message -----
>>> From: "André Moreira" <andre at clarin.eu>
>>> To: "tf-aai" <tf-aai at lists.clarin.eu>
>>> Cc: "spf" <spf at clarin.eu>
>>> Sent: Monday, 14 October, 2019 13:01:13
>>> Subject: [Tf-aai] SAML Attribute Authorities in the CLARIN SPF feed - what to do?
>> 
>>> Dear all,
>>> 
>>> I am trying to decide what we should do with the SAML Attribute Authorities
>>> which we currently bundle (silently) in the CLARIN SPF IdPs feed [1]. This
>>> happens because some IdPs e.g. Charles University
>>> entityID="https://cas.cuni.cz/idp/shibboleth" bundle together an IdP
>>> (IDPSSODescriptor) and an AA (AttributeAuthorityDescriptor).
>>> I think the current situation is not ideal and I would like to move to one of
>>> two options:
>>> 1. Move all the AAs we currently have (1211 [2]) to their own separate AA feed.
>>> 2. Remove them.
>>> 
>>> This applies to both our traditional CLARIN SPF feed [1] as well as our new
>>> CLARIN eduGAIN feed [3].
>>> 
>>> Before doing anything and because I never really heard much about AAs in
>>> practice being used by our SPs, I would like to hear your opinions:
>>> - Does your SP configuration somehow rely on the AAs we bundle in our IdPs
>>> feed?
>>> - In your view, would this change have any foreseeable impact on the CLARIN SPF?
>>> - Are you aware of any use case involving an AA?
>>> 
>>> 
>>> Best regards,
>>> André
>>> 
>>> 
>>> [1] - https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml
>>> [2] - https://saml.clarin.eu/
>>> [3] - https://infra.clarin.eu/aai/prod_md_about_edugain_idps.xml
>>> ----
>>> André Moreira
>>> CLARIN ERIC
>>> https://www.clarin.eu
>>> 
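The three options debated in the thread (leave the IdP/AA bundles alone, strip the AttributeAuthorityDescriptor from the IdP feed, or move the AA roles into their own feed) come down to how an EntityDescriptor is filtered: selecting the entity because it has an IDPSSODescriptor copies every role it carries, which is exactly how AA roles end up in an IdP feed as a side effect. The script below is an added example, not CLARIN's feed tooling (the thread does not show the XPath the SPF aggregator actually uses), and it runs against a constructed four-entity aggregate with made-up hostnames: one IdP that also publishes an AA role, one plain IdP, one stand-alone AA and one SP. It classifies entities by role, then builds both the stripped IdP feed and the separate AA feed without touching the source aggregate.

```python
"""Classify SAML metadata entities by role and derive IdP / AA feeds.

Added example (not CLARIN's feed tooling); standard library only.
"""
import copy
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"md": MD}
ET.register_namespace("md", MD)

# Constructed aggregate for illustration; the entityIDs are not real.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" Name="constructed-aggregate">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="{SAML2}">
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://idp.example.org/idp/profile/SAML2/SOAP/AttributeQuery"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-only.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-only.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://aa.example.org/aa">
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="{SAML2}">
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://aa.example.org/aa/AttributeQuery"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="{SAML2}">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse(xml_text):
    return ET.fromstring(xml_text)


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _is_role(element):
    # Every SAML role element (IDPSSODescriptor, SPSSODescriptor,
    # AttributeAuthorityDescriptor, ...) ends in "Descriptor"; Organization,
    # ContactPerson and Extensions do not.
    return _local(element.tag).endswith("Descriptor")


def entity_roles(feed):
    """Map entityID -> sorted list of role descriptor names in the feed."""
    return {
        ent.get("entityID"): sorted(_local(c.tag) for c in ent if _is_role(c))
        for ent in feed.findall("md:EntityDescriptor", NS)
    }


def _new_aggregate(name):
    return ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": name})


def idp_feed(aggregate, keep_aa_role):
    """IdP feed: every entity that has an IDPSSODescriptor.

    Copying the whole EntityDescriptor brings every role along, so an IdP/AA
    bundle keeps its AA role unless keep_aa_role=False strips it (option 2).
    """
    out = _new_aggregate("idps")
    for ent in aggregate.findall("md:EntityDescriptor", NS):
        if ent.find("md:IDPSSODescriptor", NS) is None:
            continue
        ent = copy.deepcopy(ent)  # never mutate the source aggregate
        if not keep_aa_role:
            for aa in ent.findall("md:AttributeAuthorityDescriptor", NS):
                ent.remove(aa)
        out.append(ent)
    return out


def aa_feed(aggregate):
    """Separate AA feed (option 1): entities with an AttributeAuthorityDescriptor,
    reduced to that role; non-role children are kept. Stand-alone AAs, which a
    strict IdP filter would drop entirely, are picked up here as well.
    """
    out = _new_aggregate("aas")
    aa_tag = f"{{{MD}}}AttributeAuthorityDescriptor"
    for ent in aggregate.findall("md:EntityDescriptor", NS):
        if ent.find("md:AttributeAuthorityDescriptor", NS) is None:
            continue
        ent = copy.deepcopy(ent)
        for child in list(ent):
            if _is_role(child) and child.tag != aa_tag:
                ent.remove(child)
        out.append(ent)
    return out


def to_xml(feed):
    return ET.tostring(feed, encoding="unicode")


if __name__ == "__main__":
    agg = parse(SAMPLE_METADATA)
    for label, feed in [("source", agg), ("idp feed, AA kept", idp_feed(agg, True)),
                        ("idp feed, AA stripped", idp_feed(agg, False)), ("aa feed", aa_feed(agg))]:
        print(label)
        for eid, roles in entity_roles(feed).items():
            print(f"  {eid}: {', '.join(roles)}")
```

Two checks before applying either option to a real feed: if the upstream aggregate is XML-signed, rewriting entities invalidates that signature and the derived feed has to be re-signed by the publisher; and an SP that resolves attributes over the SAML SOAP back channel (an AttributeQuery against the AttributeService endpoint, as the Shibboleth SP's query-based attribute resolver does) takes that endpoint and the AA's signing key from the AttributeAuthorityDescriptor, so stripping the role breaks precisely those SPs, which is why the thread asks whether any SP configuration depends on it.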