Refeds


Subject Re: How to join the refeds wiki
From Peter Schober <peter.schober@xxxxxxxxxxxx>
Date Fri, 7 Aug 2009 15:48:19 +0200

Sorry to revive an old thread but it seems I have to correct a few of
my (too optimistic) statements back in March, given that the state of
the REFEDs wiki has not changed in several months.
Both Ian and Bob were fully correct in their criticism and things
still need to be changed (which I took for granted back then, but
obviously this never happened).

* It's still SAML2 only, for no apparent reason. While I personally
  couldn't care less about SAML1.1 this seems to shut out interested
  parties and should be fixed, esp. since it's a simple config option.

  Gijsbert: please enable Shib1.3 functionality in your simpleSAMLphp
  deployment and update the metadata accordingly.

* From looking at the document
  https://refeds.terena.org/images/2/26/REFEDs_Shib21Idp.doc it still
  seems to require one to configure attribute names in contradiction
  to the eduPerson specs, suggesting this was not a simple oversight
  (what I expected the wording on
  https://refeds.terena.org/index.php/WikiAccessControl to be,
  originally).

  Anyone: please update the wiki to reflect that the required
  attributes should be sent according to the eduPerson specs. The
  SAML wire-representation of which is specified in
  http://middleware.internet2.edu/dir/docs/internet2-mace-dir-saml-attributes-200804.pdf
  Attribute Profile for SAML2.0: "3.2 SAML Attribute Naming [...]
  The legacy names assigned for use with the SAML 1.x attribute
  profile MUST NOT be used with this profile."

  Anyone/Stefano Gargiulo: The document describing how to create
  non-conforming attributes with a Shib 2 IdP should either be removed
  (it also contains other rather peculiar advice presented as generic
  configuration, i.e. custom relying party configuration, custom
  metadata configuration, cronjob for remote metadata fetching,
  etc.) or corrected.

  Gijsbert: please enable the simpleSAMLphp attribute map 'oid2name'
  in simpleSAMLphp's config.php in 'authproc.sp', so both URN and OID
  style named attributes will map to the same attribute for
  simpleSAMLphp (so no changes to MediaWiki should be necessary).

Alternatively I'd be interested why precisely the REFEDs wiki (of all
wikis) should require a configuration that's in contradiction to
published standards for federating in HE. Beats me.

Or, certainly even less desirable, disable SAML2 support and continue
using the legacy attribute names as is (requires enabling SAML1
support in the installation first, see above).

cheers,
-peter
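The two config.php changes requested in the message above (Shib 1.3 support and the 'oid2name' attribute map in 'authproc.sp'), written out as an added example; this is not the REFEDs wiki's actual configuration, and it assumes the simpleSAMLphp 1.x-era config keys of that time.

```php
<?php
// Fragment of simpleSAMLphp config/config.php (added example, not the
// REFEDs wiki's own file). Only the keys relevant to the thread are shown.
$config = array(
    // SAML 2.0 SP is already on; the thread asks for Shib 1.3 as well so
    // SAML 1.x-only IdPs are no longer shut out. Assumed key names for the
    // simpleSAMLphp version of the time; re-generate SP metadata afterwards.
    'enable.saml20-sp' => true,
    'enable.shib13-sp' => true,

    // Authentication processing filters run on the SP side, in priority
    // order, before attributes are handed to the application (MediaWiki).
    'authproc.sp' => array(
        // Map OID-style SAML 2.0 attribute names (the eduPerson/MACE-Dir
        // wire representation, e.g. urn:oid:1.3.6.1.4.1.5923.1.1.1.6) to
        // their friendly names (eduPersonPrincipalName). The map ships in
        // simpleSAMLphp's attributemap/oid2name.php.
        10 => array(
            'class' => 'core:AttributeMap',
            'oid2name',
        ),
        // Assumption: if legacy SAML 1.x URN names still arrive unmapped
        // (urn:mace:dir:attribute-def:eduPersonPrincipalName), the sibling
        // 'urn2name' map folds them onto the same friendly names, so the
        // application sees one attribute regardless of which profile the
        // IdP used.
        11 => array(
            'class' => 'core:AttributeMap',
            'urn2name',
        ),
    ),
);
```

With both maps in place an IdP can follow the eduPerson SAML attribute profile unchanged; the rename happens at the SP, so MediaWiki's attribute settings stay as they are.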