Subject Re: use of eduPersonEntitlement
From Joost van Dijk <Joost.vanDijk@xxxxxxxxxx>
Date Wed, 15 May 2013 16:19:39 +0200


That is interesting. Does this mean that Elsevier receives entitlement-values that are not intended for Elsevier's services?

Our federation treats entitlement attributes in a special way in the sense that when implementing attribute release policies, we need to filter on attribute *values* as well as on attribute names.
Our IDPs think this is important, for instance because they don't want entitlements used for the TCS Personal Certificate service to end up at other SPs. Sending those values to other SPs would leak information on who has administrator privileges for the TCS portals.

Operating a hub-and-spoke style federation, we have implemented filtering on our hub.
I wonder how mesh federations handle this? What IDP software allows you to easily filter on attribute values? I know simplesamlphp can, but I'm not sure about others.

My apologies if you think I am drifting off-topic.

Joost van Dijk

On May 15, 2013, at 3:25 PM, "Vries, Ale de (ELS-NYC)" <ale@xxxxxxxxxxxx> wrote:

> Our SP _generally_ requires the eduPersonEntitlement value, but coincidentally we've been running into the issue recently that more and more IdPs in more and more federations release multiple values for that attribute. Our assumption has always been that _if_ eduPersonEntitlement is used in any given federation, then just one value will be released for any given user at any given time - not multiple. So we're now faced with implementing logic to evaluate multiple attribute values to determine which of them may be valid for access to our products - which is not a small effort because of how deeply intertwined this logic is with our (already complex) authorization logic. Pending that implementation, we have simply decided to not check for eduPersonEntitlement value _at all_ for some federations, which means that in those federations some users may be getting access to our products while in fact they shouldn't.
>> -----Original Message-----
>> From: Keith Hazelton [mailto:hazelton@xxxxxxxx]
>> Sent: Tuesday, May 14, 2013 14:00
>> To: REFeds
>> Subject: [refeds] use of eduPersonEntitlement
>> An email thread here has me wondering whether IdPs outside InCommon
>> tend to make much use of the eduPersonEntitlement attribute.
>> Any data points welcome.
>>      --Keith Hazelton