Refeds
Subject |
RE: use of eduPersonEntitlement |
From |
"Vries, Ale de (ELS-NYC)" <ale@xxxxxxxxxxxx> |
Date |
Wed, 15 May 2013 16:00:43 +0000 |
Actually, in the specific case of SURFconext we encountered this issue not because of multiple values being released, but because of the same value being released in two different formats - urn:mace:<name> and urn:mace:<oid>. Our access management system choked on that - and it's currently being worked around by the SURFconext hub, IIRC.
> -----Original Message-----
> From: Joost van Dijk [mailto:Joost.vanDijk@xxxxxxxxxx]
> Sent: Wednesday, May 15, 2013 10:20
> To: Vries, Ale de (ELS-NYC)
> Cc: Keith Hazelton; REFeds
> Subject: Re: [refeds] use of eduPersonEntitlement
>
> Hi,
>
> That is interesting. Does this mean that Elsevier receives entitlement-values
> that are not intended for Elsevier's services?
>
> Our federation treats entitlement attributes in a special way in the sense that
> when implementing attribute release policies, we need to filter on attribute
> *values* as well as on attribute names.
> Our IDPs think this is important, for instance because they don't want
> entitlements used for the TCS Personal Certificate service to end up at other
> SPs. Sending those values to other SPs would leak information on who has
> administrator privileges for the TCS portals.
>
> Operating a hub-and-spoke style federation, we have implemented filtering
> on our hub.
> I wonder how mesh federations handle this? What IDP software allows you
> to easily filter on attribute values? I know simplesamlphp can, but I'm not
> sure about others.
>
> My apologies if you think I am drifting off-topic.
>
> Cheers,
> --
> Joost van Dijk
> SURFnet
>
>
> On May 15, 2013, at 3:25 PM, "Vries, Ale de (ELS-NYC)" <ale@xxxxxxxxxxxx>
> wrote:
>
> > Our SP _generally_ requires the eduPersonEntitlement value, but
> coincidentally we've been running into the issue recently that more and more
> IdPs in more and more federations release multiple values for that attribute.
> Our assumption has always been that _if_ eduPersonEntitlement is used in
> any given federation, then just one value will be released for any given user
> at any given time - not multiple. So we're now faced with implementing logic
> to evaluate multiple attribute values to determine which of them may be
> valid for access to our products - which is not a small effort because of how
> deeply intertwined this logic is with our (already complex) authorization
> logic. Pending that implementation, we have simply decided to not check for
> eduPersonEntitlement value _at all_ for some federations, which means that
> in those federations some users may be getting access to our products while
> in fact they shouldn't.
> >
> >
> >> -----Original Message-----
> >> From: Keith Hazelton [mailto:hazelton@xxxxxxxx]
> >> Sent: Tuesday, May 14, 2013 14:00
> >> To: REFeds
> >> Subject: [refeds] use of eduPersonEntitlement
> >>
> >> An email thread here has me wondering whether IdPs outside InCommon
> >> tend to make much use of the eduPersonEntitlement attribute.
> >>
> >> Any data points welcome.
> >>
> >> --Keith Hazelton