Refeds

Subject	RE: use of eduPersonEntitlement
From	"Vries, Ale de (ELS-NYC)" <ale@xxxxxxxxxxxx>
Date	Wed, 15 May 2013 16:00:43 +0000

Actually, in the specific case of SURFconext we encountered this issue not because of multiple values being released, but because of the same value being released in two different formats - urn:mace:<name> and urn:mace:<oid>. Our access management system choked on that - and it's currently being worked around by the SURFconext hub, IIRC. 

> -----Original Message-----
> From: Joost van Dijk [mailto:Joost.vanDijk@xxxxxxxxxx]
> Sent: Wednesday, May 15, 2013 10:20
> To: Vries, Ale de (ELS-NYC)
> Cc: Keith Hazelton; REFeds
> Subject: Re: [refeds] use of eduPersonEntitlement
> 
> Hi,
> 
> That is interesting. Does this mean that Elsevier receives entitlement-values
> that are not intended for Elsevier's services?
> 
> Our federation treats entitlement attributes in a special way in the sense that
> when implementing attribute release policies, we need to filter on attribute
> *values* as well as on attribute names.
> Our IDPs think this is important, for instance because they don't want
> entitlements used for the TCS Personal Certificate service to end up at other
> SPs. Sending those values to other SPs would leak information on who has
> administrator privileges for the TCS portals.
> 
> Operating a hub-and-spoke style federation, we have implemented filtering
> on our hub.
> I wonder how mesh federations handle this? What IDP software allows you
> to easily filter on attribute values? I know simplesamlphp can, but I'm not
> sure about others.
> 
> My apologies if you think I am drifting off-topic.
> 
> Cheers,
> --
> Joost van Dijk
> SURFnet
> 
> 
> On May 15, 2013, at 3:25 PM, "Vries, Ale de (ELS-NYC)" <ale@xxxxxxxxxxxx>
> wrote:
> 
> > Our SP _generally_ requires the eduPersonEntitlement value, but
> coincidentally we've been running into the issue recently that more and more
> IdPs in more and more federations release multiple values for that attribute.
> Our assumption has always been that _if_ eduPersonEntitlement is used in
> any given federation, then just one value will be released for any given user
> at any given time - not multiple. So we're now faced with implementing logic
> to evaluate multiple attribute values to determine which of them may be
> valid for access to our products - which is not a small effort because of how
> deeply intertwined this logic is with our (already complex) authorization
> logic. Pending that implementation, we have simply decided to not check for
> eduPersonEntitlement value _at all_ for some federations, which means that
> in those federations some users may be getting access to our products while
> in fact they shouldn't.
> >
> >
> >> -----Original Message-----
> >> From: Keith Hazelton [mailto:hazelton@xxxxxxxx]
> >> Sent: Tuesday, May 14, 2013 14:00
> >> To: REFeds
> >> Subject: [refeds] use of eduPersonEntitlement
> >>
> >> An email thread here has me wondering whether IdPs outside InCommon
> >> tend to make much use of the eduPersonEntitlement attribute.
> >>
> >> Any data points welcome.
> >>
> >>      --Keith Hazelton

Follow-Ups:
- Re: use of eduPersonEntitlement
  - From: Peter Schober

References:
- use of eduPersonEntitlement
  - From: Keith Hazelton
- RE: use of eduPersonEntitlement
  - From: Vries, Ale de (ELS-NYC)
- Re: use of eduPersonEntitlement
  - From: Joost van Dijk

Prev by Date: Re: advice on redirect from email for discovery?
Next by Date: Re: advice on redirect from email for discovery?
Previous by thread: Re: use of eduPersonEntitlement
Next by thread: Re: use of eduPersonEntitlement
Index(es):
- Date
- Thread