...
Title | Discovery for Attribute Authorities (AAs) |
---|---|
Description | Users can select their IdP via discovery, therefore the SP can potentially receive users from thousands of IdPs. There is no such facility for AAs, however, meaning that SPs need to hard-configure which AAs they query. Also, they query all the configured AAs for all users all the time. In GN4-1-JRA3-T1 it has been established that this is a serious bottleneck, as a maximum of 2-3 AAs can be queried without breaking the entire login session. A better approach is needed. The SPs need to query AAs selectively, based on either user input or some alternative means, like some VO lookup service. Otherwise all SPs will just stick with the biggest AAs like eduTEAMS basic membership service or hexaa.eduid.hu and not query alternative entities, making single-tenant AAs very unattractive. |
Proposer | Mihály Héder |
Resource requirements | This is a hard one. Currently there is no support for any elements of this whatsoever. |
+1's | Constantin Sclifos, RENAM |
-1's | Wolfgang Pempe, DFN: Such a dynamic approach would raise issues concerning trust and privacy. An attribute authority must be in control of the list of SPs that are entitled to perform attribute queries and (possibly) receive PII. |
Title | Attribute Authority scoping information in Metadata |
---|---|
Description | It seems that AARC-JRA1.4A will propose "scoping of group membership information". However, there is no element in the SAML metadata that contains the scope of an AA, therefore, there is nothing to verify the scoped membership information against. The only way today is to learn about the scopes used by an AA entity via word-of-mouth and then apply those scopes in attribute value level filtering and access control rules, maintained manually in the SP config. Obviously this does not scale. |
Proposer | Mihály Héder |
Resource requirements | |
+1's | |
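The proposal above is about verifying scoped group-membership values against scopes the AA is entitled to assert. The following is an added illustration, not part of the proposal or of any federation's tooling. It assumes what the proposal says is missing today: a per-AA scope element in metadata. Here the Shibboleth `shibmd:Scope` extension is used as a hypothetical carrier inside the `AttributeAuthorityDescriptor`'s `Extensions`; the entityIDs, scopes and attribute values are constructed sample data. An SP with such a map can drop any `value@scope` that the querying AA does not own, instead of maintaining the scope list by hand in its filter policy.

```python
"""Scope-check 'member@scope' values from an Attribute Authority (AA) against
scopes published in its SAML metadata.

Added example (not from the proposal). ASSUMPTION: each AA's scopes are carried
in <shibmd:Scope> elements under AttributeAuthorityDescriptor/Extensions.
Both the metadata and the attribute values below are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed metadata for two fictitious AAs; vo-a also owns a regexp scope.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://aa.vo-a.example/aa">
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">vo-a.example</shibmd:Scope>
        <shibmd:Scope regexp="true">^([a-z0-9-]+\\.)?vo-a\\.org$</shibmd:Scope>
      </md:Extensions>
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://aa.vo-a.example/aa/query"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://aa.vo-b.example/aa">
    <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">vo-b.example</shibmd:Scope>
      </md:Extensions>
      <md:AttributeService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
          Location="https://aa.vo-b.example/aa/query"/>
    </md:AttributeAuthorityDescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_aa_scopes(metadata_xml):
    """Map entityID -> [(scope, is_regexp), ...] for every AA in the metadata.

    Only scopes inside the AttributeAuthorityDescriptor count: an entity's
    IdP-role scopes must not silently authorise its AA role.
    """
    root = ET.fromstring(metadata_xml)
    scopes = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        aad = ed.find("md:AttributeAuthorityDescriptor", NS)
        if aad is None:
            continue
        entries = []
        for s in aad.findall("md:Extensions/shibmd:Scope", NS):
            is_regexp = s.get("regexp", "false").lower() == "true"
            entries.append(((s.text or "").strip(), is_regexp))
        scopes[ed.get("entityID")] = entries
    return scopes


def scope_matches(scope, allowed):
    """True if 'scope' is covered by one of the AA's literal or regexp scopes."""
    for value, is_regexp in allowed:
        if is_regexp:
            if re.fullmatch(value, scope):
                return True
        elif scope.lower() == value.lower():
            return True
    return False


def filter_scoped_values(entity_id, values, aa_scopes):
    """Split 'x@scope' values asserted by entity_id into (accepted, rejected).

    A value with no or several '@', a value from an AA absent from metadata,
    or a scope the AA is not entitled to assert is rejected, never passed on.
    """
    allowed = aa_scopes.get(entity_id, [])
    accepted, rejected = [], []
    for v in values:
        if v.count("@") != 1:
            rejected.append(v)
            continue
        _, scope = v.split("@")
        (accepted if scope_matches(scope, allowed) else rejected).append(v)
    return accepted, rejected


if __name__ == "__main__":
    scopes = load_aa_scopes(SAMPLE_METADATA)
    # vo-b's AA trying to assert a vo-a group is dropped by the scope check.
    print(filter_scoped_values("https://aa.vo-b.example/aa",
                               ["admin@vo-a.example", "student@vo-b.example"],
                               scopes))
```

The check is per querying entity, not global: the same `admin@vo-a.example` value is accepted from vo-a's AA and rejected from vo-b's, which is exactly what manually maintained per-SP scope lists try to achieve today.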
...
Title | Attribute Authority Metadata policy development for eduGAIN |
---|---|
Description | While for IdPs and SPs eduGAIN metadata requirements are well described, no such requirements exist for AAs. However, we already have 5 of these entities in eduGAIN. It would also be a good idea to consider/define what it would mean for an AA to claim CoCo, R&S and Sirtfi support. |
Proposer | Niels van Dijk |
Resource requirements | |
+1's | Constantin Sclifos, RENAM; Nick Roy, InCommon; SURFnet; Rhys Smith, UKf (I think AAs will become more important as we move forward, and there is a gap here in policy that needs thinking about); Wolfgang Pempe, DFN |