Service Description: Service that lets a user check whether their eduGAIN IdP is releasing attributes properly, neither too many nor too few. Service URL is http://release-check.edugain.org/
Components: Uses a LAMP stack with PHP and MySQL.
Code Repository: https://code.geant.net/stash/projects/GN4SA2T2/repos/edugain-attribute-release-check/browse
Infrastructure:
- Test infrastructure: uat-edugain01.geant.net (change the local hosts file so that release-check.edugain.org points to this host)
- Production infrastructure: prod-edugain01.geant.net (service name http://release-check.edugain.org/)
Operational Information: No regular operational maintenance is needed as far as we know.
Roadmap/ToDos:
- REFEDS Research and Scholarship NG, what does the NG stand for? Locally change test names in code to:
  - EARC - REFEDS Research and Scholarship Test -> REFEDS R&S Test with Requested Attributes
  - EARC - REFEDS Research and Scholarship NG -> REFEDS R&S Test
  - EARC - GEANT Data Protection Code of Conduct Test -> GEANT Data Protection Code of Conduct Test
  - EARC - No Entity Category Test -> No Entity Category Test
- Change SP MDUI DisplayName to:
  - EARC - REFEDS Research and Scholarship Test -> EARC - REFEDS Research and Scholarship with Requested Attributes Test
  - EARC - REFEDS Research and Scholarship NG -> EARC - REFEDS Research and Scholarship Test
- Discuss changing grade for over-releasing (ePTID and common-lib entitlement value in UK and PL)
  - ePTID: Accept (= don't treat as superfluous attribute) but show info that this attribute was not requested by the SP; treat ePTID and persistentID the same way. Rename attribute, e.g. to eduPersonTargetedID/persistentId
  - common-lib-terms: Don't treat the common-lib-terms value in the entitlement attribute as superfluous. Treat other values as superfluous though.
- Provide REST/JSON API to query results (asked by Tomasz and Maja) or sync database to technical.edugain.org
  - API should allow querying the results of a particular IdP and asking which grades an IdP would get if releasing certain attributes to a test SP. Some API calls still need to be defined and then documented somewhere (e.g. wiki.edugain.org). Should not have high priority as Tomasz/Maja asked for this based on false assumptions about EARC initially. However, others (e.g. Niels) also have some use for an API.
- No distinction between ePTID and persistentID NameID format (Wolfgang)
  - See above, should not play a role anymore if both are treated the same way (= without penalty)
- Provide (Shib) IdP admin hints on where to fix things
  - Add links to existing R&S, CoCo documentation if grade is worse than an A.
- Why have the no-EC-test? (Pal Axelsson)
  - We don't have a good idea how to grade the results of this test because we don't know what should have more precedence: usability or data privacy or a mix of both.
  - Remove grading as it is not easily possible to do a proper grading but keep information on what is released.
  - Replace verdict with a hint (no attributes = good data privacy but bad usability, all attributes = the other way around)
- Beautification proposals:
  - Remove section "entityCategories" as it is obsolete/redundant
  - Rename "requestedAttributes" -> "Requested Attributes"
- Ask for local federation-specific attribute release checks in next email to eduGAIN Steering group. Then add them to EARC.