Jon Warbrick wrote:
>> Isn't there already a defined "alumni" value for ePSA?
>
> I believe so.
Yes, there is.
>> I don't see any reason why this would predjudice our continuing to
>> work within the UK Fed.
>
> My immediate concern was with user accountability. The registration of
> our current IdP says that we are able to hold our users accountable.
> Which we are as long as they are current 'members' of the University.
> I'm not sure that we could make the same assertion of our Alumni, which
> suggests that we'd at least need a separate IdP for them, which we might
> not want in the normal UK Federation WAYF. Having gone this far, it's
> not clear that there is any point in the UK Federation knowing anything
> about this IdP.
This has come up a number of times. One observation is that of course
there are a significant number of resources who don't require user
accountability from you; there's no need to set up something in parallel
to the UK federation just because the federation has the concept of user
accountability.
An extreme position (I will name no names) would be to say that really
no institution has the same level of control (and therefore
accountability) over every one of the users it might authenticate, and
asking people to sign up to "user accountability" as an all or nothing
thing is making things easy for the SPs at the expense of the IdPs.
Setting up more than one IdP (one for accountable users, another for the
riffraff) is a solution to this that has been suggested more than once,
and implementing it invisibly is technically feasible in some scenarios
because SAML 1.x allows unsolicited "responses" to come back from any
IdP, so you could respond "from" an appropriate IdP depending on the
user authenticated. This is the same loophole that allows the 1.x WAYF
technology to work.
Another approach that is gaining ground elsewhere, particularly in
InCommon as I understand it, is to generalise the idea of LoA into a
system of "identity assurance profiles". IAP identifiers would be used
to label the *capabilities* of IdPs and also be transmitted as
attributes describing the profile or profiles met by individual users
(or, in general, individual authentication events about individual users).
[Generalised in two senses. Firstly, there is no assumption that IAPs
form a system of hierarchical "levels"; second, an individual user or
asseertion might be labelled with more than one IAP.]
Obviously this kind of scheme is more complicated than our current
section 6 profile, with costs on both the IdP and SP over and above what
working with section 6 requires. On the other hand, anyone running an
identity store with a few dozen different kinds of user can see that it
is closer to being able describe reality.
I personally think that the IAP concept has significant "legs" in the
long term. Whether there's a need to develop the concept for use within
the UK federation will depend on how many people find that the
particular set of rules described by section 6 fail to cover their use
cases. If you're in that position, drop me a line.
> There is also the nagging worry that some SPs may be accepting any
> authentication from IdPs that appear in the Federation metadata without
> checking ePSA...
That would certainly be bad, and people should not do it. We try to
discourage such blind reliance by warnings in multiple places, for
example the following from TRP section 4:
> Note, however, that presence in the federation metadata alone should not be
> taken to imply particular behavioural guarantees. In particular:
> * it is the responsibility of each identity provider to establish appropriate
> policies for attribute release based on their knowledge of individual
> service providers;
> * it is the responsibility of each service provider to decide how much
> trust to place in the attributes presented by an identity provider based
> on their knowledge of the individual identity provider.
-- Ian
|