Jon,
>
> >> Would you expect such an IdP to restrict who it made assertions about?
> >> We, the University of Cambridge, might for example choose to run a
> >> publicly available IdP on which anyone could register (c.f. the one run
> >> by Protect Network [1]). Clearly such an IdP would be being run by an
> >> HE institution. Would marking it as such be useful?
> >
> > No, we would not expect that. We would still require that the
> > eduPersonScopedAffiliation value was member or equivalent (for relevant
> > licences). The HE/FE/Research Council flag would just help us to
> > automate producing our list of eligible organisations.
>
> Isn't what you really want an assertion of the status associated with the
> scope used to form the eduPersonScopedAffiliation, rather than of the IdP
> operator? That way you could implement "must have ePSA of 'member' within
> an HE institution", and we could run one IdP asserting "[log in to unmask]"
> for 'real' members and [log in to unmask] for alumni.
>
That would seem to be a particularly perverse use of 'member' in ePSA; I thought 'member' was defined as equivalent to 'staff, student, faculty or employee' and explicitly not equivalent to 'alum'.
Surely it's much simpler to have one IdP and assert ePSA values "[log in to unmask]" for members and "[log in to unmask]" for alumni. Then if your IdP is marked as status HE our SP can deal with the situation by using the ePSA to distinguish members from alumni.
> A quick peek at the current UK federation metadata suggests that multiple
> scopes are legal. For instance
> entityID="urn:mace:eduserv.org.uk:athens:federation:beta" currently
> asserts lots of scopes, not all of which can possibly be of the same
> status (anglia.ac.uk vs. test.ovid.com).
>
> Jon.
>
I accept that some IdPs have multiple scopes (though I believe that soon that will no longer be the case for organisations outsourcing their IdP to Eduserv), in which case the status could be associated with the scope.
Sean
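The policy Jon and Sean are discussing ("must have ePSA of 'member' within an HE institution", with the status tied to the scope rather than to the IdP operator, and one IdP allowed to carry several scopes of differing status) is worked through below as an added example in Python. This is not code from the thread or from any federation software: the `st:status` attribute on `shibmd:Scope`, the sample metadata, the entityIDs and the scope names are all constructed for illustration. The check it adds that the thread takes for granted is the SP-side one: the scope in an asserted ePSA must be one the asserting entity is registered for in federation metadata (including regexp scopes), otherwise any IdP could assert `member@` some other institution's scope.

```python
"""Added example (not from the thread): evaluate 'member@<scope>' against
per-scope status carried in federation metadata.

Hypothetical pieces, for illustration only:
  - the st:status attribute on shibmd:Scope (urn:example:scope-status)
  - the two entityIDs, their scopes and the metadata document itself
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
# Hypothetical extension attribute giving the status of each scope (HE/FE/...).
STATUS_ATTR = "{urn:example:scope-status}status"

# Constructed sample metadata: the second IdP asserts scopes of differing status,
# as the thread notes real outsourced IdPs do.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:st="urn:example:scope-status">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false" st:status="HE">example.ac.uk</shibmd:Scope>
        <shibmd:Scope regexp="false" st:status="Alumni">alumni.example.ac.uk</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://shared.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="true" st:status="HE">^[a-z0-9-]+\\.example\\.ac\\.uk$</shibmd:Scope>
        <shibmd:Scope regexp="false" st:status="Other">test.example.com</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_scope_registry(metadata_xml):
    """Map entityID -> [(pattern, is_regexp, status)] from the shibmd:Scope elements."""
    registry = {}
    root = ET.fromstring(metadata_xml)
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        scopes = []
        for scope in entity.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
            text = (scope.text or "").strip()
            is_regexp = scope.get("regexp", "false").lower() == "true"
            status = scope.get(STATUS_ATTR, "Unknown")
            scopes.append((text if is_regexp else text.lower(), is_regexp, status))
        registry[entity.get("entityID")] = scopes
    return registry


# Exactly one '@', an alphabetic affiliation and a DNS-like scope; anything else is rejected.
EPSA_RE = re.compile(r"^([A-Za-z]+)@([A-Za-z0-9.-]+)$")


def split_epsa(value):
    """Split 'affiliation@scope' (case-folded), or None if the value is malformed."""
    m = EPSA_RE.match(value.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def scope_status(registry, entity_id, scope):
    """Status of `scope` as registered for `entity_id`; None if that entity may not assert it."""
    for pattern, is_regexp, status in registry.get(entity_id, []):
        if is_regexp:
            if re.match(pattern, scope):
                return status
        elif pattern == scope:
            return status
    return None


def eligible(registry, entity_id, epsa_values, required_status=("HE",), required_affiliation="member"):
    """True if any ePSA value is `member@<scope>` with the scope registered to this
    entity in metadata and carrying one of the required statuses."""
    for value in epsa_values:
        parts = split_epsa(value)
        if parts is None:
            continue
        affiliation, scope = parts
        if affiliation != required_affiliation:
            continue
        if scope_status(registry, entity_id, scope) in required_status:
            return True
    return False


REGISTRY = load_scope_registry(SAMPLE_METADATA)

if __name__ == "__main__":
    cases = [
        ("https://idp.example.ac.uk/idp", ["member@example.ac.uk"]),
        ("https://idp.example.ac.uk/idp", ["alum@example.ac.uk"]),
        ("https://shared.example.org/idp", ["member@uni.example.ac.uk"]),
        ("https://shared.example.org/idp", ["member@test.example.com"]),
        ("https://shared.example.org/idp", ["member@example.ac.uk"]),  # scope not registered to it
    ]
    for entity, values in cases:
        print(entity, values, "->", eligible(REGISTRY, entity, values))
```

The per-entity lookup in `scope_status` is the point: a scope's status is only meaningful once the SP has confirmed the asserting entity is allowed to use that scope, so `member@example.ac.uk` from the shared IdP is refused even though the scope itself is marked HE elsewhere in the metadata.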