Andy Swiffin wrote:
> Granted we will only assert EPSA as member correctly, there are still
> other "anyones" lurking in the directory that we would not want to make an
> implicit assertion of "HE" about even if not asserting EPSA=member.
The suggestion was made that the SP would only be able to rely on the
HE qualifier if member was also present.
> Is that necessary? The IdP operator has agreed to abide by the rules and
> only assert the truth - there has to be some "trust" that they will do that.
True, but ideally, if you're an SP you want to take attributes
from the authoritative source for those attributes. So, for example,
your institution would be the authoritative source for an attribute
such as what course a student had signed up to. It is less obvious
that a test IdP belonging to "Joe's Library Resources Ltd." is an
authoritative source for an attribute that says "I am an HE institution"
(even by accident).
> From the discussion it does seem like either a new attribute is
> required
The other problem with using an attribute is a practical one:
if it was defined, it wouldn't be useful until all the IdPs had set it
up in their directories. Since in this case it would actually benefit
them to do so (by enabling access to more resources), there might be
a non-zero chance of this actually happening, though not necessarily
in a short enough timescale, which is part of what makes the centralised
approach attractive.
> or new values for EPSA. Although that is probably something that
> puts ice in the hearts of those tasked with negotiating it!
Understatement!
> Could eduPersonEntitlement be used in the meantime?
If IdPs were going to be trusted to self-assert an attribute then
eduPersonEntitlement ought to be workable. It's certainly extensible
enough. But I'd want to think further on the various possibilities
floated so far.
Thanks for all the discussion by the way folks.
Fiona.
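The SP-side rule floated in the thread (honour an "HE" claim only when the same IdP also asserts EPSA=member, and only from an IdP that is the authoritative source for that scope) can be expressed as a small authorization check. The code below is an added illustration, not code from anyone on the list or from any federation: the entity IDs, the registered-scope table and the entitlement URI standing in for the "HE" qualifier are all hypothetical.

```python
"""Added example, not from the thread: SP-side check that relies on an
"HE institution" claim only when the issuing IdP also asserts
eduPersonScopedAffiliation = member@<a scope it is registered for>.
Entity IDs, scopes and the entitlement URI below are hypothetical."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical federation metadata: entityID -> scopes the IdP is registered
# to assert. This is the "authoritative source" check from the discussion.
IDP_SCOPES: Dict[str, Set[str]] = {
    "https://idp.example.ac.uk/shibboleth": {"example.ac.uk"},
    "https://idp.joeslibrary.example/test": {"joeslibrary.example"},
}

# Hypothetical eduPersonEntitlement value standing in for a self-asserted
# "we are an HE institution" qualifier.
HE_ENTITLEMENT = "urn:example:he-institution"


@dataclass
class Assertion:
    """Attributes received from one IdP, after signature/trust validation."""
    issuer: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)


def member_scope(assertion: Assertion, registered: Set[str]) -> Optional[str]:
    """Return the scope of a member@<scope> EPSA value whose scope the
    issuer is registered for, or None. Malformed or foreign-scope values
    are ignored rather than trusted."""
    for value in assertion.attributes.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.rpartition("@")
        if not sep:
            continue  # unscoped value: not usable here
        if affiliation.lower() == "member" and scope.lower() in registered:
            return scope.lower()
    return None


def is_he_member(assertion: Assertion) -> bool:
    """True only if the issuer is known, asserts the HE entitlement, and
    also asserts member@<scope> for a scope it is registered to use."""
    registered = IDP_SCOPES.get(assertion.issuer)
    if not registered:
        return False  # unknown IdP: rely on nothing it says
    entitlements = assertion.attributes.get("eduPersonEntitlement", [])
    if HE_ENTITLEMENT not in entitlements:
        return False
    return member_scope(assertion, registered) is not None


if __name__ == "__main__":
    # Constructed sample assertions for a quick local run.
    ok = Assertion("https://idp.example.ac.uk/shibboleth", {
        "eduPersonScopedAffiliation": ["member@example.ac.uk"],
        "eduPersonEntitlement": [HE_ENTITLEMENT],
    })
    foreign = Assertion("https://idp.joeslibrary.example/test", {
        "eduPersonScopedAffiliation": ["member@example.ac.uk"],
        "eduPersonEntitlement": [HE_ENTITLEMENT],
    })
    print(is_he_member(ok), is_he_member(foreign))
```

The scope table is the piece that keeps a test IdP from borrowing another institution's scope: a member@example.ac.uk value from an IdP that is not registered for example.ac.uk is simply ignored, so the HE claim riding alongside it is never honoured.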