I agree with Richard that the Federation should expand the 'standard' attributes and value-ranges it recommends; that may (or may not) include making more mandatory (but why raise the bar of entry, for institutions that just want to eliminate what they now do via the centralised Athens service?) I don't think that such a review needs to happen before the transition of all/most of F&HEIs into Fed membership. John -----Original Message----- From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Richard Dunning Sent: 14 June 2007 11:04 To: [log in to unmask] Subject: Re: [JISC-SHIBBOLETH] Anyone using ArpViewer or Autograph? Is this not a case for the Federation mandating attributes? There is a potential here for IdPs having to set up bilateral agreements with all SPs they wish to connect to... Best regards Richard Dunning Eduserv innovative technology services _____ [log in to unmask] tel: +44 (0)1225 474317 fax: +44 (0)1225 474332 http://www.eduserv.org.uk _____ -----Original Message----- From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Alistair Young Sent: Thu 14 June 2007 10:42 To: [log in to unmask] Subject: Re: Anyone using ArpViewer or Autograph? yes, I think it's important to remember that users should not be exposed to the current attribute vocabulary. i.e. "do you want to release your userRole attribute to this service provider?" will flood the helpdesk with "what's my userRole attribute?" questions. "Do you want to let the Service Provider know your email address?" is what they should be asked and the IdP should do that mapping. But then again, IdPs don't know what attributes the SP wants. Most SPs take a blunderbuss approach, getting the IdP to release everything and then sifting to see if what has arrived is enough to grant access. Remember that your first name can be transported in any number of attributes depending on which SP wants it. So you should be asked about your first name, not your urn:very:long:urn:eduThingyNeverHeardOfThatAttribute. The IdP is an attribute babel fish: http://en.wikipedia.org/wiki/Babel_fish Alistair -- mov eax,1 mov ebx,0 int 80h > first off, i would supply a simple and advanced intereface, with > simple NOT giving any of these problematic terms. Let them give less > granular sets of permissions, perhaps even simply listing, as > Alistair has in his example, that the SP wants some info, and do you > want to give the info to the SP? > > Let them drill down into that if they like, with a pref setting to > remember. Also, an info box on each attribute type with an easily > mod'd institutional entry to give it local context. > > > s > > On 14 Jun 2007, at 07:13, Alex Reid wrote: > >> At 09:26 PM 13/06/2007, Alistair Young wrote: >> ... >>> Wouldn't it be nice to have a graphical interface with icons for SPs >>> and icons for each of your attributes and you could drag and drop >>> your attributes onto each of the SPs. >> ... >>> > On Tue, 12 Jun 2007, Chad La Joie wrote: >> ... >>> > However I think that an interface that pops up a message during >>> the Shib >>> > interaction that says something like: >>> > >>> > To let you access the Journal of Applied Confusion website >>> > we need to tell it the following things about you: >>> > >>> > Affiliation: [log in to unmask] >>> > Anonymous identifier: [log in to unmask] >>> > Inside leg measurement: 820mm >>> > >>> > Do you want us to: >>> > >>> > a) Do so this one time >>> > b) Do this now and for this site in future >>> > c) Do this now and for _all_ sites in future >>> > >>> > would probably make sense to most users. >> >> I agree with both these suggestions in principle, but some of the >> attributes are so arcane (eg eduPersonPrincipalName (and distinctions >> between that, sn and cn), eduPersonScopedAffiliation, >> eduPersonTargetedID - all of which we are planning to make "must >> haves" for the Australian Federation) that I strain to think about >> they can be conveyed meaningfully to users. Anyone any ideas? >> >> Cheers, Alex. >> >> ------------------------------------------------------- >> T Alex Reid >> Director, eResearch/Middleware >> AARNet Pty Ltd >> c/- 71A Raymond Street, Yokine, 6060 >> Western Australia >> ph +61 8 9345 0440 >> mobile +61 40 888 5515 >> email [log in to unmask] >> web http://www.aarnet.edu.au/engineering/middleware/ >> > Unless otherwise agreed expressly in writing by a senior manager of Eduserv, this communication is to be treated as confidential and the information in it may not be used or disclosed except for the purpose for which it has been sent. If you have reason to believe that you are not the intended recipient of this communication, please contact the sender immediately. No employee or agent is authorised to enter into any binding agreement or contract on behalf of Eduserv or Eduserv Technologies Ltd., unless that agreement is subsequently confirmed by the conclusion of a written contract or the issue of a purchase order. Eduserv (Limited by Guarantee) - company number 3763109 - and Eduserv Technologies Ltd - company number - 4256630 - are both companies incorporated in England and Wales and have their registered offices at Queen Anne House, 11 Charlotte Street, Bath, BA1 2NE. Please access the attached hyperlink for an important electronic communications disclaimer: http://www.lse.ac.uk/collections/secretariat/legal/disclaimer.htm