On Fri, 25 Apr 2008, Sean Dunne wrote:
>> Would you expect such an IdP to restrict who it made assertions about?
>> We, the University of Cambridge, might for example choose to run a
>> publicly available IdP on which anyone could register (cf. the one run
>> by Protect Network [1]). Clearly such an IdP would be being run by an
>> HE institution. Would marking it as such be useful?
>
> No, we would not expect that. We would still require that the
> eduPersonScopedAffiliation value was member or equivalent (for relevant
> licences). The HE/FE/Research Council flag would just help us to
> automate producing our list of eligible organisations.
Isn't what you really want an assertion of the status associated with the
scope used to form the eduPersonScopedAffiliation, rather than of the IdP
operator? That way you could implement "must have ePSA of 'member' within
an HE institution", and we could run one IdP asserting "[log in to unmask]"
for 'real' members and [log in to unmask] for alumni.
A quick peek at the current UK federation metadata suggests that multiple
scopes are legal. For instance
entityID="urn:mace:eduserv.org.uk:athens:federation:beta" currently
asserts lots of scopes, not all of which can possibly be of the same
status (anglia.ac.uk vs. test.ovid.com).
Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge
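The policy Jon sketches ("must have ePSA of 'member' within an HE institution") keyed on the scope rather than on the IdP operator, worked through as an added example that is not code from this thread, the UK federation or Shibboleth. The metadata fragment, the entityID, the scopes and the scope-to-status table are all constructed for illustration; the one real-world element is the check that the scope in an eduPersonScopedAffiliation value is one the asserting IdP is permitted to use according to its shibmd:Scope metadata, which is the check a Shibboleth SP performs before trusting a scoped attribute (simplified here).

```python
"""Scope-based eligibility check for eduPersonScopedAffiliation (ePSA).

Added example, not code from the original message, the UK federation or
Shibboleth.  Metadata, entityID, scopes and the status table are constructed.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed metadata: one IdP asserting several scopes of differing status,
# the situation Jon observes in the real federation metadata.
METADATA = r"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
        <shibmd:Scope regexp="false">alumni.example.ac.uk</shibmd:Scope>
        <shibmd:Scope regexp="true">^.+\.test\.example\.com$</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Hypothetical status table keyed on scope, not on IdP operator.  This is the
# per-scope assertion the message argues a federation should publish.
SCOPE_STATUS = {
    "example.ac.uk": "HE",
    "alumni.example.ac.uk": "alumni",
}


def load_scopes(metadata_xml):
    """Return {entityID: [(pattern, is_regexp), ...]} for every IdP in the metadata."""
    root = ET.fromstring(metadata_xml)
    scopes = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        found = []
        for idp in ed.findall("md:IDPSSODescriptor", NS):
            for s in idp.findall("md:Extensions/shibmd:Scope", NS):
                pattern = (s.text or "").strip()
                is_regexp = s.get("regexp", "false").lower() == "true"
                found.append((pattern, is_regexp))
        if found:
            scopes[ed.get("entityID")] = found
    return scopes


def scope_permitted(entity_id, scope, scopes):
    """True if metadata lets this IdP assert values in `scope`.

    Without this check an IdP could assert member@some-other-university and
    borrow that institution's status.  Regexp scopes are expected to be anchored.
    """
    for pattern, is_regexp in scopes.get(entity_id, []):
        if is_regexp:
            if re.search(pattern, scope):
                return True
        elif pattern.lower() == scope.lower():
            return True
    return False


def parse_epsa(value):
    """Split 'affiliation@scope'; reject values without exactly one '@'."""
    if value.count("@") != 1:
        raise ValueError("malformed eduPersonScopedAffiliation: %r" % value)
    affiliation, scope = value.split("@")
    return affiliation.lower(), scope.lower()


def eligible(entity_id, epsa, scopes, status_table,
             required_aff="member", required_status="HE"):
    """Decide 'must have ePSA of required_aff within a required_status institution'.

    Returns (decision, reason).  The decision depends on the scope's status,
    so one IdP can assert member@example.ac.uk and member@alumni.example.ac.uk
    and only the former qualifies.
    """
    affiliation, scope = parse_epsa(epsa)
    if not scope_permitted(entity_id, scope, scopes):
        return False, "scope %s not permitted for %s by metadata" % (scope, entity_id)
    if affiliation != required_aff:
        return False, "affiliation is %s, need %s" % (affiliation, required_aff)
    status = status_table.get(scope)
    if status != required_status:
        return False, "scope %s has status %s, need %s" % (scope, status, required_status)
    return True, "ok"


if __name__ == "__main__":
    idp = "https://idp.example.ac.uk/idp"
    table = load_scopes(METADATA)
    for value in ("member@example.ac.uk", "member@alumni.example.ac.uk",
                  "alum@alumni.example.ac.uk", "member@other.ac.uk",
                  "member@x.test.example.com"):
        print(value, "->", eligible(idp, value, table, SCOPE_STATUS))
```

The metadata check runs first so that the status lookup is only ever made on a scope the IdP is entitled to assert; the status table itself is hypothetical, standing in for whatever per-scope marking the federation might choose to publish.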