Not sure I can map that statement to a specific thing the metadata is
meant to solve. It certainly doesn't tell you the country of origin of an
account holder to know who registered an IdP.

I'm against using metadata and the identity of an IdP for authorization of
users, both before and after interfederation. It's the attributes that
should matter. What these policy controls would hit would be for filtering
of attributes, or if the IdP just didn't pass muster operationally or
something like that.

-- Scott

It seems odd to use the registrar ID for this. You'd be saying, essentially, that any user authenticated by an IdP registered by InCommon was assumed to be engaged in "US research" (however that's defined) but that any user (even the same user) authenticated by an IdP registered by some other registrar was assumed not to be engaged in an eligible activity. That seems like conflating two concepts, particularly in the longer term.

I realise that you may feel there's nothing else available to represent the concept you want; I'm just saying this isn't what the registrationAuthority is supposed to be for at all.

-- Ian

No idea what that means for services, subjects and their research.
http://dev.maxmind.com/geoip/legacy/mod_geoip2/ ?
Not that virtually being on US soil (as far as GeoIP is concerned)
will tell you what kind of research I'm involved with.

Related to what Scott said about registrar info as Entity Attributes:
DFN-AAI translates @registrationAuthority into entity attributes in
their downstreams, IIRC, so the Shib SP's (and IDP's) built-in match
functors can be used for that, no extensions needed.
Quick short term "fix", I would think.
(And no, I also don't understand what a metadata registrar has to do
with the above mentioned use case. But then I don't understand the use
case. Or its relation to SAML and Shibboleth.)
-peter

What does NSF and R&S stand for btw?

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning-NOSDTyrR4+***@public.gmane.org *


-----Original Message-----
From: users-bounces-***@public.gmane.org [mailto:users-bounces-***@public.gmane.org] On Behalf Of Tom Scavo
Sent: 17 September 2014 16:58
To: Shib Users
Subject: Re: entity descriptors from multiple registrars
I definitely have use cases: two NSF-funded R&S SPs where the NSF dollars are intended to be used for US research, exclusively. My need is real and immediate. Without a solution, extending our local implementation of R&S to the international research community is essentially blocked.

Tom
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org

**********************************************************************
This message is sent in confidence for the addressee
only. It may contain confidential or sensitive
information. The contents are not to be disclosed
to anyone other than the addressee. Unauthorised
recipients are requested to preserve this
confidentiality and to advise us of any errors in
transmission. Any views expressed in this message
are solely the views of the individual and do not
represent the views of the College. Nothing in this
message should be construed as creating a contract.

Hull College owns the email infrastructure, including the contents.

Hull College is committed to sustainability, please reflect before printing this email.
**********************************************************************

TEXT

Hi,
At Knodium we're doing some work to try to map IDPs and their scopes to
real life institutions. However, our authorization policies still rely
on attributes so without something like an affiliation or entitlement to
tell you so, I don't see how you can achieve this.

In particular, the staff@ and student@ affiliations don't tell you
anywhere near as much as you might hope. PhD students are an interesting
edge case.


Your use cases seems to have parallels with "journal access", for which
the "common-lib-terms" entitlement is commonly used. Perhaps you need a
"was-given-nsf-dollars" entitlement?





Regards,
@ndy

Hi,
Having thought about this over lunch, I'm guessing that your assumption
is, given you have to be a US academic institution to register an IDP in
InCommon, that an InCommon IDP authentication authorizes the principal
as someone who is a US academic researcher?


Given that those SPs don't want to serve principals from other
federations, why can't you use the InCommon metadata only in the SP
configuration?


Would it be possible to accept a *.edu scope in an affiliation attribute
to identify US registered academic principals?


How strict do you need to be? Would it suffice to have a self
certification during first login?





Regards,
@ndy