
List:       shibboleth-users
Subject:    RE: Identity Provider question
From:       Benji Wakely <B.Wakely () latrobe ! edu ! au>
Date:       2014-05-21 0:22:58
Message-ID: ED388DC4A58F6B448B46A84604DFFE4921E15D41 () MBX02 ! ltu ! edu ! au

As an example, the Australian Access Federation (which we're part of) has the following attributes that
an IdP must technically be able to populate:
http://aaf.edu.au/technical/aaf-core-attributes/

Of these attributes,
Service Providers must justify to the AAF why they need certain attributes,
and if so, will be allowed to request those attributes from an IdP
(the AAF takes care of metadata on behalf of the IdPs / is regularly synchronised.)

Additionally, at La Trobe, we've installed uApprove:
https://www.switch.ch/aai/support/tools/uApprove.html
which compels the user to acknowledge and approve of their individual attributes
that are being released - if they're ultimately not comfortable with it,
they can refuse consent.

--Benji

Benji Wakely <b.wakely@latrobe.edu.au>
Unix Systems Administrator
La Trobe University
+613 9479 5499
+614 34 307 667

From: users-bounces@shibboleth.net [mailto:users-bounces@shibboleth.net] On Behalf Of Nate Klingenstein
Sent: Wednesday, 21 May 2014 3:53 AM
To: Shib Users
Subject: Re: Identity Provider question

Walter,

I am trying to get more information on Identity Provider. Is there a list of the information that Identity Provider provides about users who opt to allow us to see this information?

Any given identity provider (IdP) is operated directly by the organization that it asserts information on behalf of, so there is no one "Identity Provider".  Any IdP can release as little or as much information as desired to any service.  You can make a request for specific attributes but you'll need logic to handle instances where you don't get it.  The attributes available generally include inetOrgPerson and eduPerson as a baseline, and many IdP's support additional attributes.


Is there any indication of what percentage of users opt to allow this service?

Most IdP's in academia operate under the principle that attribute release is a required part of delivering educational services and don't explicitly prompt the user for further consent.  Some IdP's do request consent and there are widely used implementations for this for Shibboleth.  We don't have any statistics regarding consent from them.

Hope this helps,
Nate.
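Both replies above make the same point for anyone writing a Service Provider: an IdP may release only a subset of the requested attributes (by federation policy, as in the AAF case, or because the user declined at a uApprove consent screen), so the application behind the SP needs logic for attributes that simply never arrive. The following is an added example, not code from either poster or from the Shibboleth project. It assumes the usual deployment where the Shibboleth SP exports attributes into the web server environment under the `id` values from its attribute-map.xml (the IDs `eppn`, `displayName`, `mail`, `affiliation` and `entitlement` are assumed here; a real map may differ) and joins multi-valued attributes with `;`, escaping a literal semicolon as `\;`. The sample environments at the bottom are constructed, not captured from a real IdP.

```python
"""Build a user profile from Shibboleth SP-exported attributes, tolerating
attributes the IdP (or the user, via consent) chose not to release."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attribute IDs as exported by the SP (assumed; taken from attribute-map.xml
# in a real deployment). Only eppn is treated as mandatory: without an
# identifier the application cannot do anything useful with the session.
REQUIRED_ATTRS = ("eppn",)
OPTIONAL_ATTRS = ("displayName", "mail", "affiliation", "entitlement")

# The SP joins multi-valued attributes with ';' and escapes a literal
# semicolon inside a value as '\;', so split only on unescaped separators.
_VALUE_SEP = re.compile(r"(?<!\\);")


class MissingRequiredAttribute(Exception):
    """The IdP did not release an attribute the application cannot do without."""


@dataclass
class Profile:
    eppn: str
    display_name: Optional[str]            # None when not released
    mail: Optional[str]                    # None when not released
    affiliations: List[str] = field(default_factory=list)
    entitlements: List[str] = field(default_factory=list)


def split_values(raw: Optional[str]) -> List[str]:
    """Turn an SP-exported multi-valued string into a list of values."""
    if not raw:
        return []
    return [part.replace("\\;", ";") for part in _VALUE_SEP.split(raw)]


def withheld(env: Dict[str, str]) -> List[str]:
    """Optional attributes that were requested but not released; worth logging
    so operators can see which IdPs or consent decisions limit functionality."""
    return [a for a in OPTIONAL_ATTRS if not env.get(a)]


def build_profile(env: Dict[str, str]) -> Profile:
    """Map the SP environment to a Profile; absent optional attributes become
    None or an empty list instead of a KeyError deep inside the application."""
    missing = [a for a in REQUIRED_ATTRS if not env.get(a)]
    if missing:
        raise MissingRequiredAttribute("IdP did not release: " + ", ".join(missing))
    return Profile(
        eppn=env["eppn"],
        display_name=env.get("displayName") or None,
        mail=env.get("mail") or None,
        affiliations=split_values(env.get("affiliation")),
        entitlements=split_values(env.get("entitlement")),
    )


def profile_or_none(env: Dict[str, str]) -> Optional[Profile]:
    """Convenience wrapper for request handlers: None means 'deny and explain'."""
    try:
        return build_profile(env)
    except MissingRequiredAttribute:
        return None


def has_affiliation(profile: Profile, wanted: str, scope: Optional[str] = None) -> bool:
    """Check a scoped eduPersonScopedAffiliation such as 'member@example.edu'.
    Authorization decisions should key on this, never on display attributes."""
    for value in profile.affiliations:
        name, _, value_scope = value.partition("@")
        if name == wanted and (scope is None or value_scope == scope):
            return True
    return False


# Constructed sample environments (not captured from a real IdP).
FULL_RELEASE = {
    "eppn": "jdoe@example.edu",
    "displayName": "Jane Doe",
    "mail": "jane.doe@example.edu",
    "affiliation": "member@example.edu;staff@example.edu",
    "entitlement": "urn:mace:dir:entitlement:common-lib-terms",
}
MINIMAL_RELEASE = {"eppn": "jdoe@example.edu", "affiliation": "member@example.edu"}
NO_IDENTIFIER = {"displayName": "Jane Doe"}  # e.g. user refused consent for eppn

if __name__ == "__main__":
    for name, env in (("full", FULL_RELEASE), ("minimal", MINIMAL_RELEASE), ("none", NO_IDENTIFIER)):
        p = profile_or_none(env)
        print(name, "->", p, "withheld:", withheld(env))
```

The design choice is to make the set of mandatory attributes as small as possible and to treat everything else as enhancement, so that a restrictive federation policy or a user refusing consent for a non-essential attribute degrades the experience rather than producing an error page; `withheld()` gives operators the visibility Nate notes nobody has statistics for.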


