
GEANT eduGAIN Data Protection "Code of Conduct" Workshop


Presentation Transcript


  1. GEANT eduGAIN Data Protection "Code of Conduct" Workshop
  Dieter Van Uytvanck, dieter.vanuytvanck@mpi.nl, Brussels

  2. We, the Service Providers
  • CLARIN SPs – www.clarin.eu/spf
  • DARIAH SPs
  • More general:
    • DASISH community
    • EUDAT community

  3. CLARIN SPs
  [Diagram: the User, a CLARIN Service Provider and CLARIN ERIC, with the identity federations involved: Dutch IDF, Finnish IDF, German IDF, … and the EU IDF (GEANT/eduGAIN); also shown: Organization and Depositor.]

  4. The ideal world…

  5. I would like to use a CLARIN service…
  [Flow diagram: User, Service Provider, Discovery Service, Identity Provider]
  1. User wants to access the Service Provider
  2. Service Provider redirects to the Discovery Service
  3. User selects IdP
  4. Discovery Service redirects to the Identity Provider
  5. User enters credentials
  6. Identity Provider redirects to the resource for the authorization check
  7. User uses the Service Provider

  6. Back to reality
  • Main problems:
    • Not enough (worst case: no) attributes are released
    • Opt-in at the side of the Identity Providers
    • No support for “exotic” SAML profiles like ECP at the side of the providers

  7. I would like to use a CLARIN service…
  [Flow diagram: User, Service Provider, Discovery Service, Identity Provider]
  1. User wants to access the Service Provider
  2. Service Provider redirects to the Discovery Service
  3. User selects IdP
  4. Discovery Service redirects to the Identity Provider
  5. User enters credentials
  6. Identity Provider sends attributes for the authorization check
  7. User uses the Service Provider

  8. I would like to use a CLARIN service…
  [Flow diagram: User, Service Provider, Identity Provider]
  1. User wants to access the Service Provider
  2. Access denied
  Error: "Universiteit van Tilburg" is not in the list of organisations that have requested access for the service "CATALOG (CLARIN)". If you require access you need to contact your organization's ICT department regarding this service; when they agree, they can contact SURFfederatie to include your organization in the list.

  9. But which ICT department?
  • contact the Research Group ICT dept.
  • contact the Faculty ICT dept.
  • contact the University ICT dept.

  10. And what to ask for?
  From: christianh@someuniversity.eu
  To: support@someuniversity.eu
  Re: Component Registry
  Dear support team,
  I would like to access the CLARIN component registry but get an error message: "Universiteit van Tilburg" is not in the list of organisations that have requested access for the service "CATALOG (CLARIN)"
  What should I do now?
  Best regards,
  Christian

  11. … to summarize
  • Logging in to an SP for the first time:
    • Takes a while (asking for permission!)
    • Depends on a non-standardized workflow
      • Depending on the reaction of the researcher
      • Depending on the reaction of the IT helpdesk
    • Adds to the bureaucratic burden that AAI was supposed to address
    • Takes more effort for the user than creating a new ad-hoc account
  • Scalability problem: many SPs and IdPs (CLARIN e.g. – S * I times permission requests)

  12. Exotic SAML profiles
  • CLARIN and DARIAH want to use web service trust delegation
  • This has been tested by DARIAH and works …
  • … but depends on the IdP, who has to configure the ECP SAML profile correctly

  13. Summarizing our needs
  • Less problematic attribute release policy (eduGAIN code of conduct = good initiative!)
  • Get rid of opt-in for IdPs
  • Try to configure the ECP profile by default at the side of the IdP

  14. Temporary workaround
  • For CLARIN: the CLARIN IdP
    • In practice: running our own federation
    • Not what we want to do!
  • Gold standard for attributes:
    • eduPersonPrincipalName (EPTID)
    • Common name
    • Organisation (schacHomeOrganisation)
    • Mail
    • eduPersonScopedAffiliation
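The "not enough attributes are released" problem from slide 6 is easiest to diagnose at the SP if it checks the released attribute set against the gold-standard list from this slide and logs exactly what is missing, rather than returning a bare "access denied" like the one on slide 8. The following Python is an added example written for this page, not code from the presentation or from CLARIN: it parses the AttributeStatement of a SAML 2.0 assertion and reports the missing attributes. The assertions are constructed samples, and the OID-to-name mapping assumes the IdP uses the `urn:oid:` attribute naming that eduGAIN IdPs commonly use.

```python
"""Report which gold-standard attributes an IdP did not release.

Added example, not from the presentation. Runs on the assertion *after*
signature validation and subject confirmation have been done by the SP
software; xml.etree does not verify XML signatures.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Gold-standard attributes from the slide (friendly name -> SAML attribute
# Name in urn:oid form). Assumption: the IdP names attributes this way.
REQUIRED_ATTRIBUTES = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "cn": "urn:oid:2.5.4.3",
    "schacHomeOrganization": "urn:oid:1.3.6.1.4.1.25178.1.2.9",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "eduPersonScopedAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",
}


def released_attributes(assertion_xml: str) -> dict:
    """Return {friendly name or Name: [values]} for every released attribute."""
    root = ET.fromstring(assertion_xml)
    ns = {"saml": SAML_NS}
    oid_to_friendly = {oid: name for name, oid in REQUIRED_ATTRIBUTES.items()}
    released = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        name = attr.get("Name", "")
        # Key by the known OID, else by the IdP's FriendlyName, else by Name.
        key = oid_to_friendly.get(name) or attr.get("FriendlyName") or name
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", ns)]
        released[key] = values
    return released


def missing_attributes(assertion_xml: str, required=REQUIRED_ATTRIBUTES) -> list:
    """Required attributes that were not released or carry only empty values."""
    released = released_attributes(assertion_xml)
    return [name for name in required if not any(released.get(name, []))]


def attribute_report(assertion_xml: str) -> str:
    """One log line an SP can emit instead of a bare 'access denied'."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("{%s}Issuer" % SAML_NS, default="<unknown issuer>")
    missing = missing_attributes(assertion_xml)
    if not missing:
        return "IdP %s released all required attributes" % issuer
    return "IdP %s did not release: %s" % (issuer, ", ".join(missing))


# Constructed sample 1: the IdP releases only an affiliation (slide 6 case).
SPARSE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1" Version="2.0"
    IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example-university.example/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
        FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>member@example-university.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample 2: the full gold standard plus one extra attribute that
# is only identified by FriendlyName.
FULL_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c2" Version="2.0"
    IssueInstant="2013-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example-university.example/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>christianh@example-university.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.3">
      <saml:AttributeValue>Christian H</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9">
      <saml:AttributeValue>example-university.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3">
      <saml:AttributeValue>c.h@example-university.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>staff@example-university.example</saml:AttributeValue>
      <saml:AttributeValue>member@example-university.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="displayName" FriendlyName="displayName">
      <saml:AttributeValue>Christian H</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(attribute_report(SPARSE_ASSERTION))
    print(attribute_report(FULL_ASSERTION))
```

The report names the IdP (from the Issuer element) and the exact missing attributes, which is the information the user on slide 10 had to guess at when writing to the helpdesk; an SP that logs this line has what it needs to tell the user which organisation to contact and what to ask for.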

  15. Practical questions about CoC
  • What about trust delegation?
    • Web service A calls web service B on behalf of user X
  • How long can a Service Provider store attributes?
