Automatic attribute filtering based on SPs SAML entity categories


Olivier Salaün
Dec 5, 2014, 9:14:54 AM
to simple...@googlegroups.com
Hello,

I'm setting up an Identity Provider using simpleSAMLphp.
This Identity Provider will be part of the eduGAIN inter-federation <http://www.geant.net/service/eduGAIN/Pages/home.aspx> and it is expected that it automatically releases attributes, based on:
  1. RequestedAttribute elements found in SAML metadata. These XML elements, associated with an SP, tell all IdPs which user attributes this SP needs to work;
  2. Data Protection Code of Conduct compliance for the requesting SP. Compliance with the eduGAIN Code of Conduct <http://www.geant.net/uri/dataprotection-code-of-conduct/v1/Pages/default.aspx> is expressed via EntityAttributes XML elements in SAML metadata. It is reasonable for an IdP admin to automatically release PII (Personally Identifiable Information) to SPs that comply with the Code of Conduct;
  3. Research & Scholarship compliance for the requesting SP. Compliance with R&S <https://refeds.org/category/research-and-scholarship/> is also expressed via EntityAttributes in SAML metadata.

I've been able to configure my IdP for (1), using the core:AttributeLimit filter, but I'd also like to have a way to make the IdP treat required and optional user attributes differently.

I found Brook Schofield's patch <https://code.google.com/p/simplesamlphp/issues/detail?id=591> for core:AttributeLimit that would allow attribute filtering based on SP EntityCategories. However, the developers suggested refactoring before it could be integrated in simpleSAMLphp.

Did I miss any other feature that would allow that kind of advanced attribute filtering?
I'd like to get feedback from simpleSAMLphp IdP admins registered in eduGAIN: how do you cope with attribute filtering for eduGAIN?
Is anybody currently working on a new filter comparable to what Brook produced?

Thank you.

--
Olivier Salaün
Etudes et projets applicatifs
Tél : +33 2 23 23 71 27
Fax : +33 2 23 23 71 11
www.renater.fr
RENATER
263 Avenue du Gal Leclerc
35042 Rennes Cedex
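An added example, not code from this thread, from simpleSAMLphp or from Brook's patch: a Python sketch of the release decision Olivier describes, reading RequestedAttribute elements (required vs. optional) and the entity-category EntityAttributes (Code of Conduct v1, R&S) from SP metadata. The per-category attribute lists, the SP metadata and the user record are constructed for this example and are assumptions; only the namespace and entity-category URIs are the published ones.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COC_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
RS = "http://refeds.org/category/research-and-scholarship"
# Assumed local policy, constructed for this example (not a federation-defined
# bundle): the attributes the IdP admin is willing to release per entity category.
CATEGORY_RELEASE = {
    RS: {"eduPersonPrincipalName", "mail", "displayName"},
    COC_V1: {"eduPersonPrincipalName", "mail", "displayName", "givenName",
             "sn", "eduPersonScopedAffiliation"},
}
def parse_sp(metadata_xml):
    """Return (entity categories, required attrs, optional attrs) of one SP."""
    root = ET.fromstring(metadata_xml)
    cats, required, optional = set(), set(), set()
    for attr in root.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats |= {v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text}
    for ra in root.iterfind(".//md:AttributeConsumingService/md:RequestedAttribute", NS):
        name = ra.get("FriendlyName") or ra.get("Name")
        (required if ra.get("isRequired") == "true" else optional).add(name)
    return cats, required, optional

def release_decision(metadata_xml, user_attributes):
    """Release only what the SP requested, one of its categories permits, and the user
    has; report unreleased required attributes so the IdP can refuse or log instead of
    silently sending a partial set. An SP with no recognised category gets nothing."""
    cats, required, optional = parse_sp(metadata_xml)
    allowed = set().union(*(CATEGORY_RELEASE.get(c, set()) for c in cats))
    released = {k: v for k, v in user_attributes.items()
                if k in allowed and k in required | optional}
    return released, required - set(released)
# Constructed SP metadata: an R&S member requesting two required and one optional attribute.
SP_METADATA = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
 <md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
  <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
 </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AttributeConsumingService index="0"><md:ServiceName xml:lang="en">Example SP</md:ServiceName>
   <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
   <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
   <md:RequestedAttribute Name="urn:oid:2.5.4.4" FriendlyName="sn" isRequired="false"/>
  </md:AttributeConsumingService></md:SPSSODescriptor></md:EntityDescriptor>"""
USER = {"eduPersonPrincipalName": "jdoe@example.org", "mail": "jdoe@example.org",
        "sn": "Doe", "givenName": "Jane"}  # constructed user record
```

With the sample above, sn is requested but optional and not in the R&S list, so it is simply not released; an SP whose category is not in CATEGORY_RELEASE gets nothing and both required attributes are reported as unreleased.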


Georg Gollmann
Dec 5, 2014, 12:44:49 PM
to simple...@googlegroups.com

> Am 05.12.2014 um 15:14 schrieb Olivier Salaün <olivier...@renater.fr>:
>
> I'd like to get feedback from simpleSAMLphp IdP admins registered in eduGAIN: how do you cope with attributes filtering for eduGAIN?

See https://github.com/gollmann/MetaMerge for my approach.

There is also a pull request to pass attribute status through MetaRefresh: https://github.com/simplesamlphp/simplesamlphp/pull/105

Kind regards
Georg

Kristof Bajnok
Apr 14, 2015, 7:23:27 AM
to simple...@googlegroups.com
Hi all,

To cut it short: is anybody working on supporting attribute filtering
based on entity category?

Thanks,
Kristof

On 2014-12-05 15:14, Olivier Salaün wrote:
> I'm setting up an Identity Provider using simpleSAMLphp.
> This Identity Provider will be part of eduGAIN inter-federation
> <http://www.geant.net/service/eduGAIN/Pages/home.aspx> and it is
> expected that it automatically releases attributes, based on:
>
> 1. RequestedAttribute elements found in SAML metadata. These XML
> elements associated to an SP, tell all IdPs what user attributes
> this SP need to work;
> 2. Data Protection Code of Conduct compliance for the requesting SP.
> Compliance to the eduGAIN Code of Conduct
> <http://www.geant.net/uri/dataprotection-code-of-conduct/v1/Pages/default.aspx>
> is expressed via EntityAttributes XML elements in SAML metadata. It
> is reasonable for an IdP admin to automatically release PII
> (Personally Identifiable Informations) to SPs that comply to the
> Code of Conduct;
> 3. Research & Scholarship compliance for the requesting SP. Compliance

Georg Gollmann
Apr 14, 2015, 7:29:50 AM
to simple...@googlegroups.com

Am 14.04.2015 um 13:23 schrieb Kristof Bajnok <baj...@niif.hu>:

> to cut it short: is anybody working on supporting attribute filtering
> based on entity category?

See https://github.com/gollmann/MetaMerge

Kind regards
Georg
