No Entity Category Support in SSP?


Lukas Hämmerle

Jun 22, 2016, 4:15:35 AM
to SimpleSAMLphp
Hello all

Can SSP as of today release attributes based on a SAML2 Entity Category
(like the REFEDS Research & Scholarship or GÉANT Data Protection Code of
Conduct entity categories) at all or at least using some plugin/extension?

* If so, documentation on how to do that is not very easy to find.
Nothing on https://simplesamlphp.org/docs/stable/simplesamlphp-authproc
and nothing obvious on Google.

* If this is not supported, what is the reason this feature has not been
added yet and when will it be supported?
Given that quite a few IdPs use SSP and given that entity category-based
attribute release currently seems to be a key success factor to battle
the attribute release problems in various federations (and eduGAIN), I
would wonder why this feature is not part of SSP.


Best Regards
Lukas

--
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT Project Task Leader of
"eduGAIN Service Development - Research and Service Providers"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.h...@switch.ch, http://www.switch.ch

Peter Schober

Jun 22, 2016, 6:33:42 AM
to SimpleSAMLphp
Lukas, I'm sure the SSP developers (aehm, let's stick with plural for
politeness reasons ;)) are well aware of the situation.

* Lukas Hämmerle <lukas.h...@switch.ch> [2016-06-22 10:15]:
> Can SSP as of today release attributes based on a SAML2 Entity Category
> (like the REFEDS Research & Scholarship or GÉANT Data Protection Code of
> Conduct entity categories) at all or at least using some plugin/extension?

AFAIK SSP supports the release of attributes based on
RequestedAttribute elements. I'm not aware of how to make that release
conditional on e.g. the CoCo category entity attribute of the SP.

With the future amendment to R&S it gets worse as RequestedAttributes
then may not be available in the SP's metadata, which is why I
recently suggested creating an extension to metarefresh that would
decorate R&S SPs with the R&S attribute bundle attributes so that
RequestedAttribute elements would effectively be minted from the
entity attribute, allowing the existing mechanism to continue to work
fine.

Outside of what's included by default, Georg G. has created
https://github.com/gollmann/MetaMerge to help his IDP deal with
eduID.at and eduGAIN metadata, but I have not looked at that in any
detail. It would probably also need updating in light of the amended
R&S spec, I'd imagine.

> * If this is not supported, what is the reason this feature has not been
> added yet and when will it be supported?

The usual? Resources? Changed realities (R&S) not bringing matching
code with them?

> Given that quite a few IdPs use SSP and given that entity
> category-based attribute release currently seems to be a key success
> factor to battle the attribute release problems in various
> federations (and eduGAIN), I would wonder why this feature is not
> part of SSP.

Pull requests always welcome! :)
Note that there was a huge contribution from Brook a while ago, adding
a quite complex policy language to SSP, but AFAIR that never made it
through code review (still done by Olav, back then). There should be
an open issue about that in Github in case you're interested.
-peter

Jaime Perez Crespo

Jun 22, 2016, 7:37:02 AM
to simple...@googlegroups.com
Hi Lukas!

Peter pretty much nailed it.

If there’s no official Entity Category support in SimpleSAMLphp today that’s because nobody contributed a solution that fits our needs. As simple as that. Brook submitted a patch some time ago, but it was a bit over-complicated, especially for the basic needs of the R&S or CoCo Entity Categories. See here:

https://github.com/simplesamlphp/simplesamlphp/issues/49

Now, that said, I’ve been working lately on a module adding Entity Category support:

https://github.com/simplesamlphp/simplesamlphp-module-entitycategories/

Note though that this module is probably not ready for production, since:

- It’s not been extensively tested.
- It just offers a generic filter, so you would need to configure the categories manually.
- It lacks the additional logic needed by R&S or CoCo.

The plan is to have two additional filters, one for each category, implementing all the logic that’s needed and making the filter work out of the box, without any configuration.

Still, this module just adds the attributes in the bundle to the list of attributes requested by a service *dynamically*, and the AttributeLimit filter must be run afterwards.

Regarding metarefresh, since it already produces SimpleSAMLphp metadata including Entity Attributes for every entity that may contain them, using these filters should be enough to serve any entities being consumed automatically. The idea then would be to integrate these filters in existing deployments, without updating SimpleSAMLphp or altering the logic already in place (meaning metarefresh & existing attribute release policies).

That said, I wouldn’t be able to provide any estimations on when Entity Category support could be available. We have quite a few people contributing and helping out in the project (and I would like to publicly thank all of them here), but still it’s only me actively developing and maintaining the software (and not even full time). It’s true that we have a huge user base, not only in the public sector, but unfortunately the help we are receiving back is far from what we would need. So it’s probably a good idea to take this as a reminder for those using SimpleSAMLphp for free that this is open source software, and if it is critical for their businesses, they should consider contributing back to the project and helping to maintain it in good shape.

--
Jaime Pérez
UNINETT / Feide
mail: jaime...@uninett.no
xmpp: ja...@jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost
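The two-stage mechanism described in this thread (Peter's idea of minting RequestedAttribute entries from the entity category, and Jaime's generic filter that adds the bundle to the requested list dynamically before AttributeLimit runs) can be modelled outside SimpleSAMLphp. The following is an added Python example, not code from the SimpleSAMLphp project or the entitycategories module; it assumes metarefresh-style SP metadata with an `EntityAttributes` map and an `attributes` list of RequestedAttribute names, and a constructed category-to-bundle configuration. The R&S bundle follows the REFEDS R&S specification; CoCo is mapped to an empty bundle because release for CoCo SPs is driven by their own RequestedAttribute elements.

```python
# Added example (not SimpleSAMLphp or entitycategories-module code): a
# stand-alone model of "mint requested attributes from the entity category,
# then limit to the requested set", in the order the thread describes.
from typing import Dict, List

# Real entity-attribute name under which SAML entity categories are published.
ENTITY_CATEGORY = "http://macedir.org/entity-category"

# Constructed category -> bundle configuration. The R&S list follows the
# REFEDS R&S attribute bundle; CoCo deliberately maps to an empty bundle.
CATEGORY_BUNDLES: Dict[str, List[str]] = {
    "http://refeds.org/category/research-and-scholarship": [
        "eduPersonPrincipalName", "mail", "displayName", "givenName", "sn",
        "eduPersonScopedAffiliation",
    ],
    "http://www.geant.net/uri/dataprotection-code-of-conduct/v1": [],
}

# Constructed SP metadata in the shape assumed for metarefresh output:
# 'EntityAttributes' keyed by attribute name, 'attributes' holding the
# RequestedAttribute names (absent when the SP publishes none).
SP_METADATA: Dict[str, dict] = {
    "https://rs-sp.example.org/shibboleth": {
        "EntityAttributes": {ENTITY_CATEGORY: [
            "http://refeds.org/category/research-and-scholarship"]},
    },
    "https://coco-sp.example.org/sp": {
        "EntityAttributes": {ENTITY_CATEGORY: [
            "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"]},
        "attributes": ["eduPersonPrincipalName", "mail"],
    },
    "https://unknown-cat.example.org/sp": {
        "EntityAttributes": {ENTITY_CATEGORY: [
            "http://example.org/category/not-configured"]},
    },
    "https://plain-sp.example.org/sp": {},
}

# Constructed attributes of an authenticated user at the IdP.
USER_ATTRIBUTES: Dict[str, List[str]] = {
    "eduPersonPrincipalName": ["alice@example.org"],
    "mail": ["alice@example.org"],
    "displayName": ["Alice Example"],
    "givenName": ["Alice"],
    "sn": ["Example"],
    "eduPersonScopedAffiliation": ["member@example.org"],
    "schacHomeOrganization": ["example.org"],
    "eduPersonEntitlement": ["urn:mace:example.org:entitlement:admin"],
}


def entity_categories(sp: dict) -> List[str]:
    """Categories the SP claims in its metadata (empty list if none)."""
    return list(sp.get("EntityAttributes", {}).get(ENTITY_CATEGORY, []))


def mint_requested_attributes(sp: dict, bundles: Dict[str, List[str]]) -> dict:
    """Stage 1: union the SP's RequestedAttribute names with the bundle of
    every configured category it claims. Returns a new dict and leaves the
    input untouched. A category missing from `bundles` adds nothing, so an
    unknown or mistyped category fails closed."""
    requested = list(sp.get("attributes", []))
    for category in entity_categories(sp):
        for attr in bundles.get(category, []):
            if attr not in requested:
                requested.append(attr)
    decorated = dict(sp)
    decorated["attributes"] = requested
    return decorated


def attribute_limit(user_attrs: Dict[str, List[str]], sp: dict) -> Dict[str, List[str]]:
    """Stage 2: keep only attributes the SP metadata lists as requested, the
    way an AttributeLimit-style filter using the SP list as its policy would.
    An SP with no requested attributes receives nothing."""
    allowed = set(sp.get("attributes", []))
    return {name: values for name, values in user_attrs.items() if name in allowed}


def release(user_attrs: Dict[str, List[str]], sp: dict,
            bundles: Dict[str, List[str]] = CATEGORY_BUNDLES) -> Dict[str, List[str]]:
    """Full pipeline in the order the thread describes: mint first, limit second."""
    return attribute_limit(user_attrs, mint_requested_attributes(sp, bundles))


if __name__ == "__main__":
    for entity_id, sp in SP_METADATA.items():
        print(f"{entity_id}: {sorted(release(USER_ATTRIBUTES, sp)) or 'nothing'}")
    # Wrong order: limiting before minting leaves the R&S SP, which publishes
    # no RequestedAttribute elements, with nothing at all.
    rs = SP_METADATA["https://rs-sp.example.org/shibboleth"]
    print("R&S SP, limit before mint:", attribute_limit(USER_ATTRIBUTES, rs))
```

Running the module prints one line per constructed SP: the R&S SP gets exactly the six bundle attributes and nothing else (no entitlement, no schacHomeOrganization), the CoCo SP gets only what it requested, and an SP with an unconfigured category or no category gets nothing. The last line shows why the ordering matters: with the limit step run first, an R&S SP that publishes no RequestedAttribute elements receives an empty set.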

Lukas Hämmerle

Jun 27, 2016, 9:38:00 AM
to simple...@googlegroups.com
Hi Peter and Jaime

On 22.06.16 13:36, Jaime Perez Crespo wrote:
> Peter pretty much nailed it.

Thanks for the comprehensive responses :-)


> If there’s no official Entity Category support in SimpleSAMLphp today
> that’s because nobody contributed a solution that fits our needs. As
> simple as that.

Ok, I'll keep that in mind. Given that AARC and GÉANT are staffed with
some skilled programmers and both are fighting the attribute release
problem, there might be a chance to help a bit with that.

So, maybe we can provide SSP with something in that area.


> Now, that said, I’ve been working lately on a module adding Entity
> Category support:
>
> https://github.com/simplesamlphp/simplesamlphp-module-entitycategories/
>
> Note though that this module is probably not ready for production,
> since:
>
> - It’s not been extensively tested. - It just offers a generic
> filter, so you would need to configure the categories manually. - It
> lacks the additional logic needed by R&S or CoCo.

I figure that some testing would be needed here? And then some logic to
use the generic entity category attribute filter in the context of R&S
and CoCo, right?

Jaime Perez Crespo

Jun 28, 2016, 3:16:22 AM
to simple...@googlegroups.com
Hi Lukas,

On 27 Jun 2016, at 15:37 PM, Lukas Hämmerle <lukas.h...@switch.ch> wrote:
>> If there’s no official Entity Category support in SimpleSAMLphp today
>> that’s because nobody contributed a solution that fits our needs. As
>> simple as that.
>
> Ok, I'll keep that in mind. Given that AARC and GÉANT are staffed with
> some skilled programmers and both are fighting the attribute release
> problem, there might be a chance to help a bit with that.
>
> So, maybe we can provide SSP with something in that area.

I had a brief chat with Licia about that too after TNC. In any case, it would be great to have help from people with knowledge of SAML and identity federations in general, so thanks!


> I figure that some testing would be needed here? And then some logic to
> use the generic entity category attribute filter in the context of R&S
> and CoCo, right?

Definitely! Right now we only have some generic functionality, so all the additional logic of CoCo or R&S is missing, but it would be helpful to have feedback anyway.

Lukas Hämmerle

Aug 4, 2016, 2:26:28 AM
to simple...@googlegroups.com
On 28.06.16 09:16, Jaime Perez Crespo wrote:
> On 27 Jun 2016, at 15:37 PM, Lukas Hämmerle
> <lukas.h...@switch.ch> wrote:
>>> If there’s no official Entity Category support in SimpleSAMLphp
>>> today that’s because nobody contributed a solution that fits our
>>> needs. As simple as that.
>>
>> Ok, I'll keep that in mind. Given that AARC and GÉANT are staffed
>> with some skilled programmers and both are fighting the attribute
>> release problem, there might be a chance to help a bit with that.
>>
>> So, maybe we can provide SSP with something in that area.
>
> I had a brief chat with Licia about that too after TNC. In any case,
> it would be great to have help from people with knowledge on SAML and
> identity federations in general, so thanks!

Some update on this point:
I asked Andres and Sven from EENET (Estonia), two of my GÉANT task
members, to help create support for entity category (R&S, CoCo) based
attribute release. Also, I have heard that in Greece there is a
university that recently wrote code for EC-based attribute release.
Then we also have identified some test users already.

Would you be available for a quick VC in the next few days with us to
ensure that things are done the proper SimpleSAML PHP way and to discuss
the missing pieces?


>> I figure that some testing would be needed here? And then some
>> logic to use the generic entity category attribute filter in the
>> context of R&S and CoCo, right?
>
> Definitely! Right now we only have some generic functionality, so all
> the additional logic of CoCo or R&S is missing, but it would be
> helpful to have feedback anyway.

I also know of some colleagues in my task who are willing to test
early versions of the code.

Jaime Perez Crespo

Aug 4, 2016, 7:23:32 AM
to simple...@googlegroups.com
Hi Lukas!

On 04 Aug 2016, at 08:26 AM, Lukas Hämmerle <lukas.h...@switch.ch> wrote:
> Some update on this point:
> I asked Andres and Sven from EENET (Estonia), two of my GÉANT task
> members, to help create support for entity category (R&S, CoCo) based
> attribute release. Also, I have heard that in Greece there is a
> university that recently wrote code for EC-based attribute release.
> Then we also have identified some test users already.

Sounds great!

> Would you be available for a quick VC in the next few days with us to
> ensure that things are done the proper SimpleSAML PHP way and to discuss
> the missing pieces?

Yes, as usual during this time of the year, my agenda is quite free, so let’s try to agree on a date and time privately.

> I also know of some colleagues in my task who are willing to test
> early versions of the code.

They could probably start by testing the module I was mentioning before:

https://github.com/simplesamlphp/simplesamlphp-module-entitycategories/

It’s absolutely generic and everything needs to be configured manually, and no fancy features are supported, such as “release this if available, or these other attributes otherwise”, but it’s something to start with at least.