From: Sander A. <sa....@fz...> - 2019-11-12 10:51:32
|
Hi Krzysztof,

On Tue, 2019-11-12 at 10:15 +0100, Krzysztof Benedyczak wrote:
> Hi Sander,
>
> On 11.11.2019 at 14:48, Sander Apweiler wrote:
> > Hi Krzysztof,
> >
> > the DFN AAI offers different trust levels for the IdP federation based
> > on the identity vetting. Every IdP is in the basic one but not all are
> > in the advanced one (higher identity vetting). If we want to support
> > both federations, unity will find IdPs two times. One in basic and one
> > in advanced.
> >
> > We want to store some Assurance information to the users, based on the
> > federation. Because the users of an IdP from DFN advanced have a high
> > identity vetting instead of basic AAI. I assume we would need two
> > different input translation profiles for it. Please correct me if I am
> > wrong.
> >
> > So I have two different questions.
> > 1. Can unity deal with the fact that IdPs are listed two times and
> > using different translation profiles?
> > 2. If 1 is yes, how could we ensure that IdPs from the advanced AAI
> > always use the path through advanced and never through the basic AAI?
>
> If I understood this correctly those are basically two federations (two
> XMLs with metadata) Basic and Advanced, in Advanced I'll find all IdPs
> from Basic (same SAML entityIds), right?
>
> If so how do you envision a choice which one is going to be used for
> authentication of a user who happens to be in IdP which is member of
> both? There should be a choice (so user can select) or simply always use
> the advanced one?

If the IdP is part of the advanced class, the advanced one should always be used. There should be no user selection, because the user will always end up at the same IdP.

Cheers,
Sander

>
> Best,
> Krzysztof
>

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
|
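The rule stated in this reply (an IdP listed in both federations is always treated as advanced, with no user choice), as an added example that is not part of the original thread and is not Unity's own code or configuration. The metadata snippets, entityIDs, federation labels and function names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample aggregates (not real DFN metadata); entityIDs are placeholders.
# Real aggregates must have their XML signature verified before use; omitted here.
BASIC_XML = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="https://idp-a.example.org/shibboleth"/>
  <EntityDescriptor entityID="https://idp-b.example.org/shibboleth"/>
</EntitiesDescriptor>"""
ADVANCED_XML = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="https://idp-a.example.org/shibboleth"/>
</EntitiesDescriptor>"""

# Hypothetical federation labels, highest identity vetting first.
PRECEDENCE = ["advanced", "basic"]


def entity_ids(xml_text):
    """Return the set of entityID values in a SAML metadata aggregate."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID") for e in root.iter(f"{{{MD}}}EntityDescriptor")}


def assign_federation(aggregates):
    """Map each entityID to exactly one federation: the highest-ranked one listing it."""
    chosen = {}
    for label in PRECEDENCE:
        for eid in entity_ids(aggregates[label]):
            # setdefault keeps the first (highest-ranked) label for a duplicate IdP.
            chosen.setdefault(eid, label)
    return chosen


def assurance_for(issuer, chosen):
    """Assurance label for an assertion's Issuer; unknown issuers are rejected."""
    if issuer not in chosen:
        raise ValueError(f"issuer not in any trusted federation: {issuer}")
    return chosen[issuer]


if __name__ == "__main__":
    mapping = assign_federation({"basic": BASIC_XML, "advanced": ADVANCED_XML})
    for eid, label in sorted(mapping.items()):
        print(label, eid)
```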