Menu
▾
▴
unity-idm-discuss
|
From: Sander A. <sa....@fz...> - 2019-11-11 13:49:08
Attachments:
smime.p7s
|
Hi Krzysztof, the DFN AAI offers different trust levels for the IdP federation based on the identity vetting. Every IdP is in the basic one but not all are in the advanced one (higher identity vetting). If we want to support both federations, unity will find IdPs two times. One in basic and one in advanced. We want to store some Assurance information to the users, based on the federation. Because the users of an IdP from DFN advanced have a high identity vetting instead of basic AAI. I assume we would need two different input translation profiles for it. Please correct me if I am wrong. So I have two different questions. 1. Can unity deal with the fact that IdPs are listed two times and using different translation profiles? 2. If 1 is yes, who we could ensure that IdPs from advanced AAI are always uses the path trough advanced and never trough the basic AAI? Best regards, Sander -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2019-11-12 09:15:21
|
Hi Sander, W dniu 11.11.2019 o 14:48, Sander Apweiler pisze: > Hi Krzysztof, > > the DFN AAI offers different trust levels for the IdP federation based > on the identity vetting. Every IdP is in the basic one but not all are > in the advanced one (higher identity vetting). If we want to support > both federations, unity will find IdPs two times. One in basic and one > in advanced. > > We want to store some Assurance information to the users, based on the > federation. Because the users of an IdP from DFN advanced have a high > identity vetting instead of basic AAI. I assume we would need two > different input translation profiles for it. Please correct me if I am > wrong. > > So I have two different questions. > 1. Can unity deal with the fact that IdPs are listed two times and > using different translation profiles? > 2. If 1 is yes, who we could ensure that IdPs from advanced AAI are > always uses the path trough advanced and never trough the basic AAI? If I understood this correctly those are basically two federations (two XMLs with metadata) Basic and Advanced, in Advanced I'll find all IdPs from Basic (same SAML entityIds), right? If so how do you envision a choice which one is going to be used for authentication of a user who happens to be in IdP which is member of both? There should be a choice (so user can select) or simply always use the advanced one? Best, Krzysztof |
|
From: Marcus H. <ha...@ki...> - 2019-11-12 09:44:03
Attachments:
smime.p7s
|
On 11/12/19 10:15, Krzysztof Benedyczak wrote: > Hi Sander, > > W dniu 11.11.2019 o 14:48, Sander Apweiler pisze: > > Hi Krzysztof, > > > > the DFN AAI offers different trust levels for the IdP federation based > > on the identity vetting. Every IdP is in the basic one but not all are > > in the advanced one (higher identity vetting). If we want to support > > both federations, unity will find IdPs two times. One in basic and one > > in advanced. > > > > We want to store some Assurance information to the users, based on the > > federation. Because the users of an IdP from DFN advanced have a high > > identity vetting instead of basic AAI. I assume we would need two > > different input translation profiles for it. Please correct me if I am > > wrong. > > > > So I have two different questions. > > 1. Can unity deal with the fact that IdPs are listed two times and > > using different translation profiles? > > 2. If 1 is yes, who we could ensure that IdPs from advanced AAI are > > always uses the path trough advanced and never trough the basic AAI? > > If I understood this correctly those are basically two federations (two XMLs > with metadata) Basic and Advanced, in Advanced I'll find all IdPs from Basic > (same SAML entityIds), right? Otherway round: All the advanced IdPs are also in Basic. > If so how do you envision a choice which one is going to be used for > authentication of a user who happens to be in IdP which is member of both? > There should be a choice (so user can select) or simply always use the > advanced one? It's the same entity ID. I.e. our IdP qualifies for Advanced. Therefore it is in Advanced. But therefore the same entity is also in Basic. -- Marcus. |
|
From: Krzysztof B. <kb...@un...> - 2019-11-12 09:38:44
|
W dniu 12.11.2019 o 10:22, Marcus Hardt pisze: > On 11/12/19 10:15, Krzysztof Benedyczak wrote: >> Hi Sander, >> >> W dniu 11.11.2019 o 14:48, Sander Apweiler pisze: >>> Hi Krzysztof, >>> >>> the DFN AAI offers different trust levels for the IdP federation based >>> on the identity vetting. Every IdP is in the basic one but not all are >>> in the advanced one (higher identity vetting). If we want to support >>> both federations, unity will find IdPs two times. One in basic and one >>> in advanced. >>> >>> We want to store some Assurance information to the users, based on the >>> federation. Because the users of an IdP from DFN advanced have a high >>> identity vetting instead of basic AAI. I assume we would need two >>> different input translation profiles for it. Please correct me if I am >>> wrong. >>> >>> So I have two different questions. >>> 1. Can unity deal with the fact that IdPs are listed two times and >>> using different translation profiles? >>> 2. If 1 is yes, who we could ensure that IdPs from advanced AAI are >>> always uses the path trough advanced and never trough the basic AAI? >> If I understood this correctly those are basically two federations (two XMLs >> with metadata) Basic and Advanced, in Advanced I'll find all IdPs from Basic >> (same SAML entityIds), right? > Otherway round: All the advanced IdPs are also in Basic. Yes, sure - typo. |
|
From: Sander A. <sa....@fz...> - 2019-11-12 10:51:32
Attachments:
smime.p7s
|
Hi Krzysztof, On Tue, 2019-11-12 at 10:15 +0100, Krzysztof Benedyczak wrote: > Hi Sander, > > W dniu 11.11.2019 o 14:48, Sander Apweiler pisze: > > Hi Krzysztof, > > > > the DFN AAI offers different trust levels for the IdP federation > > based > > on the identity vetting. Every IdP is in the basic one but not all > > are > > in the advanced one (higher identity vetting). If we want to > > support > > both federations, unity will find IdPs two times. One in basic and > > one > > in advanced. > > > > We want to store some Assurance information to the users, based on > > the > > federation. Because the users of an IdP from DFN advanced have a > > high > > identity vetting instead of basic AAI. I assume we would need two > > different input translation profiles for it. Please correct me if I > > am > > wrong. > > > > So I have two different questions. > > 1. Can unity deal with the fact that IdPs are listed two times and > > using different translation profiles? > > 2. If 1 is yes, who we could ensure that IdPs from advanced AAI are > > always uses the path trough advanced and never trough the basic > > AAI? > > If I understood this correctly those are basically two federations > (two > XMLs with metadata) Basic and Advanced, in Advanced I'll find all > IdPs > from Basic (same SAML entityIds), right? > > If so how do you envision a choice which one is going to be used for > authentication of a user who happens to be in IdP which is member of > both? There should be a choice (so user can select) or simply always > use > the advanced one? If the IdP is part of the advanced class, it should be always used the advanced. There should be no user selection, because user will always end at the same IdP. Cheers, Sander > > Best, > Krzysztof > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2019-11-18 08:03:54
|
Hi Sander, W dniu 12.11.2019 o 11:51, Sander Apweiler pisze: >> If I understood this correctly those are basically two federations >> (two >> XMLs with metadata) Basic and Advanced, in Advanced I'll find all >> IdPs >> from Basic (same SAML entityIds), right? >> >> If so how do you envision a choice which one is going to be used for >> authentication of a user who happens to be in IdP which is member of >> both? There should be a choice (so user can select) or simply always >> use >> the advanced one? > If the IdP is part of the advanced class, it should be always used the > advanced. There should be no user selection, because user will always > end at the same IdP. I had to verify what the answer is. So unfortunately this won't work in reliable way: there is no way currently in Unity to specify which SAML metadata is overriding another one. Actually the picture is quite complex as also in Unity you can define manually (not via metadata) your trusted IdPs. Those guys are guaranteed to take precedence over all metadata based, but entries are actually merged. I.e. if metadata brings more details about IdP it will be added to the manually defined one, but no setting will be changed. However wrt to the order of metadata provided IdPs there are no ways to control it - the first one will win, but is rather random which one becomes the first. Best, Krzysztof |
|
From: Sander A. <sa....@fz...> - 2019-11-18 08:08:09
Attachments:
smime.p7s
|
Hi Krzysztof, I guessed that it is not possible. Thank you very much for your investigation to this. Best regards, Sander On Mon, 2019-11-18 at 09:03 +0100, Krzysztof Benedyczak wrote: > Hi Sander, > > W dniu 12.11.2019 o 11:51, Sander Apweiler pisze: > > > If I understood this correctly those are basically two > > > federations > > > (two > > > XMLs with metadata) Basic and Advanced, in Advanced I'll find all > > > IdPs > > > from Basic (same SAML entityIds), right? > > > > > > If so how do you envision a choice which one is going to be used > > > for > > > authentication of a user who happens to be in IdP which is member > > > of > > > both? There should be a choice (so user can select) or simply > > > always > > > use > > > the advanced one? > > > > If the IdP is part of the advanced class, it should be always used > > the > > advanced. There should be no user selection, because user will > > always > > end at the same IdP. > > I had to verify what the answer is. > > So unfortunately this won't work in reliable way: there is no way > currently in Unity to specify which SAML metadata is overriding > another > one. Actually the picture is quite complex as also in Unity you can > define manually (not via metadata) your trusted IdPs. Those guys are > guaranteed to take precedence over all metadata based, but entries > are > actually merged. I.e. if metadata brings more details about IdP it > will > be added to the manually defined one, but no setting will be > changed. > However wrt to the order of metadata provided IdPs there are no ways > to > control it - the first one will win, but is rather random which one > becomes the first. > > Best, > Krzysztof > > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Sander A. <sa....@fz...> - 2019-11-29 09:57:31
Attachments:
smime.p7s
|
Hi Krzysztof, I had a deeper look into the metadata file of the basic federation. There is an attribute which indicates if an IdP is only basic or advanced: <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml:AttributeValue>advanced</saml:AttributeValue> Do you know a way to use this information later in unity? Cheers, Sander On Mon, 2019-11-18 at 09:06 +0100, Sander Apweiler wrote: > Hi Krzysztof, > > I guessed that it is not possible. Thank you very much for your > investigation to this. > > Best regards, > Sander > > On Mon, 2019-11-18 at 09:03 +0100, Krzysztof Benedyczak wrote: > > Hi Sander, > > > > W dniu 12.11.2019 o 11:51, Sander Apweiler pisze: > > > > If I understood this correctly those are basically two > > > > federations > > > > (two > > > > XMLs with metadata) Basic and Advanced, in Advanced I'll find > > > > all > > > > IdPs > > > > from Basic (same SAML entityIds), right? > > > > > > > > If so how do you envision a choice which one is going to be > > > > used > > > > for > > > > authentication of a user who happens to be in IdP which is > > > > member > > > > of > > > > both? There should be a choice (so user can select) or simply > > > > always > > > > use > > > > the advanced one? > > > > > > If the IdP is part of the advanced class, it should be always > > > used > > > the > > > advanced. There should be no user selection, because user will > > > always > > > end at the same IdP. > > > > I had to verify what the answer is. > > > > So unfortunately this won't work in reliable way: there is no way > > currently in Unity to specify which SAML metadata is overriding > > another > > one. Actually the picture is quite complex as also in Unity you > > can > > define manually (not via metadata) your trusted IdPs. Those guys > > are > > guaranteed to take precedence over all metadata based, but entries > > are > > actually merged. I.e. if metadata brings more details about IdP it > > will > > be added to the manually defined one, but no setting will be > > changed. > > However wrt to the order of metadata provided IdPs there are no > > ways > > to > > control it - the first one will win, but is rather random which > > one > > becomes the first. > > > > Best, > > Krzysztof > > > > > > _______________________________________________ > Unity-idm-discuss mailing list > Uni...@li... > https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2019-11-30 18:24:54
|
Hi Sander, W dniu 29.11.2019 o 10:57, Sander Apweiler pisze: > Hi Krzysztof, > I had a deeper look into the metadata file of the basic federation. > There is an attribute which indicates if an IdP is only basic or > advanced: > > <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> > <saml:AttributeValue>advanced</saml:AttributeValue> > > Do you know a way to use this information later in unity? If this is metadata's attribute then Unity offers no feature allowing you to process it. So either way we would need an additional feature to support your case. Do you want to use this attribute to filter IdPs from some metadata documents? Cheers Krzysztof |
|
From: Sander A. <sa....@fz...> - 2019-12-02 07:17:32
Attachments:
smime.p7s
|
Hi Krzysztof, yes we want to set different level of assurance (within translation profile), based on this attribute. This attribute indicates how the identity vetting was done at the organisations. Cheers, Sander On Sat, 2019-11-30 at 19:24 +0100, Krzysztof Benedyczak wrote: > Hi Sander, > > W dniu 29.11.2019 o 10:57, Sander Apweiler pisze: > > Hi Krzysztof, > > I had a deeper look into the metadata file of the basic federation. > > There is an attribute which indicates if an IdP is only basic or > > advanced: > > > > <saml:Attribute Name="http://aai.dfn.de/loa/degree-of-reliance" > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> > > <saml:AttributeValue>advanced</saml:AttributeValue> > > > > Do you know a way to use this information later in unity? > > If this is metadata's attribute then Unity offers no feature > allowing > you to process it. So either way we would need an additional feature > to > support your case. Do you want to use this attribute to filter IdPs > from > some metadata documents? > > Cheers > Krzysztof > > -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2019-12-04 20:36:13
|
Hi Sander, W dniu 02.12.2019 o 08:17, Sander Apweiler pisze: > Hi Krzysztof, > > yes we want to set different level of assurance (within translation > profile), based on this attribute. This attribute indicates how the > identity vetting was done at the organisations. I've looked into this metadata too (as found here https://doku.tid.dfn.de/en:metadata) So in fact I think you in the end don't want to use 2 metadata sources, merged by Unity, but only one: the basic metadata which includes both advanced and basic idps. And the only feature missing is to parse the SAML metadata extension with IDP attributes, and expose it for the user logging through such IdP. Is it all correct? If so this is perhaps not very complex task, but certainly longer. We would expose those in the context of input profile of SAML authenticator (as a new variable, e.g. idpAttrs). So you can either create a condition on it or just use it as-is for some attribute value. We will also need to implement IdP side support for it - to be able to automate testing. Does it sound correct to you? Cheers, Krzysztof |
|
From: Sander A. <sa....@fz...> - 2019-12-05 06:15:50
Attachments:
smime.p7s
|
Good morning Krzysztof, On Wed, 2019-12-04 at 21:36 +0100, Krzysztof Benedyczak wrote: > Hi Sander, > > W dniu 02.12.2019 o 08:17, Sander Apweiler pisze: > > Hi Krzysztof, > > > > yes we want to set different level of assurance (within translation > > profile), based on this attribute. This attribute indicates how the > > identity vetting was done at the organisations. > > I've looked into this metadata too (as found here > https://doku.tid.dfn.de/en:metadata) > > So in fact I think you in the end don't want to use 2 metadata > sources, > merged by Unity, but only one: the basic metadata which includes > both > advanced and basic idps. And the only feature missing is to parse > the > SAML metadata extension with IDP attributes, and expose it for the > user > logging through such IdP. Is it all correct? Yes this is correct. > > If so this is perhaps not very complex task, but certainly longer. > We > would expose those in the context of input profile of SAML > authenticator > (as a new variable, e.g. idpAttrs). So you can either create a > condition > on it or just use it as-is for some attribute value. We will also > need > to implement IdP side support for it - to be able to automate > testing. > > Does it sound correct to you? This is almost correct, but in this case the DFN set this attribute in the metadata not the IdP. Cheers, Sander > > Cheers, > Krzysztof -- Federated Systems and Data Juelich Supercomputing Centre phone: +49 2461 61 8847 fax: +49 2461 61 6656 email: sa....@fz... ---------------------------------------------------------------------- ----------------------------------------------------------------------- Forschungszentrum Juelich GmbH 52425 Juelich Sitz der Gesellschaft: Juelich Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498 Vorsitzender des Aufsichtsrats: MinDir Volker Rieke Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender), Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt, Prof. Dr. Sebastian M. Schmidt ----------------------------------------------------------------------- ----------------------------------------------------------------------- |
|
From: Krzysztof B. <kb...@un...> - 2019-12-08 22:04:41
|
W dniu 05.12.2019 o 07:15, Sander Apweiler pisze: >> If so this is perhaps not very complex task, but certainly longer. >> We >> would expose those in the context of input profile of SAML >> authenticator >> (as a new variable, e.g. idpAttrs). So you can either create a >> condition >> on it or just use it as-is for some attribute value. We will also >> need >> to implement IdP side support for it - to be able to automate >> testing. >> >> Does it sound correct to you? > This is almost correct, but in this case the DFN set this attribute in > the metadata not the IdP. Sure - I meant that the attribute is not the user's (SAML assertion subject's) attribute, but should be obtained from IdP settings. |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X