Present

Minutes

Getting up to speed

  • Albert reported on a chat on SeamlessAccess Slack about how SeamlessAccess processes trustinfo metadata.
  • Björn: Base64-encoded XML, implemented in pyFF, which creates a JSON discovery file shipped to the service (JSON MDQ server). Then either the magic button or JavaScript on the service page queries info about entities. Now looking to implement a JSON version of trustinfo.

Profiles

We have talked about defining profiles for SPs to use. In fact, the demo page at https://deploy-preview-275--thiss.netlify.app/ implements a profile (listed here) for use in the button.

Benefits:

  • keep metadata size low because the entity attribute will contain only a URI to the profile, not the full blob
  • cleaner metadata
  • some use cases are very easy to solve with this (for example, only showing IdPs which are part of a specific consortium)
  • some parts of the original trustinfo spec are specific to the metadata consumer (md_source is the clearest example), and profiles make this completely transparent to the SP

Disadvantages:

  • Hard to implement fine-grained control through profiles (such as explicitly adding or removing individual IdPs, or an entity list which changes relatively often, such as an SP which only lists IdPs that it has done pre-integration checks with). One would need many profiles, or would have to define combination rules.

We always come back to the question: how does one define the profiles? At the metadata-consuming site? But as there are hundreds of SPs using SeamlessAccess, the mechanism that allows the SP to inform SeamlessAccess is crucial to determine. If SPs need to log in to upload their profile, there is another authn/authz system that needs to be developed. Therefore we concluded that for the mechanism to scale, it has to be through the entity attribute.

Global profiles

Talked about defining profiles per federation and including those in the EntitiesDescriptor of that federation's eduGAIN upstream. Yes, you can add an entity attribute to the EntitiesDescriptor. Would that get processed correctly by federation operators, eduGAIN intermediaries and the ultimate metadata consumer? And we would still have to define combination rules for a global profile and fine-grained control.

Summary

  • Agree that entity-selection-profile is a good name ... not tied to IdPs ... but we need to get the logical combination defined
  • Starting to get consensus towards a 2-step standardisation process: first the attribute, then the content and combination rules

1 Comment

  1. Adding a comment about the size of the entity attribute

    • There's an overhead for the entity attribute envelope. The size increase varies depending on whether the entity already has other entity attributes, but say 256 characters max.
    • If the AttributeValue is a URI, the value can be relatively small. 50 characters or thereabouts
    • If the AttributeValue includes the whole filter, it's going to be 512 characters or more
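As an added illustration of both the profile mechanism discussed under "Profiles" (a single URI in the entity attribute instead of the whole trustinfo blob) and the size figures in the comment above, the following Python script builds the SAML metadata extension in both forms and measures what each adds to an SP's EntityDescriptor. It is example code written for these notes, not SeamlessAccess, pyFF or thiss code. The attribute name `https://example.org/entity-selection-profile`, the profile URI, the entity IDs and the inline filter JSON are constructed placeholders (the standardised attribute name and filter format are exactly what the minutes say still has to be decided); the namespace URIs and the `http://macedir.org/entity-category` attribute are the standard SAML metadata ones.

```python
"""Size experiment for a profile reference carried as a SAML entity attribute.

Example code for these meeting notes; not SeamlessAccess / pyFF / thiss code.
Attribute name, entity IDs, profile URI and filter JSON are constructed placeholders.
"""
import json
import xml.etree.ElementTree as ET

# Standard SAML metadata namespaces (not assumptions).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Placeholder attribute name (assumption: whatever the standardisation process settles on).
PROFILE_ATTR = "https://example.org/entity-selection-profile"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# Constructed values: a short profile reference vs. a whole inline filter.
PROFILE_URI = "https://example.org/profiles/consortium-x"
INLINE_FILTER = json.dumps(
    {"include": [{"entity_id": "https://idp%d.example.edu/idp/shibboleth" % i} for i in range(10)]}
)

# Constructed SP metadata: one without any entity attributes, one that already
# carries an entity-category attribute (so the EntityAttributes envelope exists).
SP_BARE = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

SP_WITH_ATTRS = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def q(prefix, local):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


def add_profile_attribute(entity_xml, value):
    """Publisher side: add one profile AttributeValue to an EntityDescriptor.

    The md:Extensions / mdattr:EntityAttributes envelope is created only if the
    entity does not already have one, which is why the size delta differs.
    """
    root = ET.fromstring(entity_xml)
    ext = root.find("md:Extensions", NS)
    if ext is None:
        ext = ET.Element(q("md", "Extensions"))
        root.insert(0, ext)  # Extensions must precede the role descriptors
    ea = ext.find("mdattr:EntityAttributes", NS)
    if ea is None:
        ea = ET.SubElement(ext, q("mdattr", "EntityAttributes"))
    attr = ET.SubElement(ea, q("saml", "Attribute"), Name=PROFILE_ATTR, NameFormat=URI_FORMAT)
    ET.SubElement(attr, q("saml", "AttributeValue")).text = value
    return ET.tostring(root, encoding="utf-8")


def profile_values(entity_xml):
    """Consumer side: collect the profile values (if any) from an EntityDescriptor."""
    root = ET.fromstring(entity_xml)
    values = []
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == PROFILE_ATTR:
            values.extend(v.text for v in attr.findall("saml:AttributeValue", NS))
    return values


def size_delta(entity_xml, value):
    """Bytes added to the serialized entity by one profile attribute value."""
    before = len(ET.tostring(ET.fromstring(entity_xml), encoding="utf-8"))
    return len(add_profile_attribute(entity_xml, value)) - before


def report():
    """Numbers a metadata publisher would want before choosing URI vs. inline filter."""
    return {
        "uri_delta_new_envelope": size_delta(SP_BARE, PROFILE_URI),
        "uri_delta_existing_envelope": size_delta(SP_WITH_ATTRS, PROFILE_URI),
        "inline_delta_new_envelope": size_delta(SP_BARE, INLINE_FILTER),
        "inline_filter_length": len(INLINE_FILTER),
    }


if __name__ == "__main__":
    for key, val in report().items():
        print("%-30s %d bytes" % (key, val))
    print("consumer sees:", profile_values(add_profile_attribute(SP_WITH_ATTRS, PROFILE_URI)))
```

The delta between the two value forms is exactly the difference in value length, because the envelope (Extensions, EntityAttributes, Attribute and the namespace declarations) is the same either way; the envelope cost itself is smaller when the SP already publishes other entity attributes, which is the variation the comment points out.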