eduGAIN Code of Conduct Workshop, 2012-02-09, Brussels
GEANT eduGAIN Data Protection "Code of Conduct" Workshop
Dieter Van Uytvanck, [email protected]
Brussels
We, the Service Providers
• CLARIN SPs – www.clarin.eu/spf
• DARIAH SPs
• More general:
  • DASISH community
  • EUDAT community
CLARIN SPs
[Diagram: Users and Depositors authenticate through their national identity federations (German IDF, Dutch IDF, Finnish IDF, …), which are joined in the EU IDF (GEANT/eduGAIN); CLARIN ERIC and the CLARIN Service Provider Organizations run the CLARIN SPs.]
The ideal world…
1. User wants to access a Service Provider: "I would like to use a CLARIN service…"
2. Service Provider redirects to the Discovery Service
3. User selects IdP
4. Discovery Service redirects to the Identity Provider
5. User enters credentials
6. Identity Provider redirects to the resource for the authorization check
7. User uses the Service Provider
Back to reality
• Main problems:
  • Not enough (worst case: no) attributes are released
  • Opt-in at the side of the Identity Providers
  • No support for "exotic" SAML profiles like ECP at the side of the providers
1. User wants to access a Service Provider: "I would like to use a CLARIN service…"
2. Service Provider redirects to the Discovery Service
3. User selects IdP
4. Discovery Service redirects to the Identity Provider
5. User enters credentials
6. Identity Provider sends attributes to the Service Provider for the authorization check
7. User uses the Service Provider
1. User wants to access a Service Provider: "I would like to use a CLARIN service…"
2. Access denied. The Service Provider shows an error:
"Universiteit van Tilburg" is not in the list of organisations that have requested access for the service "CATALOG (CLARIN)". If you require access you need to contact your organization's ICT department regarding this service; when they agree, they can contact SURFfederatie to include your organization in the list.
But which ICT department?
[Diagram: the user has to contact one of the University ICT dept., the Faculty ICT dept. or the Research Group ICT dept.]
And what to ask for?
From: [email protected]
To: [email protected]
Subject: Component Registry

Dear support team,
I would like to access the CLARIN component registry but get an error message:
"Universiteit van Tilburg" is not in the list of organisations that have requested access for the service "CATALOG (CLARIN)"
What should I do now?
Best regards,
Christian
… to summarize
• Logging in to an SP for the first time:
  • Takes a while (asking for permission!)
  • Depends on a non-standardized workflow
    • Depending on the reaction of the researcher
    • Depending on the reaction of the IT helpdesk
  • Adds to the bureaucratic burden that AAI was supposed to address
  • Takes more effort for the user than creating a new ad-hoc account
• Scalability problem: many SPs and IdPs (for CLARIN, e.g., S SPs and I IdPs means S × I permission requests)
Exotic SAML profiles
• CLARIN and DARIAH want to use web service trust delegation
• This has been tested by DARIAH and works …
• … but depends on the IdP, who has to configure the ECP SAML profile correctly
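A first check an SP operator can run before blaming the IdP, added here as an example (not CLARIN's or DARIAH's code): which IdPs in the federation metadata advertise the ECP profile at all? An ECP-capable IdP publishes a SingleSignOnService with the SAML 2.0 SOAP binding, and an ECP-capable SP publishes an AssertionConsumerService with the PAOS binding. The metadata aggregate, entityIDs and URLs below are constructed for the example. Advertising the endpoint is necessary but not sufficient: the IdP must also accept ECP requests from that particular SP, and only a live ECP exchange shows that.

```python
"""Which entities in a SAML metadata aggregate advertise the ECP profile?

ECP (Enhanced Client or Proxy) needs a SOAP-bound SingleSignOnService on the
IdP and a PAOS-bound AssertionConsumerService on the SP.  Added example on
constructed metadata; not code from CLARIN or DARIAH."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"

# Constructed metadata: idp-a supports ECP, idp-b is browser-only, sp-c is ECP-capable.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp-a.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp-a.example.org/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
                              Location="https://idp-a.example.org/idp/profile/SAML2/SOAP/ECP"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://idp-b.example.org/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                   Location="https://sp-c.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
                                   Location="https://sp-c.example.org/Shibboleth.sso/SAML2/ECP" index="2"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _endpoint_with_binding(role, tag, binding):
    """Location of the first endpoint of `tag` under `role` that uses `binding`, else None."""
    for endpoint in role.findall(tag, NS):
        if endpoint.get("Binding") == binding:
            return endpoint.get("Location")
    return None


def ecp_endpoints(metadata_xml):
    """List (entityID, role, ecp_endpoint) for every IdP and SP role in the metadata.

    ecp_endpoint is None when that role does not advertise the ECP-relevant binding.
    Accepts a single EntityDescriptor or an EntitiesDescriptor aggregate."""
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{MD}}}EntityDescriptor":
        entities = [root]
    else:
        entities = root.findall(".//md:EntityDescriptor", NS)
    found = []
    for entity in entities:
        entity_id = entity.get("entityID")
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            found.append((entity_id, "IdP",
                          _endpoint_with_binding(idp, "md:SingleSignOnService", SOAP_BINDING)))
        sp = entity.find("md:SPSSODescriptor", NS)
        if sp is not None:
            found.append((entity_id, "SP",
                          _endpoint_with_binding(sp, "md:AssertionConsumerService", PAOS_BINDING)))
    return found


def idps_without_ecp(metadata_xml):
    """entityIDs of IdPs that a non-browser ECP client cannot use at all."""
    return sorted(entity_id for entity_id, role, endpoint in ecp_endpoints(metadata_xml)
                  if role == "IdP" and endpoint is None)


if __name__ == "__main__":
    for entity_id, role, endpoint in ecp_endpoints(SAMPLE_METADATA):
        print(f"{role:3} {entity_id}: {endpoint or 'no ECP endpoint'}")
```

Run against a real aggregate (for example the one the SP already consumes), `idps_without_ecp` gives the list of IdPs to approach before a web-service client is even tried; for the IdPs that do advertise the SOAP endpoint, an actual ECP request from the SP is still the only proof.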
Summarizing our needs
• Less problematic attribute release policy (eduGAIN Code of Conduct = good initiative!)
• Get rid of opt-in for IdPs
• Try to configure the ECP profile by default at the side of the IdP
Temporary workaround
• For CLARIN: the CLARIN IdP
• In practice: running our own federation
• Not what we want to do!
• Gold standard for attributes:
  • eduPersonPrincipalName (EPTID)
  • Common name
  • Organisation (schacHomeOrganization)
  • Mail
  • eduPersonScopedAffiliation
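The check an SP can run once an assertion arrives, added here as an example that is not CLARIN's code: was the gold-standard set above released in full (the "not enough, worst case no attributes" problem from the Back to reality slide), and do the scoped values (eduPersonPrincipalName, eduPersonScopedAffiliation) carry a scope this IdP is entitled to assert? The IdP entityID, the scope table and the attribute values are constructed; a real SP takes the permitted scopes per IdP from federation metadata, never from the assertion. The urn:oid attribute names are the standard eduPerson, SCHAC and X.520 OIDs. The example assumes the SP software has already validated the assertion (signature, audience, validity window) and only looks at release.

```python
"""SP-side check of attribute release against CLARIN's 'gold standard' set.

Added example on constructed assertions; not CLARIN's own code.  Assumes the
SP has already validated signature, audience and validity window; this asks
only whether the required attributes were released and whether scoped values
carry a scope the asserting IdP may use.  ElementTree keeps the example
dependency-free; for untrusted XML in production use defusedxml or the SP's
own SAML library."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# urn:oid attribute names as they appear in SAML 2.0 assertions -> friendly name.
REQUIRED = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:2.5.4.3": "cn",
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": "schacHomeOrganization",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
}
# Values of these attributes are "something@scope"; the scope must belong to the IdP.
SCOPED = {"urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"}

# Hypothetical per-IdP scope table (constructed).  A real SP fills this from
# federation metadata (the shibmd:Scope extension), never from the assertion.
ALLOWED_SCOPES = {"https://idp.example.edu/idp/shibboleth": {"example.edu"}}


def make_assertion(issuer, attrs):
    """Constructed, unsigned assertion carrying `attrs` (test data only)."""
    ET.register_namespace("saml", SAML)
    assertion = ET.Element(f"{{{SAML}}}Assertion", ID="_example", Version="2.0",
                           IssueInstant="2012-02-09T10:00:00Z")
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    if attrs:
        statement = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
        for name, values in attrs.items():
            attribute = ET.SubElement(statement, f"{{{SAML}}}Attribute", Name=name)
            for value in values:
                ET.SubElement(attribute, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def check_release(assertion_xml, allowed_scopes=ALLOWED_SCOPES):
    """Return {'ok', 'issuer', 'missing', 'bad_scope'} for one assertion."""
    root = ET.fromstring(assertion_xml)
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element")
    issuer_el = assertion.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""

    released = {}
    for attribute in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attribute.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if values:  # an attribute with only empty values counts as not released
            released[attribute.get("Name")] = values

    missing = sorted(friendly for oid, friendly in REQUIRED.items() if oid not in released)

    # Scope check: the part after the last '@' must be one this IdP may assert.
    permitted = {scope.lower() for scope in allowed_scopes.get(issuer, ())}
    bad_scope = []
    for oid in SCOPED:
        for value in released.get(oid, []):
            _, at, scope = value.rpartition("@")
            if not at or scope.lower() not in permitted:
                bad_scope.append((REQUIRED[oid], value))

    return {"ok": not missing and not bad_scope, "issuer": issuer,
            "missing": missing, "bad_scope": sorted(bad_scope)}


IDP = "https://idp.example.edu/idp/shibboleth"
# Full gold-standard release from the constructed IdP.
FULL_RELEASE = make_assertion(IDP, {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["jdoe@example.edu"],
    "urn:oid:2.5.4.3": ["Jane Doe"],
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": ["example.edu"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["jane.doe@example.edu"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ["member@example.edu"],
})
# Partial release (no mail) plus an ePPN scope this IdP is not allowed to assert.
PARTIAL_RELEASE = make_assertion(IDP, {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["jdoe@other.example"],
    "urn:oid:2.5.4.3": ["Jane Doe"],
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": ["example.edu"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ["member@example.edu"],
})
# Worst case from the slides: nothing released at all.
NO_RELEASE = make_assertion(IDP, {})

if __name__ == "__main__":
    for label, xml in (("full", FULL_RELEASE), ("partial", PARTIAL_RELEASE), ("none", NO_RELEASE)):
        print(label, check_release(xml))
```

The scope check is the part worth keeping even after attribute release is solved: without it, any IdP in the federation could assert `someone@example.edu` and be treated as that organisation's user, so the permitted scopes must be bound to the issuer rather than read from the value.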
Practical questions about CoC
• What about trust delegation? Web service A calls web service B on behalf of user X
• How long can a Service Provider store attributes?