
Enhancement for SAML trust: Configure and setup InCommon's R&S bundle #1

Closed · mzico opened this issue Mar 16, 2015 · 12 comments

mzico commented Mar 16, 2015

Ref. Jira ticket: http://ox.gluu.org/jira/browse/OXTRUST-156

Requirement analysis: how is it possible to establish InCommon's R&S bundle.
Please talk to me if it's not clear to you.

Request email:

Could you please take a look at the attached requirement analysis for R&S bundle activation? Seems like not hard enough.

What do you think?

I had to read a fair amount of documentation to be able to answer.

The way I see it the core problem is that the "ox" platform defines trust relationships solely by entityID, even for entities already part of (nominally) trusted federations. There is no way for the user to say in the "Add Trust Relationship" dialog "Metadata Type: Federation; Federation Name: InCommon; Specify by Entity Attribute; Entity Attribute Name: http://macedir.org/entity-category ; Entity Attribute Value: http://id.incommon.org/category/research-and-scholarship" to specify the trusted entity or entities.

This page explains clearly why one would want to specify an attribute release policy (part of the "Trust Relationships" configuration in ox): https://spaces.internet2.edu/display/InCFederation/Configure+a+Shibboleth+IdP+to+Support+R+and+S

As things currently stand, we cannot do that ourselves, as Puppet will force-overwrite the altered configuration during the next refresh.

wiki: https://spaces.internet2.edu/x/aAbvAQ

On Thu, Mar 27, 2014 at 11:58 AM, Tom wrote:
An IdP may not be releasing sufficient attributes to allow access to GENI. The InCommon metadata lists a set of attributes we would like to receive.

In brief, we require 'eppn', and that's why access was denied. We strongly desire 'mail' (email address), but we can work around it if you cannot release it. It just makes it harder for each individual on your campus to access GENI.

Other attributes we would like to receive include 'sn', 'givenName', 'displayName', 'affiliation'.

The GENI Experimenter Portal is an InCommon Research and Scholarship (R&S) service provider. It's probably much easier for you to enable that on your IdP, and has the added benefit of allowing members of your campus/community access to a range of InCommon-based services that have been vetted by InCommon. Please consider this route, as it benefits the broadest range of people and is the easiest for you to enable and maintain.

More information on R&S, including how to enable it, is available at https://spaces.internet2.edu/x/aAbvAQ

For debugging, please feel free to use https://portal.geni.net/secure/env.php to view what attributes you are releasing to us. They will show up on this page between the "Shib-" variables and the "HTTP_" variables. When both 'eppn' and 'mail' are listed your users will be able to access the GENI portal directly.

Please let me know if you have any questions. I am happy to help.
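The "Specify by Entity Attribute" idea in the post above (trust an SP because federation metadata tags it with the `http://macedir.org/entity-category` value `http://id.incommon.org/category/research-and-scholarship`, rather than listing each entityID by hand) can be shown with a small metadata check. This is an added example, not code from the issue, from Gluu or from Shibboleth. It assumes the federation aggregate has already been downloaded and signature-verified, uses a constructed sample aggregate with made-up `example.test` entityIDs, and takes the "R&S bundle" to be the attribute list named in the thread (eppn, mail, sn, givenName, displayName, affiliation).

```python
"""Pick SAML SPs for attribute release by entity category instead of by entityID.

Added example for this issue; not Gluu's or Shibboleth's code. Assumes the
federation metadata passed in was already fetched over a trusted channel and
signature-verified: the entity-category tag is only as trustworthy as the
aggregate that carries it.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Entity attribute name/value quoted in the issue's "Add Trust Relationship" wording.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://id.incommon.org/category/research-and-scholarship"

# Attributes the thread asks an IdP to release to an R&S SP (names as listed there).
RS_BUNDLE = ("eppn", "mail", "displayName", "givenName", "sn", "affiliation")

# Constructed sample aggregate: one SP tagged R&S, one tagged with an unrelated
# made-up category, one with no entity attributes at all.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="example-federation">
  <md:EntityDescriptor entityID="https://portal.example.test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other-sp.example.test/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://example.test/category/not-rs</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain-sp.example.test/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _entity_descriptors(metadata_xml):
    """Yield every EntityDescriptor, whether the root is an aggregate or a single entity."""
    root = ET.fromstring(metadata_xml)
    if root.tag == "{%s}EntityDescriptor" % NS["md"]:
        return [root]
    return root.findall(".//md:EntityDescriptor", NS)


def _categories_of(entity_descriptor):
    """Collect the entity-category values declared in md:Extensions for one entity."""
    categories = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity_descriptor.findall(path, NS):
        if attr.get("Name") != ENTITY_CATEGORY:
            continue  # other entity attributes (e.g. assurance tags) are ignored here
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                categories.add(value.text.strip())
    return categories


def entity_categories(metadata_xml, entity_id):
    """Categories for entity_id, or None when the entity is not in the aggregate."""
    for ed in _entity_descriptors(metadata_xml):
        if ed.get("entityID") == entity_id:
            return _categories_of(ed)
    return None


def release_policy(metadata_xml, entity_id):
    """Attributes to release: RS_BUNDLE for an R&S SP, () for a known non-R&S SP,
    None for an SP that is not in the trusted metadata at all (release nothing)."""
    categories = entity_categories(metadata_xml, entity_id)
    if categories is None:
        return None
    return RS_BUNDLE if RS_CATEGORY in categories else ()


def rs_entities(metadata_xml):
    """All entityIDs in the aggregate that qualify for the R&S bundle."""
    return sorted(ed.get("entityID") for ed in _entity_descriptors(metadata_xml)
                  if RS_CATEGORY in _categories_of(ed))


if __name__ == "__main__":
    for eid in ("https://portal.example.test/shibboleth",
                "https://plain-sp.example.test/shibboleth",
                "https://unknown.example.test/sp"):
        print(eid, "->", release_policy(SAMPLE_METADATA, eid))
    print("R&S SPs:", rs_entities(SAMPLE_METADATA))
```

The point of the check is that adding a new R&S SP to the federation requires no change on the IdP side: the decision is keyed on the category tag, and an entityID that is absent from the verified aggregate gets nothing.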

trscavo commented Mar 16, 2015

I don't see how to watch this issue or add my +1 but let me point to a document that shows how to configure a Shib IdP to release the R&S attribute bundle.

@ianpoynter

We're a Gluu customer and we'd like to support the R&S functionality with InCommon as well. Just adding my +1 here.

@mzico mzico assigned otataryn and unassigned yurem Mar 16, 2015
@willow9886

Do you see the 'notifications' button in the right hand column under 'Assignee'? Subscribe to watch this issue.

@albighorse

We are also a Gluu customer and want to support R&S functionality. Please consider this our +1.

dmorian commented Mar 18, 2015

We are a Gluu customer as well and may want to support R&S functionality someday; this is our +1.

@thomasmmc

As a Gluu customer and participant in R&S, this would be important to us when we move our main IdP functionality off of Shib and into our Gluu IdP.

tdmeier commented Mar 23, 2015

We are a Gluu customer and would like to see this added. +1

@nynymike (Contributor)

Ok, duly noted. We're going to try and get this into the 2.2 release. It's too late for 2.1, which is in testing right now, and will be released prior to 3/31.

@higginsta

As a Gluu customer I too am interested in this functionality. +1

@nynymike (Contributor)

We did put this into the 2.2 release schedule. ETA is end of April for this release.

@willow9886

Unfortunately this did not make it into our newest release. We are expediting this feature request immediately. Thanks everyone for your patience!

@willow9886

The R&S bundle is now supported in our latest Gluu Server 2.3 release. Please open a ticket on our support forum as needed.
