Institution-wide Shibboleth groups: consider switching from "Shib-Identity-Provider" to "scope" of eppn #2129
Comments
By using "Shib-Identity-Provider" we are tying ourselves to the Shibboleth implementation of SAML. SAML alternatives to Shibboleth have been enumerated most recently at https://docs.google.com/document/d/1DdLVuh8_e_2DINO1xCTj28h35cAwnD0QdevOnEuTo_I/edit?usp=sharing
If I understand correctly, this suggestion is an addition to #1515? I had another look at some old Shibboleth logs and it appears we do receive EPPN values, but I'm not sure that it is included in every request. Also, I haven't seen the values and don't know if the scope part of the EPPN ever changes, e.g. when "Universiteit X" decides to change their main Internet identity to "X University" and
@pdurbin can we close this one?
@djbrooke sure, I'll close it. I'm not sure if institution-wide Shibboleth groups will for DANS or not due to their unique setup described in #2548 but since that issue has been closed I suppose this issue can be closed as well. DANS is very interested in #1515 which should be a solution for them some day. As far as being tied to Shibboleth as a SAML implementation, it would be a radical change to switch to something else. At #3406 I suggested alternatives but I think we should stick with Shibboleth for now.
Institution-wide Shibboleth groups were implemented in #1401 and we got some feedback about our approach in https://help.hmdc.harvard.edu/Ticket/Display.html?id=194659
"I looked [your InCommon registration form] over, and it seems OK, aside from one thing -- in the question about use of attribute information, you say:
Are you sure you want to grant permissions based simply on whether they have, say, a [redacted university name] user account? In any case, I believe that it would be preferable to use something like the "scope" part of the ePPN (e.g. @[redacted].edu in our case) to identify the user's organization for this purpose, instead of relying on Shib-Identity-Provider."
I know @bencomp and others outside the US don't use eppn at all so I should at least check with him about this. Related is #1422
The eppn values we get from Harvard do end with "@harvard.edu". The "Shib-Identity-Provider" value is "https://fed.huit.harvard.edu/idp/shibboleth"
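As an added illustration of the scope-based approach this issue proposes (example code written for this discussion, not code from Dataverse or from the Shibboleth project), the snippet below derives an institution key from the attributes a Shibboleth SP exposes to the application. It prefers the scope of `eppn` (the part after "@"), which is defined by the SAML attribute profile rather than by the SP implementation, and falls back to `Shib-Identity-Provider` only when no usable eppn is released, which covers the non-US deployments mentioned above that do not use eppn at all. The Harvard values are the ones quoted in this issue; the `idp.example.org` entry and the attribute-dictionary shape are constructed for the example, and the `;` multi-value separator is the Shibboleth SP default.

```python
"""Derive an institution-group key from Shibboleth SP attributes.

Added illustration for the eppn-scope discussion; not Dataverse code.
Attribute names follow the SP defaults ("eppn", "Shib-Identity-Provider").
"""
from typing import Mapping, Optional

# Shibboleth SP joins multi-valued attributes into one header with ';'.
SHIB_MULTI_VALUE_SEP = ";"


def eppn_scope(eppn: Optional[str]) -> Optional[str]:
    """Return the scope (text after '@') of an eduPersonPrincipalName.

    Returns None when the attribute is absent, empty, or not of the form
    local@scope, so a caller never treats a malformed value as a real
    institution. The scope is a DNS-style domain and therefore
    case-insensitive; it is lower-cased to give a stable group key.
    """
    if not eppn:
        return None
    # Use the first value if the SP delivered several.
    first = eppn.split(SHIB_MULTI_VALUE_SEP, 1)[0].strip()
    if first.count("@") != 1:
        return None
    local, scope = first.split("@")
    if not local or not scope:
        return None
    return scope.lower()


def institution_key(attrs: Mapping[str, str]) -> Optional[str]:
    """Pick the key used to map a login to an institution-wide group.

    Prefers the eppn scope (implementation-neutral); falls back to the
    IdP entityID in Shib-Identity-Provider for IdPs that release no eppn.
    Returns None when neither attribute is usable, so the caller can deny
    group membership instead of guessing.
    """
    scope = eppn_scope(attrs.get("eppn"))
    if scope is not None:
        return "scope:" + scope
    idp = attrs.get("Shib-Identity-Provider", "").strip()
    if idp:
        return "idp:" + idp
    return None


# Constructed sample logins. The Harvard values are the ones quoted in the
# issue; the example.org IdP releases no eppn and is invented for the demo.
SAMPLE_LOGINS = {
    "harvard_user": {
        "eppn": "jsmith@harvard.edu",
        "Shib-Identity-Provider": "https://fed.huit.harvard.edu/idp/shibboleth",
    },
    "no_eppn_user": {
        "Shib-Identity-Provider": "https://idp.example.org/idp/shibboleth",
    },
    "malformed_eppn_user": {"eppn": "nobody"},
}


if __name__ == "__main__":
    for name, attrs in SAMPLE_LOGINS.items():
        print(f"{name}: {institution_key(attrs)}")
```

Keying groups on `scope:harvard.edu` rather than on the IdP URL means a federation member that changes its Shibboleth entityID (or moves to another SAML product) keeps the same group mapping, while the `idp:` fallback preserves today's behaviour for IdPs that release no eppn. The one caveat raised in the comments still applies: if an institution renames its scope, the mapping has to be updated either way.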