Any SCHAC attributes we should add to default mappings?


Any SCHAC attributes we should add to default mappings?

Cantor, Scott E.
I'm not that familiar with the schema, the only one that's in the default file now is schacHomeOrganization (commented out).

I'll add whatever, let me know.

-- Scott

--
To unsubscribe from this list send an email to [hidden email]

Re: Any SCHAC attributes we should add to default mappings?

Peter Schober
* Cantor, Scott <[hidden email]> [2018-06-08 17:11]:
> I'm not that familiar with the schema, the only one that's in the
> default file now is schacHomeOrganization (commented out).

We only added schacHomeOrganization in the past to enable the SP to
perform shibmd:Scope checking on its values. I.e., it's part of the
default attribute-policy.xml (with a new
AttributeValueMatchesShibMDScope rule), even though the map entry is
commented out by default.

(Scope checking wasn't even part of the original design, but it made
sense to do as established usage was consistent with published Scopes,
and some federations explicitly used this as drop-in substitute for
the scopes from ePSA or ePPN.)

Due to its similarly generic nature schacHomeOrganizationType would
probably have been next in line, but we failed to find external
standards or make up a taxonomy ourselves that would cover all org
types.  Cf. the effort to get the "academic" entity category off the
ground, and that was only a single, very coarse "type".
(Also the use-cases presented were not sufficiently pressing /
convincing to warrant spending more effort.)

SCHAC is such a mixed bag of things, there's no commonly used subset.

-peter
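As an added illustration of the scope check Peter describes above (this is not code from the thread or from the Shibboleth project), the following Python re-creates what the SP's AttributeValueMatchesShibMDScope rule does: a schacHomeOrganization value survives filtering only if the asserting IdP publishes a matching shibmd:Scope in its metadata. The metadata snippet, entityID and attribute values are constructed, and the case-insensitive comparison of literal scopes is an assumption about the SP's behaviour.

```python
"""Scope-check schacHomeOrganization values against an IdP's shibmd:Scope metadata."""
import re
import xml.etree.ElementTree as ET

SHIBMD_NS = "urn:mace:shibboleth:metadata:1.0"

# Constructed IdP metadata (not a real entity): one literal scope, one regexp scope.
IDP_METADATA = f"""
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:shibmd="{SHIBMD_NS}" entityID="https://idp.example.edu/idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      <shibmd:Scope regexp="true">^[a-z]+\\.example\\.edu$</shibmd:Scope>
    </Extensions>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def published_scopes(metadata_xml):
    """Return (is_regexp, pattern) pairs for every shibmd:Scope the IdP publishes."""
    root = ET.fromstring(metadata_xml)
    scopes = []
    for el in root.iter(f"{{{SHIBMD_NS}}}Scope"):
        is_regexp = el.get("regexp", "false").lower() == "true"
        scopes.append((is_regexp, (el.text or "").strip()))
    return scopes


def value_matches_scope(value, scopes):
    """True if the value matches any published scope.

    Regexp scopes are applied as regular expressions; literal scopes are compared
    case-insensitively (assumption: DNS-style names, as the SP treats scopes).
    """
    for is_regexp, pattern in scopes:
        if is_regexp:
            if re.search(pattern, value):
                return True
        elif value.lower() == pattern.lower():
            return True
    return False


def filter_home_org(values, metadata_xml):
    """Keep only the schacHomeOrganization values this IdP is entitled to assert."""
    scopes = published_scopes(metadata_xml)
    return [v for v in values if value_matches_scope(v, scopes)]
```

Values outside the IdP's published scopes (here "other.org") are dropped, which is exactly why the map entry is paired with the policy rule: without the rule an IdP could claim membership of any home organization.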

Re: Any SCHAC attributes we should add to default mappings?

Etienne Dysli-Metref
In reply to this post by Cantor, Scott E.
On 08/06/18 17:11, Cantor, Scott wrote:
> I'm not that familiar with the schema, the only one that's in the
> default file now is schacHomeOrganization (commented out).

We use schacHomeOrganization and schacHomeOrganizationType in SWITCHaai
for entities propagated to eduGAIN, so having these two would help.

  Etienne



Re: Any SCHAC attributes we should add to default mappings?

Davide Vaghetti
In reply to this post by Cantor, Scott E.


On 08/06/2018 17:11, Cantor, Scott wrote:
> I'm not that familiar with the schema, the only one that's in the default file now is schacHomeOrganization (commented out).
>
> I'll add whatever, let me know.

We use schacPersonalUniqueCode for conveying the Tax Identification
Number, which is useful in some use cases mainly related to the health
sector.

Some of our members also use schacPersonalUniqueID for internal use
cases, which given the nature of the attribute is not surprising.

Davide

>
> -- Scott
>

--
Davide Vaghetti
Consortium GARR
Tel: +390502213158
Mobile: +393357779542
Skype: daserzw



Re: Any SCHAC attributes we should add to default mappings?

Davide Vaghetti
Sorry, I've confused one attribute for the other:

- schacPersonalUniqueID is the one used for the Tax Identification Number.

- schacPersonalUniqueCode is the one used in internal use cases
(student/employee local organization code).

Davide

On 11/06/2018 09:38, Davide Vaghetti wrote:

>
>
> On 08/06/2018 17:11, Cantor, Scott wrote:
>> I'm not that familiar with the schema, the only one that's in the default file now is schacHomeOrganization (commented out).
>>
>> I'll add whatever, let me know.
>
> We use schacPersonalUniqueCode for conveying the Tax Identification
> Number, which is useful in some use cases mainly related to the health
> sector.
>
> Some of our members also use schacPersonalUniqueID for internal use
> cases, which given the nature of the attribute is not surprising.
>
> Davide
>
>>
>> -- Scott
>>
>
>
>
--
Davide Vaghetti
Consortium GARR
Tel: +390502213158
Mobile: +393357779542
Skype: daserzw



RE: Any SCHAC attributes we should add to default mappings?

Cantor, Scott E.
Thanks, I'll get commented rules added before final release, keep any requests coming.

-- Scott


Re: Any SCHAC attributes we should add to default mappings?

Peter Schober
* Cantor, Scott <[hidden email]> [2018-06-11 16:49]:
> Thanks, I'll get commented rules added before final release, keep any requests coming.

Note that the shib dev list may not be the best forum to gauge usage
of SCHAC attributes. And most attributes will be used by someone,
somewhere, for some obscure use-case or another.

schacHomeOrganizationType still suffers from all the issues I
documented years ago, AFAICT:

"For schacHomeOrganizationType one finds different values in the old
registry, the new registry, the PDF specification and the LDAP schema
file. This is very confusing and should be harmonized and kept
consistent. The easiest way to achieve this is to have a single version
(i.e., document) of the spec, also containing relevant bits from the
LDAP-schema." -- https://wiki.refeds.org/display/STAN/SCHAC+Plan

See the mess from only a few federations reporting their usage:
https://wiki.refeds.org/display/STAN/SchacHomeOrgType+usage
(Ignore everything with swissEduPersonHomeOrganizationType in it,
those are not SCHAC attributes and have nothing to do with the survey
or topic at hand.)

Earliest discussions I could find about this (e.g. "Vocabulary for
schacHomeOrganizationType") go back to 2006, so those issues have
been around for over a decade, with no signs of sudden improvements.

The most recent thread I could find is from 2014:
https://www.terena.org/mail-archives/schac/msg00543.html
which seems to suggest that
* schacHomeOrgType may not be suitable for authZ purposes since it was
  changed to be multi-valued,
* what's left of that use-case (in combination with ePA/ePSA) has
  been taken over by the "academic IDP" entity category, as said
  earlier. I.e., the "academic IDP" category has taken a subset of the
  larger schacHomeOrgType problem space and did something about
  it. (Which ironically also hasn't led anywhere, AFAICT.)

Unless the inconsistencies in the controlled vocabulary are removed I
think one can only recommend against using this attribute in
large-scale deployments, esp. internationally. Every thread about SCHAC
in the last 10 years seems to come to that conclusion, I have the
impression.

-peter

Re: Any SCHAC attributes we should add to default mappings?

Peter Schober
* Peter Schober <[hidden email]> [2018-06-11 18:14]:
> schacHomeOrganizationType still suffers from all the issues I
> documented years ago, AFAICT:

It's also virtually undeployed today: Out of the 1992 SAML SPs in
eduGAIN only 15 SPs request schacHomeOrganizationType:

* 1 is a proxy/gateway of some kind, and
* 8 are test or demo ("Attribute Viewer") SPs

in both cases requesting all known attributes in the universe.
(Which likely is also the reason the remaining 6 request it.)

-peter

Re: Any SCHAC attributes we should add to default mappings?

jehan.procaccia@tem-tsp.eu
In reply to this post by Cantor, Scott E.
Hello

In my institution (French telecom higher education schools), we use schacUserStatus and schacProjectMembership.
If it can help.

Regards.

Jehan PROCACCIA
Systems and network engineer
Member of the REVE steering committee:
Réseau d’Évry Val d'Essonne
+33160764436

9 rue Charles Fourier - 91011 Evry Cedex
[ https://www.imt-bs.eu/ | www.imt-bs.eu ] - [ https://www.imt-bs.eu/ | www.telecom-sudparis.eu ]

----- Original message -----
From: "Peter Schober" <[hidden email]>
To: [hidden email]
Sent: Monday 11 June 2018 18:13:48
Subject: Re: Any SCHAC attributes we should add to default mappings?

Re: Any SCHAC attributes we should add to default mappings?

Davide Vaghetti
In reply to this post by Cantor, Scott E.

On 11/06/2018 16:48, Cantor, Scott wrote:
> Thanks, I'll get commented rules added before final release, keep any requests coming.

Thank you for the useful addition.

Davide

>
> -- Scott
>

--
Davide Vaghetti
Consortium GARR
Tel: +390502213158
Mobile: +393357779542
Skype: daserzw

PGP KEY
https://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0x7A1B3BA18C4E0A4D