This is to capture issues and requirements around the naming of entities across federations.
- Federations accepting certifications from 3rd parties
  - If a Federation publishes a LoA claim in its meta-data based on one or more 3rd-party assurances, e.g. Kantara LoA 2 IAF + OSIS ICAM LoA 2 Infocard profile, how are the various parties assured that they are referring to the same Entity, so that the meta-data can be produced in an automated way?
- Entities belonging to multiple federations publishing meta-data
  - An entity may need to choose a different entityID for each federation it belongs to if RPs/SPs are importing meta-data from multiple sources, e.g. OIX, InCommon, and Kantara. This creates an issue for the RP/SP: a user coming from the same IdP will appear to be a different user depending on which trust framework LoA the RP/SP was requiring. This happens when different Federations are certifying different trust frameworks and a given IdP belongs to multiple federations to get certified.
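The two issues above (and the "reconcile meta-data from multiple sources" question raised in the comments below) can be made concrete with a small aggregator. The following is an added example written for this page, not code from any federation, Shibboleth, or the GEANT work mentioned later. It assumes two constructed metadata feeds, SOURCE_A and SOURCE_B, standing in for two federations' aggregates; every entityID, certificate blob and LoA URI in them is made up. The attribute name in ASSURANCE_ATTR is the one the SAML V2.0 Identity Assurance Profile defines for carrying certification URIs in metadata. The aggregator merges descriptors by entityID, records per LoA URI which feed asserts it (so an RP decides whose assertion it relies on), and flags the failure mode from the second bullet: one signing key published under two different entityIDs.

```python
"""Merge SAML metadata aggregates from several federations, keyed on entityID.

Added example, not from the page. SOURCE_A and SOURCE_B are constructed
aggregates standing in for feeds from two federations; every entityID,
certificate blob and LoA URI in them is made up. ASSURANCE_ATTR is the
attribute name defined by the SAML V2.0 Identity Assurance Profile.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"


def _idp(entity_id, cert, loa_uris):
    """Build one constructed IdP EntityDescriptor carrying LoA URIs and a signing cert."""
    values = "".join("<saml:AttributeValue>%s</saml:AttributeValue>" % u for u in loa_uris)
    return (
        '<md:EntityDescriptor entityID="%s"><md:Extensions><mdattr:EntityAttributes>'
        '<saml:Attribute Name="%s">%s</saml:Attribute>'
        "</mdattr:EntityAttributes></md:Extensions>"
        '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        "</md:IDPSSODescriptor></md:EntityDescriptor>" % (entity_id, ASSURANCE_ATTR, values, cert)
    )


def _aggregate(*entities):
    """Wrap constructed EntityDescriptors in an EntitiesDescriptor with the namespaces declared."""
    return (
        '<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdattr="%s" xmlns:saml="%s" xmlns:ds="%s">%s'
        "</md:EntitiesDescriptor>" % (NS["md"], NS["mdattr"], NS["saml"], NS["ds"], "".join(entities))
    )


# Constructed sample feeds. CERT_1 / CERT_2 are placeholder blobs, not real certificates.
CERT_1 = "MIIB-placeholder-cert-for-idp-example-edu"
CERT_2 = "MIIB-placeholder-cert-for-idp-example-org"
SOURCE_A = _aggregate(
    _idp("https://idp.example.edu/idp", CERT_1, ["https://federation-a.example/loa/2"]),
    _idp("https://idp.example.org/idp", CERT_2, ["https://federation-a.example/loa/1"]),
)
SOURCE_B = _aggregate(
    # Same entityID and key as in SOURCE_A: the aggregator can merge these cleanly.
    _idp("https://idp.example.edu/idp", CERT_1, ["https://federation-b.example/loa/2"]),
    # Same operator and key as idp.example.org, but renamed for this federation:
    # an RP will see this IdP's users as a different population (the page's issue).
    _idp("https://idp-b.example.org/idp", CERT_2, ["https://federation-b.example/loa/2"]),
)


def _fingerprint(cert_text):
    """Stable identifier for a certificate blob: SHA-256 over whitespace-stripped content."""
    return hashlib.sha256("".join(cert_text.split()).encode()).hexdigest()[:16]


def merge(sources):
    """Merge {source_name: aggregate_xml} into {entityID: record}.

    Each record lists the sources publishing the entity, the fingerprints of
    its signing certificates, and, per assurance URI, which sources assert it.
    """
    merged = {}
    for name, xml in sources.items():
        root = ET.fromstring(xml)
        for ed in root.findall("md:EntityDescriptor", NS):
            rec = merged.setdefault(ed.get("entityID"), {
                "sources": set(), "certs": set(), "assurance": defaultdict(set)})
            rec["sources"].add(name)
            for cert in ed.findall(".//ds:X509Certificate", NS):
                rec["certs"].add(_fingerprint(cert.text or ""))
            for attr in ed.findall(".//saml:Attribute", NS):
                if attr.get("Name") != ASSURANCE_ATTR:
                    continue
                for v in attr.findall("saml:AttributeValue", NS):
                    rec["assurance"][(v.text or "").strip()].add(name)
    return merged


def satisfies(merged, entity_id, required_uris, trusted_sources):
    """True if a source the RP trusts asserts one of the required LoA URIs for entity_id."""
    rec = merged.get(entity_id)
    if rec is None:
        return False
    return any(rec["assurance"].get(uri, set()) & set(trusted_sources) for uri in required_uris)


def find_renamed_entities(merged):
    """Signing certificates that appear under more than one entityID.

    Heuristic assumed by this example: one key under several names usually
    means one operator registered under a different name per federation.
    """
    by_cert = defaultdict(set)
    for entity_id, rec in merged.items():
        for fp in rec["certs"]:
            by_cert[fp].add(entity_id)
    return {fp: sorted(ids) for fp, ids in by_cert.items() if len(ids) > 1}


if __name__ == "__main__":
    m = merge({"federation-a": SOURCE_A, "federation-b": SOURCE_B})
    for eid, rec in sorted(m.items()):
        print(eid, sorted(rec["sources"]), {k: sorted(v) for k, v in rec["assurance"].items()})
    print("possibly renamed:", find_renamed_entities(m))
```

The point of keeping the asserting source next to each LoA URI is that an RP requiring, say, federation B's LoA 2 only accepts it when federation B's feed (whose signature it verified) is the one asserting it; the same URI appearing in a feed the RP does not trust is ignored. The renamed-entity report is only a hint for the aggregator operator: it cannot repair the naming, but it shows where the second issue above will bite.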
3 Comments
Scott Cantor
FWIW, the Shibboleth guidance on this is at https://spaces.internet2.edu/display/SHIB2/EntityNaming
I'm a strong advocate of NOT varying names based on relationships. That leads to problems and has no advantages other than serving poorly thought out application assumptions.
John Bradley
I agree. We do, however, need to deal with how to reconcile meta-data from multiple sources.
One solution is Entities not being listed multiple places. That will require more thought about how certifications are indicated in meta-data.
Signing something and putting it in meta-data to prove a certification is relatively easy however revocation is the hard part.
Perhaps the signed object points to a revocation list or some other way of checking validity.
The simple URL for LoA works well if you trust the signer of the meta-data to validate it; however, different federations will be able to make different Trust framework assertions, leading to people belonging to multiple federations.
I am trying to inspire you to solve the problem
Leif Johansson
Having new names for each source scares me. There is some work in the GEANT3 (gn3-jra3-t2 for those who care) project to define a minimal common semantic for a metadata aggregator. I think I've successfully lobbied those guys to bring that work-item out of the GEANT closet and present it somewhere (here or the SSTC I suppose would be the obvious choices). The write-up is being done by Andreas Åkre Solberg (of simpleSAMLphp). Part of that spec is what to do (as an aggregator) when getting the same entity from multiple sources.