eduPersonEntitlements and regex #189

Open
trsau opened this issue Jan 23, 2017 · 0 comments
Labels
enhancement New feature or request

trsau commented Jan 23, 2017

From tickets #3066 and #3073 (now closed).

How do we have an IdP release an eduPersonEntitlement to an SP based on a regex?

Detail of the ticket...

30 Jan, 2015
Hi Tim,

Sorry it has taken a while to get back to you on this issue. We have discussed the problem of restricting the release of eduPersonEntitlements in a way that is scalable and have identified an option that may prove useful, in that you won't need to maintain a local attribute-filter.xml for Talis.

We are planning on providing an option for SPs such as Talis to request eduPersonEntitlement values based on a regex string. This will allow any string that begins with "http://{tenancyUrl}/constraint" to be sent to Talis, and every other value to be blocked. The resulting attribute-filter rule will look something like...

  <afp:AttributeRule attributeID="eduPersonEntitlement">
      <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" regex="^http://{tenancyUrl}/constraint.*$" />
  </afp:AttributeRule>

So for each organisation that uses Talis a specific entitlement regex would be added to the Federation Registry.

An FR enhancement request has been made but I am unable to tell you when it will be implemented. For now I will put this ticket on hold and advise you when the change has occurred.
Thanks,
Terry.

29 Jan, 2015

Hi Tim,

I have spoken to the folk at Deakin University who are using Talis Aspire. For the moment they are adding a local attribute-filter to allow the release of the eduPersonEntitlement to Talis.

The AAF will be discussing this issue internally next week to see if there is a solution that meets your requirements and ensures that services only receive the appropriate entitlement values from IdPs.

I will put this ticket on-hold and update you when we have more information.
Thanks,
Terry.

27 Jan, 2015
Thanks Terry,

We'll get that tested.

Cheers,

Tim

27 Jan, 2015
Hi Tim,

Sorry for the delay, there was a public holiday in Australia on Monday.

I have granted you administrative access to the Talis Aspire service in the Federation Registry. I have also added the eduPersonEntitlement to the list of attributes requested by your SP but have not assigned it any values. As the Federation Registry currently works you must specify the exact values that your SP will possibly receive. This obviously does not work for your SP. I will discuss options for the Federation Registry but think the only solution is to have IdPs add a local attribute-filter rule for the Talis Aspire SP.
Thanks.
Terry.

23 Jan, 2015

Hi Terry,

Thanks for that - I've now completed the user registration.

On the eduPersonEntitlement - each customer will be expected to send different values according to the user's role and what that role should be scoped to in our system. We have no way of being able to guess in advance what the full list of possible values will be, as this is dictated by the modules/units/courses that an organisation is offering. You can see more on this here: http://knowledge.talis.com/articles/a-devolved-constraints-mini-guide/

Customers who use this functionality through other federations are able to selectively release attributes to us based on our entityID in their IDP's configuration. So we would only ever see values deliberately released to us.

Thanks

Tim

23 Jan, 2015
Hi Tim,

I have created an account for you in the AAF Virtual Home. You will receive an email detailing how to finalize the account creation. Once you have finalized the account creation you can log in to FR. Let me know when you have completed this step and I will assign you admin access to the Talis Aspire service.

In the AAF the release of the eduPersonEntitlement attribute also requires all expected values to be registered. Are you able to supply the list of values that your SP is expecting? This has been done so your SP will only receive values from the list of expected values and not all entitlements that have been issued to a user by an organisation.
Thanks,
Terry.

22 Jan, 2015
Thanks Terry,

If you could make myself the admin in place of Chris Clarke, that would be great. Chris Clarke is our CTO but doesn't have so much involvement with the authentication side of things these days.

I wasn't sure where I needed to create an account in order to be able to login though.

The attribute we need to add is the friendlyName="eduPersonEntitlement" attribute. Our metadata for this is here: http://login.talisaspire.com/entity - it should be an optional attribute.

Thanks

Tim

22 Jan, 2015
Hi Tim,

There are several options. First, I see that Chris Clarke is currently assigned the role of administrator for this service. He can log in to the AAF Federation Registry and make the change. If he is no longer the administrator, then we can change the administrator. To do this, have the new administrator log in to FR, then let us know who the person is (can be done using this ticket if you wish) and we can make them the administrator. This person can then make the change. The second option is to let us know which additional attribute your service requires and we can make the change on your behalf. If you require the eduPersonEntitlement attribute then you need to also provide all possible values that your service provider requires.
Thanks,
Terry.

Hello,
Talis Education Ltd have a service provider registered in the AAF. This was set up quite some time ago and we have noticed that our attribute request section is incomplete, as it is not requesting an optional attribute that some of our customers need to send us.

I wasn't personally involved in this initial setup, so am not sure how I should go about updating our service provider configuration.

What do you need from me in order to make this change? Our SP is http://login.talisaspire.com/entity

Many thanks,
Tim

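As an added example, not code from the ticket, the AAF or Talis, the Python below emulates what a Shibboleth `basic:AttributeValueRegex` permit rule does to a user's eduPersonEntitlement values and generates the per-organisation rule text. The tenancy hostname, the entitlement values and the function names are constructed for illustration. Beyond the rule quoted above, it escapes the tenancy URL before embedding it in the regex, since an unescaped `.` in the hostname is a wildcard and would also permit values from a host that differs in that character.

```python
import re
from xml.sax.saxutils import quoteattr

# Hypothetical tenancy hostname; not taken from the ticket.
TENANCY_URL = "example.talisaspire.com"

# Constructed entitlement values as an IdP might hold them for one user.
# Only the first two belong to this tenancy; the last one differs from it
# by a single character where the hostname has a dot.
SAMPLE_ENTITLEMENTS = [
    "http://example.talisaspire.com/constraint/module/ABC101",
    "http://example.talisaspire.com/constraint/role/academic",
    "urn:mace:dir:entitlement:common-lib-terms",
    "http://other-service.example.org/admin",
    "http://exampleXtalisaspire.com/constraint/module/ABC101",
]


def build_permit_regex(tenancy_url: str) -> str:
    """Anchored regex for the PermitValueRule, with the tenancy URL escaped
    so that '.' in the hostname matches only a literal dot."""
    return rf"^http://{re.escape(tenancy_url)}/constraint.*$"


def filter_entitlements(values, regex):
    """Emulate an AttributeValueRegex permit rule: release only the values
    that match the regex, in their original order."""
    pattern = re.compile(regex)
    return [v for v in values if pattern.match(v)]


def render_attribute_rule(tenancy_url: str) -> str:
    """Render the attribute-filter rule for one organisation. quoteattr()
    produces a properly quoted XML attribute value."""
    regex = build_permit_regex(tenancy_url)
    return (
        '<afp:AttributeRule attributeID="eduPersonEntitlement">\n'
        '    <afp:PermitValueRule xsi:type="basic:AttributeValueRegex" '
        f'regex={quoteattr(regex)} />\n'
        '</afp:AttributeRule>'
    )


if __name__ == "__main__":
    safe = build_permit_regex(TENANCY_URL)
    naive = f"^http://{TENANCY_URL}/constraint.*$"  # dots left unescaped
    print("escaped regex releases:", filter_entitlements(SAMPLE_ENTITLEMENTS, safe))
    print("unescaped regex releases:", filter_entitlements(SAMPLE_ENTITLEMENTS, naive))
    print(render_attribute_rule(TENANCY_URL))
```

Run it and compare the two lists: the unescaped form, as written in the ticket, also releases the `exampleXtalisaspire.com` value. Shibboleth's rule uses Java regex syntax, which agrees with Python's `re` for this pattern; the trailing `.*$` still permits any suffix after `/constraint`, which is what the ticket asks for.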
@trsau trsau added the enhancement New feature or request label Jan 23, 2017