entity descriptors from multiple registrars

Tom Scavo trscavo at gmail.com
Thu Sep 18 11:47:39 EDT 2014

On Thu, Sep 18, 2014 at 9:59 AM, Andy Bennett <andyjpb at knodium.com> wrote:
>> I definitely have use cases: two NSF-funded R&S SPs where the NSF
>> dollars are intended to be used for US research, exclusively. My need
>> is real and immediate. Without a solution, extending our local
>> implementation of R&S to the international research community is
>> essentially blocked.
> Having thought about this over lunch, I'm guessing that your assumption
> is, given you have to be a US academic institution to register an IDP in
> InCommon, that an InCommon IDP authentication authorizes the principal
> as someone who is a US academic researcher?

Yes, basically.

> Given that those SPs don't want to serve principals from other
> federations, why can't you use the InCommon metadata only in the SP
> configuration?

Assumptions about the entities comprising a given metadata aggregate
are breaking down as we speak. Interfederation, in particular eduGAIN,
is challenging any preconceived ideas we have about the nature of the
aggregate. To make matters worse, there is a pilot project spinning up
(also as we speak) that focuses on per-entity metadata, so clearly any
significance we attach to the aggregate itself may not hold in the

> Would it be possible to accept a *.edu scope in an affiliation attribute
> to identify US registered academic principals?

Maybe. An entity attribute would be better, but like Scott says, we
need to better understand the use case.

> How strict do you need to be? Would it suffice to have a self
> certification during first login?

Right, that's a good question. The short answer is I don't know. I'll
keep plugging away at this use case and see what gives.
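The thread above weighs two ways an SP could decide that a principal is a US academic researcher: trusting the aggregate the IdP's entity descriptor came from, or checking the scope of an affiliation attribute. The example below is added here and is not code from the thread or from InCommon; it shows why neither check is safe on its own once entity descriptors from multiple registrars land in one aggregate, and what a defensible version looks like. It reads the per-entity `mdrpi:RegistrationInfo` extension (the real SAML metadata RPI namespace) to learn which registrar published each descriptor, and validates an `eduPersonScopedAffiliation` value against the `shibmd:Scope` elements the IdP is allowed to assert. The entity IDs, registrar URIs and scopes are constructed sample data; the `authorize` policy (trusted registrar plus declared scope plus an optional scope suffix) is an assumption for illustration.

```python
"""Registrar-aware authorization over a multi-registrar SAML metadata aggregate.

Added example, not code from the mailing-list thread or from any federation.
Namespace URIs are the real SAML metadata, MDRPI and Shibboleth metadata
namespaces; all entity IDs, registrar URIs, scopes and attribute values are
constructed sample data.
"""

import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed aggregate: two IdPs published by two different registrars.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdrpi="{NS['mdrpi']}" xmlns:shibmd="{NS['shibmd']}">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example/"/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.edu</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar-b.example/"/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.ac.uk</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _entity(root, entity_id):
    """Locate one EntityDescriptor by entityID, wherever it sits in the aggregate."""
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            return ed
    return None


def registrar_of(metadata_xml, entity_id):
    """Return the registrationAuthority of the entity, or None if it has none.

    RegistrationInfo belongs in the EntityDescriptor's own Extensions, so a
    direct child path is used rather than a recursive search."""
    ed = _entity(ET.fromstring(metadata_xml), entity_id)
    if ed is None:
        return None
    ri = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return ri.get("registrationAuthority") if ri is not None else None


def declared_scopes(metadata_xml, entity_id):
    """Return the literal (non-regexp) scopes the IdP role is permitted to assert."""
    ed = _entity(ET.fromstring(metadata_xml), entity_id)
    if ed is None:
        return set()
    scopes = set()
    for s in ed.findall("md:IDPSSODescriptor/md:Extensions/shibmd:Scope", NS):
        # regexp="true" scopes need a regex match; this example accepts literals only
        if s.get("regexp", "false").lower() != "true" and s.text:
            scopes.add(s.text.strip().lower())
    return scopes


def affiliation_scope(value):
    """'member@example.edu' -> 'example.edu'; None if the value is not scoped."""
    if value.count("@") != 1:
        return None
    local, scope = value.split("@")
    return scope.lower() if local and scope else None


def authorize(metadata_xml, entity_id, affiliation, trusted_registrars, scope_suffix=None):
    """Assumed policy: (decision, reason). The IdP's descriptor must come from a
    trusted registrar, the affiliation must be scoped, the scope must be one the
    IdP declares in its own metadata, and optionally it must end in scope_suffix."""
    registrar = registrar_of(metadata_xml, entity_id)
    if registrar not in trusted_registrars:
        return False, f"registrar {registrar!r} is not trusted"
    scope = affiliation_scope(affiliation)
    if scope is None:
        return False, "affiliation value is not scoped"
    if scope not in declared_scopes(metadata_xml, entity_id):
        # An IdP asserting a scope it does not own is the case a bare "*.edu" check misses.
        return False, f"IdP is not permitted to assert scope {scope!r}"
    if scope_suffix and not scope.endswith(scope_suffix):
        return False, f"scope {scope!r} lacks required suffix {scope_suffix!r}"
    return True, "ok"


if __name__ == "__main__":
    trusted = {"https://registrar-a.example/"}
    print(authorize(SAMPLE_METADATA, "https://idp.example.edu/idp", "member@example.edu", trusted, ".edu"))
    print(authorize(SAMPLE_METADATA, "https://idp.example.ac.uk/idp", "member@example.edu", trusted | {"https://registrar-b.example/"}, ".edu"))
```

The registrar check survives the move to eduGAIN or per-entity metadata because it reads a property of the descriptor itself rather than of the file it arrived in; the scope check matters because, in a mixed aggregate, a `*.edu` suffix test alone would accept any IdP that asserts an `.edu` scope it does not own. In a real deployment the descriptor's signature or the aggregate's signature must be verified before any of these attributes are trusted; that step is outside this example.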



More information about the users mailing list