DMPRoadmap / roadmap

DCC/UC3 collaboration for a data management planning tool
MIT License

WAYF - Shibboleth for DMPOnline population needs adjustment #275

Closed marisastrong closed 7 years ago

marisastrong commented 7 years ago

This issue is specific to the DMPOnline Roadmap service, not DMPTool.

On the test server, https://dmponline-test.dcc.ac.uk/, when selecting your institution for sign-in, the list that is displayed needs to be curated to only have UK Federation institutions. US institutions are appearing in this list, but they are not configured as IdPs for the dmpOnline SP.

https://wayf.ukfederation.org.uk/DS-20160527/uk.ds?entityID=https%3A%2F%2Fdmponline-test.dcc.ac.uk%2Fshibboleth&return=https%3A%2F%2Fdmponline-test.dcc.ac.uk%2FShibboleth.sso%2FLogin%3FSAMLDS%3D1%26target%3Dss%253Amem%253A2571d8dd37fdc402c635f29ec30876d8dfddceb9db52ab89b73e17f4c230963b

vyruss commented 7 years ago

Hi @alexstuart, do you have any ideas on why the UK Fed displays non-UK institutions on its WAYF page and how we can possibly filter this list (especially since it's on the UK Fed and not our site)?

alexstuart commented 7 years ago

The UK federation CDS (Central Discovery Service) displays all IdPs that are contained in the UK federation aggregate. The list therefore includes IdPs registered by the UK federation and those imported via eduGAIN. There's a little more information at https://www.ukfederation.org.uk/content/Documents/EduGAINParticipation#discovery. As I understand it, the aim is to have a comprehensive list, and there are no plans to deploy a UK federation CDS with only those IdPs registered by the UK federation.

There are advantages to offloading discovery to the UK federation's CDS: you don't have to manage a list of IdPs; you don't have to deploy your own discovery service; you can use the UK federation's MDQ (Metadata Query) service to reduce SP start-up time and required memory.

So, I have to ask: why must DMPOnline Roadmap only show the UK federation-registered organizations in its discovery service? Just because there are IdPs listed doesn't mean that access will be granted. Even if the CDS lists all IdPs in all federations, you can manage access at the SP, using something like the RegistrationAuthority EntityMatcher and a decent error handling page.

Alternatively, if DMPOnline Roadmap must only provide an obvious login link for specified IdPs (whether the criterion is that the organization has an IdP registered by the UK federation, or whether there's a curated list of acceptable IdPs) then you will have to deploy your own discovery service on the SP:
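The approach suggested above, keying access on the registrar recorded in each IdP's metadata rather than on which discovery service listed it, as an added example that is not part of this thread or the Roadmap code base. It reads a constructed miniature SAML metadata aggregate, keeps only IdPs whose `mdrpi:RegistrationInfo/@registrationAuthority` is in an allowed set (the UK federation value is `http://ukfederation.org.uk`; the eduGAIN registrar value below is made up), and shows the decision an SP error page would be driven by.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}

# Constructed aggregate: a UK-federation-registered IdP, an IdP imported via
# eduGAIN (registrar URI is invented for this example), an IdP with no
# RegistrationInfo at all, and an SP that must never appear in a login list.
AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="urn:example:other-federation"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.unregistered.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.ac.uk/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def registration_authority(entity):
    """Registrar URI from mdrpi:RegistrationInfo, or None when absent."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None


def allowed_idps(aggregate_xml, registrars):
    """entityIDs of IdPs (not SPs) registered by one of the allowed registrars."""
    root = ET.fromstring(aggregate_xml)
    allowed = []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # SP entities are never login targets
        if registration_authority(entity) in registrars:
            allowed.append(entity.get("entityID"))
    return allowed


def login_decision(idp_entity_id, aggregate_xml, registrars):
    """What the SP should do when the CDS returns this IdP: proceed or show the error page."""
    if idp_entity_id in allowed_idps(aggregate_xml, registrars):
        return "proceed"
    return "error-page"


if __name__ == "__main__":
    uk_only = {"http://ukfederation.org.uk"}
    print(allowed_idps(AGGREGATE, uk_only))
    print(login_decision("https://idp.example.edu/idp/shibboleth", AGGREGATE, uk_only))
```

An IdP with no RegistrationInfo is treated as not allowed, which is the safe default when the allow-list is registrar-based.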

marisastrong commented 7 years ago

Hi @alexstuart - thanks for this explanation. It looks like, for IdPs that shouldn't have access, DMPOnline should be handling them with an error/notification page if they continue to use the UK federation CDS.