The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other supports, new updates will be ignored and lost.
If needed you can get in touch with EGI SDIS team using operations @ egi.eu.
GOCDB/notifications
| Main | EGI.eu operations services | Support | Documentation | Tools | Activities | Performance | Technology | Catch-all Services | Resource Allocation | Security |
| Tools menu: | • Main page | • Instructions for developers | • AAI Proxy | • Accounting Portal | • Accounting Repository | • AppDB | • ARGO | • GGUS | • GOCDB |
| • Message brokers | • Licenses | • OTAGs | • Operations Portal | • Perun | • EGI Collaboration tools | • LToS | • EGI Workload Manager |
Use of eppn in EGI
Hi Ops/all,
Apologies for the lengthy text:
With the plans to include federated identity, sevices like GocDB will need to use an attribute supplied by an IdP to identify a user, usually either ‘eduPersonPrincipleName’ (eppn) or ‘eduPersonTargetedID’ (eptid). These attributes will be used instead of an x509 DN and will require changes to the output of the PI, changing CERTDN element to PRINCIPAL element in queries like get_user and get_site_contacts - GocDB needs to republish these attributes in its PI for use by the rest of the infrastructure (e.g. queried by Ops portal, used in accounting and so on).
Now, according to the rules of the UK Access Fed (similar rules apply in other feds), “The Service Provider must not disclose to third parties any Attribtues other than to any data processor of the service provider or where the relevent end user has give its prior informed consent to such disclosure. see [note2]” . (Where [note2] states: “The basic Rule is that attributes may only be used by the service requested by the user and only for the specified purposes. Service Providers that wish to use attributes in other ways (for example to provide direct user support) can arrange this either by obtaining positive informed consent from each individual End User, or by contract with Identity Providers who are then responsible for informing their End User.”)
Therefore, to use Attributes like the eppn in EGI we need to obtain ‘positive informed consent’ from the user that we can publish and make visible their data/eppn to EGI servcies and IGTF (we must expliclty include IGTF because any person/host with a valid IGTF cert can query the GocDB API for this info).
- Q. Any experts out there know if the sample notification/approval-dialog shown in the screen grab below provides adequate positive consent?
- Q. Assuming user clicks OK, do you know if there are any issues for EGI in re-publishing an eppn in the PI? (it then becomes readable to any other service/user who has a valid IGTF cert)
Follow on thought: Instead of using an eppn, GocDB could use the ‘eduPersonTargetedID’ (eptid) and re-publish that in the PI – the eptid is less of a security issue because its anonymous/opaque. However, since the eptid will be different for the same user across different SAML Service Providers, this provides little use when there is requirement to idenfity a particualr accountID across different SPs and organisations (this is the EGI requirement). However, if EGI had a single centralised/proxy IdP, it could be used to re-issue the same eptid consitently to all the underlying EGI servcies/systems. I think this would be far prefereable compared to services individually registering with federations and recieving different eptids per service.
- Q. Is this the longer term plan?
I’d be grateful for any thoughts/guidance on these matters.
Cheers,
David
