How to do flattening ? #37
Comments
|
We could define a bunch a "policies" for flattening, being the default "is_subset". Finally, we define an additional claim called "policy" being a JSON object, each key is a claim name, and the value is the policy name to apply: This would allow for further policies to be defined. Just an idea though :) |
|
I thought of two more: |
|
Another one would be |
|
IMO policy should be "is_superset", so lower MS could add policy to undefined claims, but cannot modify those already having a policy. |
|
Alternatively, if this was desired to allow more complexity, a policy could be a JSON object itself, having a name and a set of parameters, but IMO that would be too much complexity. |
|
Here is another set of policies: |
|
These are meant to allow a superior to require specific types of values being supplied, but not what those values have to be. This would support, for example, InCommon's Baseline Expectations program: https://spaces.at.internet2.edu/display/BE/Implementing+Baseline+Expectations+in+InCommon+Metadata |
|
Looks like we're about to define a domain specific language. |
Yeah :(. I would not think of it to be that complex, though.
In some previous comment I mentioned that "policies" should implicitly be of type "is_superset", so lower MS could add policies, but could not delete or modify existing ones. But all of this could be defined on a different document. It could even be defined just for a particular federation. Or a federation could just define on their SLA agreements how claims should be flattened (I think we already discussed this in Copenhagen, didn't we?). In any case, those were my 2 cents :) |
|
I don't believe in federations defining their own flattening functions. That would lead to an interoperability nightmare. |
|
@nckroy You must remember that a leaf entity in the general case may not know which federations it belongs to (and it shouldn't have to). |
|
Ok, thought a bit more along the claims request path and came up with these examples: OP metadata policy: RP metadata policy: The pattern should be obvious. The key words are:
Just an idea :-) |
|
Did a Proof-of-concept implementation and this is what I get: The Federation Operators policy: The organisations policy: The metadata statement from the RP: And the result after applying the policies: |
|
LGTM |
|
That's all the confirmation I needed :-) |
|
Looks great to me as well! Other considerations:
|
|
Davide, are you thinking certain elements like at least a technical contact should always be a MUST? What other elements would be MUSTs? Probably worth aligning with the new version of saml2int(?) https://kantarainitiative.github.io/SAMLprofiles/saml2int.html
…
On Jan 15, 2019 at 5:05 AM, <Davide Vaghetti ***@***.***)> wrote:
Looks great to me as well!
Other considerations:
it would be great to have a standard set of policies that MUST be implemented.
extensions to the standard set are possible through other specs or profiles.
a regex policy would probably be a useful addition to the standard set --- it should be applied to strings and list of strings.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub (#37 (comment)), or mute the thread (https://github.com/notifications/unsubscribe-auth/ADXL4JwKSQLaPqRyPvRF5TgfIC_VfnTiks5vDcQjgaJpZM4Z7GM3).
|
|
Roland, would it be possible for the Federation Operators policy to include a requirement to supply at least one contact that is an email address? Eventually, would it be possible for the Federation Operators policy to require at least one contact that is an email address, and a specific type, for example "Technical Contact"? |
|
You could do it with the regex policy Davide proposed, couldn't you?
El 15 ene. 2019 19:42, Nick Roy <[email protected]> escribió:
Roland, would it be possible for the Federation Operators policy to include a requirement to supply at least one contact that is an email address? Eventually, would it be possible for the Federation Operators policy to require at least one contact that is an email address, and a specific type, for example "Technical Contact"?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#37 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AB_G6K_gCvm8k4LY2gI7lkRonpQL_CHtks5vDiD1gaJpZM4Z7GM3>.
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
|
|
By using In https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#IndividualClaimsRequests there is the The only thing you can do is run a checking service that runs around and validates the metadata for all the RPs/OPs in the federation. |
|
The running around checking values thing is not going to scale. Can we include the essential part in the policies? Re:regular expressions, that has proven to be problematic for things like shibmd:Scope in the SAML world due to the proliferation of different regex implementations in different languages/frameworks.
…
On Jan 15, 2019 at 12:55 PM, <Roland Hedberg ***@***.***)> wrote:
By using regex as @daserzw (https://github.com/daserzw) proposes you can probably check that a contact is in fact an email address. But there is no way to demand that there is a value at all. At least not for the time being.
In https://openid.bitbucket.io/connect/openid-connect-core-1_0.html#IndividualClaimsRequests there is the verb essential but it's always up to the supplier of the information (in the case of claims requests the OP) to do as they pleases.There is no way to directly enforce anything.
The only thing you can do is run a checking service that runs around and validates the metadata for all the RPs/OPs in the federation.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub (#37 (comment)), or mute the thread (https://github.com/notifications/unsubscribe-auth/ADXL4Eu9pb_H-g_h9DWUM3MlCGp7N2Ynks5vDjJBgaJpZM4Z7GM3).
|
You can define the regex to be of a certain standard; see POSIX BRE, POSIX ERE, PCRE, etc. Pick one to dictate the valid expression -- ie, don't depend on an implementation or programming language..
why not numbers, too?
why a list of strings and not a list of list of strings? I guess, what we care about are the items of those lists, no matter how nested they are. Even though, I have no use case, should this be limited by the standard? What happens when the regex (or any rule for that matter) is applied to an incompatible value-type?
an empty value will not match the regex rule; but, I think what you're saying is that the rule will not be checked, if no such claim is in the response.
is
This allows you to implement this check (using Python's rulesets = [{"code"}, {"code", "id_token"}]
value = set("id_token code".split())
any(value.issubset(rs) for rs in rulesets)appropriate datatypes are there for other langs. |
|
@nckroy We can include This together with Andreas leading point: A leaf entry MUST, disregarding if it's an RP or an OP, have an identity that is independent on who it's going to talking to and which federations it belongs to. Will result in a leaf entity publishing: This is what I can do ! What it doesn't mean is that the metadata used in one context (an RP talking to an OP within the confines of one federation) is absolutely the same as in another context. But what it has meant so far is that an entity's basic view of itself is the same in all contexts. Whether an entity's metadata lives up to the expectations of a certain federation can be check by anyone that can collect the trust chain starting with the leaf entity and ending in the trust anchor of the federation. Such a check will definitely happen at run time when 2 parties are gathering metadata about each other. I guess the best one can do is have the members in the federation be responsible for the entities they own. |
I totally agree.
Maybe I'm missing your point, but usually regex does not know about arithmetic and/or quantity, right? So basically numbers will be treated as characters in a string.
Probably not, but consider that the less specific we are, the less clean and interoperable implementations will come out. So, for example you can have also a
IMO this is a very good question. I think there are two main strategies to deal with that:
|
Why not :-)
There is a fine line between having a solution that covers the 'known' universe of data types and one that covers everything we can think up. I've by design not considered JSON objects for instance !
It MUST fail !
Correct !
This is something I've always have though problematic with the standard. |
From the linked document:
I would say it is an unordered list; this differs from a set in the sense that it can contain duplicate entries. |
|
Well, what I've always been baffled about is that they actually explicitly registered multiple valued response types. Why not just say you can combine response types and that on the wire they must be represented as strings with space separated values. Separating the value (a set of values) and the encoding. |
|
I want us to use "subset_of": ["code", "code id_token"] |
|
I think |
metadata_policies = {"subset_of": ["code", "code id_token"]}
-subset_of_ruleset = Set([Set(rule.split()) for rule in metadata_policies["subset_of"]])
+subset_of_ruleset = [set(rule.split()) for rule in metadata_policies["subset_of"]]
value = set("id_token code".split())
any(value.issubset(rs) for rs in subset_of_ruleset) |
|
simpler is better ;-) |
One of the corner stones of this draft is to allow a trust anchor (federation operator) or for that matter any intermedia entity to limit/restrict the metadata of a leaf entity (e.g. RP/OP).
If for instance the trust anchor decides that the only allowed signing algorithms are elliptic curve algorithms then the evaluated metadata of a leaf entity must only contain such algorithms.
The first attempt at supporting this is what's in the draft right now. A simple system that allows a superior to state the limits of what a leaf entity's metadata can look like.
The reality is of course a bit more complex than what the model assumes.
Take the
contactsclaim as an example. Here you probably want the subordinates to add their contacts to the ones that are defined by superiors.Or imaging that a claim (there is none in OP or RP metadata to my knowledge) that has an integer as value. In some cases that value could be something on a scale in which case the superior might want to state you can't have a value >= 10 or < 5. In other cases the value would instead be one in a set and not something you could handle as a something on an ordinal scale.
It would be nice if we could find simple rules one for each value type disregarding what claim it was.
If we got into exceptions (like
contactsmentioned above) they would have to be very few anything else would be a disaster.The text was updated successfully, but these errors were encountered: