Feature #3919

Use more data to look up IDP

Added by Peter Schober 2 months ago. Updated about 2 months ago.

Status: Resolved
Start date: 2019-09-10
Priority: Normal
Due date: 
Assignee: Lukas Hämmerle
% Done: 0%
Category: -
Target version: -

Description

IDPs could also be looked up from additional fields in SAML metadata, including:
  • the entityID itself
    This will usually contain a DNS domain as part of its value (whether in a URL or URN) and so also searching in the entityID would have a high chance of finding the IDP with the least amount of typing (e.g. "univie" for my employer). The Shibboleth EDS has been doing this for years.
  • shibmd:Scope elements
    This can contain additional domains which may have the (desirable) side effect of also matching other DNS names an organisation may be using e.g. for email domains. Essentially it constitutes yet another (verified!) data point of "stuff" that maps uniquely to one (or very few) IDP.

A quick test shows that this is not implemented today:

  • entityID: The Catholic Private University Linz has ku-linz as part of their entityID (and endpoint URLs) which is short and easy to type, but entering that into the SWITCHwayf does not find this IDP.
  • Scope: The FHV IDP has multiple shibmd:Scope elements, including e.g. schlosshofen.at but cannot be found by entering that in the SWITCHwayf input field.

History

#1 Updated by Thomas Lenggenhager 2 months ago

Peter Schober wrote:

IDPs could also be looked up from additional fields in SAML metadata, including:
  • the entityID itself
    This will usually contain a DNS domain as part of its value (whether in a URL or URN) and so also searching in the entityID would have a high chance of finding the IDP with the least amount of typing (e.g. "univie" for my employer). The Shibboleth EDS has been doing this for years.

Better add <mdui:DomainHint> to the metadata for really relevant domains instead of relying on the search in entityID.
The entityID is a technical identifier that should be fully hidden from the user and therefore be ignored for user searches.

#2 Updated by Thomas Lenggenhager 2 months ago

Oh, I just noticed that the WAYF does not search in <mdui:DomainHint>... So I vote for adding that instead of entityID ;-)

#3 Updated by Peter Schober 2 months ago

I don't follow your reasoning for not (also) taking the entityID into account for searches:

  • It is always available (it's the only thing guaranteed to always be available, really)
  • Due to its ubiquity and prominence in SAML deployments its ownership (right to use by the entity) has likely been verified in the strongest possible way, so the data is very trustworthy. (Whether the same vetting process has been applied to mdui:DomainHint is unknown and depends on local MRPS etc.)
  • There is no need for the subject to know the entityID or that something even exists. The subject does not have to care about any of this at all, s/he will simply benefit from having the IDP found when entering parts of the IDP's entityID string, e.g. "univie".
    (But that's a good reminder for the implementation: The search here has to be "anywhere within the string" and not be anchored to the start of the string!)
  • The Shibboleth EDS does it, so it can't be all wrong ;)

Note that I'm not arguing against (also) implementing searches in mdui:DomainHint but I think including the entityID has only upsides.

#4 Updated by Lukas Hämmerle 2 months ago

I'm inclined to add all values as keywords: entity, scopes and DomainHints
As Peter says, entityID and scopes are more likely to be available than DomainHint.

#5 Updated by Lukas Hämmerle about 2 months ago

  • Status changed from New to Resolved
  • Assignee set to Lukas Hämmerle

Is implemented with commit:00927b2
Shib Scopes and MDUI DomainHints are added as keywords as well.

#6 Updated by Peter Schober about 2 months ago

Lukas Hämmerle wrote:

Is implemented with commit:00927b2
Shib Scopes and MDUI DomainHints are added as keywords as well.

I'm happy to confirm that this now works with:

  • EntityDescriptor/@entityID
  • shibmd:Scope
  • mdui:Keywords
  • mdui:DomainHints

Thanks a lot! I find the UX is much improved with these changes (provided the Metadata provides the respective data, and chances are now much higher due to looking in more places). SWITCHwayf is now the leading SAMLDS in this regard! ;)
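For reference, here is how the lookup the thread ends up with can be built: a keyword index per IdP taken from EntityDescriptor/@entityID, shibmd:Scope, mdui:Keywords and mdui:DomainHint, matched as a case-insensitive substring anywhere in the keyword (not anchored to its start, as Peter notes in #3). This is an added example written for this page, not SWITCHwayf code; the metadata aggregate, entityIDs and domains in it are constructed for the demo. Two choices are assumptions: mdui:DisplayName is included in the index on the assumption that the discovery service already searches names, and a shibmd:Scope with regexp="true" is skipped because its text is a pattern, not a domain anyone would type. The trust argument in #3 only holds for metadata whose signature has been verified before indexing.

```python
"""Keyword index for an IdP discovery service, built from SAML metadata.

Added example (not SWITCHwayf code). Indexes entityID, shibmd:Scope,
mdui:Keywords, mdui:DomainHint and (assumed already searched) mdui:DisplayName,
and matches query substrings anywhere in those values, case-insensitively.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Paths, relative to IDPSSODescriptor, whose text content becomes a keyword.
KEYWORD_PATHS = (
    "md:Extensions/shibmd:Scope",
    "md:Extensions/mdui:UIInfo/mdui:DisplayName",  # assumption: already searched
    "md:Extensions/mdui:UIInfo/mdui:Keywords",
    "md:Extensions/mdui:UIInfo/mdui:DomainHint",
)

# Constructed sample aggregate: two IdPs plus one SP that must not be indexed.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example-uni.ac.at/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example-uni.ac.at</shibmd:Scope>
        <shibmd:Scope regexp="false">alumni.example-uni.at</shibmd:Scope>
        <shibmd:Scope regexp="true">^.*\\.example-uni\\.ac\\.at$</shibmd:Scope>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
          <mdui:Keywords xml:lang="en">example university vienna</mdui:Keywords>
        </mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="urn:mace:example.org:idp:fh-demo">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">fh-demo.at</shibmd:Scope>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Demo University of Applied Sciences</mdui:DisplayName>
          <mdui:DomainHint>students.fh-demo.at</mdui:DomainHint>
        </mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.com/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def build_index(metadata_xml):
    """Return {entityID: set of lowercased keywords} for every IdP in the aggregate."""
    root = ET.fromstring(metadata_xml)
    index = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs and other roles are never discovery targets
        entity_id = ed.get("entityID")
        terms = {entity_id.lower()}  # the entityID itself is always present
        for path in KEYWORD_PATHS:
            for el in idp.findall(path, NS):
                # A regexp Scope is a pattern, not a domain a user would type.
                if el.get("regexp", "false").lower() == "true":
                    continue
                text = (el.text or "").strip().lower()
                if text:
                    terms.add(text)
        index[entity_id] = terms
    return index


def search(index, query):
    """entityIDs whose keywords contain `query` anywhere, case-insensitively."""
    q = query.strip().lower()
    if not q:
        return []
    return sorted(eid for eid, terms in index.items() if any(q in t for t in terms))


if __name__ == "__main__":
    idx = build_index(SAMPLE_METADATA)
    for q in ("fh-demo", "alumni", "students", "vienna", "example"):
        print(q, "->", search(idx, q))
```

Each query above hits a different field: "fh-demo" via the entityID and Scope, "alumni" via a second Scope, "students" via DomainHint and "vienna" via Keywords, while "example" returns both IdPs and not the SP.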
