...

Today administrators of identity provider (IdP) middleware in the InCommon Federation configure attribute release policy based on the identity (entityID) of service providers (SPs). I’m happy to say those days are numbered. A new approach to user attribute release based on entity attributes has arrived. This new technique promises to scale better, by relieving administrators of the burden of maintaining per-SP policy files that are inherently difficult to keep current.

This idea isn’t new. Access control based on user attributes (as opposed to user identifiers) remains the holy grail of identity and access management systems throughout the enterprise. Unfortunately, federation has only made this problem worse, not better.

At the level of the federation entity (i.e., the IdP or the SP), the stars have aligned so that policy based on entity attributes is a reality:

  • A SAML V2.0 Metadata Extension for Entity Attributes already exists and is being deployed around the world as we speak.
  • SAML middleware increasingly supports entity attributes at both the IdP and the SP, and at the discovery service as well. Shibboleth is leading the way in this area. The Shibboleth IdP, for instance, has supported entity attributes since v2.3.4.
  • Federation operators everywhere are beginning to decorate entity descriptors in SAML metadata with entity attributes of significant value.

The Research & Scholarship (R&S) Category in the InCommon Federation is an initial effort along these lines. To support R&S, IdP administrators configure for attribute release once, for all R&S SPs, both present and future.
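As an added example (not code from the original post or from Shibboleth), the following shows the mechanism the R&S category relies on: the IdP reads the EntityAttributes extension from the SP's metadata and keys the release decision on the entity-category value rather than on the entityID. The metadata, the SP entityIDs and the attribute bundle are constructed here for illustration; the category URI is assumed to be the InCommon R&S value.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://id.incommon.org/category/research-and-scholarship"  # assumed

# Constructed federation metadata: one SP tagged R&S, one untagged.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://id.incommon.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other.example.org/sp"/>
</md:EntitiesDescriptor>"""

# Release policy written once per entity category, so every SP that carries
# the tag (present and future) is covered without listing its entityID.
POLICY = {RS_CATEGORY: {"eduPersonPrincipalName", "mail", "displayName"}}


def entity_categories(entity):
    """Return the entity-category values carried by one EntityDescriptor."""
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    return {
        v.text.strip()
        for attr in entity.findall(path, NS)
        if attr.get("Name") == ENTITY_CATEGORY
        for v in attr.findall("saml:AttributeValue", NS)
        if v.text
    }


def attributes_to_release(metadata_xml, requester_entity_id):
    """Union of the bundles whose entity category the requesting SP carries."""
    root = ET.fromstring(metadata_xml)
    for entity in root.findall("md:EntityDescriptor", NS):
        if entity.get("entityID") == requester_entity_id:
            released = set()
            for category in entity_categories(entity):
                released |= POLICY.get(category, set())
            return released
    return set()  # requester not in trusted metadata: release nothing
```

An SP that is not in the IdP's metadata, or that carries no recognised category, gets an empty bundle; adding a new R&S SP requires only that the federation tag it in metadata.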

...