Attribute-based Policy Configuration at Scale

Today administrators of identity provider (IdP) middleware in the InCommon Federation configure attribute release policy based on the identity (entityID) of service providers (SPs). I’m happy to say those days are numbered. A new approach to user attribute release based on entity attributes has arrived. This new technique promises to scale better, by relieving administrators from the burden of having to rely on policy files that are inherently difficult to maintain.

This idea isn’t new. Access control based on user attributes (as opposed to user identifiers) remains the holy grail of identity and access management systems throughout the enterprise. Unfortunately, federation has only made this problem worse, not better.

At the level of the federation entity (i.e., the IdP or the SP), the stars have aligned so that policy based on entity attributes is a reality:

The Research & Scholarship (R&S) Category in the InCommon Federation is an initial effort along these lines. To support R&S, IdP administrators configure for attribute release once, for all R&S SPs, both present and future.

The kicker, however, will most certainly be self-asserted entity attributes. Once administrators are able to tag their metadata with arbitrary entity attributes, they will certainly do so in unique and interesting ways. In the same way metadata tagging has been found to increase the value of other types of information (research papers, blog articles, photographs, etc.), self-asserted entity attributes will cause the information content of SAML metadata to skyrocket.

The sooner we get there, the better.