Log in


The Canadian Access Federation collaboration area
  • Discussion
  • CAF
  • Invitation for your feedback on Shibboleth 3 & related federation topics for upcoming idweek.

Invitation for your feedback on Shibboleth 3 & related federation topics for upcoming idweek.

If you have an item that you would like CAF to advocate for or want to

indicate interest on your behalf, this is your opportunity to take

advantage of our presence at the Internet2 hosted Idweek[1]  next week.

This is part of what we do as the CAF operator to help stay current and

are always looking at how to improve our services.


If you would like to know what the Shibboleth consortium is planning,

please check out the software project roadmap[2] and other Future

Activities[3] pages.  If you have a specific ask, these items are a good

first stop to help relate or link your feedback to deliverables. Absence

of your item from the topics is an interesting datapoint as well.


CAF already has active interest in these areas:

- improvements to Single Log Out

- supporting non Web uses for SSO

- Mobile Apps & Federated SSO, any common pieces to leverage?

- Discovery Service enhancements(not necessarily limited to Shib3 work)

- ways to automate attribute release (entity categories topic? Other ways?)

- devops automation for maintaining the software stack & related




The Shibboleth SAML implementation improvements are only one of the many

topics we track and collaborate on. REFEDS(Research and Education

Federations) is also meeting at idweek and is another invaluable group

where CAF actively engages with other federations about identity related

topics like:


- how can attribute release be improved(more sites doing release) and made

easier to manage at scale?

- how can deployment of IdPs and Sps be simplified and effort reduced?

- how can we more easily inter federate and tap into other services?

- what is going on regarding authorization practices and is there emerging

best practices?

- are there any centralized services for groups or other authorization


- what are other up and coming technologies?

And others.


The agenda for REFEDS is here[4] and if you have questions or have a topic

that you would like CAF to check into at REFEDS or the Advanced Camp

sessions that we will be in, please feel free to reach out on or off list.


If there is interest in one or more of these topics for a deep dive, we

can schedule some topics for a webex or keep the conversation going on the

list as well.







Chris Phillips

Technical Architect, Canadian Access Federation | CANARIE|











  • Corey Scholefield 1632 days ago

    Hi Chris, I wanted to spark some discussion here about handling authorization for access to a service, when the SP doesn't implement any authorization mechanism.  

    For the current case in hand, I'm going to take 2 steps : 

    1) advocate to the SP that they *should* handle an authorization hook, via standards-track attributes like: eduPersonAffiliation, eduPersonEntitlement, or isMemberOf.  I like the recommendations in the Cloud Services Cookbook along these lines :

    2) research an approach to handling authorization on the IDP side.  Presumably there is a best-practices approach to handling this case that can evaluate user-attribute values, and apply the access-control decision via a post-authentication action in the IDP, or a mod to the IDP login flow ?

    Perhaps this community would have tips that we can share here ? 


    Corey S.