Hi Raoul,
I wonder whether the Attribute Aggregation feature of the Dutch SURFconext identity hub is basically addressing that kind of problem (not sure how easy that is to arrange for in non-hub-and-spoke federations). Any identity and attribute set can be augmented with more attributes via attribute providers that get looked up at the moment an authentication happens…
Thanks for the links - I didn't know this solution yet. We came to a solution using the SimpleAttributeAggregation-Feature of the Service-Provider and a stand-alone Attribute Provider. We connect the users using the eduPersonUniqueId. But the workflow is quite similar: the users have to register themselves for one of our special information services (e.g. the CrossAsia-Portal https://crossasia.org/). Then they can connect their login at their home institution with the account for CrossAsia via ePUId. But the users don't go directly to the third-party providers - here we are using a proxy which authenticates towards the users via SAML and towards the provider via IP. My fear is that with RA21 the use of proxies will end, and so we will need a SAML-only solution.
If you are interested in further details of our solution, there's a video presentation https://doi.org/10.5446/18808 (I'm sorry it is only in German).
What kind of software is SURFconext?
-- Gerrit Gragert, M.A. Ltg. IT-Services fuer die Digitale Bibliothek Abt. IDM 2.3
Staatsbibliothek zu Berlin - Preußischer Kulturbesitz Potsdamer Str. 33 10785 Berlin
Tel.: +49 30 266-43 22 30 Fax: +49 30 266-33 20 01 mailto:gerrit.gragert@sbb.spk-berlin.de http://www.staatsbibliothek-berlin.de