By Mikkel Hald, 16/09/24
In identity federations within research and education, it is quite common for a particular user attribute to have multiple simultaneous values. Example attributes are eduPersonEntitlement, where each simultaneously present value indicates a right the user has or a group she belongs to, and eduPersonAssurance, where each concurrent value denotes an aspect of the user account's quality at the user organisation (“level of assurance”). And many services need to receive this kind of multivalued attribute.
Unfortunately, the login systems of several of the federation's user organisations are technically only able to issue login tokens with a single value per attribute – e.g. Microsoft's EntraID, popular with many IT departments. Such cases of an organisation's login system not supporting the sector's established standard are, of course, problematic, as they cut its users off from services necessary for their work within the organisation – for example, researchers who need access to the LUMI supercomputer, or radiography students who need to use the SECTRA service.
But now, WAYF comes to the rescue – launching a facility able to produce for the federation's services the desired multivalued attributes that user organisations using e.g. EntraID are not able to produce natively. It's a very simple facility, requiring of the organisation only that it is able to send single-value attributes: if the organisation wants the service requested by the user to receive e.g. the attribute eduPersonAssurance with the values
- 2
- https://refeds.org/assurance/eppn-unique-no-reassign
- https://refeds.org/assurance/IAL/medium
at the same time, it can obtain this simply by sending, in its login response to WAYF, e.g. the following three attributes:
- the attribute eduPersonAssurance75 with the value 2;
- the attribute eduPersonAssuranceassign with the value https://refeds.org/assurance/eppn-unique-no-reassign; and
- the attribute eduPersonAssuranceD71 with the value https://refeds.org/assurance/IAL/medium
– upon receiving which WAYF will generate the desired data for the service. That is, when receiving an attribute whose name's initial part is the name of an attribute supported by WAYF (e.g. when receiving an attribute with the name eduPersonAssuranceD71), WAYF will pass on to the service the value of the attribute received as a value of the recognised supported attribute (here, eduPersonAssurance). And if receiving more than one attribute in this way corresponding to a single supported attribute (e.g. eduPersonAssurance75 and eduPersonAssuranceassign), WAYF will pass on the values of these attributes as concurrent values of the one supported attribute recognised (i.e. eduPersonAssurance here).
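As an added illustration of the prefix rule just described (example code, not WAYF's implementation; the set of supported attribute names, the input shape, the longest-prefix choice and the de-duplication of values are assumptions made here):

```python
# Added example (not WAYF's own code): merge single-valued attributes whose names
# begin with a supported attribute name into one multivalued attribute, as the
# post describes. The supported-name set and the input shape are assumptions.

# Attribute names assumed to be supported for this illustration.
SUPPORTED_ATTRIBUTES = ("eduPersonAssurance", "eduPersonEntitlement")


def merge_multivalued(received, supported=SUPPORTED_ATTRIBUTES):
    """Map a login response's (name, value) pairs onto supported attributes.

    received: list of (attribute name, single value) pairs, in the order sent.
    Returns a dict {supported name: [values...]} preserving send order and
    dropping duplicate values.
    """
    merged = {}
    for name, value in received:
        # Take the longest supported name that is a prefix of the received name,
        # so a supported name that extends another is never shadowed by the shorter one.
        candidates = [s for s in supported if name.startswith(s)]
        if not candidates:
            continue  # no supported attribute recognised: not passed on here
        target = max(candidates, key=len)
        values = merged.setdefault(target, [])
        if value not in values:
            values.append(value)
    return merged


def example_login_response():
    """Constructed sample of what an organisation's single-value login system might send."""
    return [
        ("eduPersonAssurance75", "2"),
        ("eduPersonAssuranceassign",
         "https://refeds.org/assurance/eppn-unique-no-reassign"),
        ("eduPersonAssuranceD71", "https://refeds.org/assurance/IAL/medium"),
        ("eduPersonEntitlement", "urn:mace:example.org:entitlement:hpc"),   # constructed value
        ("eduPersonEntitlementX", "urn:mace:example.org:entitlement:hpc"),  # duplicate, dropped
    ]


if __name__ == "__main__":
    for attr, vals in merge_multivalued(example_login_response()).items():
        print(attr, "->", vals)
```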
This facility has already been implemented and so is now accessible to any user organisation unable to send attributes with multiple simultaneous values. There are other ways to solve this issue; but initially, we'll try and make do with a mechanism as simple as possible.