From d88f092663d44478e7d85022c800a6a785b65b0c Mon Sep 17 00:00:00 2001 From: Heather Flanagan Date: Thu, 25 Feb 2021 08:45:16 -0800 Subject: [PATCH 1/3] Create MultilateralFederation.md --- src/scenarios/MultilateralFederation.md | 60 +++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 src/scenarios/MultilateralFederation.md diff --git a/src/scenarios/MultilateralFederation.md b/src/scenarios/MultilateralFederation.md new file mode 100644 index 0000000..a36872e --- /dev/null +++ b/src/scenarios/MultilateralFederation.md 
@@ -0,0 +1,60 @@ +## Multilateral Federation - WAYF Discovery Services +Supporting the use of a central SAML IdP Discovery and Persistence service in a multilateral federation scenario. + +### Summary + +#### Contributor +- Name: Heather Flanagan +- Organization: Spherical Cow Consulting +- Email: hlf@sphericalcowconsulting.com +- Name: Nicole Roy +- Organization: University Corporation for Advanced Internet Development dba Internet2 +- Email: nroy@internet2.edu +- Name: Leif Johansson +- Organization: SUNET +- leifj@sunet.se + +#### Protocol +- Name: SAML +- Grant/flow (if applicable): This scenario makes use of the SAML front-channel bindings defined in OASIS SAML v2.0, specifically the Web Browser SSO Profile, Identity Provider Discovery Profile, and on rare occasions, Single Logout Profile contained in the "Profiles for the OASIS SecurityAssertion Markup Language (SAML)V2.0". Additional context for the use of these profiles and flows in the multilateral SAML federation space used in the global research and education sector is specified in the Kantara Initiative profiles. +- Reference: , , + +#### Browser Features Required +- 1st party Cookie +- 3rd party cookies +- Redirect with link decoration +- Persistent Local Storage +- cross-domain postMessage + +##### Target Audience +This is a use case currently and very actively in use in the academic community, including scholarly resource providers such as Elsevier and SpringerNature (publishers) and academic identity federation services such as the GÉANT Trusted Certificate Service. + +#### Adoption +Higher Education, Scholarly Publishing, Federation Certificate Services. 
See: + +| Org | URL | +| --- | --- | +| American Chemical Society (ACS) | pubs.acs.org | +| Elsevier's ScienceDirect | www.sciencedirect.com | +| GÉANT Trusted Certificate Service (TCS) |wiki.geant.org - click on platform links | +| Nature.com | nature.com | +| SAFIRE Test Service Provider | testsp.safire.ac.za | SUNET | edusign.sunet.se | +| SWAMID | wiki.swamid.se - click on Login button | +| Taylor & Francis | https://www.tandfonline.com/doi/full/10.1080/00049158.2020.1819009 | +| Wiley Online Library | onlinelibrary.wiley.com | + + +### Description Of The Flow +A full design of the data flows used to support a central SAML discovery service are available here: + + +### Intended User Experience +SeamlessAccess allows SPs to populate a common login button with the user’s previous choice of IdP as found in their browser’s local storage. The goal is to minimize the number of times a user has to go through an IdP discovery process. The IdP is identified by a public descriptor that can’t be used for user tracking - in the case of SAML a so-called entityID (which is essentially the public URL of the IdP). Browser local storage does not contain any PII or trackable information. + +The goal of this flow is to enable users to have a privacy-preserving, non-tracked method to log into a web resource using their institutional credentials, with a very simple and straightforward UX that looks to the user a lot like the “Log In With X” button, but avoids a recurring “NASCAR” problem by being backed with a SAML IdP discovery service based on search, so that the user may find their IdP once, and then be automatically logged in with that one IdP in the future, without IdPs or RPs being able to collude to gain information about the user. As such, the flow persists the user’s IdP choice in browser local storage. The user can easily change their IdP selection whenever they want. 
+ +### Privacy Considerations +The information that is persisted following the IdP discovery flow is not PII (e.g., an email address or a personal identifier) but is typically the public identifier of the IdP (i.e., the entityID). Further, that information is persisted in the user’s own browser local storage. + +### Miscellaneous +In some situations, the institution hosting the IdP controls the consent for information release; RPs are not allowed to directly ask the user for information. For instance, GDPR section 6 lists the set of conditions under which personal information may be processed. One of those is “free and informed consent”. In most cases where the data subject is acting outside the purely personal sphere (as in consumer identity), consent cannot be freely given. For instance, if a grad student is tasked to write a piece of code and the official policy is to use GitHub then the GitHub consent screen is arguably illegal in the EU since the user is not able to deny consent. Similar situations arise in all federation use-cases and it is for this reason very uncommon for R&E services in the EU to rely on consent as a legal foundation for processing PII. \ No newline at end of file From 3d5e7a670cf9306b6fee1437a2d3d699ffa495b2 Mon Sep 17 00:00:00 2001 From: Heather Flanagan Date: Tue, 23 Mar 2021 11:28:19 -0700 Subject: [PATCH 2/3] Update MultilateralFederation.md Updated required features, updated link to diagram --- src/scenarios/MultilateralFederation.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/src/scenarios/MultilateralFederation.md b/src/scenarios/MultilateralFederation.md index a36872e..068d46d 100644 --- a/src/scenarios/MultilateralFederation.md +++ b/src/scenarios/MultilateralFederation.md 
@@ -20,11 +20,7 @@ Supporting the use of a central SAML IdP Discovery and Persistence service in a - Reference: , , #### Browser Features Required -- 1st party Cookie -- 3rd party cookies -- Redirect with link decoration -- Persistent Local Storage -- cross-domain postMessage +- cross-origin access through POST message ##### Target Audience This is a use case currently and very actively in use in the academic community, including scholarly resource providers such as Elsevier and SpringerNature (publishers) and academic identity federation services such as the GÉANT Trusted Certificate Service. @@ -45,7 +41,9 @@ Higher Education, Scholarly Publishing, Federation Certificate Services. See: ### Description Of The Flow -A full design of the data flows used to support a central SAML discovery service are available here: +A full design of the data flows used to support a central SAML discovery service are available here: + +This flow writes to browser local storage via a dedicated component which loads a non-displayed iFrame. ### Intended User Experience From d4a878f918a88f49008c05bab1fd468d584cbbc5 Mon Sep 17 00:00:00 2001 From: Heather Flanagan Date: Wed, 24 Mar 2021 13:53:02 -0700 Subject: [PATCH 3/3] significant revisions removing any protocol dependencies; added a better sequence diagram link to the description of the flow --- ...teralFederation.md => cross-origin-discovery.md} | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) rename src/scenarios/{MultilateralFederation.md => cross-origin-discovery.md} (69%) diff --git a/src/scenarios/MultilateralFederation.md b/src/scenarios/cross-origin-discovery.md similarity index 69% rename from src/scenarios/MultilateralFederation.md rename to src/scenarios/cross-origin-discovery.md index 068d46d..d663b1c 100644 --- a/src/scenarios/MultilateralFederation.md +++ b/src/scenarios/cross-origin-discovery.md 
@@ -1,5 +1,5 @@ -## Multilateral Federation - WAYF Discovery Services -Supporting the use of a central SAML IdP Discovery and Persistence service in a multilateral federation scenario. +## Protocol-Independent Cross-Origin Domain IdP Discovery +Supporting the use of a central IdP Discovery and Persistence service in a multilateral federation scenario. ### Summary @@ -15,12 +15,11 @@ Supporting the use of a central SAML IdP Discovery and Persistence service in a - leifj@sunet.se #### Protocol -- Name: SAML -- Grant/flow (if applicable): This scenario makes use of the SAML front-channel bindings defined in OASIS SAML v2.0, specifically the Web Browser SSO Profile, Identity Provider Discovery Profile, and on rare occasions, Single Logout Profile contained in the "Profiles for the OASIS SecurityAssertion Markup Language (SAML)V2.0". Additional context for the use of these profiles and flows in the multilateral SAML federation space used in the global research and education sector is specified in the Kantara Initiative profiles. -- Reference: , , +- n/a #### Browser Features Required - cross-origin access through POST message +- iFrames ##### Target Audience This is a use case currently and very actively in use in the academic community, including scholarly resource providers such as Elsevier and SpringerNature (publishers) and academic identity federation services such as the GÉANT Trusted Certificate Service. @@ -41,7 +40,7 @@ Higher Education, Scholarly Publishing, Federation Certificate Services. See: ### Description Of The Flow -A full design of the data flows used to support a central SAML discovery service are available here: +A full design of the data flows used to support a central discovery service are available here: This flow writes to browser local storage via a dedicated component which loads a non-displayed iFrame. 
@@ -49,7 +48,7 @@ This flow writes to browser local storage via a dedicated component which loads ### Intended User Experience SeamlessAccess allows SPs to populate a common login button with the user’s previous choice of IdP as found in their browser’s local storage. The goal is to minimize the number of times a user has to go through an IdP discovery process. The IdP is identified by a public descriptor that can’t be used for user tracking - in the case of SAML a so-called entityID (which is essentially the public URL of the IdP). Browser local storage does not contain any PII or trackable information. -The goal of this flow is to enable users to have a privacy-preserving, non-tracked method to log into a web resource using their institutional credentials, with a very simple and straightforward UX that looks to the user a lot like the “Log In With X” button, but avoids a recurring “NASCAR” problem by being backed with a SAML IdP discovery service based on search, so that the user may find their IdP once, and then be automatically logged in with that one IdP in the future, without IdPs or RPs being able to collude to gain information about the user. As such, the flow persists the user’s IdP choice in browser local storage. The user can easily change their IdP selection whenever they want. +The goal of this flow is to enable users to have a privacy-preserving, non-tracked method to log into a web resource using their institutional credentials, with a very simple and straightforward UX that looks to the user a lot like the “Log In With X” button, but avoids a recurring “NASCAR” problem by being backed with an IdP discovery service based on search, so that the user may find their IdP once, and then be automatically logged in with that one IdP in the future, without IdPs or RPs being able to collude to gain information about the user. As such, the flow persists the user’s IdP choice in browser local storage. 
The user can easily change their IdP selection whenever they want. ### Privacy Considerations The information that is persisted following the IdP discovery flow is not PII (e.g., an email address or a personal identifier) but is typically the public identifier of the IdP (i.e., the entityID). Further, that information is persisted in the user’s own browser local storage.
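Review bot: In [PATCH 1/3], the Adoption table line `| SAFIRE Test Service Provider | testsp.safire.ac.za | SUNET | edusign.sunet.se |` packs two rows into one, so it renders as a four-cell row in a two-column table; split it into `| SAFIRE Test Service Provider | testsp.safire.ac.za |` and `| SUNET | edusign.sunet.se |`. The same hunk has `- Reference: , ,` with no references listed, Leif Johansson's entry reads `- leifj@sunet.se` without the `Email:` label the other contributors use, `##### Target Audience` sits one heading level deeper than its sibling `#### Adoption`, and the Miscellaneous paragraph cites "GDPR section 6" where the lawfulness-of-processing conditions are in Article 6.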
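Review bot: In [PATCH 2/3], the replacement feature line `+- cross-origin access through POST message` reads as an HTTP POST; the Web API is `window.postMessage`, and the line it replaces (`- cross-domain postMessage`) had the name right, so suggest `- cross-origin access through window.postMessage`. Removing `- Persistent Local Storage` from the required features in the same hunk also contradicts the Intended User Experience text, which states that the flow persists the user's IdP choice in browser local storage; keep that entry.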
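Review bot: In [PATCH 2/3], the added sentence `+This flow writes to browser local storage via a dedicated component which loads a non-displayed iFrame.` introduces the cross-origin write path but says nothing about who may read or write through it. The Intended User Experience section's claim that IdPs and RPs cannot collude to learn about the user depends on the hidden iframe accepting requests only from intended origins, so suggest adding a sentence stating that the component validates the origin of each postMessage request and which origins are permitted to read or set the stored IdP choice.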
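Review bot: In [PATCH 3/3], the feature list gains `+- iFrames` but still omits local storage, which the Description Of The Flow says the component writes to; suggest listing `- Persistent Local Storage` alongside the iframe and postMessage entries (and `iframes` in lowercase, matching the HTML element name). Replacing the protocol section with `+- n/a` and dropping `- Reference: , ,` also leaves the scenario with no citation at all; if the protocol references no longer apply, point to the discovery-service design referenced in Description Of The Flow instead.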
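Review bot: In [PATCH 3/3], the changed line `+A full design of the data flows used to support a central discovery service are available here:` still ends at the colon with nothing following it in this hunk, although the commit message says a better sequence diagram link was added; please confirm the URL is actually present in the file. Grammar: the subject is "design", so "is available here".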
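Review bot: In [PATCH 3/3], the protocol-independence rewrite changes `SAML IdP discovery service` to `IdP discovery service`, but the unchanged context above it still says `in the case of SAML a so-called entityID (which is essentially the public URL of the IdP)`, and the Privacy Considerations context below still says `i.e., the entityID`. Since the persisted value is the thing whose non-PII status the scenario relies on, suggest describing it generically (a public identifier of the IdP) with entityID given as the SAML example, so the privacy claim holds for whichever protocol is in use.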