03 - HEXAA: An External Attribute Authority solution for Research Collaborations

Mihály Héder (MTA Sztaki), István Tétényi (MTA Sztaki), Kristóf Bajnok (NIIFI)

Higher Education External Attribute Authorities (HEXAA) is a GN3+ open-call project that both investigates the requirements for an external attribute authority and identifies possible use cases within different research user groups. HEXAA builds primarily upon the Security Assertion Markup Language (SAML) Attribute Request facility. HEXAA also builds upon the results of the EduGAIN project and considers the requirements of worldwide research communities. Our project thus aims to bridge existing gaps in research collaboration with HEXAA in order to achieve the secure, flawless collaboration of research communities.

In our view there is a critical deficiency in the technical and organizational models of federated attribute handling. The model currently in use at many scientific communities derives from the assumption that Identity Providers (IdPs) are the sole sources of the attributes required by Service Providers (SPs). This model cannot, however, accommodate real-world attribute requirements. Originally, the primary roles of IdPs were to solve the authentication problem, to provide a cross-institutional identifier, and to affirm institutional affiliation. An IdP's scope of authority is thus limited to the standard, widely deployed attributes that describe the institutional context and, in some cases, to a small number of non-standard institutional attributes that have local significance only.

Users are very rarely in a position to extend the set of attributes that a specific project or research activity may require. As a result, an IdP cannot provide attributes that fall outside its attribute context and, in practice, outside its well-defined institutional profile. This limitation applies not only to authoritative attributes, such as group or role membership information and entitlements, but also to project-specific attributes, such as user settings for a particular system used in the project.

The HEXAA solution frees the IdPs from handling project-related attributes while empowering the research communities to collaborate with their own set of attributes, relying solely on the SAML standard. The outcome of the HEXAA project will be open-source software that acts as a standard SAML Attribute Authority compatible with Shibboleth and simpleSAMLphp. The software itself is written in PHP and is based on our contribution to simpleSAMLphp (SSP).
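The exchange the abstract builds on, as an added illustration rather than code from the HEXAA project (whose software is PHP): an SP issues a SAML 2.0 AttributeQuery to an external attribute authority, receives an AttributeStatement, and merges those project attributes with the ones its IdP already asserted. The security-relevant point is scope of authority: the SP accepts each attribute only from the issuer that is authoritative for it, so the external AA cannot override institutional attributes and an unknown issuer contributes nothing. Entity IDs, attribute values and the per-issuer policy below are constructed assumptions for this example; the eduPerson OIDs are the standard ones. Signature verification and a hardened XML parser, which a real deployment performs before any of this, are left out.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Hypothetical entity IDs for the three parties (constructed, not from the paper).
SP = "https://sp.example.org/shibboleth"
IDP = "https://idp.example.edu/idp/shibboleth"
AA = "https://aa.example.org/hexaa"  # the external attribute authority

# Standard eduPerson attribute names in the URI (OID) name format.
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"          # eduPersonPrincipalName
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"   # eduPersonAffiliation
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"   # eduPersonEntitlement
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # isMemberOf


def build_attribute_query(subject_name_id, attribute_names, request_id="_hexaa-q1"):
    """Serialise the SAML 2.0 AttributeQuery an SP sends to the attribute authority."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery",
                   {"ID": request_id, "Version": "2.0", "IssueInstant": "2014-05-01T10:00:00Z"})
    ET.SubElement(q, f"{{{SAML}}}Issuer").text = SP
    subject = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID",
                  {"Format": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}).text = subject_name_id
    for name in attribute_names:  # the attributes the SP asks the AA to release
        ET.SubElement(q, f"{{{SAML}}}Attribute",
                      {"Name": name, "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
    return ET.tostring(q, encoding="unicode")


def constructed_assertion(issuer, attrs):
    """Constructed sample: an unsigned saml:Assertion with one AttributeStatement."""
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"ID": "_a-" + issuer.split("/")[2], "Version": "2.0", "IssueInstant": "2014-05-01T10:00:01Z"})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, values in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return a


def constructed_response(issuer, attrs):
    """Constructed sample: the samlp:Response an attribute authority returns to the query."""
    r = ET.Element(f"{{{SAMLP}}}Response",
                   {"ID": "_r-1", "Version": "2.0", "IssueInstant": "2014-05-01T10:00:01Z", "InResponseTo": "_hexaa-q1"})
    ET.SubElement(r, f"{{{SAML}}}Issuer").text = issuer
    r.append(constructed_assertion(issuer, attrs))
    return ET.tostring(r, encoding="unicode")


def merge_attributes(documents, authority):
    """Merge attributes from several SAML documents (bare Assertions or samlp:Responses).

    `authority` maps an issuer entityID to the set of attribute names it may assert.
    Attributes from an unknown issuer, or outside the issuer's scope, are dropped and
    reported instead of merged.
    """
    merged, rejected = {}, []
    for doc in documents:
        root = ET.fromstring(doc)
        assertions = [root] if root.tag == f"{{{SAML}}}Assertion" else root.findall(".//saml:Assertion", NS)
        for a in assertions:
            issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
            allowed = authority.get(issuer)
            for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
                name = attr.get("Name")
                if allowed is None or name not in allowed:
                    rejected.append((issuer, name))
                    continue
                bucket = merged.setdefault(name, [])
                for v in attr.findall("saml:AttributeValue", NS):
                    if v.text and v.text not in bucket:
                        bucket.append(v.text)
    return merged, rejected


def demo():
    """Run the exchange on constructed input and return (merged, rejected)."""
    idp_doc = ET.tostring(constructed_assertion(IDP, {EPPN: ["alice@example.edu"],
                                                      AFFILIATION: ["member", "staff"]}), encoding="unicode")
    aa_doc = constructed_response(AA, {ENTITLEMENT: ["urn:mace:example.org:project:cms:analysis"],
                                       IS_MEMBER_OF: ["cms-analysis", "cms-admins"],
                                       EPPN: ["admin@example.edu"]})  # out of scope for an AA: dropped
    unknown_doc = ET.tostring(constructed_assertion("https://unknown.example.net/aa",
                                                    {ENTITLEMENT: ["urn:mace:example.org:project:cms:admin"]}),
                              encoding="unicode")
    # Scope-of-authority policy: the IdP owns institutional attributes, the AA owns project ones.
    authority = {IDP: {EPPN, AFFILIATION}, AA: {ENTITLEMENT, IS_MEMBER_OF}}
    return merge_attributes([idp_doc, aa_doc, unknown_doc], authority)


if __name__ == "__main__":
    print(build_attribute_query("persistent-id-of-alice", [ENTITLEMENT, IS_MEMBER_OF]))
    merged, rejected = demo()
    print("merged:", merged)
    print("rejected:", rejected)
```

The per-issuer allowlist is the part that matters for an SP operator: it encodes exactly the division of labour the abstract argues for, with the IdP authoritative for affiliation and identifier and the external AA authoritative for entitlements and group membership, and makes any attempt to blur that line visible in the rejected list rather than silently accepted.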
