Responsible for this page: André Moreira.
Last content check: 08-06-2017
Purpose
This page describes how to request changes to the IdP blacklist of the CLARIN SPF AAI, while providing an overview of the current status of the blacklist and ongoing blacklist requests.
People
André Moreira - SPF AAI operator and blacklist maintainer
Dieter Van Uytvanck - SPF AAI general manager
General workflow
Changes to the IdP blacklist can be requested if an SP operator objects, or has doubts about the inclusion of certain IdP(s) in the CLARIN SPF AAI. Either because this IdP looks suspicious or by any other technical or organizational reason. By default, all available IdPs are included in the CLARIN SPF AAI when the respective national federation joins CLARIN, so in other for an IdP to be removed, a request must be made to the central office by means of a trac ticket. The process is the same when an SP operator intends to to re-add a previously blacklisted IdP.
- Someone finds a suspicious IdP.
- Someone (with a CLARIN "developer" account) creates a TRAC ticket targeting the AAI IdP Blacklist component, to request the removal of this IdP. (The central office will take on this ticket.)
- TTF-AAI will review the requirements and comments whether any violations have been found.
- The central office closes the ticket and if there is a violation, CLARIN's pyFF configuration is updated to blacklist the IdP in question.
Creating a blacklist request
Changes to the CLARIN IdP blacklist must be requested via TRAC according to the following guidelines:
- Make sure there isn't a previous ticket regarding the same issue in the AAI IdP Blacklist ticket list.
- Create a new ticket in trac.clarin.eu with the following header details:
- Type: task.
- Component: AAI IdP Blacklist.
- Owner: < default >.
- Fill in the summary field including the target IdP name and briefly describing the issue.
- Select the ticket's desired priority.
- (optional) Insert any relevant email address in the CC field.
- (optional) Add some appropriate keywords e.g. idp blacklist aai spf.
- On the ticket description make sure to include:
- The entityID of the IdP in question.
- The motivation for the request
- Date and time of any previous login attempt via the IdP in question (if known).
As an example, you can use as guidance any previously issued ticket of the AAI IdP Blacklist component.
Open tickets (ongoing blacklist requests)
| Ticket | Summary | Priority | Owner | Reporter |
|---|---|---|---|---|
| #1008 | Suspicious IdP UNICON | critical | ||
| #1081 | TU-Dresden not releasing attributes | minor |
Status
Current blacklist
| entityID | Federation | Date Blacklisted | Reason | Notes |
|---|---|---|---|---|
| https://login-idp.libraries.ch/idp/shibboleth | SWITCHaai | 06/02/2023 | Allows creation of accounts to anyone. ref | |
| https://idp.protectnetwork.org/protectnetwork-idp | eduGAIN | <unknown> | <unknown> | - |
| https://idp.painless-security.com/idp/shibboleth | eduGAIN | <unknown> | <unknown> | - |
| https://idp1.proofidcloud.co.uk/idp/shibboleth | eduGAIN | <unknown> | <unknown> | - |
| https://umbrellaid.org/idp/shibboleth | eduGAIN | 03/01/2019 | Allows creation of free, unverified accounts | - |
| https://sso-demo.proofidcloud.co.uk/idp/pingfederate | eduGAIN | <unknown> | <unknown> | - |
| https://idp.umons.ac.be/idp/shibbolethe | Belnet | <unknown> | <unknown> | - |
| https://openidp.aco.net/saml | ACOnet | <unknown> | <unknown> | - |
