To allow access from all over the world, the LINDAT/CLARIN service provider is a member of several identity federations, including CLARIN SPF and eduGAIN. Unfortunately, some of these federations include identity providers that do not guarantee that their users are real people (e.g., you can trace the account to an email but not to a person). We try to keep our services as open as possible, but there are cases (e.g., signing licenses in our repository) where anonymous users are forbidden.

For that reason we choose to exclude users from test IdPs and from IdPs that let you create an account online with no further background check.

We are blocking the following IdPs:

  • https://openidp.aco.net/saml
  • https://idp.protectnetwork.org/protectnetwork-idp
  • Every IdP with the entity category http://refeds.org/category/hide-from-discovery

The implementation in Shibboleth is illustrated below (snippets from shibboleth2.xml):

<!-- CLARIN SPF - Metadata about all IdPs in participating Identity Federations -->
<MetadataProvider type="XML" uri="https://infra.clarin.eu/aai/prod_md_about_spf_idps.xml">
    <MetadataFilter type="Blacklist">
        <Exclude>https://openidp.aco.net/saml</Exclude>
    </MetadataFilter>
</MetadataProvider>

<!-- eduGAIN -->
<MetadataProvider type="XML" uri="https://metadata.eduid.cz/entities/edugain+idp">
    <MetadataFilter type="Blacklist">
        <Exclude>https://idp.protectnetwork.org/protectnetwork-idp</Exclude>
    </MetadataFilter>

    <MetadataFilter type="Blacklist" matcher="EntityAttributes">
        <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
        </saml:Attribute>
    </MetadataFilter>
</MetadataProvider>
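
One way to audit which entries of a metadata aggregate the rules above remove, as an added example (not LINDAT/CLARIN's or Shibboleth's own code). The sample aggregate and its example.org entityIDs are constructed, and the check only looks at entity attributes set on the entity itself.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The three blocking rules listed on this page.
BLOCKED_IDS = {"https://openidp.aco.net/saml",
               "https://idp.protectnetwork.org/protectnetwork-idp"}
CATEGORY_ATTR = "http://macedir.org/entity-category"
BLOCKED_CATEGORY = "http://refeds.org/category/hide-from-discovery"

# Constructed sample aggregate; the example.org entities are made up.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example.org/idp"/>
  <md:EntityDescriptor entityID="https://openidp.aco.net/saml"/>
  <md:EntityDescriptor entityID="https://hidden.example.org/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def categories(entity):
    """Entity-category values from the entity's own mdattr:EntityAttributes."""
    values = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == CATEGORY_ATTR:
            values |= {(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)}
    return values

def audit(metadata_xml):
    """Return (allowed, blocked); blocked maps each entityID to the rule that hit."""
    allowed, blocked = [], {}
    root = ET.fromstring(metadata_xml)
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        eid = entity.get("entityID")
        if eid in BLOCKED_IDS:
            blocked[eid] = "entityID"
        elif BLOCKED_CATEGORY in categories(entity):
            blocked[eid] = "entity-category"
        else:
            allowed.append(eid)
    return allowed, blocked
```

Calling `audit(SAMPLE)` returns the entityIDs that stay usable and, for each removed one, whether the entityID list or the entity-category rule matched.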