Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] edugain validator

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] edugain validator


Chronological Thread 
  • From: Ian Young <ian AT iay.org.uk>
  • To: Janusz Ulanowski <janusz.ulanowski AT HEANET.IE>
  • Cc: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] edugain validator
  • Date: Fri, 9 Aug 2013 14:26:06 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT iay.org.uk
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>


On 9 Aug 2013, at 13:24, Janusz Ulanowski <janusz.ulanowski AT HEANET.IE> wrote:

> I would like add validator which will be run transparently and and call
> internal_process or external validator and raises warning or doesn't allow
> to join if metadata is not valid against Edugain or other Federation's
> requirements.

eduGAIN and its participant federations are two different questions, and you
need to separate them.

eduGAIN is a system for exchanging metadata. It therefore properly has very
simple validity rules which are documented in the upstream metadata profile
and checked by the eduGAIN validator. The idea is that eduGAIN should be
able to exchange anything that's not harmful, either in use now or that we
invent in the future.

Individual federations will in general have stricter standards for metadata
they republish. Those standards aren't documented by federations today so
they are hard to check for. They may also change as federations get a
clearer idea of what they are prepared to re-publish. At the moment, I
suspect many federations don't perform much validation on metadata they get
from eduGAIN, but as everyone clearly has somewhat different ideas of what
should be valid for their members I'd expect that to change. I also don't
expect it to be possible to come up with a useful set of rules everyone is
prepared to agree to validate against, again because everyone has different
ideas as to what is appropriate for their members.

For example, several of the entities in the current eduGAIN aggregate don't
pass UK federation tests, and as a result we wouldn't republish those
entities. Common issues include:

* mdui:Logo locations that are http:// rather than https://

* AssertionConsumerLocation locations, likewise

* SAML 1 SP entities that don't support Browser/POST

* SAML 2 SP entities without key material

Other federations presumably feel differently about some or all of those
validation "failures", or they wouldn't be publishing them in the first
place. None of those are contrary to the eduGAIN profile, and I would *not*
expect eduGAIN to refuse to transit those entities.

As I've mentioned to people in a few different contexts, I'd like (at least
in principal) to make the UK test set available publicly somewhere for people
to run things against, if only because we probably have the largest
validation ruleset around. If I get some free time, maybe that will happen
before the end of the year. What I *don't* expect is that everyone will
agree with all of the results.

> It would be very use full if there would be another URL for Edugain
> Validator which could accept POST containing providers's metadata and
> validate it.

I agree, but see above: I don't think that can ever give you any assurance
other than that eduGAIN will relay the metadata in question. There will
still potentially be issues that arise on republication by each participant
federation.

-- Ian



Attachment: smime.p7s
Description: S/MIME cryptographic signature




Archive powered by MHonArc 2.6.19.

Top of Page