edugain-discuss - Re: [eduGAIN-discuss] edugain validator

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] edugain validator


  • From: Ian Young <ian AT iay.org.uk>
  • To: Janusz Ulanowski <janusz.ulanowski AT HEANET.IE>
  • Cc: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] edugain validator
  • Date: Fri, 9 Aug 2013 14:26:06 +0100
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT iay.org.uk
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>


On 9 Aug 2013, at 13:24, Janusz Ulanowski <janusz.ulanowski AT HEANET.IE> wrote:

> I would like to add a validator which will be run transparently and call
> internal_process or external validator and raises warning or doesn't allow
> to join if metadata is not valid against Edugain or other Federation's
> requirements.

eduGAIN and its participant federations are two different questions, and you
need to separate them.

eduGAIN is a system for exchanging metadata. It therefore properly has very
simple validity rules which are documented in the upstream metadata profile
and checked by the eduGAIN validator. The idea is that eduGAIN should be
able to exchange anything that's not harmful, either in use now or that we
invent in the future.

Individual federations will in general have stricter standards for metadata
they republish. Those standards aren't documented by federations today so
they are hard to check for. They may also change as federations get a
clearer idea of what they are prepared to re-publish. At the moment, I
suspect many federations don't perform much validation on metadata they get
from eduGAIN, but as everyone clearly has somewhat different ideas of what
should be valid for their members I'd expect that to change. I also don't
expect it to be possible to come up with a useful set of rules everyone is
prepared to agree to validate against, again because everyone has different
ideas as to what is appropriate for their members.

For example, several of the entities in the current eduGAIN aggregate don't
pass UK federation tests, and as a result we wouldn't republish those
entities. Common issues include:

* mdui:Logo locations that are http:// rather than https://

* AssertionConsumerLocation locations, likewise

* SAML 1 SP entities that don't support Browser/POST

* SAML 2 SP entities without key material

Other federations presumably feel differently about some or all of those
validation "failures", or they wouldn't be publishing them in the first
place. None of those are contrary to the eduGAIN profile, and I would *not*
expect eduGAIN to refuse to transit those entities.

As I've mentioned to people in a few different contexts, I'd like (at least
in principle) to make the UK test set available publicly somewhere for people
to run things against, if only because we probably have the largest
validation ruleset around. If I get some free time, maybe that will happen
before the end of the year. What I *don't* expect is that everyone will
agree with all of the results.

> It would be very useful if there would be another URL for Edugain
> Validator which could accept POST containing provider's metadata and
> validate it.

I agree, but see above: I don't think that can ever give you any assurance
other than that eduGAIN will relay the metadata in question. There will
still potentially be issues that arise on republication by each participant
federation.

-- Ian
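To make the four federation-level checks Ian lists concrete, here is an added example (not the UK federation's test set, nor eduGAIN validator code) that runs them over a constructed EntityDescriptor with Python's standard-library ElementTree. The namespace and binding URIs are the standard SAML ones; the sample entityID and URLs are made up.

```python
"""Check one SAML EntityDescriptor for the four republication issues named above."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
SAML1 = {"urn:oasis:names:tc:SAML:1.0:protocol", "urn:oasis:names:tc:SAML:1.1:protocol"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
BROWSER_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"

# Constructed sample entity; the hostname and paths are made up for this example.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:Logo height="16" width="16">http://sp.example.org/logo.png</mdui:Logo>
    </mdui:UIInfo></md:Extensions>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:artifact-01"
        Location="https://sp.example.org/Shibboleth.sso/SAML/Artifact" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_entity(xml_text):
    """Return a list of (entityID, problem) tuples; an empty list means all four checks pass."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "<unknown>")
    problems = []
    # 1. mdui:Logo locations must be https://, wherever they appear in the entity.
    for logo in root.iterfind(".//mdui:Logo", NS):
        if (logo.text or "").strip().lower().startswith("http://"):
            problems.append("mdui:Logo location is http:// rather than https://")
    for sp in root.iterfind("md:SPSSODescriptor", NS):
        protocols = set(sp.get("protocolSupportEnumeration", "").split())
        acs = sp.findall("md:AssertionConsumerService", NS)
        # 2. AssertionConsumerService locations must be https:// as well.
        for a in acs:
            if a.get("Location", "").lower().startswith("http://"):
                problems.append("AssertionConsumerService location is http://")
        # 3. A SAML 1 SP must offer the Browser/POST profile on some ACS endpoint.
        if protocols & SAML1 and not any(a.get("Binding") == BROWSER_POST for a in acs):
            problems.append("SAML 1 SP does not support Browser/POST")
        # 4. A SAML 2 SP must carry key material (at least one KeyDescriptor).
        if SAML2 in protocols and sp.find("md:KeyDescriptor", NS) is None:
            problems.append("SAML 2 SP has no key material")
    return [(entity_id, p) for p in problems]
```

The sample entity deliberately fails all four checks, so `check_entity(SAMPLE)` reports four problems; replace `SAMPLE` with the text of a real EntityDescriptor to test your own metadata.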



Attachment: smime.p7s
Description: S/MIME cryptographic signature
