An open discussion list for topics related to the eduGAIN interfederation service.

[Janusz Ulanowski <janusz.ulanowski AT heanet.ie>]

On 09/08/13 14:26, Ian Young wrote:
> On 9 Aug 2013, at 13:24, Janusz Ulanowski <janusz.ulanowski AT HEANET.IE> wrote:
>
> > I would like add validator which will be run transparently and and call 
> > internal_process or external validator and raises warning or doesn't allow to 
> > join if metadata is not valid against Edugain or other Federation's 
> > requirements.
>
> eduGAIN and its participant federations are two different questions, and you 
> need to separate them.
>
> eduGAIN is a system for exchanging metadata.  It therefore properly has very 
> simple validity rules which are documented in the upstream metadata profile 
> and checked by the eduGAIN validator.  The idea is that eduGAIN should be 
> able to exchange anything that's not harmful, either in use now or that we 
> invent in the future.
>
> Individual federations will in general have stricter standards for metadata 
> they republish.  Those standards aren't documented by federations today so 
> they are hard to check for.  They may also change as federations get a 
> clearer idea of what they are prepared to re-publish.  At the moment, I 
> suspect many federations don't perform much validation on metadata they get 
> from eduGAIN, but as everyone clearly has somewhat different ideas of what 
> should be valid for their members I'd expect that to change.  I also don't 
> expect it to be possible to come up with a useful set of rules everyone is 
> prepared to agree to validate against, again because everyone has different 
> ideas as to what is appropriate for their members.
>
> For example, several of the entities in the current eduGAIN aggregate don't 
> pass UK federation tests, and as a result we wouldn't republish those 
> entities.  Common issues include:
>
> * mdui:Logo locations that are http:// rather than https://
>
> * AssertionConsumerLocation locations, likewise
>
> * SAML 1 SP entities that don't support Browser/POST
>
> * SAML 2 SP entities without key material
>
> Other federations presumably feel differently about some or all of those validation 
> "failures", or they wouldn't be publishing them in the first place.  None of 
> those are contrary to the eduGAIN profile, and I would *not* expect eduGAIN to refuse 
> to transit those entities.
>
> As I've mentioned to people in a few different contexts, I'd like (at least 
> in principal) to make the UK test set available publicly somewhere for people 
> to run things against, if only because we probably have the largest 
> validation ruleset around.  If I get some free time, maybe that will happen 
> before the end of the year.  What I *don't* expect is that everyone will 
> agree with all of the results.
>
> > It would be very use full if there would be another URL  for Edugain 
> > Validator which could accept POST containing providers's metadata and 
> > validate it.
>
> I agree, but see above: I don't think that can ever give you any assurance 
> other than that eduGAIN will relay the metadata in question.  There will 
> still potentially be issues that arise on republication by each participant 
> federation.
>
>         -- Ian
Hi,
Thanks Ian and others for response.
As there is already edugain validator so adding feature to generate 
response in xml format could simplify writing client-tools.
I still think it could save time for us as federation operators before 
final review.
Best regards,
Janusz

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature