edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Janusz Ulanowski <janusz.ulanowski AT heanet.ie>
- To: Ian Young <ian AT iay.org.uk>, edugain-discuss AT geant.net
- Subject: Re: [eduGAIN-discuss] edugain validator
- Date: Mon, 12 Aug 2013 12:34:11 +0100
- List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
- List-id: eduGAIN discussion list <edugain-discuss.geant.net>
On 09/08/13 14:26, Ian Young wrote:
Hi,
On 9 Aug 2013, at 13:24, Janusz Ulanowski <janusz.ulanowski AT HEANET.IE> wrote:
I would like add validator which will be run transparently and and call
internal_process or external validator and raises warning or doesn't allow to
join if metadata is not valid against Edugain or other Federation's
requirements.
eduGAIN and its participant federations are two different questions, and you
need to separate them.
eduGAIN is a system for exchanging metadata. It therefore properly has very
simple validity rules which are documented in the upstream metadata profile
and checked by the eduGAIN validator. The idea is that eduGAIN should be
able to exchange anything that's not harmful, either in use now or that we
invent in the future.
Individual federations will in general have stricter standards for metadata
they republish. Those standards aren't documented by federations today so
they are hard to check for. They may also change as federations get a
clearer idea of what they are prepared to re-publish. At the moment, I
suspect many federations don't perform much validation on metadata they get
from eduGAIN, but as everyone clearly has somewhat different ideas of what
should be valid for their members I'd expect that to change. I also don't
expect it to be possible to come up with a useful set of rules everyone is
prepared to agree to validate against, again because everyone has different
ideas as to what is appropriate for their members.
For example, several of the entities in the current eduGAIN aggregate don't
pass UK federation tests, and as a result we wouldn't republish those
entities. Common issues include:
* mdui:Logo locations that are http:// rather than https://
* AssertionConsumerLocation locations, likewise
* SAML 1 SP entities that don't support Browser/POST
* SAML 2 SP entities without key material
Other federations presumably feel differently about some or all of those validation
"failures", or they wouldn't be publishing them in the first place. None of
those are contrary to the eduGAIN profile, and I would *not* expect eduGAIN to refuse
to transit those entities.
As I've mentioned to people in a few different contexts, I'd like (at least
in principal) to make the UK test set available publicly somewhere for people
to run things against, if only because we probably have the largest
validation ruleset around. If I get some free time, maybe that will happen
before the end of the year. What I *don't* expect is that everyone will
agree with all of the results.
It would be very use full if there would be another URL for Edugain
Validator which could accept POST containing providers's metadata and
validate it.
I agree, but see above: I don't think that can ever give you any assurance
other than that eduGAIN will relay the metadata in question. There will
still potentially be issues that arise on republication by each participant
federation.
-- Ian
Thanks Ian and others for response.
As there is already edugain validator so adding feature to generate response in xml format could simplify writing client-tools.
I still think it could save time for us as federation operators before final review.
Best regards,
Janusz
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
- [eduGAIN-discuss] edugain validator, Janusz Ulanowski, 09-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Peter Schober, 09-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Tomasz Wolniewicz, 09-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Ian Young, 09-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Janusz Ulanowski, 08/12/2013
- Re: [eduGAIN-discuss] edugain validator, Tomasz Wolniewicz, 12-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Janusz Ulanowski, 12-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Tomasz Wolniewicz, 12-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Janusz Ulanowski, 08/12/2013
Archive powered by MHonArc 2.6.19.