Skip to Content.
Sympa Menu

edugain-discuss - Re: [eduGAIN-discuss] edugain validator

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] edugain validator


Chronological Thread 
  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: Janusz Ulanowski <janusz.ulanowski AT heanet.ie>
  • Cc: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] edugain validator
  • Date: Mon, 12 Aug 2013 14:14:11 +0200
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

Hi Janusz,
we want to use that validator as the part of MDS, therefore we must have a way of an automated way of controlling the result anyway. Maja has always coded stuff in this direction, so finishing this is no bid deal. We always thought that having a proper result code would be sufficient, but Maja declares that she will also add the detailed output. Therefore you would get something like:

<xml>
<returncode>code</returncode>
<message>
<error>
error message
</error>
<warning>
warning message
</warning>
</message>
</xml>

You could test both an individial entityDescriptor and the whole entitiesDescriptor set, but this would require setting a flag in your post.

Is this close to what you had in mind?

Tomasz



W dniu 2013-08-12 13:34, Janusz Ulanowski pisze:
On 09/08/13 14:26, Ian Young wrote:

On 9 Aug 2013, at 13:24, Janusz Ulanowski <janusz.ulanowski AT HEANET.IE> wrote:

I would like add validator which will be run transparently and and call internal_process or external validator and raises warning or doesn't allow to join if metadata is not valid against Edugain or other Federation's requirements.

eduGAIN and its participant federations are two different questions, and you need to separate them.

eduGAIN is a system for exchanging metadata. It therefore properly has very simple validity rules which are documented in the upstream metadata profile and checked by the eduGAIN validator. The idea is that eduGAIN should be able to exchange anything that's not harmful, either in use now or that we invent in the future.

Individual federations will in general have stricter standards for metadata they republish. Those standards aren't documented by federations today so they are hard to check for. They may also change as federations get a clearer idea of what they are prepared to re-publish. At the moment, I suspect many federations don't perform much validation on metadata they get from eduGAIN, but as everyone clearly has somewhat different ideas of what should be valid for their members I'd expect that to change. I also don't expect it to be possible to come up with a useful set of rules everyone is prepared to agree to validate against, again because everyone has different ideas as to what is appropriate for their members.

For example, several of the entities in the current eduGAIN aggregate don't pass UK federation tests, and as a result we wouldn't republish those entities. Common issues include:

* mdui:Logo locations that are http:// rather than https://

* AssertionConsumerLocation locations, likewise

* SAML 1 SP entities that don't support Browser/POST

* SAML 2 SP entities without key material

Other federations presumably feel differently about some or all of those validation "failures", or they wouldn't be publishing them in the first place. None of those are contrary to the eduGAIN profile, and I would *not* expect eduGAIN to refuse to transit those entities.

As I've mentioned to people in a few different contexts, I'd like (at least in principal) to make the UK test set available publicly somewhere for people to run things against, if only because we probably have the largest validation ruleset around. If I get some free time, maybe that will happen before the end of the year. What I *don't* expect is that everyone will agree with all of the results.

It would be very use full if there would be another URL for Edugain Validator which could accept POST containing providers's metadata and validate it.

I agree, but see above: I don't think that can ever give you any assurance other than that eduGAIN will relay the metadata in question. There will still potentially be issues that arise on republication by each participant federation.

-- Ian



Hi,
Thanks Ian and others for response.
As there is already edugain validator so adding feature to generate response in xml format could simplify writing client-tools.
I still think it could save time for us as federation operators before final review.
Best regards,
Janusz




--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika Nicolaus Copernicus University,
pl. Rapackiego 1, Torun pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 tel kom.: +48-693-032-576






Archive powered by MHonArc 2.6.19.

Top of Page