An open discussion list for topics related to the eduGAIN interfederation service.

[Tomasz Wolniewicz <twoln AT umk.pl>]

Hi Janusz,
   we want to use that validator as the part of MDS, therefore we must 
have a way of an automated way of controlling the result anyway. Maja 
has always coded stuff in this direction, so finishing this is no bid 
deal. We always thought that having a proper result code would be 
sufficient, but Maja declares that she will also add the detailed 
output. Therefore you would get something like:

<xml>
<returncode>code</returncode>
<message>
<error>
error message
</error>
<warning>
warning message
</warning>
</message>
</xml>

You could test both an individial entityDescriptor and the whole 
entitiesDescriptor set, but this would require setting a flag in your post.

Is this close to what you had in mind?

Tomasz



W dniu 2013-08-12 13:34, Janusz Ulanowski pisze:
> On 09/08/13 14:26, Ian Young wrote:
> > On 9 Aug 2013, at 13:24, Janusz Ulanowski 
> > <janusz.ulanowski AT HEANET.IE> wrote:
> >
> > > I would like add validator which will be run transparently and and 
> > > call internal_process or external validator and raises warning or 
> > > doesn't allow to join if metadata is not valid against Edugain or 
> > > other Federation's requirements.
> >
> > eduGAIN and its participant federations are two different questions, 
> > and you need to separate them.
> >
> > eduGAIN is a system for exchanging metadata.  It therefore properly 
> > has very simple validity rules which are documented in the upstream 
> > metadata profile and checked by the eduGAIN validator.  The idea is 
> > that eduGAIN should be able to exchange anything that's not harmful, 
> > either in use now or that we invent in the future.
> >
> > Individual federations will in general have stricter standards for 
> > metadata they republish.  Those standards aren't documented by 
> > federations today so they are hard to check for.  They may also 
> > change as federations get a clearer idea of what they are prepared to 
> > re-publish.  At the moment, I suspect many federations don't perform 
> > much validation on metadata they get from eduGAIN, but as everyone 
> > clearly has somewhat different ideas of what should be valid for 
> > their members I'd expect that to change.  I also don't expect it to 
> > be possible to come up with a useful set of rules everyone is 
> > prepared to agree to validate against, again because everyone has 
> > different ideas as to what is appropriate for their members.
> >
> > For example, several of the entities in the current eduGAIN aggregate 
> > don't pass UK federation tests, and as a result we wouldn't republish 
> > those entities.  Common issues include:
> >
> > * mdui:Logo locations that are http:// rather than https://
> >
> > * AssertionConsumerLocation locations, likewise
> >
> > * SAML 1 SP entities that don't support Browser/POST
> >
> > * SAML 2 SP entities without key material
> >
> > Other federations presumably feel differently about some or all of 
> > those validation "failures", or they wouldn't be publishing them in 
> > the first place.  None of those are contrary to the eduGAIN profile, 
> > and I would *not* expect eduGAIN to refuse to transit those entities.
> >
> > As I've mentioned to people in a few different contexts, I'd like (at 
> > least in principal) to make the UK test set available publicly 
> > somewhere for people to run things against, if only because we 
> > probably have the largest validation ruleset around. If I get some 
> > free time, maybe that will happen before the end of the year.  What I 
> > *don't* expect is that everyone will agree with all of the results.
> >
> > > It would be very use full if there would be another URL  for Edugain 
> > > Validator which could accept POST containing providers's metadata 
> > > and validate it.
> >
> > I agree, but see above: I don't think that can ever give you any 
> > assurance other than that eduGAIN will relay the metadata in 
> > question.  There will still potentially be issues that arise on 
> > republication by each participant federation.
> >
> >     -- Ian
> Hi,
> Thanks Ian and others for response.
> As there is already edugain validator so adding feature to generate 
> response in xml format could simplify writing client-tools.
> I still think it could save time for us as federation operators before 
> final review.
> Best regards,
> Janusz

--
Tomasz Wolniewicz
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576