edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
List archive
- From: Janusz Ulanowski <janusz.ulanowski AT heanet.ie>
- To: Tomasz Wolniewicz <twoln AT umk.pl>
- Cc: edugain-discuss AT geant.net
- Subject: Re: [eduGAIN-discuss] edugain validator
- Date: Mon, 12 Aug 2013 14:12:51 +0100
- List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
- List-id: eduGAIN discussion list <edugain-discuss.geant.net>
Hi Tomasz,
That exactly what I need and I'm pretty sure it will be use full for others.
Thanks very much,
Janusz
On 12/08/13 13:14, Tomasz Wolniewicz wrote:
Hi Janusz,
we want to use that validator as the part of MDS, therefore we must
have a way of an automated way of controlling the result anyway. Maja
has always coded stuff in this direction, so finishing this is no bid
deal. We always thought that having a proper result code would be
sufficient, but Maja declares that she will also add the detailed
output. Therefore you would get something like:
<xml>
<returncode>code</returncode>
<message>
<error>
error message
</error>
<warning>
warning message
</warning>
</message>
</xml>
You could test both an individial entityDescriptor and the whole
entitiesDescriptor set, but this would require setting a flag in your post.
Is this close to what you had in mind?
Tomasz
W dniu 2013-08-12 13:34, Janusz Ulanowski pisze:
On 09/08/13 14:26, Ian Young wrote:
Hi,
On 9 Aug 2013, at 13:24, Janusz Ulanowski
<janusz.ulanowski AT HEANET.IE> wrote:
I would like add validator which will be run transparently and and
call internal_process or external validator and raises warning or
doesn't allow to join if metadata is not valid against Edugain or
other Federation's requirements.
eduGAIN and its participant federations are two different questions,
and you need to separate them.
eduGAIN is a system for exchanging metadata. It therefore properly
has very simple validity rules which are documented in the upstream
metadata profile and checked by the eduGAIN validator. The idea is
that eduGAIN should be able to exchange anything that's not harmful,
either in use now or that we invent in the future.
Individual federations will in general have stricter standards for
metadata they republish. Those standards aren't documented by
federations today so they are hard to check for. They may also
change as federations get a clearer idea of what they are prepared to
re-publish. At the moment, I suspect many federations don't perform
much validation on metadata they get from eduGAIN, but as everyone
clearly has somewhat different ideas of what should be valid for
their members I'd expect that to change. I also don't expect it to
be possible to come up with a useful set of rules everyone is
prepared to agree to validate against, again because everyone has
different ideas as to what is appropriate for their members.
For example, several of the entities in the current eduGAIN aggregate
don't pass UK federation tests, and as a result we wouldn't republish
those entities. Common issues include:
* mdui:Logo locations that are http:// rather than https://
* AssertionConsumerLocation locations, likewise
* SAML 1 SP entities that don't support Browser/POST
* SAML 2 SP entities without key material
Other federations presumably feel differently about some or all of
those validation "failures", or they wouldn't be publishing them in
the first place. None of those are contrary to the eduGAIN profile,
and I would *not* expect eduGAIN to refuse to transit those entities.
As I've mentioned to people in a few different contexts, I'd like (at
least in principal) to make the UK test set available publicly
somewhere for people to run things against, if only because we
probably have the largest validation ruleset around. If I get some
free time, maybe that will happen before the end of the year. What I
*don't* expect is that everyone will agree with all of the results.
It would be very use full if there would be another URL for Edugain
Validator which could accept POST containing providers's metadata
and validate it.
I agree, but see above: I don't think that can ever give you any
assurance other than that eduGAIN will relay the metadata in
question. There will still potentially be issues that arise on
republication by each participant federation.
-- Ian
Thanks Ian and others for response.
As there is already edugain validator so adding feature to generate
response in xml format could simplify writing client-tools.
I still think it could save time for us as federation operators before
final review.
Best regards,
Janusz
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
- [eduGAIN-discuss] edugain validator, Janusz Ulanowski, 09-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Peter Schober, 09-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Tomasz Wolniewicz, 09-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Ian Young, 09-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Janusz Ulanowski, 12-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Tomasz Wolniewicz, 12-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Janusz Ulanowski, 08/12/2013
- Re: [eduGAIN-discuss] edugain validator, Tomasz Wolniewicz, 12-Aug-2013
- Re: [eduGAIN-discuss] edugain validator, Janusz Ulanowski, 12-Aug-2013
Archive powered by MHonArc 2.6.19.