An open discussion list for topics related to the eduGAIN interfederation service.

[Janusz Ulanowski <janusz.ulanowski AT heanet.ie>]

Hi Tomasz,
That exactly what I need and I'm pretty sure it will be use full for others.
Thanks very much,
Janusz

On 12/08/13 13:14, Tomasz Wolniewicz wrote:
> Hi Janusz,
>     we want to use that validator as the part of MDS, therefore we must
> have a way of an automated way of controlling the result anyway. Maja
> has always coded stuff in this direction, so finishing this is no bid
> deal. We always thought that having a proper result code would be
> sufficient, but Maja declares that she will also add the detailed
> output. Therefore you would get something like:
>
> <xml>
> <returncode>code</returncode>
> <message>
> <error>
> error message
> </error>
> <warning>
> warning message
> </warning>
> </message>
> </xml>
>
> You could test both an individial entityDescriptor and the whole
> entitiesDescriptor set, but this would require setting a flag in your post.
>
> Is this close to what you had in mind?
>
> Tomasz
>
>
>
> W dniu 2013-08-12 13:34, Janusz Ulanowski pisze:
> > On 09/08/13 14:26, Ian Young wrote:
> > > On 9 Aug 2013, at 13:24, Janusz Ulanowski
> > > <janusz.ulanowski AT HEANET.IE> wrote:
> > >
> > > > I would like add validator which will be run transparently and and
> > > > call internal_process or external validator and raises warning or
> > > > doesn't allow to join if metadata is not valid against Edugain or
> > > > other Federation's requirements.
> > >
> > > eduGAIN and its participant federations are two different questions,
> > > and you need to separate them.
> > >
> > > eduGAIN is a system for exchanging metadata.  It therefore properly
> > > has very simple validity rules which are documented in the upstream
> > > metadata profile and checked by the eduGAIN validator.  The idea is
> > > that eduGAIN should be able to exchange anything that's not harmful,
> > > either in use now or that we invent in the future.
> > >
> > > Individual federations will in general have stricter standards for
> > > metadata they republish.  Those standards aren't documented by
> > > federations today so they are hard to check for.  They may also
> > > change as federations get a clearer idea of what they are prepared to
> > > re-publish.  At the moment, I suspect many federations don't perform
> > > much validation on metadata they get from eduGAIN, but as everyone
> > > clearly has somewhat different ideas of what should be valid for
> > > their members I'd expect that to change.  I also don't expect it to
> > > be possible to come up with a useful set of rules everyone is
> > > prepared to agree to validate against, again because everyone has
> > > different ideas as to what is appropriate for their members.
> > >
> > > For example, several of the entities in the current eduGAIN aggregate
> > > don't pass UK federation tests, and as a result we wouldn't republish
> > > those entities.  Common issues include:
> > >
> > > * mdui:Logo locations that are http:// rather than https://
> > >
> > > * AssertionConsumerLocation locations, likewise
> > >
> > > * SAML 1 SP entities that don't support Browser/POST
> > >
> > > * SAML 2 SP entities without key material
> > >
> > > Other federations presumably feel differently about some or all of
> > > those validation "failures", or they wouldn't be publishing them in
> > > the first place.  None of those are contrary to the eduGAIN profile,
> > > and I would *not* expect eduGAIN to refuse to transit those entities.
> > >
> > > As I've mentioned to people in a few different contexts, I'd like (at
> > > least in principal) to make the UK test set available publicly
> > > somewhere for people to run things against, if only because we
> > > probably have the largest validation ruleset around. If I get some
> > > free time, maybe that will happen before the end of the year.  What I
> > > *don't* expect is that everyone will agree with all of the results.
> > >
> > > > It would be very use full if there would be another URL  for Edugain
> > > > Validator which could accept POST containing providers's metadata
> > > > and validate it.
> > >
> > > I agree, but see above: I don't think that can ever give you any
> > > assurance other than that eduGAIN will relay the metadata in
> > > question.  There will still potentially be issues that arise on
> > > republication by each participant federation.
> > >
> > >     -- Ian
> > Hi,
> > Thanks Ian and others for response.
> > As there is already edugain validator so adding feature to generate
> > response in xml format could simplify writing client-tools.
> > I still think it could save time for us as federation operators before
> > final review.
> > Best regards,
> > Janusz

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature