An open discussion list for topics related to the eduGAIN interfederation service.

[Ian Young <ian AT iay.org.uk>]

On 5 Dec 2013, at 10:50, Dick Visser <visser AT terena.org> wrote:

> UKfederation started to include eduGain metadata, so our own IdP
> started to come in through UKfederation.

Sorry to spoil your day ;-)

Yes, we started republishing eduGAIN-acquired entities in our production 
metadata last night. They had been included in our "test" aggregate for some 
time before that.

> I managed to fix this by blacklisting our own IdP entityID for the
> ukfederation entry in the metarefresh module.
> 
> This has happened before, so I guess I'm better off by blacklisting it
> in every metadata source.
> This would prevent the same thing from happening when some federation
> that we're member of at some point in the future starts to include our
> own IdP.

Manual blacklisting is obviously viable only in the short term.

Medium term, you're going to want to establish some kind of general 
precedence or priority rule, so that "local" always wins over "remote". It's 
probably also worth imposing an ordering over your various remote feeds as 
well, so that if an entity appears in multiple feeds there is at least 
predictable behaviour.

I suppose you could automatically generate blacklists from each feed to be 
applied to the ones lower down in your list, if there isn't a way of doing 
this directly in the software you're using.

Long term, of course, we need to get to a point where you don't have to pull 
every metadata source in the world in order to serve your community. This is 
of course exactly the point of eduGAIN, but it means actively *leaving* some 
federations (and asking the IdPs left behind to participate in 
interfederation) to push things in the right direction. That transition will 
take a while, but the desired end result is that as an SP you should only 
need "membership" in one eduGAIN participant federation.

        -- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature