edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive

Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs

From: Ian Young <ian AT iay.org.uk>
To: Dick Visser <visser AT terena.org>
Cc: edugain-discuss AT geant.net
Subject: Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs
Date: Thu, 5 Dec 2013 12:24:23 +0000
Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT iay.org.uk
List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
List-id: eduGAIN discussion list <edugain-discuss.geant.net>

On 5 Dec 2013, at 11:56, Dick Visser <visser AT terena.org> wrote:

> Our IdP has this metadata:
> https://login.terena.org/idp/saml2/idp/metadata.php
>
> SURFnet publishes a modified version of this in their SURFconext IdP
> feed at https://engine.surfconext.nl/authentication/proxy/idps-metadata.
>
> The most important difference is are the endpoints. Ours just go to
> the IdP, while SURFnet's copy lists SURFconext.
> That copy is also included in Edugain, and now also in UKfed.

I think the simplest approach to your particular problem is going to be to
ask SURFnet *not* to export that version of your metadata but the original
version instead. They should certainly be able to do the former, but if they
can't do the latter then I'd suggest you ask one of the other eduGAIN
participants to export the base version instead (assuming that you've
registered with at least one other eduGAIN participant; if not, I note that
TERENA is a UKf member so we could probably help you with that).

> Instead of leaving the blacklisting up to the party consumer the metadata
> feed.
> It would be nice to have metadata URLs accept a
> blacklist/do-not-include parameter, so that this this process can be
> done centrally.

It's always nice to throw a snail^Wproblem over the wall into someone else's
garden, and sometimes it is even appropriate.

> So instead of requesting http://mds.edugain.org, manually fiddling to
> sift our what you don't want, you could request:
>
> http://mds.edugain.org/?exclude=https%3A%2F%2Flogin.terena.org%2Fidp%2Fsaml2%2Fidp%2Fmetadata.php

Leaving aside Peter's point (that end entities aren't intended to pull the
eduGAIN MDS feed directly) the problem with this particular idea is that it
is pretty expensive to provide dynamic customised metadata in this way.
You're asking for on-demand production and signing of a potentially very
large aggregate determined by each caller. I think it's very unlikely that we
will see federations deploying a model like that any time soon.

Querying for metadata for individual entities and pre-defined collections is
another matter, of course, but those don't help you here.

-- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs, (continued)
- Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs, Ian Young, 05-Dec-2013
- Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs, Peter Schober, 05-Dec-2013
  - Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs, Ian Young, 05-Dec-2013
    - Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs, Nicole Harris, 05-Dec-2013
    - Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs, Dick Visser, 05-Dec-2013
      - Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs, Peter Schober, 05-Dec-2013
      - Re: [eduGAIN-discuss] IdPs in multiple federations: not listed on all configured powerdisco tabs, Ian Young, 12/05/2013