
edugain-discuss - Re: [eduGAIN-discuss] ALL eduGAIN entities in UK federation?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Glenn Wearen <glenn.wearen AT heanet.ie>
  • To: Nicole Harris <harris AT terena.org>
  • Cc: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] ALL eduGAIN entities in UK federation?
  • Date: Wed, 5 Feb 2014 10:26:13 +0000
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>


But trusted metadata + released attributes does not equate to successful login? 
That's why I said 'reasonably assume' ;-)

The only way this can be achieved is if you know which resources every IdP subscribes to... and that's a shifting concept.

In the case of subscription-only resources, the resource owner has the ability to manage (with JAGGER) a circle of trust containing only its subscribers. Our central WAYF will adjust the list of IdPs accordingly, but we push SPs to do their own discovery (following REFEDS guidelines). Admittedly, SPs availing of this feature tend not to be in the publishing business.

I feel it's a big ask to expect SPs to filter metadata by their own means, hence the circle of trust concept in JAGGER.

Glenn







Our approach in Edugate (implemented in JAGGER) is to provide metadata tailored for each SP (and IdP) based on circles of trust, where eduGAIN is one such circle. We've yet to tailor the metadata for SPs where we know the IdP has set an attribute release policy to match the SP's requirements; but we'll get there eventually.
That's a lot of work :-)

The real problem in this example below is that SCRAN is relying on the UK federation central WAYF, which does not make any of these distinctions. The solution would either be to say the central WAYFs are borked in the age of eduGAIN, or to ensure that federations and services implement elegant fail messages so that users are well informed... which fits in with Brook's comments below.

Although we have to weigh up the likelihood of a user from the Czech Republic finding scran.ac.uk, clicking on 'shibboleth users' (another broken problem) and then finding the UK federation WAYF and finding their IdP in it. 


Glenn

HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301  tel: +353-1-6609040  fax: +353-1-6603666

On 5 Feb 2014, at 09:14, Brook Schofield wrote:

Jan,

this is both intentional and a bug. This isn't dissimilar to the DFN-AAI publishing of its metadata into eduGAIN, actually the reverse of this situation.

I'm sure others will write a much more elegant response than mine - but I've already received an email from a publisher connected to UK Federation that was interested in the metadata entries of other countries appearing in their metadata feed.

This publisher selectively includes IdPs that have subscribed - so they didn't have a problem - but they wanted to ensure that those IdPs could get access to their service.

UK Federation announced that it would become a full production participant of eduGAIN in early December 2013:
   https://lists.incommon.org/sympa/arc/interfed/2013-10/msg00010.html (message is pasted twice so you can stop reading when déjà vu sets in)

So again it's intentional. If eduID.cz IdPs are interested in accessing Scran or any other services within the UK Federation then you should contact the organisation and encourage their participation in eduGAIN (which they can do by contacting the UK Federation helpdesk - which will fix the bug - at least for that organisation).

-Brook


On 5 February 2014 09:54, Jan Tomášek <jan.tomasek AT cesnet.cz> wrote:
Hello,

we have discovered that UK federation republishes all entities from eduGAIN into their metadata:
        http://metadata.ukfederation.org.uk/ukfederation-metadata.xml
but they are not doing the opposite. So entities from UK federation are not being republished into eduGAIN.

I think this could confuse users. With a little experimenting I've found the SP https://www.scran.ac.uk/ which offers login using the CESNET, Univerzita Karlova v Praze, ... IdPs, but those logins will always fail because https://www.scran.ac.uk/ is not being exported into eduGAIN; our IdP doesn't know about https://www.scran.ac.uk/ and refuses the login. Poor user, poor IdP admin who has to explain this to users.

Is this intentional or is this a bug?

--
--------------------------------------------------------------
Jan Tomasek aka Semik           work: CESNET, z.s.p.o.
http://www.tomasek.cz/                Zikova 4, 160 00 Praha 6
                                      Czech Republic
phone(work): +420 234 680 279         http://www.cesnet.cz/




--
===================================================
Brook Schofield, TERENA Project Development Officer
TERENA Secretariat, Singel 468 D, 1017 AW Amsterdam, The Netherlands
Tel +31 20 530 4488    Fax +31 20 530 4499    Mob +31 65 155 3991
www.terena.org



-- 
----------------
Project Development Officer
TERENA
Singel 468 D
Amsterdam, 1017 AW
The Netherlands

T: +31(0)20 5304488
F: +31(0)20 5304499 

mob: +31(0)646 105395
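
The one-way republishing discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not code from JAGGER or any federation: it compares the aggregate a central WAYF is built from with the aggregate exported to other federations, and lists the IdPs that would be offered for an SP but can never know about it. All entityIDs, registration authorities and function names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}

def entities(aggregate_xml):
    """Map entityID -> (role, registrationAuthority) for one aggregate.
    A real feed is signed; verify the signature before parsing it."""
    out = {}
    for ed in ET.fromstring(aggregate_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        role = "idp" if ed.find("md:IDPSSODescriptor", NS) is not None else "sp"
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        ra = reg.get("registrationAuthority") if reg is not None else None
        out[ed.get("entityID")] = (role, ra)
    return out

def dead_end_idps(local_feed, export_feed, sp_id, local_ra):
    """IdPs that a WAYF built from local_feed offers for sp_id although their
    home federation never receives sp_id (it is missing from export_feed)."""
    local, exported = entities(local_feed), entities(export_feed)
    if sp_id in exported:
        return []
    return sorted(eid for eid, (role, ra) in local.items()
                  if role == "idp" and ra != local_ra)

def wayf_list(local_feed, export_feed, sp_id, local_ra):
    """Per-SP discovery list with the dead ends removed."""
    dead = set(dead_end_idps(local_feed, export_feed, sp_id, local_ra))
    return sorted(eid for eid, (role, _) in entities(local_feed).items()
                  if role == "idp" and eid not in dead)

# --- constructed sample data (trimmed descriptors, placeholder names) ---
def _ed(eid, role, ra):
    return ('<md:EntityDescriptor entityID="%s"><md:Extensions>'
            '<mdrpi:RegistrationInfo registrationAuthority="%s"/>'
            '</md:Extensions><md:%s/></md:EntityDescriptor>' % (eid, ra, role))

def _agg(*eds):
    return ('<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdrpi="%s">%s'
            '</md:EntitiesDescriptor>' % (NS["md"], NS["mdrpi"], "".join(eds)))

LOCAL_RA, FOREIGN_RA = "https://fed-a.example", "https://fed-b.example"
SP = "https://sp.fed-a.example/shibboleth"
HOME_IDP, GUEST_IDP = "https://idp.fed-a.example/idp", "https://idp.fed-b.example/idp"
LOCAL_FEED = _agg(_ed(SP, "SPSSODescriptor", LOCAL_RA),
                  _ed(HOME_IDP, "IDPSSODescriptor", LOCAL_RA),
                  _ed(GUEST_IDP, "IDPSSODescriptor", FOREIGN_RA))
EXPORT_FEED = _agg(_ed(GUEST_IDP, "IDPSSODescriptor", FOREIGN_RA))

if __name__ == "__main__":
    print(dead_end_idps(LOCAL_FEED, EXPORT_FEED, SP, LOCAL_RA))
    print(wayf_list(LOCAL_FEED, EXPORT_FEED, SP, LOCAL_RA))
```

Presence in both feeds is only a necessary condition: as noted in the thread, trusted metadata plus released attributes still does not guarantee a successful login.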



