An open discussion list for topics related to the eduGAIN interfederation service.

[Tomasz Wolniewicz <twoln AT umk.pl>]

I believe this was discussed many times and the general agreement was 
that authentication errors are bad reputation for the SP.
Anybody can put your IdP name on their discovery services, it does not 
matter if eduGAIN exists or not. If they want to mess up things for 
their customers then this is essentially their (SP) problem. If I were 
in the shoes of the SP, I might complain about the problem caused by the 
central WAYF system or would ask to be exported to eduGAIN, but this is 
the internal problem of the UK Federation.

I think that what matters for eduGAIN is that if IdPs get exported to 
eduGAIN then they MUST also consume eduGAIN metadata. Then the proper 
eduGAIN enabled SPs will at least not suffer from bad errors (which of 
course does not mean that people will be able to log in, but as we well 
know there is little we can do about that).

Tomasz


W dniu 2014-02-05 15:57, Jan Tomášek pisze:
> Hello Alex,
>
> On 02/05/2014 10:34 AM, Alex Stuart wrote:
> > This is intentional behaviour. The UK federation imports eduGAIN
> > entities and re-publishes them into its production metadata aggregate.
> > However we operate an opt-in to export metadata to eduGAIN rather than
> > export the whole aggregate. This arrangement means the opt-in is a
> > straightforward administrative decision rather than one that requires
> > reconfiguring the entity.
> >
> > So, yes, users accessing SPs via the UK federation central discovery
> > service, or an unfiltered embedded discovery service, will be allowed to
> > choose IdPs that haven't exchanged metadata. That's a side-effect of
> > decreased friction for the entity operators, and whether this is a
> > bug/feature depends on your point of view.
>
> You decreased friction to your entity operators on expenses of any 
> other federation/entity operators.
>
> Situation 1:
>
> User A wants to use SP1.uk and see that SP1.uk is not eduGAIN enabled. 
> He asks admins of SP1.uk to become part of eduGAIN, after done he can 
> access service. Or maybe not because of that administrative stuff.
>
> Situation 2:
>
> User A wants to use SP1.uk and see that SP1.uk offers him with his 
> well know IdP. He tries to login as usual and ends with error. He will 
> very likely complain at his local support. Which can do nothing 
> different than ask admins of SP1.uk.
>
> So what is better? Offer think which we know it can't work. Or to 
> offer those services where did our best to be sure all will be working 
> for user?
>
> Communication started from point of sorting an error (2). Or standard 
> request for accessing cool service (1).
>
>
> To me is this like broadcasting eduroam and not being connected to 
> hierarchy.

--
Tomasz Wolniewicz
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       tel kom.: +48-693-032-576