
edugain-discuss - Re: [eduGAIN-discuss] ALL eduGAIN entities in UK federation?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] ALL eduGAIN entities in UK federation?

  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] ALL eduGAIN entities in UK federation?
  • Date: Wed, 05 Feb 2014 16:08:28 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

I believe this was discussed many times and the general agreement was that authentication errors are bad for the SP's reputation.
Anybody can put your IdP name on their discovery services; it does not matter whether eduGAIN exists or not. If they want to mess things up for their customers then this is essentially their (the SP's) problem. If I were in the shoes of the SP, I might complain about the problem caused by the central WAYF system or ask to be exported to eduGAIN, but this is an internal problem of the UK Federation.

I think that what matters for eduGAIN is that if IdPs get exported to eduGAIN then they MUST also consume eduGAIN metadata. Then the proper eduGAIN-enabled SPs will at least not suffer from bad errors (which of course does not mean that people will be able to log in, but as we well know there is little we can do about that).

Tomasz


On 2014-02-05 15:57, Jan Tomášek wrote:
Hello Alex,

On 02/05/2014 10:34 AM, Alex Stuart wrote:
This is intentional behaviour. The UK federation imports eduGAIN
entities and re-publishes them into its production metadata aggregate.
However we operate an opt-in to export metadata to eduGAIN rather than
export the whole aggregate. This arrangement means the opt-in is a
straightforward administrative decision rather than one that requires
reconfiguring the entity.

So, yes, users accessing SPs via the UK federation central discovery
service, or an unfiltered embedded discovery service, will be allowed to
choose IdPs that haven't exchanged metadata. That's a side-effect of
decreased friction for the entity operators, and whether this is a
bug/feature depends on your point of view.

You decreased friction for your entity operators at the expense of all other federation/entity operators.

Situation 1:

User A wants to use SP1.uk and sees that SP1.uk is not eduGAIN enabled. He asks the admins of SP1.uk to become part of eduGAIN; once that is done he can access the service. Or maybe not, because of that administrative stuff.

Situation 2:

User A wants to use SP1.uk and sees that SP1.uk offers him his well-known IdP. He tries to log in as usual and ends up with an error. He will very likely complain to his local support, which can do nothing other than ask the admins of SP1.uk.

So what is better? To offer things which we know can't work, or to offer those services where we did our best to be sure everything will be working for the user?

Communication started from the point of sorting out an error (2), or from a standard request for accessing a cool service (1).


To me this is like broadcasting eduroam and not being connected to the hierarchy.


--
Tomasz Wolniewicz
twoln AT umk.pl http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne / Information & Communication Technology Centre
Uniwersytet Mikolaja Kopernika / Nicolaus Copernicus University
pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750 fax: +48-56-622-1850 mobile: +48-693-032-576
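The discovery-filtering problem discussed in this thread, as an added example that is not part of the original message and is not tooling from the UK federation, eduGAIN or any poster: given a constructed local aggregate (which, like the UK federation's, republishes imported eduGAIN entities) and a constructed eduGAIN aggregate, work out which IdPs an SP's embedded discovery service can safely list. The registrar URLs and entity IDs are placeholders; the mdrpi:RegistrationInfo element is used to tell locally registered entities from imported ones, and the code assumes, as Tomasz requires, that IdPs exported to eduGAIN also consume eduGAIN metadata.

```python
"""Added example (not code from the UK federation, eduGAIN or any poster):
decide which IdPs an SP's discovery service should list, depending on
whether the SP itself was exported to eduGAIN.  All registrar URLs and
entity IDs below are constructed placeholders."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
RPI = "urn:oasis:names:tc:SAML:metadata:rpi"
HOME_REGISTRAR = "https://federation.example/registrar"          # constructed
OTHER_REGISTRAR = "https://other-federation.example/registrar"   # constructed


def _entity(entity_id, role, registrar):
    """Build one constructed EntityDescriptor carrying an mdrpi:RegistrationInfo."""
    return f"""
  <EntityDescriptor entityID="{entity_id}">
    <Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="{registrar}"/>
    </Extensions>
    <{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>"""


_HEAD = f'<EntitiesDescriptor xmlns="{MD}" xmlns:mdrpi="{RPI}">'

# Local production aggregate: locally registered entities plus imported
# eduGAIN entities (idp-c is registered by another federation).
LOCAL_AGGREGATE = _HEAD + "".join([
    _entity("https://idp-a.example/idp", "IDPSSODescriptor", HOME_REGISTRAR),
    _entity("https://idp-b.example/idp", "IDPSSODescriptor", HOME_REGISTRAR),
    _entity("https://idp-c.example.org/idp", "IDPSSODescriptor", OTHER_REGISTRAR),
    _entity("https://sp1.example/sp", "SPSSODescriptor", HOME_REGISTRAR),
    _entity("https://sp2.example/sp", "SPSSODescriptor", HOME_REGISTRAR),
]) + "\n</EntitiesDescriptor>"

# eduGAIN aggregate: only the local entities that opted in to export
# (idp-a, sp2) plus idp-c from the other federation.
EDUGAIN_AGGREGATE = _HEAD + "".join([
    _entity("https://idp-a.example/idp", "IDPSSODescriptor", HOME_REGISTRAR),
    _entity("https://idp-c.example.org/idp", "IDPSSODescriptor", OTHER_REGISTRAR),
    _entity("https://sp2.example/sp", "SPSSODescriptor", HOME_REGISTRAR),
]) + "\n</EntitiesDescriptor>"


def entities(aggregate_xml, role):
    """Map entityID -> registrationAuthority for every entity carrying `role`
    (IDPSSODescriptor or SPSSODescriptor) in the aggregate."""
    out = {}
    for ed in ET.fromstring(aggregate_xml).iter(f"{{{MD}}}EntityDescriptor"):
        if ed.find(f"{{{MD}}}{role}") is None:
            continue
        reg = ed.find(f".//{{{RPI}}}RegistrationInfo")
        out[ed.get("entityID")] = (
            reg.get("registrationAuthority") if reg is not None else None)
    return out


def usable_idps(sp_entity_id, local_xml, edugain_xml, home_registrar=HOME_REGISTRAR):
    """IdPs that actually hold metadata for this SP and can be offered in discovery.

    Locally registered IdPs consume the home aggregate, so they always have
    the SP.  Imported (foreign-registered) IdPs only have the SP if the SP
    was exported to eduGAIN; this assumes, as the thread demands, that IdPs
    exported to eduGAIN also consume eduGAIN metadata.
    """
    local_idps = entities(local_xml, "IDPSSODescriptor")
    usable = {eid for eid, reg in local_idps.items() if reg == home_registrar}
    sp_exported = sp_entity_id in entities(edugain_xml, "SPSSODescriptor")
    if sp_exported:
        usable |= set(entities(edugain_xml, "IDPSSODescriptor"))
    return usable


def misleading_idps(sp_entity_id, local_xml, edugain_xml):
    """IdPs an unfiltered local feed would show for this SP although a login
    attempt there can only fail (Jan's 'Situation 2')."""
    offered = set(entities(local_xml, "IDPSSODescriptor"))
    return offered - usable_idps(sp_entity_id, local_xml, edugain_xml)


if __name__ == "__main__":
    for sp in ("https://sp1.example/sp", "https://sp2.example/sp"):
        print(sp, "usable:", sorted(usable_idps(sp, LOCAL_AGGREGATE, EDUGAIN_AGGREGATE)))
        print(sp, "misleading:", sorted(misleading_idps(sp, LOCAL_AGGREGATE, EDUGAIN_AGGREGATE)))
```

For the non-exported sp1 the imported idp-c is flagged as misleading, which is exactly the entry a filtered embedded discovery service should drop; once sp2 opts in to export, every IdP in the local feed becomes usable. The check only covers the SP's side: whether an exported IdP really consumes eduGAIN metadata cannot be read from the aggregates and has to be enforced by federation policy, as the message above says.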






Archive powered by MHonArc 2.6.19.