An open discussion list for topics related to the eduGAIN interfederation service.

[Nicole Harris <harris AT terena.org>]

On 05/02/2014 15:57, Jan Tomášek wrote:
> Hello Alex,
>
> On 02/05/2014 10:34 AM, Alex Stuart wrote:
> > This is intentional behaviour. The UK federation imports eduGAIN
> > entities and re-publishes them into its production metadata aggregate.
> > However we operate an opt-in to export metadata to eduGAIN rather than
> > export the whole aggregate. This arrangement means the opt-in is a
> > straightforward administrative decision rather than one that requires
> > reconfiguring the entity.
> >
> > So, yes, users accessing SPs via the UK federation central discovery
> > service, or an unfiltered embedded discovery service, will be allowed to
> > choose IdPs that haven't exchanged metadata. That's a side-effect of
> > decreased friction for the entity operators, and whether this is a
> > bug/feature depends on your point of view.
>
> You decreased friction to your entity operators on expenses of any 
> other federation/entity operators.
>
> Situation 1:
>
> User A wants to use SP1.uk and see that SP1.uk is not eduGAIN enabled. 
> He asks admins of SP1.uk to become part of eduGAIN, after done he can 
> access service. Or maybe not because of that administrative stuff.
No.  The workflow should be that an institution can ask its local 
federation to make a service available to its users.  The local 
federation can chose to do this via edugain or by asking the SP to 
become a member.  Any scenario where an end-user is asking a service to 
'sign up to edugain' is going to cause chaos and should not be 
encouraged.  End users should not know about edugain.
> Situation 2:
>
> User A wants to use SP1.uk and see that SP1.uk offers him with his 
> well know IdP. He tries to login as usual and ends with error. He will 
> very likely complain at his local support. Which can do nothing 
> different than ask admins of SP1.uk.
>
> So what is better? Offer think which we know it can't work. Or to 
> offer those services where did our best to be sure all will be working 
> for user?
>
> Communication started from point of sorting an error (2). Or standard 
> request for accessing cool service (1).
>
>
> To me is this like broadcasting eduroam and not being connected to 
> hierarchy.

This happens in any scenario where a central WAYF is being used and has 
always been true of central WAYFs - which is where elegant failure 
messages come in. This is not something new that has arrived with the 
introduction of edugain metadata.


--
----------------
Project Development Officer
TERENA
Singel 468 D
Amsterdam, 1017 AW
The Netherlands

T: +31(0)20 5304488
F: +31(0)20 5304499

mob: +31(0)646 105395