
edugain-discuss - Re: [eduGAIN-discuss] ALL eduGAIN entities in UK federation?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Nicole Harris <harris AT terena.org>
  • To: Jan Tomášek <jan.tomasek AT cesnet.cz>, edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] ALL eduGAIN entities in UK federation?
  • Date: Wed, 05 Feb 2014 16:09:05 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

On 05/02/2014 15:57, Jan Tomášek wrote:
Hello Alex,

On 02/05/2014 10:34 AM, Alex Stuart wrote:
This is intentional behaviour. The UK federation imports eduGAIN
entities and re-publishes them into its production metadata aggregate.
However we operate an opt-in to export metadata to eduGAIN rather than
export the whole aggregate. This arrangement means the opt-in is a
straightforward administrative decision rather than one that requires
reconfiguring the entity.

So, yes, users accessing SPs via the UK federation central discovery
service, or an unfiltered embedded discovery service, will be allowed to
choose IdPs that haven't exchanged metadata. That's a side-effect of
decreased friction for the entity operators, and whether this is a
bug/feature depends on your point of view.

You decreased friction for your entity operators at the expense of any other federation/entity operators.

Situation 1:

User A wants to use SP1.uk and sees that SP1.uk is not eduGAIN enabled. He asks the admins of SP1.uk to become part of eduGAIN; once that is done he can access the service. Or maybe not, because of that administrative stuff.

No. The workflow should be that an institution can ask its local federation to make a service available to its users. The local federation can choose to do this via edugain or by asking the SP to become a member. Any scenario where an end-user is asking a service to 'sign up to edugain' is going to cause chaos and should not be encouraged. End users should not know about edugain.

Situation 2:

User A wants to use SP1.uk and sees that SP1.uk offers him his well-known IdP. He tries to log in as usual and ends up with an error. He will very likely complain to his local support, which can do nothing other than ask the admins of SP1.uk.

So what is better? To offer things which we know can't work, or to offer those services where we did our best to be sure all will be working for the user?

Communication started from the point of sorting out an error (2), or from a standard request for accessing a cool service (1).


To me this is like broadcasting eduroam and not being connected to the hierarchy.

This happens in any scenario where a central WAYF is being used and has always been true of central WAYFs - which is where elegant failure messages come in. This is not something new that has arrived with the introduction of edugain metadata.


--
----------------
Project Development Officer
TERENA
Singel 468 D
Amsterdam, 1017 AW
The Netherlands

T: +31(0)20 5304488
F: +31(0)20 5304499

mob: +31(0)646 105395





