An open discussion list for topics related to the eduGAIN interfederation service.

[Lukas Hämmerle <lukas.haemmerle AT switch.ch>]

Hello Olivier

Find some comments inline.


> Until now French IdPs and SPs had to opt-in to get their metadata 
> included to eduGAIN metadata. 

The same is (still) the case for most other federations.

Generally, there are often two aspects involved in Opt-in:
* Legal/policy opt-in
  E.g. an organisation has to sign some additional document before their
  IdP/SPs are expose to eduGAIN.
  Ideally, this step is not needed because it is already allowed by the
  federation policy.

* Technical opt-in
  E.g. loading interfederation metadata, configuring
  additional attributes, etc.


> We now consider to change our workflow.
> 
>     The plan is to move to eduGAIN opt-out for our IdPs only;

I find this a reasonable approach and definitely something that other
federations should consider. Comparing to other (past) approaches where
a whole federation was opted-in with brute force without providing them
eduGAIN metadata and attribute filters in turn, this is certainly the
much more sensible way to do it.

It's also better this way because it only focuses on the IdPs which
solves the chicken-and-egg issue. If all IdPs are in eduGAIN by default,
there is already an egg :-)



>     opt-in would still apply to French SPs willing to join eduGAIN.

This assumes that the legal/policy opt-in is needed, which of course
makes this approach a lot easier.


>     By default, all French IdP metadata would be published in eduGAIN 
> upstream metadata.

This will double the number of IDP EntityDescriptors immediately, which
is good :-)


>     We would also include eduGAIN SPs metadata into our federation metadata 
> file (renater-metadata.xml).

There might be a risk for SPs that are not properly authenticating
federated users. Having an Apache rule like:

AuthType Shibboleth
ShibRequestSetting requireSession true
require valid-user

will also allow all eduGAIN users to access a service. This of course
might be intended and in general shouldn't cause problems but it
probably might be wise to announce this properly on your federation
mailing list in advance with the hint how to change the authorisation
rules to allow only FER users on a service (maybe using a SupAnn attribute).


>     Our federation registry will let IdP admins perform eduGAIN opt-out if 
> they wish.

Good, this still gives them choice and they have to become active
themselves if they are for some reason not happy with this change.


>     We already publish attribute filters for Shibboleth IdPs; a new 
> attribute-filter file would include all eduGAIN SPs (or the ones that are 
> CoC compliant).

This then would solve the attribute release problem.


> We foresee this change will increase interest in eduGAIN as an AAI 
> infrastructure and will limit support to eduGAIN SPs for RENATER.

I agree.


> ON the other end:
> 
>     the attribute release issues remains until IdPs use the attribute 
> filters we will provide

Do you have an idea how many IdPs use the filters RENATER provides
(percentage)?


>     we end up mixing national and international SPs in our national 
> metadata file.

What you could consider is introducing an inner EntitiesDescriptor
element (allows to easier creating attribute filters that apply to all
eduGAIN entities) or to provide another metadata file with
French-entities only.
I would opt for the second option. This again, would require admins who
would like to opt-out to become active.


Best Regards
Lukas

-- 
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT GN3plus Task Leader "Enabling Users"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle AT switch.ch, http://www.switch.ch