
edugain-discuss - Re: [eduGAIN-discuss] RENATER moving to eduGAIN opt-out for IdPs

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Olivier Salaün <olivier.salaun AT renater.fr>
  • To: Thomas Lenggenhager <lenggenhager AT switch.ch>, edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] RENATER moving to eduGAIN opt-out for IdPs
  • Date: Wed, 19 Feb 2014 16:58:08 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

On 19/02/14 16:33, Thomas Lenggenhager wrote:
> Hi Olivier,
>
> Two observations:
> 1) Would you start with an opt-out period first, so that IdP admins
> could put their opt-out check mark in your federation registry, before
> you start publishing the IdPs to eduGAIN? That way, one could avoid
> having to remove IdPs after they were visible for some time already.

Having a transition period of that kind makes a lot of sense. We will keep this good idea :)

> 2) Responsibilities and risks: FER provides attribute filters. To what
> extent can the IdP admins influence them individually? If you add the
> attribute requirements of all eduGAIN SPs into the filters, I think FER
> may take responsibility for the data export. If you limit it to the SPs
> with CoC and/or R&S entity category, that might reduce the risk FER takes.

Our federation technical framework only makes the use of the renater-attribute-filters-national.xml attribute filter mandatory. This attribute filter would not include attribute release rules for eduGAIN SPs. We would build an additional renater-attribute-filters-edugain.xml file that IdPs would be free to use. Limiting the attribute filter rules we publish to eduGAIN SPs who comply with the CoC is probably the right approach because it guarantees that the data processor is in EU/EEA.

We don't see the R&S entity category as useful information for French IdPs because it does not tell where data is processed. The new REFEDS CoC would be more useful for us.

> Thomas
>
> On 18.02.14 16:41, Olivier Salaün wrote:
>> Hi all,
>>
>> Discussions during the last TF-EMC2 OpenSpace in Zurich made me realize
>> RENATER's articulation with eduGAIN needed to be changed and I hope to
>> get some feedback from this group regarding this change.
>>
>> Until now French IdPs and SPs had to opt in to get their metadata
>> included in eduGAIN metadata. We know this workflow does not scale
>> because our IdP admins are not familiar with eduGAIN SPs' use cases and
>> it would take us a huge effort to convince IdP admins to opt in for eduGAIN.
>>
>> We are now considering changing our workflow.
>>
>>   * The plan is to move to eduGAIN opt-out for our IdPs only;
>>   * opt-in would still apply to French SPs willing to join eduGAIN.
>>   * By default, all French IdP metadata would be published in eduGAIN
>>     upstream metadata.
>>   * We would also include eduGAIN SPs metadata into our federation
>>     metadata file (renater-metadata.xml).
>>   * Our federation registry will let IdP admins perform eduGAIN opt-out
>>     if they wish.
>>   * We already publish attribute filters for Shibboleth IdPs; a new
>>     attribute-filter file would include all eduGAIN SPs (or the ones
>>     that are CoC compliant).
>>
>> We foresee this change will increase interest in eduGAIN as an AAI
>> infrastructure and will limit support to eduGAIN SPs for RENATER.
>> On the other end:
>>
>>  1. the attribute release issue remains until IdPs use the attribute
>>     filters we will provide
>>  2. we end up mixing national and international SPs in our national
>>     metadata file.
>>
>> I look forward to getting your feedback :)

    


--


Olivier Salaün

GIP RENATER
Etudes et Projets Applicatifs (EPA)
Tel: +33 2 23 23 71 27


http://www.renater.fr
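
The selection step behind a CoC-limited renater-attribute-filters-edugain.xml, as an added example that is not part of the original message and not RENATER's code: it picks the SPs asserting the CoC entity category out of a metadata aggregate and lists the attributes each one marks as required. The category URI, the choice to release only isRequired attributes, the function name and the sample metadata are assumptions of the example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
# GEANT CoC v1 category URI; assumed here, not quoted in the thread.
COC_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed sample aggregate: two SPs, only the first asserts the CoC category.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}"
  xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
 <md:EntityDescriptor entityID="https://sp-coc.example.org/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
   <saml:Attribute Name="{ENTITY_CATEGORY}">
    <saml:AttributeValue>{COC_V1}</saml:AttributeValue>
   </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
  <md:SPSSODescriptor><md:AttributeConsumingService index="1">
   <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
   <md:RequestedAttribute Name="urn:oid:2.5.4.4"/>
  </md:AttributeConsumingService></md:SPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp-other.example.net/shibboleth">
  <md:SPSSODescriptor/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def coc_release_rules(metadata_xml):
    """Map each CoC SP entityID to the attribute names it marks isRequired."""
    rules = {}
    for ent in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        sp = ent.find("md:SPSSODescriptor", NS)
        if sp is None:
            continue  # IdPs and other roles get no release rule
        attrs = ent.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
        cats = {v.text.strip() for a in attrs if a.get("Name") == ENTITY_CATEGORY
                for v in a.findall("saml:AttributeValue", NS) if v.text}
        if COC_V1 not in cats:
            continue  # no CoC commitment: release stays the IdP admin's decision
        requested = sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS)
        rules[ent.get("entityID")] = sorted(
            ra.get("Name") for ra in requested
            if ra.get("isRequired") in ("true", "1"))
    return rules

if __name__ == "__main__":
    for entity_id, names in coc_release_rules(SAMPLE).items():
        print(entity_id, names)
```
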





