
edugain-discuss - Re: [eduGAIN-discuss] RENATER moving to eduGAIN opt-out for IdPs

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] RENATER moving to eduGAIN opt-out for IdPs

  • From: Mikael Linden <mikael.linden AT csc.fi>
  • To: Olivier Salaün <olivier.salaun AT renater.fr>, <edugain-discuss AT geant.net>
  • Subject: Re: [eduGAIN-discuss] RENATER moving to eduGAIN opt-out for IdPs
  • Date: Fri, 21 Feb 2014 09:29:17 +0200 (EET)
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

Hi Olivier,

In my opinion,

1. SP opt-in is better than SP opt-out, i.e. the SP admin needs to actively decide if the service can be made available to the international audience

- there may be language issues (e.g. the service is not available in English)

- there may be other issues with the target users (e.g. the service is licenced or otherwise targeted only for a certain country)

- there may be attribute issues (e.g. federations populate or interpret some attributes differently and the SP needs to take that into account first)

- there may be LoA issues (e.g. the SP admins are not happy that there are test IdPs in eduGAIN metadata)

2. An opt-out policy for IdPs sounds better i.e. exporting IdPs to eduGAIN automatically

- however, the risk for the IdPs is that an attribute release leads to a data protection problem

- therefore, I would make sure that the IdPs are configured to release attributes only to the GÉANT Code of Conduct enabled SPs (or have bilaterally agreed with the SP) before they are exported to eduGAIN. The easiest way to do it is to use an opt-in policy instead. :)

3. I think metadata publishing and consumption should be symmetric; anything else leads to confusion

- if an IdP is exported to eduGAIN, there should be some guarantees that the IdP is also consuming eduGAIN metadata (this is important because otherwise the user will see a log-in error message)

- if an SP is exported to eduGAIN, there should be some guarantees that the SP also consumes eduGAIN metadata (this is less important because otherwise the user just sees his/her IdP missing in the SP disco)

In my federation, the federation agreement says that the federation operator makes sure that all federation participants have signed the federation agreement. The Haka federation metadata IS the list of Haka federation participants. Therefore, we must use opt-in – we cannot blindly inject eduGAIN metadata into the Haka federation metadata (I think that is a feature, not a bug).

Cheers,

mikael

From: Olivier Salaün [mailto:olivier.salaun AT renater.fr]
Sent: 18 February 2014 17:41
To: edugain-discuss AT geant.net
Subject: [eduGAIN-discuss] RENATER moving to eduGAIN opt-out for IdPs

Hi all,

Discussions during the last TF-EMC2 OpenSpace in Zurich made me realize RENATER's articulation with eduGAIN needed to be changed and I hope to get some feedback from this group regarding this change.

Until now French IdPs and SPs had to opt-in to get their metadata included in eduGAIN metadata. We know this workflow does not scale because our IdP admins are not familiar with eduGAIN SPs' use cases and it would take us a huge effort to convince IdP admins to opt-in for eduGAIN.

We are now considering changing our workflow.

  • The plan is to move to eduGAIN opt-out for our IdPs only;
  • Opt-in would still apply to French SPs willing to join eduGAIN.
  • By default, all French IdP metadata would be published in eduGAIN upstream metadata.
  • We would also include eduGAIN SPs metadata into our federation metadata file (renater-metadata.xml).
  • Our federation registry will let IdP admins perform eduGAIN opt-out if they wish.
  • We already publish attribute filters for Shibboleth IdPs; a new attribute-filter file would include all eduGAIN SPs (or the ones that are CoC compliant).


We foresee this change will increase interest in eduGAIN as an AAI infrastructure and will limit support to eduGAIN SPs for RENATER.
On the other hand:

  1. the attribute release issue remains until IdPs use the attribute filters we will provide
  2. we end up mixing national and international SPs in our national metadata file.


I look forward to getting your feedback :)

--

Olivier Salaün

GIP RENATER
Etudes et Projets Applicatifs (EPA)
Tél : +33 2 23 23 71 27

http://www.renater.fr
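Both messages above refer to an attribute-filter file that releases attributes only to Code of Conduct compliant eduGAIN SPs. The following is an added example of what such a filter can look like for a Shibboleth IdP; it is not RENATER's published filter nor part of either message, and it assumes Shibboleth IdP v3 attribute-filter syntax (the thread predates v3). Attributes are released only to SPs whose metadata carries the GÉANT Data Protection Code of Conduct entity category, and only those the SP marks as required; every other eduGAIN SP matches no policy and receives nothing under the filter engine's default deny.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not RENATER's published filter; Shibboleth IdP v3 filter syntax assumed. -->
<AttributeFilterPolicyGroup id="eduGAINCoCFilter"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- Applies only when the requesting SP's metadata carries the GEANT
       Data Protection Code of Conduct entity category (v1). eduGAIN SPs
       without that category match no policy here and get nothing: the
       filter engine denies any attribute that no policy has permitted. -->
  <AttributeFilterPolicy id="releaseToCoCSPs">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"/>

    <!-- Even for CoC SPs, release a value only if the SP lists the attribute
         with isRequired="true" in its RequestedAttribute metadata, so the
         SP's own declared minimum set bounds what the IdP sends. -->
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    <AttributeRule attributeID="eduPersonScopedAffiliation">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    <AttributeRule attributeID="mail">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
    <AttributeRule attributeID="displayName">
      <PermitValueRule xsi:type="AttributeInMetadata" onlyIfRequired="true"/>
    </AttributeRule>
  </AttributeFilterPolicy>

  <!-- For contrast, the weak setting to avoid once IdPs are exported to
       eduGAIN by default: a catch-all policy like the one below would send
       ePPN to every eduGAIN SP, which is exactly the data protection
       problem the thread warns about. Left commented out on purpose.
  <AttributeFilterPolicy id="releaseToAll">
    <PolicyRequirementRule xsi:type="ANY"/>
    <AttributeRule attributeID="eduPersonPrincipalName">
      <PermitValueRule xsi:type="ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
  -->
</AttributeFilterPolicyGroup>
```

The entity-category match only works if the IdP actually loads the eduGAIN SP metadata (Olivier's renater-metadata.xml import) through a verified MetadataProvider, since the category is read from that metadata at request time.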