An open discussion list for topics related to the eduGAIN interfederation service.

[Nicole Harris <harris AT terena.org>]

On 21/02/2014 07:29, Mikael Linden wrote:

Hi Olivier,

 

In my opinion,

 

1. SP opt-in is better than SP opt-out i.e. SP admin needs to actively decide if the service can be made available for the international audience

- there may be language issues (e.g. the service is not available in English)

- there may be other issues with the target users (e.g. the service is licenced or otherwise targeted only for a certain country)

- there may be attribute issues (e.g. federations populate or interpret some attributes differently and the SP needs to take that into account first)

- there may be LoA issues (e.g. the SP admins are not happy that there are test IdPs in eduGAIN metadata)

Aren't these all true of just being in a federation?  Appearance of an entity in the metadata is never a guarantee that you can access it - you may have to subscribe, write a new attribute release policy etc. etc.  I'm not saying all of these aren't valid points, just that edugain does not change or alter them.

Having said that, I'd probably agree that SP opt-in is sensible in the short to medium term but I'd hope that in the long term opt-out would be the default setting.

 

2. An opt-out policy for IdPs sounds better i.e. exporting IdPs to eduGAIN automatically

- however, the risk for the IdPs is that an attribute release leads to a data protection problem

- therefore, I would make sure that the IdPs are configured to release attributes only to the GÉANT Code of Conduct enabled SPs (or has bilaterally agreed with the SP) before they are exported to eduGAIN. The easiest way to do it is to use opt-in policy, instead. 

Well, IdPs are always at the end of the day responsible for their attribute release policy and shouldn't automatically release to 'things that appear in metadata' so again, I don't think that edugain changes this again either. 

 

3. I think and metadata publishing and consumption should be symmetric, anything else leads to confusion

- if an IdP is exported to eduGAIN, there should be some guarantees that the IdP is also consuming eduGAIN metadata (this is important because otherwise the user will see a log-in error message)

- is an SP is exported to eduGAIN, there should be some guarantees that the SP also consumes eduGAIN metadata (this is less important because otherwise the user just sees his/her IdP missing in the SP disco)

I ran an informal survey at the Open Space meetings in Zurich and it is very clear that this is not happening.  At the moment there are three separate steps that do not line-up:

a) Entity being published to edugain (either by opt-in or opt-out).
b) Federation publishing edugain metadata back to its constituency.  (as a separate aggregate, within federation metadata, by configuration)
c) Entity consuming edugain. 

There are problems at step b) as not all federations are automatically making all edugain metadata available locally, particularly where entities need to be configured in hub and spoke federations.  Where federations are choosing to publish a separate edugain stream, there does not always seem to be any correlation between ensuring that entities that have 'opted in' to be published are 'opted in' to consuming the stream. 

 

In my federation, the federation agreement says that the federation operator makes sure that all federation participants have signed the federation agreement. The Haka federation metadata IS the list of Haka federation participants. Therefore, we must use opt-in – we cannot blindly inject eduGAIN metadata into the Haka federation metadata (I think that is a feature, not a bug).

As we've seen, many federations do not so closely couple the idea of a member agreeing to membership of a federation and publication of metadata.  I think considering the 2 as separate processes is helpful in the long run if we want to progress interfederation at scale. 

I'd hope that no-one would blindly inject edugain metadata in to anything :-)  The work that Ian is doing with the UK federation is really interesting in this respect, creating a series of reasons why individual entities might get chucked out before being published back to the UK (and more importantly contacting federations and organisations - including TERENA - where entity data has failed the tests).  

This is just a matter of where you place the focus of effort on the metadata - is it in getting consent from people to opt-in and then hopefully making sure they are consuming as well, or is it on the relative 'quality' of the metadata itself and leaving the provisioning questions to the entities? I'm guessing this will depend on and reflect where current preferences are within any federation so I think we will continue to see a mixed economy.

hth

Nicole

 

Cheers,

mikael

 

From: Olivier Salaün [mailto:olivier.salaun AT renater.fr]
Sent: 18. helmikuuta 2014 17:41
To: edugain-discuss AT geant.net
Subject: [eduGAIN-discuss] RENATER moving to eduGAIN opt-out for IdPs

 

Hi all,

Discussions during the last TF-EMC2 OpenSpace in Zurich made me realize RENATER's articulation with eduGAIN needed to be changed and I hope to get some feedback from this group regarding this change.
 
Until now French IdPs and SPs had to opt-in to get their metadata included to eduGAIN metadata. We know this workflow does not scale because our IdP admins are not familiar with eduGAIN SPs use cases and it would take us a huge effort to convince IdP admins to opt-in for eduGAIN.

We now consider to change our workflow.

The plan is to move to eduGAIN opt-out for our IdPs only; opt-in would still apply to French SPs willing to join eduGAIN. By default, all French IdP metadata would be published in eduGAIN upstream metadata. We would also include eduGAIN SPs metadata into our federation metadata file (renater-metadata.xml). Our federation registry will let IdP admins perform eduGAIN opt-out if they wish. We already publish attribute filters for Shibboleth IdPs; a new attribute-filter file would include all eduGAIN SPs (or the ones that are CoC compliant).

We foresee this change will increase interest in eduGAIN as an AAI infrastructure and will limit support to eduGAIN SPs for RENATER.
ON the other end:

the attribute release issues remains until IdPs use the attribute filters we will provide we end up mixing national and international SPs in our national metadata file.

I look forward to get your feedback :)

--

 

Olivier Salaün

GIP RENATER
Etudes et Projets Applicatifs (EPA)
Tél : +33 2 23 23 71 27

http://www.renater.fr

 

-- 
----------------
Project Development Officer
TERENA
Singel 468 D
Amsterdam, 1017 AW
The Netherlands

T: +31(0)20 5304488
F: +31(0)20 5304499 

mob: +31(0)646 105395

Attachment: pngK6YFhVFzUH.png
Description: PNG image