
edugain-discuss - Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems)

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Brook Schofield <schofield AT terena.org>
  • To: Niels van Dijk <niels.vandijk AT surfnet.nl>
  • Cc: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] SPs with no attribute requirements (or so it seems)
  • Date: Thu, 27 Mar 2014 11:46:13 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

Niels,

there are 26 services in eduGAIN and 2735 services globally that seem to have ZERO isRequired="true" and ZERO RequestAttributes in their metadata:

http://www.terena.org/~schofield/servicecatalogue/?fed=eduGAIN&type=SP&numreqattrs=0&numattrs=0
http://www.terena.org/~schofield/servicecatalogue/?type=SP&numreqattrs=0&numattrs=0
*usual disclaimer that this generates a large in-memory database in your browser and if you have as many tabs open as I usually do will cause slowness or crashes*

I'll update the metadata set that my tool uses and hopefully the numbers will go down (I've had some queries lately about this).

While this is true for some services that just want authN - I think that the bulk of these are pilot error rather than intentional.

Some federations seem to have default attribute release positions (possibly legacy, possibly a misreading of their policy by IdPs/SPs, possibly folklore, and Ian confirms that UKf has absent metadata in some instances) - which SPs believe are universally the case and cause problems with metadata exchanged via eduGAIN when they encounter IdPs that don't have these default positions.

SPs need to define what they want - which is especially true for those that want to sign up to the GÉANT DP CoCo.

It would be useful to clarify this (with further discussion on the list) and revise the metadata profile as necessary (and publish in formats accessible to a range of readers).

-Brook


On 27 March 2014 11:13, Niels van Dijk <niels.vandijk AT surfnet.nl> wrote:
Hi all,

I am wondering what to do with an eduGAIN SP that has no attribute
requirements in the metadata.

eduGAIN policy states:
(http://www.geant.net/service/eduGAIN/resources/Documents/eduGAIN_metadata_profile_v3.doc)

"NOTE on <md:RequestedAttribute>: Whenever a Service Provider needs
attributes it should list them as <md:RequestedAttribute> in the
<md:AttributeConsumingService> of its <md:SPSSODescriptor> element to
increase the chance that Identity Providers really release them."

Based on the above I assume that I can connect to this SP not releasing
any attributes. However, the note is a bit ambiguous:
- It does not state "MUST  list them"
- It spells "should" and not "SHOULD" as defined per RFC2119

What is expected behaviour from the IdP?

thanks!
Niels









--
===================================================
Brook Schofield, TERENA Project Development Officer
TERENA Secretariat, Singel 468 D, 1017 AW Amsterdam, The Netherlands
Tel +31 20 530 4488    Fax +31 20 530 4499    Mob +31 65 155 3991
www.terena.org
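
Added example (not part of the thread, and not the code behind the service catalogue linked above): one way a federation operator could list SPs in a SAML metadata aggregate that declare no `<md:RequestedAttribute>` at all, or none with `isRequired="true"`. The function names and the sample aggregate with its `example.org` entityIDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed, trimmed sample aggregate; entityIDs are placeholders.
# A real aggregate should be signature-verified before it is parsed.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{MD}">
  <md:EntityDescriptor entityID="https://sp-a.example.org/sp">
    <md:SPSSODescriptor>
      <md:AttributeConsumingService index="1">
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
                               isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:2.16.840.1.113730.3.1.241"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.org/sp">
    <md:SPSSODescriptor/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.org/sp">
    <md:SPSSODescriptor>
      <md:AttributeConsumingService index="1">
        <md:RequestedAttribute Name="urn:oid:2.5.4.42" isRequired="0"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def sp_attribute_counts(xml_text):
    """Map each SP entityID to (requested, required) attribute counts."""
    counts = {}
    for ent in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        sps = ent.findall(f"{{{MD}}}SPSSODescriptor")
        if not sps:
            continue  # entity has no SP role (e.g. IdP only)
        attrs = [a for sp in sps for a in sp.iter(f"{{{MD}}}RequestedAttribute")]
        # isRequired is an xs:boolean ("true"/"1"); absent means false.
        required = sum(a.get("isRequired", "false").strip() in ("true", "1")
                       for a in attrs)
        counts[ent.get("entityID")] = (len(attrs), required)
    return counts


def sps_without_requested_attributes(xml_text):
    """SPs that declare zero RequestedAttribute elements."""
    return sorted(e for e, (n, _) in sp_attribute_counts(xml_text).items() if n == 0)
```
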


