An open discussion list for topics related to the eduGAIN interfederation service.

[Lukas Hämmerle <lukas.haemmerle AT switch.ch>]

Sorry for joining this discussion a bit late (mail client did not
automatically check for new mails for this mail sub folder yet)...


> I wonder if this tool is interesting for the eduGAIN community in
> general, and if it could be provided/supported as part of the eduGAIN
> service.

Independent of the discussion about metadata usage rules (I like the
"Metadata wants to be free" statement ;-) ) and coming back to Mikael's
initial question:

Personally I am in favor and would support introducing a metadata
monitoring check tool of the kind like weblicht because it would help
increasing eduGAIN's overall service quality (as perceived by the end
user). In the first line, IMHO Identity Providers have to be monitored
for this. Service Provider are of less concern because if they don't
know an eduGAIN IdP, it's their own fault and consequently it's them how
show the user an error message.

Weblicht in its current state might be a bit confusing and there
certainly are aspects that can be improved. But generally, I would favor
a monitoring service that initiates a login (see below) on a given
test Service Provider in eduGAIN *with all Identity Providers* listed in
eduGAIN. The expected result should be a login form where a user could
authenticate. If an Identity Provider however does not have metadata for
the test Service Provider, it most likely will show an error message.

Because most Identity Providers either use Shibboleth and Simple SAML
PHP, detecting these errors should be feasible. For those Identity
Provider that output an error message, it can be assumed that they don't
consume eduGAIN metadata. The metadata check service then can either:

A. Inform the operator of the federation that registered this Identity
Provider. It would then be the duty of the federation operator to
contact the IdP administrators to fix the problem

B. Inform the technical contact (listed in eduGAIN metadata) of the
affected Identity Provider directly

The metadata check service should allow federation operators to choose
which behaviour they prefer, A or B.


Best Regards
Lukas

-- 
SWITCH
Lukas Hämmerle, Central Solutions
GÉANT Project Task Leader "Enabling Users"
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 05, direct +41 44 268 15 64
lukas.haemmerle AT switch.ch, http://www.switch.ch