
edugain-discuss - Re: [eduGAIN-discuss] [eduGAIN-SG] issue on metadata flow

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] [eduGAIN-SG] issue on metadata flow


  • From: Ian Young <ian AT iay.org.uk>
  • To: Tomasz Wolniewicz <twoln AT umk.pl>
  • Cc: idem-staff AT garr.it, edugain-tsg AT geant.net, edugain-discuss AT geant.net, marco Malavolti <marco.malavolti AT garr.it>
  • Subject: Re: [eduGAIN-discuss] [eduGAIN-SG] issue on metadata flow
  • Date: Mon, 7 Jul 2014 10:45:59 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>


On 7 Jul 2014, at 10:30, Tomasz Wolniewicz <twoln AT umk.pl> wrote:

> Ian, how do the members of your federation tell an eduGAIN entity from a
> proper UK Federation one? I would imagine that being a member of the UK
> Federation carries some additional guarantees for other UK members,
> therefore if I were a UK IDP I would much sooner release attributes to a UK
> registered SP than to a Polish one.

We ensure that all entities, whether UKf registered or imported through
eduGAIN, have RegistrationInfo/@registrationAuthority. We also ensure that no
entities imported through eduGAIN can have a registrationAuthority that
claims to be the UKf.

We sponsored the development of a Shibboleth V2 IdP extension:

https://github.com/ukf/mdrpi-match-idp-ext

This allows IdPs to allow registrationAuthority to be used as part of
attribute release policies if they think it's relevant. Of course one could
argue that trustworthiness for the purposes of attribute release is only
loosely connected with the source of the registration as long as we're
talking about eduGAIN participants. I wouldn't say that UKf IdPs should
necessarily regard Polish-registered SPs as inherently less trustworthy, but
we leave that kind of thing up to the individual IdP to decide. We provide
the information to be used, we don't dictate the policy.

> Assuming that SPs can tell which IDPs come from eduGAIN, I think that they
> should follow a requirement that before they start adding IDPs from eduGAIN
> they must first be exported to eduGAIN themselves.

Yes, SPs can tell which IdPs come from eduGAIN. The problem is that many SPs
-- even commercial SPs -- cut corners when designing their discovery
interface and just list everything, rather than for example just their
customers.

So the issue comes down to what you mean by "start adding IdPs from eduGAIN".
If adding an IdP to a discovery interface was something that happened as a
result of a conscious decision, I doubt that there would be a problem. In
this case, though, there is clearly no conscious decision being made and a
lot of junk of all kinds is appearing.

-- Ian
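The two invariants Ian describes (every entity carries mdrpi:RegistrationInfo/@registrationAuthority, and nothing imported via eduGAIN may claim the local federation as its registrar) can be enforced as a check on the imported aggregate before it is merged. The following is an added example, not UKf code or the mdrpi-match-idp-ext extension; the local registrationAuthority value and the three sample entities are constructed assumptions.

```python
"""Added example: sanity check on an eduGAIN-style import feed.
Flags entities with no registrationAuthority and entities that falsely
claim the local federation's registrationAuthority (both must be dropped)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}
# Assumed value for the local federation's registrar; replace with the real one.
LOCAL_AUTHORITY = "http://ukfederation.org.uk"

# Constructed import feed: one properly registered foreign entity, one with no
# RegistrationInfo at all, and one that spoofs the local registrationAuthority.
IMPORTED_FEED = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" Name="http://example.org/edugain">
  <md:EntityDescriptor entityID="https://sp.example.pl/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://www.pionier.net.pl/"/>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.noreg.example"/>
  <md:EntityDescriptor entityID="https://sp.spoof.example">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/>
    </md:Extensions>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def registration_authority(entity):
    """Return the entity's registrationAuthority, or None if it has none."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return None if info is None else info.get("registrationAuthority")


def check_imported_feed(xml_text, local_authority=LOCAL_AUTHORITY):
    """Return {entityID: reason} for every imported entity that must be rejected."""
    root = ET.fromstring(xml_text)
    problems = {}
    for ent in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        eid = ent.get("entityID")
        ra = registration_authority(ent)
        if not ra:
            problems[eid] = "missing registrationAuthority"
        elif ra == local_authority:
            problems[eid] = "imported entity claims local registrationAuthority"
    return problems
```

Running check_imported_feed(IMPORTED_FEED) rejects the second and third sample entities and lets the Polish-registered SP through, which is the point: the registrar is recorded faithfully and the IdP, not the aggregator, decides what to do with it.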
