An open discussion list for topics related to the eduGAIN interfederation service.

[Lalla Maria Laura Mantovani <marialaura.mantovani AT garr.it>]

At 11:05 07/07/2014, Ian Young wrote:

> Mon Jul 07 12:07:11 2014
> Signature verified
> ------------------------------------------------------------
>
>
> On 7 Jul 2014, at 09:47, Lalla Maria Laura Mantovani
> <
> marialaura.mantovani AT garr.it> wrote:
>
> > Why then these SPs knew the
> > metadata of these Italian IdPs? The reason is that the metadata of
> > Italian IdPs that opt-in to eduGAIN were included in the UKFederatation
> > Metadata. 
> > I don't understand if this happened because of a mistake in your
> > procedure, or this is a desired flow. 
>
> Yes, the presence of all eduGAIN entities in the UKf production aggregate
> is by design. We've talked about this on the lists before; we think it's
> better than the alternative.
>
> > I have to say that I don't like
> > that Italian end users got an error message that they don't understand
> > and we as italian federator operator can't do anything to help
> > them.
>
> We don't think that's optimal either. If those SPs are indeed of use to
> Italian users, then we should work to get those SPs exported into
> eduGAIN.

Which is the procedure to evaluate if an SP in UKF is of use to Italian
users?
Is this burden up to you as UK Federation?


> The last couple of times this
> has come up, though, this was just a result of someone trying out an SP
> that they had no reason to believe would give them access anyway.

In this case the SP must not show the IDP in the DS list. IMHO it is
self-defeating to make incurr the end user in a error that he doesn't
understand and give the impression that the federated access is broken or
doesn't work very well.

> I don't think that kind of case
> is as problematic.

Either two case are problematic in my view:
1. if the IDP in italy has right to access the SP, metadata should be in
place on both sides before the user  begin to use it. At present
the  IDP  has no possibility to know the SP's metadata.
2. if the IDP in italy has no right to access the SP, the SP's DS must
not show the IDP in its list. At present the SP shows the wrong IDP in
its DS list.

A different metadata aggregate for eduGAIN is useful because only SPs
that are really ready to consume international metadata and able to offer
their service to their international users will be in the game, and for
this reason opted in for eduGAIN.
If an SP is not able to offer a right service to their users, and it
shows unpredictable errors only because it is not able to correctly
manage the metadata, is better to stay out of the game.
At the end I believe that also the SP in question is unaware that he is
consuming additional metadata that UKfederation provides to him without
reciprocity. But if this reciprocity is not provided by the federation, I
no more understand which is the federation role.


> > Italian entities that opt-in
> > eduGAIN consume eduGAIN metadata. They didn't opt-in to UKFederation, so
> > they don't consume UKF metadata. For this, UK entities that didn't opt-in
> > eduGAIN must not consume eduGAIN metadata because acting in this way they
> > only cause errors.
>
> That's not the way our system works. We're aiming towards a future where
> all UKf entities are full participants in eduGAIN, so we don't want our
> entities to have to consume an additional aggregate in order to see
> entities imported from eduGAIN. We're not the only federation going down
> this route.

I agree on the aim of having full participants in eduGAIN, also in Italy
we aim at this. But this has to happen smoothly. We will have all of our
IdPs in eduGAIN by the end of this month and we have changed the policy
from opt-in to opt-out for IDPs. To reach this target we put in place a
stricter Metadata Profile

https://www.idem.garr.it/it/documenti/doc_download/263-idem-metadata-profile-v1-0-ita-eng

Different is for SPs. If SPs desire to opt-in in eduGAIN they must be
prepared to manage a different metadata set where a lot of IDPs are out
their interest and is up to them to discriminate which IDPs to keep and
which IDPs to discard. If the SP is not still able to manage metadata in
this way, Federation must assure that this SP doesn't consume metadata
that he don't know and don't ask for..


> > So please take away italian
> > entities from the ukfederation metadata.
>
> We can do that if you request it, but it would mean that no UKf entities
> AT ALL, whether opted in to eduGAIN or not, will see imported entities
> from your federation. That doesn't sound to me like the best
> solution.

I hope that you reconsider your decision taking in charge the control of
errors produced, else we can only give up to a mess of errors, instead of
controlling them.

lalla


> -- Ian