edugain-discuss AT lists.geant.org
Subject: An open discussion list for topics related to the eduGAIN interfederation service.
- From: Ian Young <ian AT iay.org.uk>
- To: Lalla Maria Laura Mantovani <marialaura.mantovani AT garr.it>
- Cc: idem-staff AT garr.it, edugain-tsg AT geant.net, edugain-discuss AT geant.net, marco Malavolti <marco.malavolti AT garr.it>
- Subject: Re: [eduGAIN-discuss] issue on metadata flow
- Date: Mon, 7 Jul 2014 15:28:33 +0100
- List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
- List-id: eduGAIN discussion list <edugain-discuss.geant.net>
On 7 Jul 2014, at 12:05, Lalla Maria Laura Mantovani
<marialaura.mantovani AT garr.it> wrote:
> Which is the procedure to evaluate if an SP in UKF is of use to Italian
> users?
> Is this burden up to you as UK Federation?
I don't see deciding whether an SP is useful as a federation issue but as a
question for the end user establishments. If one of your IdPs thinks an SP
registered by the UKf would be useful to them, the conversation about making
that happen can start in various different ways. In the end, it will probably
involve (to some extent) both federations, the IdP and the SP.
> In this case the SP must not show the IDP in the DS list. IMHO it is
> self-defeating to make the end user incur an error that he doesn't
> understand and give the impression that the federated access is broken or
> doesn't work very well.
I agree; the SP should not just list "everything", but only IdPs it knows it
has a relationship with. As Nicole points out, though, this was already the
case before eduGAIN and is already part of our recommendations. We can try
and see whether issuing some additional guidance to our members would help,
but I'm not confident that we can ever fully fix this problem.
> A different metadata aggregate for eduGAIN is useful because only SPs that
> are really ready to consume international metadata and able to offer their
> service to their international users will be in the game, and for this
> reason opted in for eduGAIN.
I have already given some of the reasons we think that the other approach is
superior. I realise you don't agree, and I respect your federation's right to
make a different decision, but I'd ask you to give us the same consideration.
> I agree on the aim of having full participants in eduGAIN, also in Italy we
> aim at this. But this has to happen smoothly. We will have all of our IdPs
> in eduGAIN by the end of this month and we have changed the policy from
> opt-in to opt-out for IDPs.
That is good news; thanks for sharing that. If that goes well I'm sure a
number of other federations will be encouraged to follow.
> It is different for SPs. If SPs desire to opt in to eduGAIN they must be
> prepared to manage a different metadata set where a lot of IDPs are outside
> their interest and it is up to them to discriminate which IDPs to keep and
> which IDPs to discard. If the SP is still not able to manage metadata in
> this way, the Federation must assure that this SP doesn't consume metadata that
> he doesn't know and doesn't ask for.
I don't see that this is any different than the situation within a single
large federation. With a large number of SPs and a large number of IdPs, it
will always be the case that many IdPs are not relevant to any given SP. That
doesn't mean that it is the federation's job to separate out the ones which
are. The federation should of course provide the information which *enables*
the SP to do the right thing, and I think we do.
>>> So please take away Italian entities from the ukfederation metadata.
>>
>> We can do that if you request it, but it would mean that no UKf entities
>> AT ALL, whether opted in to eduGAIN or not, will see imported entities
>> from your federation. That doesn't sound to me like the best solution.
>
> I hope that you reconsider your decision taking in charge the control of
> errors produced, else we can only give up to a mess of errors, instead of
> controlling them.
What you have suggested is that we stop republishing eduGAIN IdPs in our
production aggregate and move to the kind of multiple aggregate setup you are
using. This is a decision we made a long time ago, and still feel is the
right one for us. I think that it is very unlikely that we will change it
unless the current situation turns out to be completely untenable. Even then,
I think our feeling would be that the best way to resolve this transitional
issue would be to move past it rather than backing away in the way you
suggest.
Of course we will keep the situation under review. In particular, I will make
sure we discuss this at our next monthly meeting.
You originally asked specifically:
> So please take away Italian entities from the ukfederation metadata.
I do not think this is a good idea. We can potentially comply with this
request, but it would mean that as far as UKf members were concerned your
federation was no longer part of eduGAIN. I hope you agree that this would be
undesirable for all parties and I hope that you will wish to withdraw this
request now that I have made the consequences clear. If you wish us to
proceed, however, please confirm the request to Rhys and myself off-list and
I will arrange for it to be discussed at our next monthly meeting.
-- Ian