
edugain-discuss - [eduGAIN-discuss] RENATER moved to eduGAIN opt-out for Identity Providers

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Olivier Salaün <olivier.salaun AT renater.fr>
  • To: edugain-discuss AT geant.net
  • Subject: [eduGAIN-discuss] RENATER moved to eduGAIN opt-out for Identity Providers
  • Date: Tue, 22 Jul 2014 19:32:17 +0200
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

Hello,

I thought our experience could be worth sharing in the list.

While joining eduGAIN we first considered having a single rule for French SPs and IdPs to join eduGAIN. We then realized that it would take many years and lots of effort to get a reasonable share of our IdPs to join eduGAIN. Eventually we decided to keep opt-in for SPs and move to opt-out for IdPs, cf. the thread "RENATER moving to eduGAIN opt-out for IdPs" we started in this list on 18/02/2014.

We moved to this organization on July 1st; we now publish 224 French IdPs to eduGAIN upstream.

It makes sense to have a different policy for SPs and IdPs because:
  • currently very few SPs are international services,
  • SP admins that join eduGAIN anyway need to customize their Discovery Service to show foreign IdPs,
  • IdP admins should consider eduGAIN as the natural extension of their national federation (à la eduroam). If not, eduGAIN does not make much sense.

Opt-out leads to IdP metadata being published by default in eduGAIN upstream, therefore we should ensure that they also automatically have eduGAIN SP metadata loaded. To achieve this we decided to include metadata for eduGAIN SPs directly into our renater-metadata.xml file.

In the end we publish the following sets of metadata:
  • renater-metadata.xml : national IdPs + national SPs + eduGAIN SPs
  • idps-renater-metadata.xml : national IdPs
  • sps-renater-metadata.xml : national SPs
  • idps-edugain-metadata.xml : eduGAIN IdPs
  • sps-edugain-metadata.xml : eduGAIN SPs

The instructions for the RENATER community are:
  • you run an IdP and you accept to be in eduGAIN: keep loading renater-metadata.xml file
  • you run an IdP and you opted out of eduGAIN: load sps-renater-metadata.xml
  • you run an SP and you wish to join eduGAIN: load idps-renater-metadata.xml + idps-edugain-metadata.xml
  • you run an SP and you don't need eduGAIN: keep loading renater-metadata.xml file

Our federation registry has been adapted:

  • to allow SP admins to join eduGAIN,
  • to automatically add IdPs to eduGAIN,
  • to provide an eduGAIN opt-out option for IdP admins

Until now we've had 4 IdP admins opt out of eduGAIN.

--


 
Olivier Salaün
Etudes et projets applicatifs
 
Tél : +33 2 23 23 71 27
Fax : +33 2 23 23 71 21
www.renater.fr
RENATER
263 Avenue du Gal Leclerc
35042 Rennes Cedex
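
The file layout and loading instructions described in the message above, as an added example that is not part of the original post or RENATER's own code: it splits two SAML metadata aggregates by role, composes the five published files, and computes which peers each kind of member ends up loading. The entityIDs, the function names and the `LOAD` table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
IDP, SP = "IDPSSODescriptor", "SPSSODescriptor"

def sample(*members):
    """Constructed, minimal aggregate; entityIDs are placeholders, not real members."""
    root = ET.Element(f"{{{MD}}}EntitiesDescriptor")
    for entity_id, role in members:
        ent = ET.SubElement(root, f"{{{MD}}}EntityDescriptor", entityID=entity_id)
        ET.SubElement(ent, f"{{{MD}}}{role}")
    return root

def by_role(root, role):
    """EntityDescriptors in an aggregate that carry the given role descriptor."""
    return [e for e in root.findall("md:EntityDescriptor", NS)
            if e.find(f"md:{role}", NS) is not None]

def build_sets(national, edugain):
    """The five published files from the message, as lists of EntityDescriptors."""
    n_idp, n_sp, e_idp, e_sp = (by_role(a, r) for a in (national, edugain) for r in (IDP, SP))
    return {
        "renater-metadata.xml": n_idp + n_sp + e_sp,
        "idps-renater-metadata.xml": n_idp,
        "sps-renater-metadata.xml": n_sp,
        "idps-edugain-metadata.xml": e_idp,
        "sps-edugain-metadata.xml": e_sp,
    }

# Loading instructions from the message: (own role, takes part in eduGAIN) -> files.
LOAD = {
    (IDP, True): ["renater-metadata.xml"],
    (IDP, False): ["sps-renater-metadata.xml"],
    (SP, True): ["idps-renater-metadata.xml", "idps-edugain-metadata.xml"],
    (SP, False): ["renater-metadata.xml"],
}

def trusted_peers(sets, role, in_edugain):
    """entityIDs of the opposite role that a member ends up loading."""
    peer = SP if role == IDP else IDP
    loaded = [e for name in LOAD[(role, in_edugain)] for e in sets[name]]
    return sorted(e.get("entityID") for e in loaded if e.find(f"md:{peer}", NS) is not None)

national = sample(("https://idp-a.example/idp", IDP), ("https://idp-b.example/idp", IDP),
                  ("https://wiki-a.example/sp", SP))
edugain = sample(("https://idp.foreign.example/idp", IDP),
                 ("https://sp.foreign.example/sp", SP))
SETS = build_sets(national, edugain)
```

Calling `trusted_peers(SETS, IDP, False)` shows that an opted-out IdP loads only national SPs, while an SP that keeps loading renater-metadata.xml receives eduGAIN SP entries but no eduGAIN IdPs.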

