Skip to Content.

edugain-discuss - Re: [eduGAIN-discuss] RENATER moved to eduGAIN opt-out for Identity Providers

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

List archive


Re: [eduGAIN-discuss] RENATER moved to eduGAIN opt-out for Identity Providers


Chronological Thread 
    < Chronological >      < Thread >
  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] RENATER moved to eduGAIN opt-out for Identity Providers
  • Date: Tue, 22 Jul 2014 21:56:45 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass header.i= AT univie.ac.at
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>
  • Organization: ACOnet
Salut Olivier,

* Olivier Salaün <olivier.salaun AT renater.fr> [2014-07-22 19:34]:
> We moved to this organization on July 1st; we now publish 224 French
> IdPs to eduGAIN upstream.

Excellent news, congratulations. This makes a strong argument for
centrally managing and distributing attribute release policies, I
guess.
Why do I put it this way? Because I woultn't forsee a problem moving
all eduID.at IDPs into eduGAIN (providing opt-out), but it wouldn't
help a bit without support for service catgories and controlled,
automated attribute release in place at those IDPs. Which turns out to
be rather difficult and a long-winded process, from early experiences.

So far we have only exported IDPs to eduGAIN after (strongly)
recommending scalable attribute policies (i.e., based on entity
categories) to them, but we have not actually prevented any IDPs from
joining if they don't.

> The instructions for the RENATER community is:
>
> * you run an IdP and you accept to be in eduGAIN: keep loading
> renater-metadata.xml file
> * you run an IdP and you opted-out for eduGAIN: load
> sps-renater-metadata.xml
> * you run an SP and you wish to join eduGAIN: load
> idps-renater-metadata.xml + idps-edugain-metadata.xml
> * you run an SP and you don't need eduGAIN: keep loading
> renater-metadata.xml file

Jfyi, as a comparison: eduID.at publishes two (main) downstream feeds:

* aconet-registered.xml: contains all entities registered by ACOnet,
to be used by SPs that don't interfederate via eduID.at (and IDPs
that don't care, or "opt-out", in your model)
* aconet-interfed.xml: contains all of the above plus any
interfederated entities (from eduGAIN), to be used by /all/ IDPs and
by any interfederated SPs.

This covers all cases and seems to me is a bit easier to understand
too (with exactly /one/ metadata URL to load, ever), but YMMV.

Best regards,
-peter

Attachment: smime.p7s
Description: S/MIME cryptographic signature


Archive powered by MHonArc 2.6.19.

Top of Page