edugain-discuss - Re: [eduGAIN-discuss] issue on metadata flow

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] issue on metadata flow


  • From: Kristof Bajnok <bajnokk AT niif.hu>
  • To: Ian Young <ian AT iay.org.uk>
  • Cc: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] issue on metadata flow
  • Date: Thu, 31 Jul 2014 15:17:44 +0200
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>
  • Organization: NIIF Institute

Hi Ian,

On 2014-07-07 11:05, Ian Young wrote:
> On 7 Jul 2014, at 09:47, Lalla Maria Laura Mantovani
> <marialaura.mantovani AT garr.it> wrote:
>
>> Why then did these SPs know the metadata of these Italian IdPs? The reason
>> is that the metadata of Italian IdPs that opt in to eduGAIN were
>> included in the UK Federation metadata.
>> I don't understand whether this happened because of a mistake in your
>> procedure, or whether this is a desired flow.
>
> Yes, the presence of all eduGAIN entities in the UKf production
> aggregate is by design. We've talked about this on the lists before; we
> think it's better than the alternative.
>
>> I have to say that I don't like that Italian end users got an error
>> message that they don't understand and we as the Italian federation
>> operator can't do anything to help them.
>
> We don't think that's optimal either. If those SPs are indeed of use to
> Italian users, then we should work to get those SPs exported into eduGAIN.
>
> The last couple of times this has come up, though, this was just a
> result of someone trying out an SP that they had no reason to believe
> would give them access anyway. I don't think that kind of case is as
> problematic.

Something very similar happened to me.

A colleague tried to log in to the Janet v-scene video management portal.
It's not easy to determine whether the service is accessible to every
authenticated user or just the English ones. Even the plain manual
registration form offers "NIIF Institute" as a valid choice; most
probably it uses the same source of information. So the answer is: I
don't know, let's try it. But the received IdP (!) error causes false
hopes and misdirected complaints...

I have no objections to other federations redistributing our metadata;
however, if it is not bilateral, it certainly results in error messages
that are unparseable by mortals.

Why don't you simply publish your SP metadata and let the SP's access
control bail out with a (more likely) relevant error if the service is
not available to the user? A possible answer is that many of the
services use authentication=authorisation. But how far should a federation
support this misbehaviour? In my opinion, the expected result
should be something like: "Based on the information provided to this
application about you, you are not authorized to use this resource". If
a service is unable to provide such an answer, it's their problem.

[After thinking a minute or two] But no, protecting SPs cannot be the
cause. If I manually add the v-scene SP to my IdP, I'll get back to the
application anyway. Then why can't the UK SP metadata pieces simply go
to eduGAIN?

Sorry if it was asked before, RTFA is a legitimate answer for such an
old topic. (With a link, please.)

Kristof
