
edugain-discuss - Re: [eduGAIN-discuss] Filtering eduGAIN SPs

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Mikael Linden <mikael.linden AT csc.fi>
  • To: Olivier Salaün <olivier.salaun AT renater.fr>, <edugain-discuss AT geant.net>
  • Subject: Re: [eduGAIN-discuss] Filtering eduGAIN SPs
  • Date: Fri, 3 Oct 2014 12:39:50 +0300 (EEST)
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

Hi Olivier,

 

In the design of eduGAIN policy we intentionally reserved a right for participant federations to filter out SPs if needed. The reasoning was that it is possible that certain SPs can be illegal in some countries. I think the example was that on-line gambling was illegal in France (I’m not sure if that’s true anymore) and the French federation may have a legal obligation to filter out such an SP, if it shows up in eduGAIN.

 

Of course the usefulness of eduGAIN becomes questionable if participant federations start to apply aggressive filtering policies. After all, the idea of an interfederation is to interfederate.

 

Cheers,

mikael

 

From: Olivier Salaün [mailto:olivier.salaun AT renater.fr]
Sent: 3 October 2014 12:17
To: edugain-discuss AT geant.net
Subject: [eduGAIN-discuss] Filtering eduGAIN SPs

 

Hello,

Since July 2014 the French federation has adopted an opt-out for French IdPs to join eduGAIN. This implies that we include all eduGAIN SPs in our renater-metadata.xml metadata file. We recently had internal discussions at RENATER regarding eduGAIN SPs filtering.

Within our national federation we have a workflow for so-called partner organizations registration. Partner organizations are non E/R organizations running federated services for E/R users. The decision to accept a partner organization within our federation depends on the kind of service they propose to the E/R community; it should be somehow related to the activity of users within their E/R institution (access to documentation, software, outsourced internal services). For example we rejected https://www.myunidays.com/ request to join our federation. On the other hand MET <https://met.refeds.org/met/met/search_service/?entityid=uniday> tells me this SP has successfully joined other federations (Turkey, New Zealand, US, Ireland, DFN, UK, Australia). I am aware that each federation has its own policy/workflow regarding partner SPs acceptance.

In the current situation we might get https://www.myunidays.com/ SP included in our federation metadata through eduGAIN and that's something we don't want. Therefore we consider setting up eduGAIN SPs filtering.

It seems that nothing in eduGAIN constitution forbids SAML entities filtering, as mentioned in chapter 3.3 of <http://www.geant.net/service/eduGAIN/resources/Documents/GN3-10-326%20eduGAIN_constitution%20v2.0.pdf>

An individual Participant Federation or Home Organisation MAY decide not to communicate with a Service Provider exchanged through eduGAIN. An individual Participant Federation or Service Provider MAY decide not to communicate with an Identity Provider exchanged through eduGAIN.

I'm curious to know if other federations are doing/considering filtering eduGAIN metadata too? If so what sort of filtering policies do you have?

Thanks.

--


 

Olivier Salaün
Etudes et projets applicatifs
 

Tél : +33 2 23 23 71 27
Fax : +33 2 23 23 71 21

www.renater.fr

RENATER
263 Avenue du Gal Leclerc
35042 Rennes Cedex

 



