
edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] Filtering eduGAIN SPs


  • From: Ian Young <ian AT iay.org.uk>
  • To: Olivier Salaün <olivier.salaun AT renater.fr>
  • Cc: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] Filtering eduGAIN SPs
  • Date: Fri, 3 Oct 2014 10:50:37 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>


On 3 Oct 2014, at 10:17, Olivier Salaün <olivier.salaun AT renater.fr> wrote:

> I am aware that each federation has its own policy/workflow regarding partner SPs acceptance.

Right. The general approach taken by the eduGAIN policy suite is that there are no central rules as to what the participants may pass through to eduGAIN, except that the entities should be acceptable in their own local federation. This is bound to mean that some entities will be acceptable in one federation and not another, which in turn means that eduGAIN metadata may indeed end up with entities which some participants would not have permitted, or even find objectionable. I think those are two different cases, though; in most cases, I think we in the UKf are going to be content for this to happen under a "marge d'appréciation" (which is originally a French concept, I believe, before it was anglicised as "margin of appreciation") and only in exceptional circumstances would we want to take action to exclude something.

> In the current situation we might get https://www.myunidays.com/ SP included in our federation metadata through eduGAIN and that's something we don't want.

I don't want to talk too much about the particular case, but I would be interested in knowing in general terms why you feel that you need to exclude it from your metadata. Is there a general category this falls into which is problematic for you, or is this particular site exceptional?

> It seems that nothing in the eduGAIN constitution forbids SAML entities filtering

No, and that was something I personally felt very strongly about. It should always be at the discretion of each participant federation what they re-publish to their membership. You should be able to filter out or otherwise modify any metadata you get from eduGAIN, for any reason that makes sense to you.

Of course, eduGAIN is unlikely to be successful if we all throw away lots of eduGAIN metadata for different reasons, but I think it's important that we *can* do so if we feel that we need to.

> I'm curious to know if other federations are doing/considering filtering eduGAIN metadata too? If so what sort of filtering policies do you have?

The UKf has quite a lot of filtering in place, and at the moment we are blocking something like 25-30 entities from eduGAIN. At present, these are all being automatically filtered on technical grounds rather than broader policy grounds, but we do have the ability to filter arbitrary entities should we ever be asked to do so. So far, that has not come up.

On the technical side, about half of those entities are being rejected because they have 1024-bit RSA keys, and most of the remainder because of SAML metadata errors of one kind or another. I try and keep the number down by reporting errors to the federation operators, and there are some historical cases where it's possible to automatically fix the broken metadata where I've just written code to do that rather than try and persuade everyone to fix things locally (e.g., the "mailto:" thing, or white space around URL elements).

-- Ian



Attachment: smime.p7s
Description: S/MIME cryptographic signature
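The technical filtering Ian describes (rejecting entities with 1024-bit RSA keys, and automatically repairing small metadata defects such as a missing "mailto:" scheme or whitespace around URL-valued elements) can be illustrated with a short stand-alone script. This is an added example, not code from the UK federation or from Ian; it parses a constructed SAML 2.0 metadata aggregate with the standard library only. To avoid certificate parsing it assumes keys are published in the ds:KeyValue/ds:RSAKeyValue form (real aggregates mostly carry ds:X509Certificate, where the modulus would first have to be extracted from the certificate), it takes "the mailto: thing" to mean EmailAddress values lacking the mailto: scheme, and it treats only md:OrganizationURL and md:EmailAddress as the URL-valued elements to clean. The entityIDs, key sizes and defects in the sample are all constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 metadata and XML Signature.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def rsa_key_bits(modulus_b64: str) -> int:
    """Bit length of an RSA modulus given as the base64 text of ds:Modulus."""
    raw = base64.b64decode("".join(modulus_b64.split()))
    return int.from_bytes(raw, "big").bit_length()


def make_modulus(bits: int) -> str:
    """Constructed dummy modulus of exactly `bits` bits (top bit set, odd).
    It is not a real key; only its size matters for this example."""
    n = (1 << (bits - 1)) | 1
    return base64.b64encode(n.to_bytes(bits // 8, "big")).decode()


# Constructed aggregate: one SP with a 1024-bit key (to be dropped) and one
# with a 2048-bit key plus two repairable metadata defects.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:EntityDescriptor entityID="https://weak.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
        <ds:Modulus>{make_modulus(1024)}</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://weak.example.org/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://fixable.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue>
        <ds:Modulus>{make_modulus(2048)}</ds:Modulus><ds:Exponent>AQAB</ds:Exponent>
      </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://fixable.example.org/acs" index="0"/>
    </md:SPSSODescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">Fixable Org</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">Fixable Org</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">
        https://fixable.example.org/
      </md:OrganizationURL>
    </md:Organization>
    <md:ContactPerson contactType="technical">
      <md:EmailAddress>admin@fixable.example.org</md:EmailAddress>
    </md:ContactPerson>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def filter_and_fix(xml_text: str, min_bits: int = 2048):
    """Drop entities whose RSA keys are shorter than min_bits and repair the
    two cosmetic defects in the rest. Returns (xml, rejected, repaired)."""
    root = ET.fromstring(xml_text)
    rejected, repaired = {}, {}
    for ed in list(root.findall("md:EntityDescriptor", NS)):
        eid = ed.get("entityID")
        sizes = [rsa_key_bits(m.text or "") for m in ed.iterfind(".//ds:Modulus", NS)]
        weak = [b for b in sizes if b < min_bits]
        if weak:
            # Technical ground for exclusion: key too short for the policy.
            rejected[eid] = [f"RSA key of {b} bits (< {min_bits})" for b in weak]
            root.remove(ed)
            continue
        log = []
        # Whitespace around anyURI-valued elements: strip it in place.
        for path in (".//md:OrganizationURL", ".//md:EmailAddress"):
            for el in ed.iterfind(path, NS):
                text = el.text or ""
                if text != text.strip():
                    el.text = text.strip()
                    log.append(f"stripped whitespace in {path.split(':')[-1]}")
        # EmailAddress is an anyURI; add the mailto: scheme when missing
        # (assumed reading of "the mailto: thing").
        for el in ed.iterfind(".//md:EmailAddress", NS):
            if el.text and not el.text.lower().startswith("mailto:"):
                el.text = "mailto:" + el.text
                log.append("added mailto: scheme to EmailAddress")
        if log:
            repaired[eid] = log
    return ET.tostring(root, encoding="unicode"), rejected, repaired


if __name__ == "__main__":
    cleaned, dropped, fixed = filter_and_fix(SAMPLE)
    for eid, why in dropped.items():
        print("REJECTED", eid, why)
    for eid, what in fixed.items():
        print("REPAIRED", eid, what)
    print(cleaned)
```

The script keeps the two decisions separate on purpose: a weak key is a policy decision that removes the whole entity from what is re-published, while the whitespace and mailto: repairs change nothing about who is trusted and so can safely be applied automatically, which is the distinction Ian draws between filtering and fixing.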



