edugain-discuss - Re: [eduGAIN-discuss] [refeds] mari plan & next steps

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

  • From: Jaime Pérez Crespo <jaime.perez AT uninett.no>
  • To: REFEDS <refeds AT terena.org>
  • Cc: "edugain-discuss AT geant.net" <edugain-discuss AT geant.net>
  • Subject: Re: [eduGAIN-discuss] [refeds] mari plan & next steps
  • Date: Wed, 29 Oct 2014 19:06:40 +0100
  • List-archive: <https://mail.geant.net/mailman/private/edugain-discuss/>
  • List-id: eduGAIN discussion list <edugain-discuss.geant.net>

On 29 Oct 2014, at 18:29 pm, Peter Schober <peter.schober AT univie.ac.at> wrote:
>> That given, how exactly would that force Feide to align its
>> practices with the spec? It reminds me of a different discussion I
>> had last week regarding the CoCo. You could say Feide willingly
>> aligns with the spec, but since Feide is not the holder of the
>> attributes… If we are “forced” to align, what does that mean? Should
>> we go to each and every institution out there and threaten them to
>> kick them out of Feide if they don’t include
>> eduPersonScopedAffiliation and schacHomeOrganization for all their
>> users? Should we do that then even for those users/institutions
>> where sHO, for instance, doesn’t have any semantics and cannot
>> actually have any value?
>
> I regretted having typed "force" immediately when hitting send. It
> should have been "motivate" (you get to play with REFEDS R&S only if
> you comply). And clearly this now is not about FEIDE qua "central
> IDP" doing anything, it is about FEIDE as federation operator documenting
> and encouraging behaviour at institutions to help them interoperate
> with the outside world. Same as we "full mesh" types all do.

No worries Peter, I got your point and I even agree with you to some extent,
but I wanted to point out that our capabilities as fedops are the same as in
a mesh federation, even though we are H&S.

> Whether institutions connect LDAP servers to a central FEIDE IDP, or
> connect LDAP server to their own IDP is immaterial here: You're in the
> same boat as all "full mesh" federations.
> So how come it should be more difficult for you (compared to most
> others) to get your institutions configured properly? That's the part
> I fail to get.

The thing is… All H&S federations will have that in common with mesh
federations, unless the hub is not only a hub but a central directory. In our
case, things are even harder than for most mesh federations, since we are H&S
*and* we have one single IdP. *We* at Feide are the IdP. If I follow the
example of R&S, then we have the following possibilities:

- We refuse to provide some of the attributes required and therefore we are
out of it. Our life is harder and miserable. Same for our institutions.
- We accept the R&S category in what relates to attribute release policy, but
given that (some of) our institutions don’t provide certain attributes, we
are kicked out of the REFEDS R&S. Our life is harder and miserable. So it is
for all our institutions, regardless of them complying with the attribute
policy or not.
- Again, we accept the R&S category, and we stay there *even though* some of
our institutions don’t comply with the attribute policy. As a result, SPs in
R&S won’t work for some of our institutions. The life of those institutions’
users is hard and miserable. So it is for the institution administrators, and
subsequently the same for us as federation operators. It’s also like that for
SP administrators who can’t get some of their potential clients to talk to
them. Hence, our life in Feide is even harder and more miserable.

Of course I’m exaggerating a lot, but I think you can see my point. With the
current scenario and technology, there’s no way out of this mess for us. Of
course we could just manually adjust the attribute release policies per SP so
that everyone gets what they need (and we can provide), but that doesn’t
scale very well, right?

--
Jaime Pérez
UNINETT / Feide
mail: jaime.perez AT uninett.no
xmpp: jaime AT jabber.uninett.no

"Two roads diverged in a wood, and I, I took the one less traveled by, and
that has made all the difference."
- Robert Frost





