An open discussion list for topics related to the eduGAIN interfederation service.

[Olivier Salaün <olivier.salaun AT renater.fr>]

Hello,

I noticed that 108 SAML entities in eduGAIN MDS metadata have the hide-from-discovery entity category set.
I checked what kind of IdPs have this attribute set and it turns out that most of these IdPs have entityIDs looking like https://idp-test.xx or https://idp-dev.xx. I therefore suppose they are not production IdPs. I can also suppose that some of these IdPs allow login with test accounts.

I don't like the idea of eduGAIN metadata including non production SAML entities, especially IdPs, because it brings a risk of user impersonation for all production SPs. It sounds strange to mix test IdPs with production IdPs while we all talk LoA and try to convince institutions they should improve their identity management processes :-\

Since these IdPs are flagged as "hide-from-discovery" in eduGAIN metadata, I am able to filter them out, but 1) "hide-from-discovery" does not mean "test SAML entity", given the spec <https://refeds.org/category/hide-from-discovery/> and 2) it moves the filtering burden to downstream eduGAIN metadata processing, whereas it could be done by the registering federation.

Actually why do federation include such test IdPs in their eduGAIN upstream metadata? Are their real use cases?
Any chance these test IdPs would be removed from upstream eduGAIN metadata?

Regards.

--

Olivier Salaün Etudes et projets applicatifs
Tél : +33 2 23 23 71 27 Fax : +33 2 23 23 71 11 www.renater.fr	RENATER 263 Avenue du Gal Leclerc 35042 Rennes Cedex