
edugain-discuss - Re: [eduGAIN-discuss] Test/dev IdPs in eduGAIN metadata

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] Test/dev IdPs in eduGAIN metadata


  • From: Tomasz Wolniewicz <twoln AT umk.pl>
  • To: edugain-discuss AT geant.net
  • Subject: Re: [eduGAIN-discuss] Test/dev IdPs in eduGAIN metadata
  • Date: Fri, 17 Apr 2015 15:25:44 +0200
  • List-archive: <http://mail.geant.net/pipermail/edugain-discuss/>
  • List-id: "An open discussion list for topics related to the eduGAIN interfederation service." <edugain-discuss.geant.net>

Hi all,
  this can be seen as advertising for the entities database on https://technical.edugai.org, well so be it :). You can get all this data from there with no fuss. The search interface now also allows filtering with respect to SAML 2.0 support.

About test entities:

While currently there are 103 entities matching %test% in entityId, only 31 of them are IdPs, and 30 of these come from the UK; the only remaining one is Spanish.
All 30 UK IdPs are marked as Hide-From-Discovery.

If you search for "Test" as a word in the entire entity, you come up with 71 IdPs, 66 of them come from the UK and 64 of these have Hide-From-Discovery set.

In all there are 108 IdPs marked with Hide-From-Discovery, 107 of them from the UK.
Tomasz





On 2015-04-16 at 13:57, Olivier Salaün wrote:
Hello,

I noticed that 108 SAML entities in eduGAIN MDS metadata have the hide-from-discovery entity category set.
I checked what kind of IdPs have this attribute set and it turns out that most of these IdPs have entityIDs looking like https://idp-test.xx or https://idp-dev.xx. I therefore suppose they are not production IdPs. I can also suppose that some of these IdPs allow login with test accounts.

I don't like the idea of eduGAIN metadata including non production SAML entities, especially IdPs, because it brings a risk of user impersonation for all production SPs. It sounds strange to mix test IdPs with production IdPs while we all talk LoA and try to convince institutions they should improve their identity management processes :-\

Since these IdPs are flagged as "hide-from-discovery" in eduGAIN metadata, I am able to filter them out, but 1) "hide-from-discovery" does not mean "test SAML entity", given the spec <https://refeds.org/category/hide-from-discovery/> and 2) it moves the filtering burden to downstream eduGAIN metadata processing, whereas it could be done by the registering federation.

Actually, why do federations include such test IdPs in their eduGAIN upstream metadata? Are there real use cases?
Any chance these test IdPs would be removed from upstream eduGAIN metadata?

Regards.

--


Olivier Salaün
Studies and application projects
Tel: +33 2 23 23 71 27
Fax: +33 2 23 23 71 11
www.renater.fr
RENATER
263 Avenue du Gal Leclerc
35042 Rennes Cedex



-- 
Tomasz Wolniewicz    
          twoln AT umk.pl        http://www.home.umk.pl/~twoln

Uczelniane Centrum Informatyczne   Information&Communication Technology Centre
Uniwersytet Mikolaja Kopernika     Nicolaus Copernicus University,
pl. Rapackiego 1, Torun               pl. Rapackiego 1, Torun, Poland
tel: +48-56-611-2750     fax: +48-56-622-1850       mobile: +48-693-032-576
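The classification Tomasz describes (IdPs with %test% in the entityID, "Test" as a word anywhere in the descriptor, and the Hide-From-Discovery category broken down by registering federation) and the downstream filter Olivier mentions can both be reproduced directly from a metadata aggregate. The block below is an added example, not code from either author or from the eduGAIN entities database. It parses a constructed sample aggregate: the hostnames, display names and the Spanish registrar URI are fictional, while the SAML metadata namespaces, the http://macedir.org/entity-category attribute name and the REFEDS http://refeds.org/category/hide-from-discovery value are the real ones. It then reports the counts and applies the heuristic "production IdP" filter, with the caveat from the thread that hide-from-discovery is not a test marker.

```python
"""Classify IdPs in a SAML metadata aggregate (constructed example, not eduGAIN data)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

TEST_IN_ENTITYID = re.compile(r"test", re.I)    # the SQL-style %test% match on entityID
TEST_AS_WORD = re.compile(r"\btest\b", re.I)    # "test" as a whole word, anywhere in the entity

# Constructed sample aggregate: four IdPs and one SP. Hostnames, display names and
# the Spanish registrar URI are fictional; namespaces and category URIs are real.
SAMPLE_METADATA = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp-test.example.ac.uk/idp/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/>
      <mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
      </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.test-universidad.example.es/saml">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://federation.example.es/"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/>
      <mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
      </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example University Test IdP</mdui:DisplayName></mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example.ac.uk/shibboleth">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-test.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _entity_categories(ed):
    """Entity-category values carried in mdattr:EntityAttributes (empty set if none)."""
    cats = set()
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY_ATTR:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def parse_entities(xml_text):
    """Flatten every EntityDescriptor (nested EntitiesDescriptors included) into the
    fields needed for classification."""
    entities = []
    for ed in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        # Every attribute value and text node, so "test" is found in display names,
        # URLs or contacts as well as in the entityID itself.
        text = " ".join(v for el in ed.iter() for v in [*el.attrib.values(), el.text or ""])
        entities.append({"entity_id": ed.get("entityID"),
                         "is_idp": ed.find("md:IDPSSODescriptor", NS) is not None,
                         "registrar": reg.get("registrationAuthority") if reg is not None else None,
                         "categories": _entity_categories(ed),
                         "text": text})
    return entities


def hidden_from_discovery(entity):
    return HIDE_FROM_DISCOVERY in entity["categories"]


def summarize_idps(entities):
    """The counts discussed in the thread, computed for this aggregate."""
    idps = [e for e in entities if e["is_idp"]]
    by_id = [e for e in idps if TEST_IN_ENTITYID.search(e["entity_id"])]
    by_word = [e for e in idps if TEST_AS_WORD.search(e["text"])]
    hidden = [e for e in idps if hidden_from_discovery(e)]
    return {"idps": len(idps),
            "test_in_entityid": len(by_id),
            "test_in_entityid_hidden": sum(map(hidden_from_discovery, by_id)),
            "test_as_word": len(by_word),
            "test_as_word_hidden": sum(map(hidden_from_discovery, by_word)),
            "hidden": len(hidden),
            "hidden_by_registrar": Counter(e["registrar"] for e in hidden)}


def production_idps(entities):
    """Downstream filter an SP operator might apply: drop IdPs that are hidden from
    discovery or whose entityID carries a test/dev label. Caveat: hide-from-discovery
    does not mean "test entity", so this can also drop a production IdP that merely
    opted out of discovery listings."""
    return [e for e in entities if e["is_idp"] and not hidden_from_discovery(e)
            and not re.search(r"\b(test|dev)\b", e["entity_id"], re.I)]


if __name__ == "__main__":
    ents = parse_entities(SAMPLE_METADATA)
    print(summarize_idps(ents))
    print([e["entity_id"] for e in production_idps(ents)])
```

Against a real aggregate, call parse_entities() on the file contents after the aggregate's XML signature has been verified; the script deliberately trusts whatever metadata it is handed. The test/dev name match is a heuristic only, and, as Olivier notes, so is using hide-from-discovery as a proxy for "not production".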




