
edugain-discuss - SV: [eduGAIN-discuss] Assessment of Russia/RUNNet AAI for eduGAIN membership

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.



SV: [eduGAIN-discuss] Assessment of Russia/RUNNet AAI for eduGAIN membership


  • From: Pål Axelsson <pax AT sunet.se>
  • To: Brook Schofield <brook.schofield AT geant.org>, edugain-discuss AT lists.geant.org
  • Cc: Порхачев Василий <porhachev AT runnet.ru>, "Ilya V. Vasiliev" <vasilyev AT runnet.ru>, Peter Schober <peter.schober AT univie.ac.at>, Guy Halse <guy AT tenet.ac.za>
  • Subject: SV: [eduGAIN-discuss] Assessment of Russia/RUNNet AAI for eduGAIN membership
  • Date: Wed, 11 Apr 2018 20:42:25 +0200
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=sunet-se.20150623.gappssmtp.com

Hi,


Better late than never: I have read through the documents for RUNNetAAI and have some comments.


The first comment is on future-proofing. I think it would be good to change the name of the RUNNetAAI Technology Profile to RUNNetAAI SAML Technology Profile, to open up for the inclusion of new federation protocols in the future.


Under section 4.3 in the RUNNetAAI Technology Profile it's stated that 1024-bit RSA keys are the minimum key length. As a new federation there is no reason not to demand key lengths of at least 2048 bits.


Under section 5.3 in the RUNNetAAI Technology Profile you're describing that all Identity Providers SHOULD assert the attribute eduPersonAffiliation. If you look into the entity category REFEDS Research and Scholarship, they recommend the use of eduPersonScopedAffiliation in an interfederated environment instead, because eduPersonAffiliation is home-organisation specific.


In section 5.4 of the Metadata Registration Practice Statement it would be good to require the shibmd:Scope element in metadata for Identity Providers, because that is often the only way a Service Provider in an interfederated environment can automatically check that a scoped attribute in an attribute release, e.g. eduPersonPrincipalName and eduPersonScopedAffiliation, belongs to the asserting Identity Provider, i.e. fulfilling the requirements you've described in section 5.1 of the same document.


Under section 5.4 of the Metadata Registration Practice Statement I would recommend that you add mdui:Logo. Furthermore, I would recommend that for Identity Providers that will be available in an interfederated environment you also require the use of English names, descriptions, logos and so on.


Under section 5.4 of the Metadata Registration Practice Statement you should also add requirements for Service Providers if they want to be interfederated. It should then be the same data as for Identity Providers, except shibmd:Scope, but with the addition of mdui:Description.


Again, sorry for the late read-through, but I hope you find my comments helpful.


Pål Axelsson
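As an added example, not part of the message above or of the RUNNetAAI documents it discusses: the Python check below (standard library only) implements the two metadata points raised for Identity Providers, namely verifying that a scoped attribute value such as eduPersonPrincipalName belongs to the asserting IdP by matching its scope against the shibmd:Scope elements in that IdP's metadata, and reporting whether an IdP lacks shibmd:Scope, an English mdui:DisplayName or an mdui:Logo. The metadata aggregate, entity IDs and attribute values are constructed for illustration; the key-length point is not covered here.

```python
# Added example (not from the original message or RUNNetAAI): checks a SAML
# metadata aggregate for shibmd:Scope and mdui elements, standard library only.
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample aggregate: one IdP carrying Scope and UIInfo as
# recommended, and one that does not. Entity IDs and URLs are made up.
SAMPLE_METADATA = r"""<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.org</shibmd:Scope>
        <shibmd:Scope regexp="true">^[a-z]+\.example\.org$</shibmd:Scope>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
          <mdui:Logo height="60" width="80">https://idp.example.org/logo.png</mdui:Logo>
        </mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.net/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="ru">Пример</mdui:DisplayName>
        </mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def load_idps(xml_text):
    """Map entityID -> IDPSSODescriptor element for every IdP in the aggregate."""
    root = ET.fromstring(xml_text)
    idps = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        sso = ed.find("md:IDPSSODescriptor", NS)
        if sso is not None:
            idps[ed.get("entityID")] = sso
    return idps


def scopes_for(idp_sso):
    """Return [(scope_text, is_regexp)] from the IdP role's shibmd:Scope elements."""
    return [
        ((s.text or "").strip(), s.get("regexp", "false").lower() == "true")
        for s in idp_sso.findall("md:Extensions/shibmd:Scope", NS)
    ]


def scope_matches(scope, value_scope):
    """Literal scopes compare case-insensitively; regexp scopes must match the
    whole scope string, so an unanchored pattern cannot be widened by a suffix."""
    text, is_regexp = scope
    if is_regexp:
        return re.fullmatch(text, value_scope) is not None
    return text.lower() == value_scope.lower()


def scoped_attribute_accepted(idps, entity_id, attr_value):
    """Accept 'user@scope' only if the asserting IdP's metadata lists that scope.
    An IdP without any shibmd:Scope can never be verified, so it is rejected."""
    sso = idps.get(entity_id)
    if sso is None or "@" not in attr_value:
        return False
    _, value_scope = attr_value.rsplit("@", 1)
    return any(scope_matches(s, value_scope) for s in scopes_for(sso))


def interfederation_gaps(idp_sso):
    """List which of the recommended elements an IdP's metadata is missing."""
    gaps = []
    if not scopes_for(idp_sso):
        gaps.append("shibmd:Scope")
    uiinfo = idp_sso.find("md:Extensions/mdui:UIInfo", NS)
    names = uiinfo.findall("mdui:DisplayName", NS) if uiinfo is not None else []
    if not any(n.get(XML_LANG) == "en" for n in names):
        gaps.append("mdui:DisplayName[en]")
    if uiinfo is None or uiinfo.find("mdui:Logo", NS) is None:
        gaps.append("mdui:Logo")
    return gaps


if __name__ == "__main__":
    idps = load_idps(SAMPLE_METADATA)
    for eid, sso in idps.items():
        print(eid, "missing:", interfederation_gaps(sso) or "nothing")
    print(scoped_attribute_accepted(idps, "https://idp.example.org/idp", "alice@cs.example.org"))
```

The scope check is what a Shibboleth SP does with its scoped-attribute filter rules; the point of requiring shibmd:Scope in the registration practice is that an SP in another federation has no other source of truth for which scopes an IdP may assert, so a value like alice@example.org.evil.com asserted by idp.example.org is rejected here even though it ends in the registered domain.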

From: Brook Schofield <brook.schofield AT geant.org>
Sent: 6 April 2018 11:37
To: edugain-discuss AT lists.geant.org
Cc: Порхачев Василий <porhachev AT runnet.ru>; Ilya V. Vasiliev <vasilyev AT runnet.ru>; Peter Schober <peter.schober AT univie.ac.at>; Guy Halse <guy AT tenet.ac.za>
Subject: Re: [eduGAIN-discuss] Assessment of Russia/RUNNet AAI for eduGAIN membership


All,


after a slight diversion on the CAFMoz email thread there has been some progress on the Russia/RUNNet AAI front.


So could those that provided feedback take a look and see if they are happy with these updates?


* Metadata endpoint is available: https://j.edugain.runnet.ru/j/signedmetadata/federation/RUNNET/metadata.xml now contains RUNNetAAI metadata 100% validated by the eduGAIN validator (the certificate will be imported once membership status is completed - just a safeguard against accidentally importing before then).


* Policy/MRPS updates at: http://runnet.ru/en/release-2018-03-30 or through the RUNNetAAI page http://runnet.ru/en/services-en/runnetaai-en


Changes include:


RUNNetAAI Terms of Service Agreement

Minor changes 

p 3.1 Added «with the Policy and its appendices»

p 3.2 Added «A termination implies the cancellation of the use of Policy».

RUNNetAAI Identity Federation Policy

Sec 1. Introduction

Removed too broad definition of the Federation.

Removed the term of the Policy (5 years) because it is now mentioned in the Terms of Service Agreement that the Policy is valid as long as the Agreement is valid.

RUNNetAAI Technology Profile

The document was totally redrafted as the previous version got a lot of comments. We tried to align the new version with best practices, also verifying whether it is suitable for us. We added references to the Interoperable SAML 2.0 Profile (saml2int).

Also we decided to move most of the metadata information to the MRPS document, as it includes a section on entity requirements and verification.

We decreased the required attributes to EPPN and eduPersonAffiliation. Also we decided not to demand any privacy policy documents from SPs.


RUNNetAAI MRPS


Some changes in the Registration block and the entity requirements and verification section.


Thanks,


-Brook


On 20 Mar 2018, at 12:10 pm, Brook Schofield <brook.schofield AT geant.org> wrote:

On 14 Mar 2018, at 8:53 pm, Peter Schober <peter.schober AT univie.ac.at> wrote:


* Brook Schofield <brook.schofield AT geant.org> [2018-03-13 19:00]:

This application is from an organisation that is closely aligned
with the GÉANT community and their participation in eduGAIN will
further build links to RUNNet and the Russian Academic community.


Would anyone care to spend just a few words on the [lack of]
relationship with фEDUrus, who signed the eduGAIN policy almost 5
years ago and have already registered 14 SPs and 9 IdPs?
The more the merrier, of course, but can we at least assume that tools
or, more importantly, knowledge (and maybe metadata) are being shared?

-peter


Peter (& everyone else interested),


Work with RUNNet started about 2 years ago, and at that time their focus was to work with фEDUrus to support an identity federation that supports their membership. For some reason (that I'm not privy to) that collaboration didn't complete, and RUNNet asked me whether it was permissible for a separate federation to be formed, and the implications of that.


I also raised the topic of overlapping federations joining at the last SG meeting (because of RUNNet AAI, as well as multiple federations from China and a new Omani federation appearing). This wasn't seen as a concern. https://wiki.geant.org/display/eduGAIN/eduGAIN+SG-2018+January


I've also recently asked the long-term candidates about their intentions with respect to eduGAIN in the short/mid term. фEDUrus responded that they are promising to do more work in this space, so we hope to see updates to their website/policy soon, and that their focus is their library association ARLICON and specifically their membership in Kyrgyzstan and Kazakhstan, so their target audience/membership isn't the same as RUNNet AAI's.


I hope that these federations will be able to interoperate as eduGAIN members, since they weren't able to collaborate closer to home, and that the memberships of both organisations will benefit from eduGAIN participation.


-Brook