An open discussion list for topics related to the eduGAIN interfederation service.

[Peter Schober <peter.schober AT univie.ac.at>]

* Alan Buxey <alan.buxey AT myunidays.com> [2018-05-08 16:35]:
> I believe Peter has already had a discussion about this sort of
> thing - might be that those entries actually resolve at the home
> site and are in national metadata for convenience etc but arent for
> use/consumption at a wider scale in the first place.

Not sure what you're thinking of but I do have a somewhat similar
example to share:

One institution in eduID.at (though we don't export it to eduGAIN at
this time, so not really a topic for this list, yet) has its IDP
behind a firewall, only accessible from their internal network (or a
VPN getting you there).
While I strongly recommended against that I can't really mandate their
internal IDP access policies (it is a research hospital, after all).

And while the hostname in metadata endpoints (and entityID) exists in
DNS -- and so would trivially satisfy a literal DNS checks -- nothing
would ever be reachable for any eduGAIN or eduID.at test.
(Only connection attempts to its protocol endpoints would discovery
that, not DNS checks.)

But contrary to what Alan states above the entitiy is not "for
convenience" nor somehow not meant for wider consumption: It's only
the IDP's own population that needs to access the IDP's endpoints, so
this is in fact perfectly functional and globally interoperable with
any SP, and if approached by them I would also expose the IDP to
eduGAIN without hesitation.

-peter