
edugain-discuss - Re: [eduGAIN-discuss] IdP without DNS records

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.



Re: [eduGAIN-discuss] IdP without DNS records


  • From: Scott Koranda <skoranda AT gmail.com>
  • To: Peter Schober <peter.schober AT univie.ac.at>
  • Cc: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] IdP without DNS records
  • Date: Tue, 8 May 2018 10:15:55 -0500
  • Authentication-results: prod-mail.geant.net (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com

> * Alan Buxey <alan.buxey AT myunidays.com> [2018-05-08 16:35]:
> > I believe Peter has already had a discussion about this sort of
> > thing - might be that those entries actually resolve at the home
> > site and are in national metadata for convenience etc but aren't for
> > use/consumption at a wider scale in the first place.
>
> Not sure what you're thinking of but I do have a somewhat similar
> example to share:
>
> One institution in eduID.at (though we don't export it to eduGAIN at
> this time, so not really a topic for this list, yet) has its IDP
> behind a firewall, only accessible from their internal network (or a
> VPN getting you there).
> While I strongly recommended against that I can't really mandate their
> internal IDP access policies (it is a research hospital, after all).
>
> And while the hostname in metadata endpoints (and entityID) exists in
> DNS -- and so would trivially satisfy a literal DNS check -- nothing
> would ever be reachable for any eduGAIN or eduID.at test.
> (Only connection attempts to its protocol endpoints would discover
> that, not DNS checks.)
>
> But contrary to what Alan states above the entity is not "for
> convenience" nor somehow not meant for wider consumption: It's only
> the IDP's own population that needs to access the IDP's endpoints, so
> this is in fact perfectly functional and globally interoperable with
> any SP, and if approached by them I would also expose the IDP to
> eduGAIN without hesitation.

Hi,

Would you consider also tagging the IdP with the "hide from discovery"
tag since the IdP is generally not discoverable?

Since some discovery services pre-load logos and the like, when the IdP's
endpoints are not reachable it can cause delays and less than optimal
behavior for the discovery service.

It is helpful when the discovery service can filter those IdPs away
using the "hide from discovery" tag.

Thanks,

Scott K
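To make the filtering Scott describes concrete, here is an added Python example (not code from this thread, from eduGAIN or from any federation tooling) that walks a constructed SAML metadata aggregate, drops IdPs carrying the REFEDS hide-from-discovery entity category, and lists the mdui:Logo URLs a discovery service would otherwise try to pre-load. The entityIDs, hostnames and logo URLs in the sample are made up; the category URI (http://refeds.org/category/hide-from-discovery) and the metadata attribute names are the real ones. It deliberately does not probe endpoint reachability: as Peter points out, only a connection attempt to the protocol endpoints reveals that an IdP is firewalled, and a DNS lookup would pass regardless.

```python
"""Build a discovery-service feed from a SAML metadata aggregate, hiding IdPs
tagged with the REFEDS hide-from-discovery entity category.

Added example. SAMPLE_AGGREGATE is constructed test data, not real metadata."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
# Entity categories are carried as a SAML attribute with this Name.
ENTITY_CATEGORY_ATTR = "http://macedir.org/entity-category"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"

# Constructed aggregate: one public IdP, one IdP tagged hide-from-discovery
# (think of the firewalled hospital IdP), and one SP that a DS ignores anyway.
SAMPLE_AGGREGATE = """
<md:EntitiesDescriptor Name="urn:example:constructed-aggregate"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://idp.public.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Public University</mdui:DisplayName>
          <mdui:Logo height="60" width="80">https://idp.public.example/logo.png</mdui:Logo>
        </mdui:UIInfo>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.public.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.hospital.example/idp/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Research Hospital (internal only)</mdui:DisplayName>
          <mdui:Logo height="60" width="80">https://idp.hospital.example/logo.png</mdui:Logo>
        </mdui:UIInfo>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.hospital.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.service.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.service.example/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _entity_categories(entity):
    """Collect entity-category URIs from md:Extensions/mdattr:EntityAttributes."""
    cats = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") != ENTITY_CATEGORY_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text:
                cats.add(value.text.strip())
    return cats


def _logo_urls(entity):
    """mdui:Logo URLs a discovery service would fetch to render this IdP."""
    path = "md:IDPSSODescriptor/md:Extensions/mdui:UIInfo/mdui:Logo"
    return [logo.text.strip() for logo in entity.findall(path, NS) if logo.text]


def partition_idps(xml_text):
    """Return (discoverable, hidden): IdP records with entityID and logo URLs."""
    root = ET.fromstring(xml_text)
    entity_tag = "{%s}EntityDescriptor" % NS["md"]
    entities = [root] if root.tag == entity_tag else root.findall(".//md:EntityDescriptor", NS)
    discoverable, hidden = [], []
    for entity in entities:
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # SPs and attribute authorities never go into a DS feed
        record = {"entityID": entity.get("entityID"), "logos": _logo_urls(entity)}
        (hidden if HIDE_FROM_DISCOVERY in _entity_categories(entity) else discoverable).append(record)
    return discoverable, hidden


def discoverable_idps(xml_text):
    return partition_idps(xml_text)[0]


def hidden_idps(xml_text):
    return [r["entityID"] for r in partition_idps(xml_text)[1]]


if __name__ == "__main__":
    shown, hidden = partition_idps(SAMPLE_AGGREGATE)
    for r in shown:
        print("show", r["entityID"], "pre-load:", r["logos"])
    for r in hidden:
        print("hide", r["entityID"], "(not fetched:", r["logos"], ")")
```

The only thing the DS needs to pre-load is the logo list of the discoverable set, so an IdP carrying the category never triggers a fetch against an endpoint that may be firewalled; the IdP itself stays fully usable by any SP whose users reach it by other means, exactly as Peter describes.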


