
edugain-discuss - Re: [eduGAIN-discuss] Assessment of Zambia/FIDERN for eduGAIN membership

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Assessment of Zambia/FIDERN for eduGAIN membership


  • From: Nick Roy <nroy AT internet2.edu>
  • To: Nosiku Sikanyika <nosiku.sikanyika AT zamren.zm>
  • Cc: Brook Schofield <brook.schofield AT geant.org>, info <info AT fidern.ac.zm>, Stein Mkandawire <mkandaws AT zamren.zm>, edugain-discuss <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Assessment of Zambia/FIDERN for eduGAIN membership
  • Date: Fri, 14 Sep 2018 19:44:01 +0000
  • Accept-language: en-US

Hi Nosiku,

For the first item, I would expect to see documentation about use of
signing and encryption certificates in IdP and SP metadata, for example
recommendation of publication of IdP public keys with use="signing", or
no use= attribute, in the IdPSSO KeyDescriptor. For SPs, I'd make a
recommendation to publish a KeyDescriptor with no use= (so, both signing
and encryption) or two separate KeyDescriptors, if you want people to
use separate signing and encryption keys. Those would have use="signing"
and use="encryption" in the KeyDescriptors.

InCommon's documentation on this is at:
https://spaces.at.internet2.edu/display/InCFederation/X.509+Certificates+in+Metadata

You should sign your metadata with a highly protected private key, and
publish the metadata signing key somewhere where your users can download
it, with instructions on how to configure their deployments to verify
the signature on your metadata. InCommon's documentation on metadata
refresh and signature verification is at:
https://spaces.at.internet2.edu/display/InCFederation/Metadata+Consumption

For the second item, you should have some way of vetting the domains
used in entityIDs and shibmd:Scope (the latter applies only to
IDPSSODescriptors and AttributeAuthorityDescriptors), to ensure that
they are not misused by an unauthorized party. In the case of entityIDs,
this could cause collisions in metadata. In the case of shibmd:Scope, it
could result in an IdP asserting identities that do not belong to it.

InCommon's documentation on domains in metadata is available at:
https://spaces.at.internet2.edu/display/inctac/Domains+in+IdP+Metadata

Please let me know if you have other questions or would like to discuss
any of these items (or anything else about federation policy, metadata,
etc) further.

Best,

Nick
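The two checks described in the message above (KeyDescriptor use= conventions for IdPs and SPs, and vetting the domains behind entityIDs and shibmd:Scope) can be scripted against a metadata aggregate before it is signed and published. The following is an added example, not code from the thread, from FIDERN or from InCommon. It uses only the Python standard library; the metadata aggregate, the `example.ac.zm` registrant domain, and the approved-domain set are constructed placeholders, and the certificate bodies are dummies. Verifying the XML signature on a downloaded aggregate is a separate step that needs an XML-DSig implementation (for instance xmlsec1) and is not shown here.

```python
"""Registrar-side checks for a SAML metadata aggregate (added example).

Rules implemented, following the conventions in the message above:
  * IDPSSODescriptor  : at least one KeyDescriptor with use="signing" or no use=.
  * SPSSODescriptor   : at least one KeyDescriptor with use="encryption" or no
                        use= (otherwise nobody can encrypt assertions to the SP).
  * entityID          : its host name must fall under a domain the registrant
                        has been verified to control.
  * shibmd:Scope      : only meaningful inside IDPSSODescriptor and
                        AttributeAuthorityDescriptor; every literal scope must
                        be an approved domain, and regexp="true" scopes are
                        flagged for manual review.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample aggregate (not real FIDERN metadata). The IdP claims a
# scope it does not own, and the SP publishes only a signing key.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.ac.zm/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.ac.zm</shibmd:Scope>
        <shibmd:Scope regexp="false">other-university.ac.zm</shibmd:Scope>
      </md:Extensions>
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...dummy...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.ac.zm/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...dummy...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Hypothetical: domains the registrant has proven control of (DNS/WHOIS check).
APPROVED_DOMAINS = {"example.ac.zm"}


def in_approved_domain(name, approved):
    """True if name equals an approved domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in approved)


def check_key_descriptors(entity):
    """KeyDescriptor use= findings for one EntityDescriptor."""
    findings = []
    for role in entity.findall("md:IDPSSODescriptor", NS):
        uses = [kd.get("use") for kd in role.findall("md:KeyDescriptor", NS)]
        if not any(u in (None, "signing") for u in uses):
            findings.append('IdP has no KeyDescriptor usable for signing (use="signing" or no use= at all)')
    for role in entity.findall("md:SPSSODescriptor", NS):
        uses = [kd.get("use") for kd in role.findall("md:KeyDescriptor", NS)]
        if not any(u in (None, "encryption") for u in uses):
            findings.append('SP has no KeyDescriptor usable for encryption (use="encryption" or no use= at all)')
    for kd in entity.iter("{%s}KeyDescriptor" % NS["md"]):
        if kd.get("use") not in (None, "signing", "encryption"):
            findings.append("KeyDescriptor has invalid use=%r" % kd.get("use"))
        if kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
            findings.append("KeyDescriptor carries no X509Certificate")
    return findings


def check_domains(entity, approved):
    """entityID and shibmd:Scope findings for one EntityDescriptor."""
    findings = []
    entity_id = entity.get("entityID", "")
    host = urlparse(entity_id).hostname  # None for urn: style entityIDs
    if host is None or not in_approved_domain(host, approved):
        findings.append("entityID %r is not under an approved domain" % entity_id)
    for role_tag in ("md:IDPSSODescriptor", "md:AttributeAuthorityDescriptor"):
        for role in entity.findall(role_tag, NS):
            for scope in role.findall("md:Extensions/shibmd:Scope", NS):
                value = (scope.text or "").strip()
                if scope.get("regexp", "false").lower() == "true":
                    findings.append("regexp shibmd:Scope %r needs manual review" % value)
                elif not in_approved_domain(value, approved):
                    findings.append("shibmd:Scope %r is not an approved domain" % value)
    return findings


def assess(metadata_xml, approved):
    """Map entityID -> list of findings (empty list means the entity passed)."""
    root = ET.fromstring(metadata_xml)
    report = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        eid = entity.get("entityID", "")
        report[eid] = check_key_descriptors(entity) + check_domains(entity, approved)
    return report


if __name__ == "__main__":
    for eid, findings in assess(SAMPLE_METADATA, APPROVED_DOMAINS).items():
        print(eid, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run as-is, the script flags the IdP for asserting a scope outside its approved domain and the SP for publishing only a signing key, and passes both entityIDs. The signature on a downloaded aggregate can be checked separately with xmlsec1 against the federation's published signing certificate, for example `xmlsec1 --verify --pubkey-cert-pem fidern-signing.pem --id-attr:ID urn:oasis:names:tc:SAML:2.0:metadata:EntitiesDescriptor metadata.xml`, where the certificate file name is a placeholder.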

On 9/14/18 3:54 AM, Nosiku Sikanyika wrote:
> Good morning Nick,
>
> Unfortunately I am unclear regarding the two points
>
> 1) Mention of SAML certificates
> 2) Mention of shibmd:Scope and its management/subject to DNS policy
> alongside other domains in metadata.
>
> What is supposed to be mentioned under SAML certificates and where?
> I am also unclear on the second point as well.
> Could you provide examples or sample documents I can look at?
>
> Kind regards,
>
> Nosiku
>
> ----- Original Message -----
> From: "nroy" <nroy AT internet2.edu>
> To: "Brook Schofield" <brook.schofield AT geant.org>, "edugain-discuss"
> <edugain-discuss AT lists.geant.org>
> Cc: "info" <info AT fidern.ac.zm>, "Stein Mkandawire" <mkandaws AT zamren.zm>,
> "Nosiku Sikanyika" <nosiku.sikanyika AT zamren.zm>
> Sent: Thursday, July 26, 2018 5:14:51 PM
> Subject: Re: [eduGAIN-discuss] Assessment of Zambia/FIDERN for eduGAIN
> membership
>
> Hi all,
>
> A couple of quick things I see that are not in the FIDERN policy:
>
> 1) Mention of SAML certificates
> 2) Mention of shibmd:Scope and its management/subject to DNS policy
> alongside other domains in metadata.
>
> Best,
>
> Nick
>
> On 7/26/18 1:11 AM, Brook Schofield wrote:
>> All,
>>
>> I present to you the application of Zambia / FIDERN who has signed the
>> eduGAIN Declaration, has a policy based on the policy template, is
>> self declaring their federation as a production service and is wanting
>> to join the global R&E federated environment.
>>
>> You can find more detailed information about the federation under
>> "eduGAIN Candidates" at
>>     https://technical.edugain.org/status.php
>> which contains links to their policy and MRPS.
>>
>> This application is from an organisation that is closely aligned with
>> the GÉANT community via their participation in the AfricaConnect
>> and UbuntuNet projects and communities. They are also the eduroam .zm
>> roaming operator.
>>
>> So I ask the following federations to specifically review the submission
>> by FIDERN:
>>  * Estonia/TAAT
>>  * Finland/Haka
>>  * France/FÉR
>>  * Georgia/GIF
>>  * Germany/DFN-AA
>>
>> All eduGAIN members can (and should) provide feedback on this but to
>> share the burden of review around, these five (5) federations have
>> a specific responsibility.
>>
>> If you have any questions please contact the FIDERN team (Stein +
>> Nosiku) that are subscribed to this mailing list as well as CC’d to
>> this message.
>>
>> Formal components of the membership process will be via the eduGAIN
>> Steering Group mailing list.
>>
>> Thanks,
>>
>> -Brook
>>
>> Brook Schofield
>> eduGAIN Steering Group Chair
>> GÉANT
>> M: +31651553991 
>> Skype: brookschofield
>>
>


