
edugain-discuss - Re: [eduGAIN-discuss] Assessment of Sri Lanka / LIAF for eduGAIN membership

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.


Re: [eduGAIN-discuss] Assessment of Sri Lanka / LIAF for eduGAIN membership


  • From: Vladimir Mencl <vladimir.mencl AT reannz.co.nz>
  • To: Brook Schofield <brook.schofield AT geant.org>, "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Cc: Thilina Pathirana - LEARN <thilina AT learn.ac.lk>
  • Subject: Re: [eduGAIN-discuss] Assessment of Sri Lanka / LIAF for eduGAIN membership
  • Date: Fri, 15 Mar 2019 12:20:42 +1300


Hi,

I have started by reading the MRPS (... and comparing it with the REFEDS MRPS template along the way).

Overall, the application looks good to me, but there are some points to be clarified - see below.

* MRPS based on template without pretty much any changes (GOOD).

* Section "3.Member Eligibility and Owners"
* Federation registration policy is at the link provided (GOOD)

* Joining is for NREN ("LEARN") members only
* Strong process - documents to be signed by head of institution, verification also at senior managerial level. Uses LEARN member registry for name checking.

ISSUE: this is however clashing with the Federation Policy. While it says Home Organisations can only be members of LEARN, Service Providers can be "Any party that provides a service that is recognizable as usable for R&E community".

The checks documented in this section then completely fail to apply - such Service Providers would not be found in the LEARN Member Registry.

I think this section should be expanded to also cover how such organisations would get checked.


* Section "4. Metadata Format"
The example given should use registrationAuthority and RegistrationPolicy values specific for this federation - please provide.


* Section "5. Entity Eligibility and Validation"
I see this section deviates from the MRPS template, dropping any mention of IdP scope - both the clause in 5.1, and the whole section "5.3 Scope Format".

Was there a particular reason for omitting scope from the MRPS?

* Section "6. Entity Management"
- might be contradictory: for entityChange requests, it states they should be emailed to noc AT learn.ac.lk, but the Join page points to Federation Registry, which appears to be self-service (but could not confirm, just making assumptions here).

Can you please clarify?

Also, when I tried the Federated Login link at the registry, it gave me an Internal Server Error.

* Section "2.Introduction and Applicability"

The URL to get latest published MRPS only points to landing page, not exact document ... and not that obvious where to find the document.
Took me a while - only once I navigated through "Join" -> "Federation Registry", I found I can see the key documents from
https://fr.ac.lk/ ... but this was not at all obvious.


(I also found a link to the Federation Policy in References - that was helpful, thanks).
IdentityFederationPolicy (v1.0):
https://fr.ac.lk/templates/IdentityFederationPolicy-LIAFv1.0.pdf


Technical:
* metadata signing certificate is self-signed valid for 10 years - that looks good.
* there is however a personal email address in the Subject+Issuer DN of the certificate (thilina AT learn.ac.lk) - should have been an alias. But that's too late to change now.

* metadata signature, https endpoints, metadata schema are all good

* I see in the metadata, the EntitiesDescriptor Name element has value
"/opt/pyff/fed"
As per SAML 2.0 Metadata specification, it should be:
"A string name that identifies a group of SAML entities in the context of some deployment."

A string like "liaf.ac.lk" would allow referring to all entities in your metadata. (In your internal use within LIAF - the name gets dropped once the metadata traverses through the eduGAIN aggregator). But pointing it out because I noticed it...

* And if possible, please make links in the MRPS PDF clickable (had to select the link text and paste into a browser)



But overall, congratulations on a job well done.

I might have gotten into more detail than needed - overall, the federation looks all good to me, just the points I noticed...


Cheers,
Vlad


On 9/03/19 00:57, Brook Schofield wrote:
All,

I present to you the application of Sri Lanka / LIAF who has signed the eduGAIN Declaration, has a policy based on the policy template, is self declaring their federation as a production service and is wanting to join the global R&E federated environment.

You can find more detailed information about the federation under "eduGAIN Candidates" at
https://technical.edugain.org/status.php
which contains links to their policy and MRPS.

This application is from an organisation that is closely aligned with the GÉANT community via their participation in the Asi@Connect project and has been receiving support via the BACKFIRE project and TF-IAM activities within APAN to support their participation in eduGAIN.

So I ask the following federations to specifically review the submission by LIAF:
 * Malaysia / SIFULAN
 * Moldova / LEAF
 * Mozambique / CAFMoz
 * The Netherlands / SURFconext
 * New Zealand / Tuakiri

All eduGAIN members can (and should) provide feedback on this but to share the burden of review around, these five (5) federations have a specific responsibility.

If you have any questions please contact the LIAF team that are subscribed to this mailing list as well as CC’d to this message.

Formal components of the membership process will be via the eduGAIN Steering Group mailing list.

Brook Schofield
eduGAIN Steering Group Chair
GÉANT
M: +31651553991
Skype: brookschofield


--
Vladimir Mencl
Senior Software Engineer

Research & Education
Advanced Network NZ Ltd

M +64 21 997352
E vladimir.mencl AT reannz.co.nz
www.reannz.co.nz
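The XML-level points in the review above (a path-like EntitiesDescriptor Name, missing registrationAuthority / RegistrationPolicy values, IdPs published without a scope) can be checked mechanically before submitting an aggregate. The following is an added example, not code from this thread nor from LIAF, pyFF or the eduGAIN tooling: a small Python lint using only the standard library. The registration authority "https://liaf.example/", the entityIDs and the whole sample aggregate are constructed for illustration; the real values are whatever the federation's MRPS states. Signature and signing-certificate checks (validity period, personal address in the DN) are not covered here.

```python
"""Lint a SAML 2.0 metadata aggregate for the review points above.

Added example, not LIAF's or eduGAIN's tooling.  Checks, at the XML level:
  * the EntitiesDescriptor Name is a deployment name, not a file path
  * every EntityDescriptor carries mdrpi:RegistrationInfo with the expected
    registrationAuthority and at least one RegistrationPolicy
  * every IdP publishes at least one shibmd:Scope
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Hypothetical registration authority; the real one is the value the MRPS
# section 4 example is meant to state.
EXPECTED_AUTHORITY = "https://liaf.example/"

# Constructed sample aggregate (not real federation metadata): a path-like
# Name, one complete IdP, one IdP with no scope, one SP with no
# RegistrationInfo.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    Name="/opt/pyff/fed">
  <md:EntityDescriptor entityID="https://idp1.example.ac.lk/idp/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://liaf.example/"
          registrationInstant="2019-03-01T00:00:00Z">
        <mdrpi:RegistrationPolicy xml:lang="en">https://liaf.example/mrps</mdrpi:RegistrationPolicy>
      </mdrpi:RegistrationInfo>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <shibmd:Scope regexp="false">example.ac.lk</shibmd:Scope>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp2.example.ac.lk/idp/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://liaf.example/"
          registrationInstant="2019-03-01T00:00:00Z">
        <mdrpi:RegistrationPolicy xml:lang="en">https://liaf.example/mrps</mdrpi:RegistrationPolicy>
      </mdrpi:RegistrationInfo>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.ac.lk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def qname(prefix, local):
    """Clark-notation tag name for an element in one of the NS prefixes."""
    return "{%s}%s" % (NS[prefix], local)


def lint_aggregate(xml_text, expected_authority=EXPECTED_AUTHORITY):
    """Return a list of human-readable findings; an empty list means clean."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != qname("md", "EntitiesDescriptor"):
        return ["root element is %s, expected md:EntitiesDescriptor" % root.tag]

    # SAML metadata: Name is "a string name that identifies a group of SAML
    # entities in the context of some deployment", not a path on the
    # aggregator host.
    name = root.get("Name")
    if not name:
        findings.append("EntitiesDescriptor has no Name attribute")
    elif name.startswith("/") or "\\" in name:
        findings.append("EntitiesDescriptor Name looks like a file path: %r" % name)

    # iter() also descends into nested EntitiesDescriptor groups.
    for ed in root.iter(qname("md", "EntityDescriptor")):
        eid = ed.get("entityID", "<no entityID>")
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        if reg is None:
            findings.append("%s: no mdrpi:RegistrationInfo" % eid)
        else:
            authority = reg.get("registrationAuthority")
            if authority != expected_authority:
                findings.append("%s: registrationAuthority %r, expected %r"
                                % (eid, authority, expected_authority))
            if reg.find("mdrpi:RegistrationPolicy", NS) is None:
                findings.append("%s: RegistrationInfo without RegistrationPolicy" % eid)

        # Scope lives in the IDPSSODescriptor's own Extensions element.
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is not None and not idp.findall("md:Extensions/shibmd:Scope", NS):
            findings.append("%s: IdP publishes no shibmd:Scope" % eid)
    return findings


if __name__ == "__main__":
    for finding in lint_aggregate(SAMPLE_METADATA):
        print(finding)
```

Run it against a downloaded aggregate by passing the file contents to lint_aggregate() with the federation's actual registrationAuthority; the checks deliberately stop at the XML level, so the metadata signature still has to be verified separately against the published signing certificate.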


