edugain-discuss - [eduGAIN-discuss] eduGAIN SAML profile and MDS update

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

[eduGAIN-discuss] eduGAIN SAML profile and MDS update


  • From: Davide Vaghetti <davide.vaghetti AT garr.it>
  • To: edugain-sg AT lists.geant.org, edugain-discuss AT lists.geant.org
  • Subject: [eduGAIN-discuss] eduGAIN SAML profile and MDS update
  • Date: Tue, 19 Nov 2019 22:53:21 +0100

Hi,

what follows is a brief report on today's eduGAIN MDS updating process.

As you know, today is the deadline for the eduGAIN SAML profile
adoption. The eduGAIN OT scheduled an update of the eduGAIN MDS along
those directly targeting the validator and the technical site to support
the new profile.

The update on eduGAIN MDS was limited to the environment (python
version) and pyFF itself, which was updated to the latest stable version.

The feed produced by the updated eduGAIN MDS was schema validating
exactly as the old one.

At 4:10pm CET, Chris Phillips (Canarie) alerted us of an error that was
preventing their MDA from correctly parsing some entities in the eduGAIN
feed. Canarie is using Shibboleth MDA. The error was:

"ERROR - validateSchema reported: UndeclaredPrefix: Cannot resolve
'xs:string' as a QName: the prefix 'xs' is not declared."

We found that there was a difference in how the "xs" namespace was
declared in the backward eduGAIN feed and in the current one.

With the eduGAIN OT we decided to roll back to the previous eduGAIN MDS
instance, which happened at 4:47pm CET.

With the help of Ian Young we found out that:
1. what is causing the issue is that the "xs" namespace is declared in
`EntitiesDescriptor` on the latest version of the eduGAIN MDS, versus
per `AttributeValue` in the previous version.
2. we're hitting on an old Shibboleth MDA bug which is preventing the
MDA from resolving namespaces declared "too far" from the element where
they are used --- see https://issues.shibboleth.net/jira/browse/MDA-47
3. other identity federations using Shibboleth MDA, such as UKf and many
others, were not hit by the issue because they strip out all the
`xsi:type="xs:string"` elements as part of their aggregation process.

As already noted on the slack edugain_support channel and on today's
eduGAIN "Drop in session", there is room for improving the eduGAIN MDS
updating process: for example letting fed-ops know about possible diffs
between the current and the updated eduGAIN metadata --- even though both
are schema valid.

As a very short term measure we are setting up two different feeds:
production and pre-production. We will keep both active for enough time
to let federation operators test them and signal potential issues.

Currently we're still relying on the backward eduGAIN MDS. Tomorrow
morning we will give you further details.

Cheers,
Davide

--
Davide Vaghetti
Consortium GARR
Tel: +390502213158
Mobile: +393357779542
Skype: daserzw

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
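The namespace-scope difference described in the message (the "xs" prefix declared on `EntitiesDescriptor` in the new feed versus on each `AttributeValue` in the old one) is the kind of schema-valid change a pre-publication diff could catch. The following is an added example, not code from the eduGAIN OT or from pyFF: it walks a metadata feed with the standard library's `iterparse`, and for every `xsi:type` QName reports how many ancestor levels above the element its prefix is declared. The two feeds, the entityID and the attribute name are constructed samples; the threshold of 0 is an assumption, since the message does not say how far is "too far" for the MDA bug.

```python
import io
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def qname_prefix_distances(xml_bytes):
    """For every xsi:type attribute, report (element tag, QName prefix, distance):
    distance = ancestor levels above the element where the prefix is declared
    (0 = on the element itself, None = never declared, the UndeclaredPrefix case)."""
    scopes, pending, findings = [], {}, []
    for event, payload in ET.iterparse(io.BytesIO(xml_bytes),
                                       events=("start-ns", "start", "end")):
        if event == "start-ns":                 # fires just before the owning element's "start"
            pending[payload[0]] = payload[1]
        elif event == "start":
            scopes.append(pending)              # prefixes declared on this element
            pending = {}
            typ = payload.get(XSI_TYPE)
            if typ is not None:
                prefix = typ.split(":", 1)[0] if ":" in typ else ""
                distance = next((d for d, declared in enumerate(reversed(scopes))
                                 if prefix in declared), None)
                findings.append((payload.tag, prefix, distance))
        else:                                   # "end": leave this element's scope
            scopes.pop()
    return findings

def declared_too_far(xml_bytes, max_distance=0):
    """Findings whose prefix is undeclared or declared more than max_distance levels up.
    max_distance=0 (prefix on the AttributeValue itself, as in the old feed) is an assumption."""
    return [f for f in qname_prefix_distances(xml_bytes)
            if f[2] is None or f[2] > max_distance]

# Constructed samples: the same entity with "xs" declared on EntitiesDescriptor
# (new feed) versus on the AttributeValue itself (old feed).
_BODY = (b'<md:EntityDescriptor entityID="https://idp.example.org/idp"><md:Extensions>'
         b'<mdattr:EntityAttributes><saml:Attribute Name="urn:example:category">'
         b'<saml:AttributeValue xsi:type="xs:string"%s>member</saml:AttributeValue>'
         b'</saml:Attribute></mdattr:EntityAttributes></md:Extensions></md:EntityDescriptor>')
_ROOT = (b'<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
         b' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
         b' xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"'
         b' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"%s>%s</md:EntitiesDescriptor>')
XS_DECL = b' xmlns:xs="http://www.w3.org/2001/XMLSchema"'
FEED_XS_ON_ROOT = _ROOT % (XS_DECL, _BODY % b"")
FEED_XS_ON_VALUE = _ROOT % (b"", _BODY % XS_DECL)

if __name__ == "__main__":
    print(declared_too_far(FEED_XS_ON_ROOT))    # root-declared prefix, 5 levels up
    print(declared_too_far(FEED_XS_ON_VALUE))   # []
```

Running it over the current and the candidate feed and diffing the two result lists gives federation operators the kind of warning the message asks for, independent of schema validation.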



