edugain-discuss - Re: [eduGAIN-discuss] Support for WS Federation protocol in edugain

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Support for WS Federation protocol in edugain

  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Support for WS Federation protocol in edugain
  • Date: Fri, 15 May 2020 17:29:55 +0200
  • Organization: ACOnet

* Daniel Muscat <daniel.muscat AT um.edu.mt> [2020-05-15 14:58]:
> Does eduGAIN have the policy to accept or not accept IDPs using WS-Fed?

I already told you, so did Davide.
But why not check for yourself?
https://technical.edugain.org/documents

In none of the formal documents -- nor any of the BCPs -- will you find
anything that rules out the kind of stuff WS-* puts into SAML Metadata.
(I.e., there's no policy to "not accept" this and there is no policy
*needed* to allow this.)

That doesn't mean that wide-scale real-world usage of WS-* on top of
SAML-centric federations will just work, though. E.g. there are good
reasons to filter out stuff that MS-ADFS expects to find in SAML 2.0
Metadata for non-SAML use and I know of a few federations (mine
included) that started doing just that in order to protect their SAML
protocol-using members from potential breakage.
(I can provide pointers if you're interested in that particular
tangent, even though this is not related to eduGAIN policy.)

> Is eduGAIN structured to really support such IDPs?

Unsurprisingly, that depends on what that question means. Most
services (from support to technical tooling) assume use of the SAML
protocol (not just SAML 2.0 Metadata) and following Best Current
Practices for SAML deployments, including saml2int.
(E.g. test services test for certain attribute names, the eduGAIN
support may not be able to help with non-SAML usage, etc.pp.)

So clearly the system and support services have not been /designed/ to
support non-SAML protocols. You're still free to put into your SAML
Metadata what you think is useful. (It might not ever reach entities
registered in other /federations/, though, for the reason I mentioned
above.)

> For example, I am using the hosted FaaS system and it does not seem
> to allow me to input an IDP with WS-Fed protocol

The GÉANT FaaS offering includes the Free/Libre/OpenSource software
https://jagger.heanet.ie/
What Jagger supports (or does not) would make a great topic for its
community mailing list.

If you have concrete questions about the FaaS offering you may also
post questions to the FaaS support contact, of course.
E.g. a properly stated, real need for your FaaS instance to support
federated non-SAML use within your SAML 2.0 Metadata-based federation
would certainly be considered.

> I am asking for an example entity as cannot find one myself

Again, if you have (or anyone else you care about has) such a system
at hand then this system should be able to produce its own SAML 2.0
Metadata including the stuff for WS-*.
According to SO the well-known URL to get the metadata from is
https://FQDN/federationmetadata/2007-06/federationmetadata.xml

If OTOH you don't have such systems (and neither does anyone
else who you care about) I don't understand why we're talking about
this. Purely academic interest? The answer remains the same:
If you want to see how SAML 2.0 Metadata including stuff for
e.g. MS-ADFS looks, by all means, get such a system set up and
have a look yourself.

I can confirm that there are no such entities included in the eduGAIN
MDS at this time (just look for RoleDescriptor elements).

-peter
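Two things in the reply above are easy to turn into a concrete check: finding entities that carry WS-Federation/MS-ADFS material in SAML 2.0 Metadata (the "look for RoleDescriptor elements" test) and the filtering some federations apply before re-publishing, so that SAML-only members never see those elements. The script below is an added example and is not part of this thread, of eduGAIN, or of any GÉANT/Jagger tooling; the metadata aggregate, entityIDs and endpoint locations in it are constructed placeholders (an abridged imitation of what ADFS emits, with `xsi:type="fed:SecurityTokenServiceType"` / `fed:ApplicationServiceType` on `md:RoleDescriptor`), and it uses only the Python standard library.

```python
"""Find, and optionally strip, WS-Federation / MS-ADFS RoleDescriptor elements
in a SAML 2.0 metadata aggregate.

Added example, not eduGAIN or federation-operator code. The aggregate below is
constructed: one plain SAML IdP and one ADFS-style IdP that also publishes
WS-Federation roles alongside its IDPSSODescriptor.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
FED = "http://docs.oasis-open.org/wsfed/federation/200706"   # WS-Fed metadata namespace
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"md": MD}

# Keep readable prefixes when re-serialising the filtered aggregate.
ET.register_namespace("md", MD)
ET.register_namespace("xsi", XSI)
ET.register_namespace("fed", FED)

# Constructed sample aggregate (entityIDs and URLs are placeholders).
SAMPLE_AGGREGATE = f"""
<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:xsi="{XSI}" xmlns:fed="{FED}" Name="example-aggregate">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2P}">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="http://adfs.example.org/adfs/services/trust">
    <md:RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="{FED}">
      <fed:TargetScopes/>
    </md:RoleDescriptor>
    <md:RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="{FED}">
      <fed:PassiveRequestorEndpoint/>
    </md:RoleDescriptor>
    <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2P}">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://adfs.example.org/adfs/ls/"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def find_wsfed_entities(xml_text):
    """Return {entityID: [xsi:type of each md:RoleDescriptor]} for every entity
    that carries RoleDescriptor elements. In a SAML-centric aggregate these are
    the WS-Fed/ADFS roles; plain SAML roles use IDPSSODescriptor/SPSSODescriptor."""
    root = ET.fromstring(xml_text)
    found = {}
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        roles = ent.findall("md:RoleDescriptor", NS)
        if roles:
            found[ent.get("entityID")] = [r.get(f"{{{XSI}}}type") for r in roles]
    return found


def strip_role_descriptors(xml_text):
    """Return (filtered_xml, removed_count): the aggregate with every
    md:RoleDescriptor removed and the SAML roles left intact.
    Caveat: this breaks any XML signature over the input, so a federation
    operator would apply it before signing the aggregate it publishes."""
    root = ET.fromstring(xml_text)
    removed = 0
    for ent in root.iter(f"{{{MD}}}EntityDescriptor"):
        for role in list(ent.findall("md:RoleDescriptor", NS)):
            ent.remove(role)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for entity_id, types in find_wsfed_entities(SAMPLE_AGGREGATE).items():
        print(f"{entity_id}: RoleDescriptor types {types}")
    filtered, n = strip_role_descriptors(SAMPLE_AGGREGATE)
    print(f"removed {n} RoleDescriptor element(s); remaining WS-Fed entities: "
          f"{find_wsfed_entities(filtered)}")
```

Run against a real aggregate by replacing `SAMPLE_AGGREGATE` with the file contents; the first function is the read-only check, the second is what a filtering federation would do on its export side, after which the result must be re-signed.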



Archive powered by MHonArc 2.6.19.