An open discussion list for topics related to the eduGAIN interfederation service.

[Alex Stuart <Alex.Stuart AT jisc.ac.uk>]

Hello Owen and Ahmed,

I've looked at your MRPS. In section 5.3 on entity validation it says:

"On entity registration, the Federation Operator SHALL carry out entity 
validations checks. These checks include [...] Ensuring endpoints are 
properly protected with TLS / SSL Certificates."

You should explain what "properly protected" means. Do you require 
TLS-protected endpoints, and that's the extent of your requirement? If you're 
also conducting checks on the TLS protocol / ciphersuites supported by the 
entities (through SSL Labs or similar) it would be good to describe the 
process you use. Good practice in TLS configuration is a moving target so I 
would not add too much detail here.


I'd also like to expand on a couple of points from Jinyong JO

> On 2 Nov 2021, at 01:48, JO Jinyong <jinyong.jo AT gmail.com> wrote:
>
> 1. It seems that eduId.ng's federation metadata does not comply with its 
> MRPS.
> Please check: https://technical.edugain.org/validator2?fed_id=EDUID-NG
>

I've also run the metadata against the UK federation's metadata checking 
framework. We find a couple of other issues.

- The mdui:PrivacyStatementURL for 
https://moodle.cloud.ren.ng/simplesaml/module.php/saml/sp/metadata.php/default-sp
 has a typo. It currently says "htpps://ren.ng/policy".

- The DigestMethod and SigningMethod algorithms registered for the two 
Shibboleth SPs include several unexpected algorithms. There are 2 algorithms 
which use MD5, and there are some HMAC algorithms where we would expect 
signature algorithms. These algorithms are not found in the 
automatically-generated metadata from the SPs (which can be found at 
https://registry.eduid.ng/Shibboleth.sso/Metadata and 
https://moodle.cloud.ren.ng/Shibboleth.sso/Metadata). Do you know how the 
metadata mismatch arises between the SP software and that published by your 
federation metadata management tool?


> 5. In the MRPS document (p.5): recommend changing the Metadata format in 
> the box (e.g., registrationAuthority="http://eduid.ng";).
>

...and the value you decide on should then be used consistently in metadata. 
Currently, there is 
mdrpi:RegistrationInfo/@registrationAuthority="www.eduid.ng" and 
mdrpi:PublicationInfo/@publisher="https://www.eduid.ng";

Regards,
Alex

—
Alex Stuart (he/him)
Technical Development Manager (Trust and Identity)
alex.stuart AT jisc.ac.uk







Jisc is a registered charity (number 1149740) and a company limited by 
guarantee which is registered in England under company number. 05747339, VAT 
number GB 197 0632 86. Jisc’s registered office is: 4 Portwall Lane, Bristol, 
BS1 6NB. T 0203 697 5800.


Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited 
by guarantee which is registered in England under company number 02881024, 
VAT number GB 197 0632 86. The registered office is: 4 Portwall Lane, 
Bristol, BS1 6NB. T 0203 697 5800.


Jisc Commercial Limited is a wholly owned Jisc subsidiary and a company 
limited by shares which is registered in England under company number 
09316933, VAT number GB 197 0632 86. The registered office is: 4 Portwall 
Lane, Bristol, BS1 6NB. T 0203 697 5800.


For more details on how Jisc handles your data see our privacy notice here: 
https://www.jisc.ac.uk/website/privacy-notice