edugain-discuss - Re: [eduGAIN-discuss] Question about federations' IdP members

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Question about federations' IdP members


  • From: Peter Schober <peter.schober AT univie.ac.at>
  • To: edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Question about federations' IdP members
  • Date: Thu, 18 Nov 2021 14:19:00 +0100
  • Organization: ACOnet

Valeriu,

Note that not all organisations operating a federation within eduGAIN
are NRENs, sometimes not even related to the NREN. So things will vary
widely among eduGAIN-participating federations, even though the answers
given so far (all from European federations) are virtually identical.

* Valeriu Vraciu <valeriu AT roedu.net> [2021-11-17 20:17]:
> We have a request to join eduGain as an IdP from a private university
> accredited by the Ministry of Education, with which we did not have any
> relation (until this request). They are not connected to our network and do
> not use any service from us, so first reaction seems to be a no go. Any
> information regarding how other federations deal with such cases can help us
> to decide further.
> Our policy does not cover this case, maybe an update will be worth too.

There are several aspects to this, I think, among them the "nature" of
the organisation operating the federation (e.g. whether it's regulated
or not), the business model and questions of policy.

E.g. ACOnet has a financing model based on network connectivity alone
(as will still be the case for many other NRENs). I.e., bandwidth is
the only thing we charge for. All other services, including Identity
Federation, are included on top of that at no extra cost.
That means organisations that want to use (even only some) of our
services will need to join the NREN with (a yearly fee plus) a minimum
bandwidth subscription -- even if they don't physically connect to the
network at all.

ACOnet not being a public ISP also means we need to be selective in
who can participate at the NREN level. (And again NRENs vary quite a
bit in their membership criteria, here are our own:
https://www.aco.net/organisation.html?L=1 )

We've opted to include a mandate in our federation policy that only
NREN participants (whether physically connected or not) can join the
federation as IDPs (i.e., consume services available via the
federation), so the definition / purpose limitation of the NREN
automatically limits who can join the federation as an IDP.
Any legal entity can join the federation as Service Provider, though.
(While that's a common model not all federations handle things this
way nor is there a mandate to do it this way.)

Occasionally I might have wished for a "more open" federation policy
(allowing also non-NREN participants to join the federation as IDPs)
but that would have caused difficulties on many other layers (even
though some or most of those difficulties may be self-imposed but
still not easily fixed/avoided).
OTOH the rules for joining the federation as an IDP are now rather
clear and simple (as clear as the rules for eligibility for NREN
participation are, to be precise), no ad-hoc decisions required.

So maybe one conclusion would be: If you're unhappy with your NREN
membership model or selection process you should probably opt against
tightly coupling your federation membership model to that.

Otherwise do whatever is most useful to you and the communities you're
here to support!

(Fewer or less strict rules means more freedom with case-by-case
decisions. You'll always want to remain fair and impartial, though,
which may become increasingly difficult with ad-hoc decisions.)

HTH,
-peter
