Delegated Administration of Metadata

The term delegated administration refers to the ability of a site administrator to delegate responsibility for administering SP metadata to another administrator, called a delegated administrator. The rationale for delegated administration was discussed in a blog post published early in 2012. The primary motivation for adding this feature to the Federation Manager (FM) is to simplify metadata management for those sites with large numbers of entities in metadata.

Note: Watch a video demo of delegated administration at http://www.incommon.org/video/da_demo/

Info: Google Gateway in production!

As of 13 October 2013, the Google Gateway is a production service! Delegated administrators can now log into the Federation Manager with their Google accounts.

Facts About Delegated Administration

  • A site administrator delegates the ability to administer SP metadata to a delegated administrator by providing the eduPersonPrincipalName and e-mail address of a prospective delegated administrator.
  • A site administrator constrains the privileges of each delegated administrator, that is, the site administrator assigns delegated administrators to manage particular SPs.
  • A delegated administrator is able to administer SP metadata only.
  • A delegated administrator may create/modify/delete SP entity descriptors.
  • A metadata update request submitted by a delegated administrator must be approved by a site administrator.
  • The delegated administrative login interface accepts federated credentials only (i.e., InCommon Operations does not issue passwords to delegated administrators).
  • The delegated administrator’s IdP must support SAML V2.0 Web Browser SSO (i.e., SAML V1.1 is not supported).
  • The delegated administrator’s IdP must release a set of required attributes to the Federation Manager.

Limitations

  • A site administrator for an organization may not function as a delegated administrator for the same organization.
  • A delegated administrator for one organization may not function as a delegated administrator for another organization.
  • Assigning two delegated administrators to the same entity descriptor can have undesirable side effects since the editing of entity descriptors is not constrained by the software in any way.
  • A site administrator can not unconditionally delegate responsibility for administering SP metadata; that is, a site administrator must always approve update requests made by a delegated administrator.
  • ProtectNetwork no longer releases attributes to the Federation Manager, so ProtectNetwork can no longer be used by delegated administrators to log into the Federation Manager.

For the Site Administrator

Note: Log in to the FM as a site admin at https://service1.internet2.edu/siteadmin

As a site administrator, you have the ability to provision one or more delegated administrators to manage SP metadata. You determine which entity descriptors may be edited by explicitly assigning a delegated administrator to one or more SPs. Any updates submitted by a delegated administrator are bounced back to you for approval, so the risk associated with the delegation of SP metadata is minimal.

Warning: Assigning SP Metadata to Existing Delegated Administrators

If you provisioned one or more delegated administrators prior to November 19, 2012 (when an upgrade to delegated administration occurred), please do the following:

  1. Log into the Federation Manager and click the link "Delegated Administrators"
  2. On the delegated administration page, click the link "Assign Metadata to Delegated Administrators"
  3. Next to the entityID of some SP, select the desired delegated administrator from the drop-down menu and press the "Add" button
  4. Repeat the previous step for every delegated administrator that needs to edit SP metadata

Each delegated administrator assigned as described above should now be able to edit SP metadata.

Preparing Your IdP

Since the delegated administrative login interface accepts federated credentials only, a site administrator must configure the IdP to release the following attributes to the Federation Manager (entityID https://fm.incommon.org/sp; see https://incommon.org/federation/info/entity.html?entityID=https%3A%2F%2Ffm.incommon.org%2Fsp):

  • eduPersonPrincipalName
  • mail
  • givenName
  • sn (surName)
Tip: Test Your IdP

You can test your IdP by logging into the following test SP:

https://service1.internet2.edu/test/
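As an added example (not code from this wiki or from the Federation Manager), the Python below performs the same check offline on a SAML 2.0 assertion, for instance one captured from the IdP's audit log or a browser SAML tracer while logging into the test SP: it looks for the four attributes by their standard OIDs (falling back to FriendlyName) and flags an ePPN released without its scope. The IdP entityID, the user values and the assertions themselves are constructed for the example.

```python
"""Offline check of a SAML 2.0 assertion for the attributes the Federation
Manager requires from a delegated administrator's IdP."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

# The four required attributes and the OIDs under which SAML 2.0 IdPs
# (Shibboleth included) normally assert them.
REQUIRED = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "givenName": "urn:oid:2.5.4.42",
    "sn": "urn:oid:2.5.4.4",
}
OID_TO_NAME = {oid: name for name, oid in REQUIRED.items()}


def released_attributes(assertion_xml: str) -> dict:
    """Map friendly name -> list of non-empty values for every saml:Attribute.
    An attribute is recognised by its OID first, then by FriendlyName, so a
    filter that emits only one of the two still matches."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        name = OID_TO_NAME.get(attr.get("Name")) or attr.get("FriendlyName") or attr.get("Name")
        values = [v.text.strip() for v in attr.findall(f"{{{SAML2}}}AttributeValue")
                  if v.text and v.text.strip()]
        found.setdefault(name, []).extend(values)
    return found


def check_release(assertion_xml: str) -> tuple:
    """Return (missing, problems). 'missing' lists required attributes that are
    absent or have no value; 'problems' lists values that are present but
    unusable, e.g. an ePPN without a scope."""
    attrs = released_attributes(assertion_xml)
    missing = [name for name in REQUIRED if not attrs.get(name)]
    problems = []
    for eppn in attrs.get("eduPersonPrincipalName", []):
        # ePPN is a scoped identifier: exactly one '@' and a non-empty scope.
        user, sep, scope = eppn.partition("@")
        if not (user and sep and scope) or "@" in scope:
            problems.append(f"unscoped or malformed eduPersonPrincipalName: {eppn!r}")
    return missing, problems


# --- constructed sample assertions (made-up IdP and user) -------------------
def _attribute(name: str, *values: str) -> str:
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (f'<saml:Attribute Name="{REQUIRED[name]}" FriendlyName="{name}" '
            f'NameFormat="{URI_FORMAT}">{vals}</saml:Attribute>')


def _assertion(*attributes: str) -> str:
    return (f'<saml:Assertion xmlns:saml="{SAML2}" ID="_example" Version="2.0" '
            'IssueInstant="2013-10-13T12:00:00Z">'
            "<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
            "<saml:AttributeStatement>" + "".join(attributes) + "</saml:AttributeStatement>"
            "</saml:Assertion>")


# What a correctly configured release to https://fm.incommon.org/sp looks like.
COMPLETE = _assertion(
    _attribute("eduPersonPrincipalName", "jdoe@example.edu"),
    _attribute("mail", "jane.doe@example.edu"),
    _attribute("givenName", "Jane"),
    _attribute("sn", "Doe"),
)

# A misconfigured filter: sn withheld, ePPN released without its scope.
INCOMPLETE = _assertion(
    _attribute("eduPersonPrincipalName", "jdoe"),
    _attribute("mail", "jane.doe@example.edu"),
    _attribute("givenName", "Jane"),
)

if __name__ == "__main__":
    for label, xml in (("complete", COMPLETE), ("incomplete", INCOMPLETE)):
        missing, problems = check_release(xml)
        print(label, "missing:", missing, "problems:", problems)
```

Run it against an assertion actually issued to https://fm.incommon.org/sp rather than the constructed ones: a non-empty `missing` list is exactly the attribute-filter gap the login failure will be hiding.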


Provisioning a Delegated Administrator

It's easy to provision a delegated administrator. To do so, a site administrator logs into the Federation Manager as usual and clicks the menu item "Delegated Administrators" along the left-hand side of the page. After providing the ePPN and email address of a prospective delegated administrator, the system sends an email invitation to the given email address (copying all other site administrators as well). The prospective delegated administrator clicks the link in the email to continue with the onboarding process.

Tip: Using the Google Gateway

If the delegated administrator will be using the Google Gateway, the ePPN asserted by the Gateway is based on the user's email address. Be sure to type in the correct ePPN when provisioning the delegated administrator. See the Google Gateway wiki page for more information.

Once the delegated administrator has successfully logged into the Federation Manager via SAML Web Browser SSO, a local account is provisioned. No local credentials are issued: the delegated administrator always logs in with a federated credential.

Warning

By provisioning a particular ePPN, a site administrator implicitly assumes the risk that the IdP always asserts that ePPN for the correct user. If you don't trust the IdP to do that, don't provision a delegated administrator with that ePPN.
Assigning Privileges to a Delegated Administrator

Delegated administrators are assigned to specific SPs. If you don't assign a delegated administrator to an SP, that delegated administrator will only be able to create new SP metadata. Typically, any given SP will have at most one delegated administrator assigned to it (although multiple delegated administrators may be assigned to a single SP if you choose).

Warning

If multiple delegated administrators are assigned to a single SP, one delegated administrator may edit and submit metadata without being aware that another delegated administrator has already submitted an update request for the same entity descriptor. For this reason, it is recommended that at most one delegated administrator be assigned to a particular SP.

Approving Updates Made by a Delegated Administrator

Since all updates must be approved by a site administrator, no delegated administrator can publish metadata unilaterally; the site administrator remains the last check on every change, which is how the integrity of metadata is maintained.

Warning

Since the site administrator approves all update requests, it is the site administrator who ultimately assumes the responsibility for all metadata submitted (which is the case in the absence of delegated administration as well).
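The rules in the two sections above, together with the limitations listed earlier (a site administrator may not be a delegated administrator for the same organization; a delegated administrator serves one organization; at most one delegated administrator per SP), as an added Python model. This is illustrative code, not the Federation Manager's implementation: the organizations, entityIDs and ePPNs are made up, and the one-pending-request-per-descriptor guard is an addition that the FM itself, as the page notes, does not enforce.

```python
"""Model of the delegated-administration rules on this page: who may be a
delegated admin, which SPs they may touch, and the site-admin approval gate."""
from dataclasses import dataclass, field

class DelegationError(Exception):
    """An action that the delegation rules forbid."""

@dataclass
class UpdateRequest:
    entity_id: str
    submitted_by: str          # ePPN of the delegated admin
    descriptor: str            # proposed EntityDescriptor, opaque here
    status: str = "pending"    # pending -> approved
    approved_by: str = None

@dataclass
class Organization:
    name: str
    site_admins: set                                # ePPNs of site administrators
    entity_ids: set                                 # entityIDs the organization owns
    delegated: dict = field(default_factory=dict)   # delegated-admin ePPN -> assigned SPs
    requests: list = field(default_factory=list)

class Federation:
    """All organizations together, so cross-organization rules can be checked."""
    def __init__(self, *orgs: Organization):
        self.orgs = {o.name: o for o in orgs}

    def provision(self, org_name: str, eppn: str) -> None:
        org = self.orgs[org_name]
        if eppn in org.site_admins:
            raise DelegationError(f"{eppn} is a site admin of {org_name} and cannot be its delegated admin")
        for other in self.orgs.values():
            if other is not org and eppn in other.delegated:
                raise DelegationError(f"{eppn} is already a delegated admin of {other.name}")
        org.delegated.setdefault(eppn, set())

    def assign(self, org_name: str, eppn: str, entity_id: str) -> list:
        """Assign an SP to a delegated admin; returns other admins already on it."""
        org = self.orgs[org_name]
        if eppn not in org.delegated:
            raise DelegationError(f"{eppn} has not been provisioned for {org_name}")
        if entity_id not in org.entity_ids:
            raise DelegationError(f"{entity_id} is not owned by {org_name}")
        shared = sorted(e for e, sps in org.delegated.items() if entity_id in sps and e != eppn)
        org.delegated[eppn].add(entity_id)
        return shared

    def submit(self, org_name: str, eppn: str, entity_id: str, descriptor: str) -> UpdateRequest:
        """Create a new SP or edit an assigned one; always yields a pending request."""
        org = self.orgs[org_name]
        if eppn not in org.delegated:
            raise DelegationError(f"{eppn} is not a delegated admin of {org_name}")
        if entity_id in org.entity_ids and entity_id not in org.delegated[eppn]:
            raise DelegationError(f"{eppn} is not assigned to {entity_id}")
        # Added guard the FM itself does not apply: one pending update per descriptor.
        if any(r.entity_id == entity_id and r.status == "pending" for r in org.requests):
            raise DelegationError(f"an update to {entity_id} is already awaiting approval")
        req = UpdateRequest(entity_id, eppn, descriptor)
        org.requests.append(req)
        return req

    def approve(self, org_name: str, site_admin: str, req: UpdateRequest) -> UpdateRequest:
        org = self.orgs[org_name]
        if site_admin not in org.site_admins:
            raise DelegationError(f"{site_admin} is not a site admin of {org_name}")
        if req.status != "pending":
            raise DelegationError(f"request for {req.entity_id} was already decided")
        req.status, req.approved_by = "approved", site_admin
        org.entity_ids.add(req.entity_id)   # a newly created SP now belongs to the org
        return req

def run_scenario() -> dict:
    """Exercise every rule on constructed organizations; returns what happened."""
    sp1, sp2 = "https://sp1.example.edu/shibboleth", "https://sp2.example.edu/shibboleth"
    fed = Federation(
        Organization("Example U", {"siteadmin@example.edu"}, {sp1, sp2}),
        Organization("Other U", {"admin@other.edu"}, {"https://sp.other.edu/shibboleth"}),
    )
    out = {}
    fed.provision("Example U", "da1@example.edu")
    fed.provision("Example U", "da2@example.edu")
    fed.assign("Example U", "da1@example.edu", sp1)
    out["shared_sp"] = fed.assign("Example U", "da2@example.edu", sp1)   # -> ['da1@example.edu']
    req = fed.submit("Example U", "da1@example.edu", sp1, "<md:EntityDescriptor/>")
    for label, action in (
        ("site_admin_as_delegated", lambda: fed.provision("Example U", "siteadmin@example.edu")),
        ("cross_org_delegated", lambda: fed.provision("Other U", "da1@example.edu")),
        ("edit_unassigned_sp", lambda: fed.submit("Example U", "da1@example.edu", sp2, "<md:EntityDescriptor/>")),
        ("second_pending_edit", lambda: fed.submit("Example U", "da2@example.edu", sp1, "<md:EntityDescriptor/>")),
        ("approve_as_delegated", lambda: fed.approve("Example U", "da2@example.edu", req)),
    ):
        try:
            action()
            out[label] = "allowed"
        except DelegationError as err:
            out[label] = f"refused: {err}"
    out["approved_by"] = fed.approve("Example U", "siteadmin@example.edu", req).approved_by
    return out
```

The point of the model is where the checks sit: assignment, not login, decides what a delegated administrator can edit, and nothing reaches the published metadata until `approve` is called by someone in `site_admins`. The shared-SP warning returned by `assign` is the software-side equivalent of the advice above to keep one delegated administrator per SP.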

For the Delegated Administrator

Note: Log in to the FM as a delegated admin at https://service1.internet2.edu/siteadmin/federated_login

As a delegated administrator, you will be able to create new SP metadata and edit existing SP metadata, subject to policy. Your privileges have been assigned to you by a site administrator. If you are unable to perform some action, talk to your site administrator. Only a site administrator can assign privileges to a delegated administrator.

Create New SP Metadata

Click the link "Add a New Service Provider" to create new SP metadata. Visit the Metadata Administration wiki page for tips, recommendations, and requirements regarding the administration of SP metadata.

Info

Any new metadata you create must be approved by your site administrator.

Edit Existing SP Metadata

When you log in as a delegated administrator, you will be presented with a list of all SPs owned by the organization. Those SPs you have been given permission to edit will have an "Edit" link next to their entity ID. Click the link to edit the metadata for that SP. If there is no "Edit" link next to the SP you want to edit, talk to your site administrator.

Info

Any metadata updates you submit must be approved by your site administrator.

Unlinking a Certificate

You may notice a link labeled "Unlink from the metadata" next to a certificate reference. This means the certificate was previously uploaded to the system by a site administrator and therefore can not be shown inline until you "Unlink" it. You should perform the following steps for each such certificate:

  1. Scroll down to the bottom of the page and copy the content of the <ds:X509Certificate> element in metadata.
  2. Paste the certificate content into an empty textarea.
  3. Click the "Unlink from the metadata" link.
  4. Submit an update request to your site administrator.

Once your site administrator approves the request, the certificate will appear inline where it is more easily reviewed and manipulated.
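To review a certificate once it appears inline, or to check one before unlinking it, the following added Python (not code from this wiki or from the Federation Manager) pulls every ds:X509Certificate out of an SP EntityDescriptor, strips the whitespace that metadata editors leave inside the element, validates the base64, and emits the PEM form and SHA-256 fingerprint a site administrator can compare against what the SP operator reports. The metadata is constructed for the example; the first certificate body is a placeholder rather than a real certificate, and the second is deliberately corrupt.

```python
"""Pull each <ds:X509Certificate> out of SP metadata, validate its encoding
and present it in the form a reviewing site administrator can inspect."""
import base64
import binascii
import hashlib
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated uppercase hex, as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour that openssl x509 and browsers accept."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_certificates(metadata_xml: str) -> list:
    """Return one dict per ds:X509Certificate under a md:KeyDescriptor.
    Whitespace and indentation inside the element are ignored, as SAML
    metadata consumers do; undecodable content is reported, not dropped."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use", "signing and encryption")   # no 'use' means both
        for node in kd.iter(f"{{{DS}}}X509Certificate"):
            b64 = "".join((node.text or "").split())
            try:
                der = base64.b64decode(b64, validate=True)
            except (binascii.Error, ValueError) as err:
                certs.append({"use": use, "error": f"not valid base64: {err}"})
                continue
            certs.append({
                "use": use,
                "der": der,
                "pem": to_pem(der),
                "sha256": fingerprint(der),
                # A DER certificate is an ASN.1 SEQUENCE, so it starts with 0x30.
                "looks_like_der": der[:1] == b"\x30",
            })
    return certs


# Constructed SP metadata (made-up entityID). The first certificate body is
# the base64 of the placeholder bytes b"0123456789", split across lines the
# way metadata editors often leave it; the second is deliberately corrupt.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MDEyMzQ1
          Njc4OQ==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>not*valid*base64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for cert in extract_certificates(SAMPLE_METADATA):
        if "error" in cert:
            print(f"[{cert['use']}] {cert['error']}")
        else:
            print(f"[{cert['use']}] SHA-256 {cert['sha256']}")
            print(cert["pem"])
```

With a real descriptor, feed the PEM output to `openssl x509 -noout -subject -dates` to read the subject and validity period; the fingerprint is what to confirm with the SP operator out of band before approving the request, since the approval is where responsibility for the metadata rests.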

Security Considerations

For delegated administrators, the Federation Manager recognizes federated credentials only (no local credentials are issued to delegated admins). Currently there are no explicit assurance requirements associated with the federated credentials of delegated administrators. Since a trusted site administrator must approve any metadata update request submitted by a delegated administrator, the approval process mitigates weaknesses in the delegated administrator's login credentials. That mitigation holds only as long as the site administrator actually reviews each request (endpoints, certificates, and the entityID being changed) rather than approving it on trust, since it is the site administrator who assumes responsibility for the metadata once it is approved.