
This is a roadmap for operationalizing eduGAIN participation in the InCommon Federation.

Operational Timeline

The following timeline for operationalizing eduGAIN was built around the milestone date of February 7, 2016, the date by which all non-technical requirements will have been met.

Milestones

A Global Metadata Aggregator that imports eduGAIN metadata as outlined in this document has been developed and deployed by InCommon Operations. Using this new infrastructure, a snapshot of global metadata was taken on October 29, 2015.

Phase 0 [DONE]

  • Introduce the <mdrpi:RegistrationInfo> element into production metadata
  • Introduce the registered-by-incommon entity attribute into production metadata
  • Introduce the <mdrpi:PublicationInfo> element into production metadata
    • Align with the <mdrpi:PublicationInfo> element in the export aggregate

Phase 1 [in production by November 20, 2015]

There are 994 global SP entities in eduGAIN metadata (as of October 29, 2015)

Perform the following operations:

  1. Deploy a user interface for IdPs in the Federation Manager
    1. Give Site Administrators the ability to self-assert membership in the Hide From Discovery Category
  2. Deploy initial user interfaces for IdPs and SPs in the Federation Manager
    1. Give Site Administrators the ability to opt out of default export of IdP metadata
    2. Give Site Administrators the ability to explicitly opt into the export of SP metadata

Phase 2 [in production on January 11, 2016]

There are 1453 global IdP entities in eduGAIN metadata (as of October 29, 2015)

Perform the following operation:

  1. Import global metadata into the preview aggregate
    1. Advise deployers to point their pre-production systems at the preview aggregate

Post-Phase 2 Metrics

Once Phase 2 is complete, the InCommon preview aggregate will be over 33MB in size, with more than 1800 IdPs and 3500 SPs. (More than 2600 of those SPs are registered by InCommon.)

Phase 3 [in production on February 11, 2016]

Perform the following operations in order:

  1. Deploy final user interfaces for IdPs and SPs in the Federation Manager
    1. Continue to give Site Administrators the ability to opt out of default export of IdP metadata
    2. Continue to give Site Administrators the ability to explicitly opt into the export of SP metadata
  2. Import global metadata into the main production aggregate
    1. Sync the main production aggregate with the preview aggregate
    2. Maintain the fallback aggregate for a minimum of one month
  3. Export InCommon metadata to eduGAIN
    1. Export all IdP metadata by default, except those IdPs that have explicitly opted out
    2. Export SP metadata on demand, for those SPs that have explicitly opted in

The following groups of entities require special handling:

  1. Thirteen (13) InCommon SPs currently being exported to eduGAIN
  2. InCommon SPs registered in multiple federations
  3. InCommon SPs that already consume global IdP metadata
  4. InCommon IdPs that already consume global SP metadata

Policy Rules

Import Rules (in order)

  1. Filter all imported entities having an <mdrpi:RegistrationInfo> element with registrationAuthority='https://incommon.org' (XPath: mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org'])
    1. Entities registered by InCommon must come from InCommon's primary source only. A copy arriving via eduGAIN that claims InCommon as its registrar is discarded, not trusted, so a third party cannot inject "InCommon-registered" entities through the import path.
  2. Filter all entity attributes not on the Entity Attribute Whitelist (see subsection below)
  3. Filter all imported entities with weak keys
    1. The use of weak keys in metadata has security and privacy implications.
    2. There are no weak keys in InCommon metadata, and we would like to keep it that way.
  4. Filter all imported IdP entities that do not have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding. [to be discussed]
    1. In effect, all imported IdPs must support SAML2.
    2. This rule has no effect until Phase 2, when global IdP metadata is first imported.
  5. Filter all imported entities that have the same entityID as an existing entity in the InCommon aggregate.
    1. This happens because some SPs choose to join multiple federations; the InCommon registration takes precedence over the copy in eduGAIN.
    2. Dozens of global SPs are filtered by this rule.

A number of additional rules are applied to ensure metadata correctness. Some minor but common errors are corrected. Entities failing checks such as XML schema validity are removed.

Entity Attribute Whitelist

  1. (name, value) = (http://macedir.org/entity-category, http://refeds.org/category/research-and-scholarship)
  2. (name, value) = (http://macedir.org/entity-category-support, http://refeds.org/category/research-and-scholarship)
  3. (name, value) = (http://macedir.org/entity-category, http://refeds.org/category/hide-from-discovery)

Export Rules

  1. Filter all exported entities not having an <mdrpi:RegistrationInfo> element with registrationAuthority='https://incommon.org' (XPath: mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org'])
    1. Only entities registered by InCommon will be exported. In particular, entities imported from eduGAIN are never re-exported.
  2. Filter the legacy incommon.org R&S entity attribute value from SP metadata
    1. This tag remains in SP metadata for backwards compatibility only. We hope to completely remove this tag from SP metadata in the future.
    2. This tag has nothing to do with R&S interoperability outside the InCommon Federation; only the REFEDS R&S value is meaningful to other federations.
  3. Filter all exported IdP entities that do not have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding. [to be discussed]
    1. In effect, all exported IdPs must support SAML2.
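The import rules and the export rules above, applied to constructed sample metadata as an added example; this is not InCommon's Global Metadata Aggregator code. It uses only the Python standard library and assumes three things the page does not state: keys appear as ds:RSAKeyValue so the modulus length can be read without an X.509 parser (production aggregates carry ds:X509Certificate, for which you would use a library such as cryptography), the weak-key threshold is 2048 bits, and the legacy incommon.org R&S tag is http://id.incommon.org/category/research-and-scholarship. The entity IDs, the UK federation registrar URI, the non-whitelisted category and the Phase 3 opt-in/opt-out sets are made up for the demonstration.

```python
# Added example, not InCommon's aggregator code. Sample keys use ds:RSAKeyValue (real aggregates carry X.509 certs).
import base64
import copy
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
INCOMMON_RA, REDIRECT = "https://incommon.org", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"
LEGACY_INCOMMON_RS = "http://id.incommon.org/category/research-and-scholarship"  # assumed URI of the legacy tag
WHITELIST = {(ENTITY_CATEGORY, REFEDS_RS), (ENTITY_CATEGORY_SUPPORT, REFEDS_RS),
             (ENTITY_CATEGORY, "http://refeds.org/category/hide-from-discovery")}
TEMPLATE = """<md:EntityDescriptor xmlns:md="{md}" xmlns:mdrpi="{mdrpi}" xmlns:mdattr="{mdattr}"
    xmlns:saml="{saml}" xmlns:ds="{ds}" entityID="{eid}">
  <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="{ra}"/>
    <mdattr:EntityAttributes>{attrs}</mdattr:EntityAttributes></md:Extensions>
  <md:{role}><md:KeyDescriptor><ds:KeyInfo><ds:KeyValue><ds:RSAKeyValue><ds:Modulus>{mod}</ds:Modulus>
    </ds:RSAKeyValue></ds:KeyValue></ds:KeyInfo></md:KeyDescriptor>{sso}</md:{role}>
</md:EntityDescriptor>"""

def registration_authority(ent):
    ri = ent.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return None if ri is None else ri.get("registrationAuthority")

def entity_attributes(ent):  # every (Name, value) pair in the entity's mdattr:EntityAttributes
    return {(a.get("Name"), (v.text or "").strip()) for a in ent.findall(".//mdattr:EntityAttributes/saml:Attribute", NS)
            for v in a.findall("saml:AttributeValue", NS)}

def prune_entity_attributes(ent, allowed):  # drop every (Name, value) pair for which allowed(pair) is false
    for a in ent.findall(".//mdattr:EntityAttributes/saml:Attribute", NS):
        for v in [v for v in a if not allowed((a.get("Name"), (v.text or "").strip()))]:
            a.remove(v)

def rsa_key_bits(ent):  # shortest RSA modulus among the entity's keys, or None if it carries none
    sizes = [int.from_bytes(base64.b64decode(m.text), "big").bit_length() for m in ent.findall(".//ds:Modulus", NS)]
    return min(sizes) if sizes else None

def has_saml2_redirect_sso(ent):
    return any(s.get("Binding") == REDIRECT for s in ent.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS))

def import_global(global_entities, local_entities, min_rsa_bits=2048):
    """Import rules in page order (2048-bit threshold assumed). Returns (kept, dropped); dropped maps entityID to rule."""
    local_ids = {e.get("entityID") for e in local_entities}
    rules = [(1, lambda e: registration_authority(e) == INCOMMON_RA),   # InCommon entities: primary source only
             (3, lambda e: (rsa_key_bits(e) or min_rsa_bits) < min_rsa_bits),  # an entity with no key is not weak
             (4, lambda e: e.find("md:IDPSSODescriptor", NS) is not None and not has_saml2_redirect_sso(e)),
             (5, lambda e: e.get("entityID") in local_ids)]                  # entityID already registered locally
    kept, dropped = [], {}
    for ent in global_entities:
        prune_entity_attributes(ent, lambda nv: nv in WHITELIST)  # rule 2 prunes; no later rule reads attributes
        rule = next((n for n, rejects in rules if rejects(ent)), None)
        if rule is None:
            kept.append(ent)
        else:
            dropped[ent.get("entityID")] = rule
    return kept, dropped

def export_local(entities, idp_opt_out=frozenset(), sp_opt_in=frozenset()):
    """Export rules plus the Phase 3 defaults: IdPs go out unless opted out, SPs go out only if opted in."""
    out = []
    for ent in entities:
        eid, idp = ent.get("entityID"), ent.find("md:IDPSSODescriptor", NS) is not None
        if registration_authority(ent) != INCOMMON_RA:   # rule 1: only InCommon-registered entities leave
            continue
        if idp and eid not in idp_opt_out and has_saml2_redirect_sso(ent):   # rule 3
            out.append(ent)
        elif not idp and eid in sp_opt_in:
            ent = copy.deepcopy(ent)   # rule 2 rewrites the SP; leave the production aggregate untouched
            prune_entity_attributes(ent, lambda nv: nv != (ENTITY_CATEGORY, LEGACY_INCOMMON_RS))
            out.append(ent)
    return out

def make_entity(eid, ra, role, key_bits=2048, bindings=(), attrs=()):  # constructed sample, not real metadata
    attr_xml = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
                       for n, v in attrs)
    sso_xml = "".join(f'<md:SingleSignOnService Binding="{b}" Location="{eid}/SSO"/>' for b in bindings)
    modulus = (1 << (key_bits - 1)) | 1   # top bit set, so the modulus is exactly key_bits long
    mod = base64.b64encode(modulus.to_bytes(key_bits // 8, "big")).decode()
    return ET.fromstring(TEMPLATE.format(**NS, eid=eid, ra=ra, role=role, attrs=attr_xml, sso=sso_xml, mod=mod))

def build_samples():  # constructed eduGAIN (global) and InCommon (local) inputs that exercise each rule
    uk, idp, sp = "https://ukfederation.org.uk", "IDPSSODescriptor", "SPSSODescriptor"
    global_entities = [
        make_entity("https://idp.example.ac.uk/idp", uk, idp, bindings=(REDIRECT,),
                    attrs=((ENTITY_CATEGORY, REFEDS_RS), (ENTITY_CATEGORY, "http://example.org/not-whitelisted"))),
        make_entity("https://spoof.example/idp", INCOMMON_RA, idp, bindings=(REDIRECT,)),
        make_entity("https://idp.weak.example/idp", uk, idp, key_bits=1024, bindings=(REDIRECT,)),
        make_entity("https://idp.saml1.example/idp", uk, idp, bindings=("urn:mace:shibboleth:1.0:profiles:AuthnRequest",)),
        make_entity("https://sp.multi.example/shibboleth", uk, sp)]
    local_entities = [
        make_entity("https://idp.local.example/idp", INCOMMON_RA, idp, bindings=(REDIRECT,)),
        make_entity("https://idp.optout.example/idp", INCOMMON_RA, idp, bindings=(REDIRECT,)),
        make_entity("https://sp.multi.example/shibboleth", INCOMMON_RA, sp,
                    attrs=((ENTITY_CATEGORY, REFEDS_RS), (ENTITY_CATEGORY, LEGACY_INCOMMON_RS)))]
    return global_entities, local_entities
```

import_global reports which rule removed each entity, which is the audit trail an operator wants when an IdP is missing from the preview aggregate; the spoofed entity claiming InCommon as registrar is rejected by rule 1 before any other check runs. export_local combines the three export rules with the Phase 3 defaults and strips the legacy tag from a copy of each opted-in SP, so the export never rewrites the production aggregate it was built from; entities that arrived via the import (the UK-registered IdP in the sample) are never re-exported.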

Metadata Export Options

Deployment Date

The initial versions of the following user interfaces will be deployed in the Federation Manager in production at Phase 1. Updated interfaces will be deployed in production at Phases 2 and 3.

SP Metadata Export Options

The following user interface will be deployed at Phase 1:

SP Metadata Export Options (initial version)

If you want your SP metadata to be exported to eduGAIN, check the box below. If you do not want your SP metadata to be exported to eduGAIN, leave it unchecked to prevent export.

IMPORTANT. If you do not export your SP metadata to eduGAIN, global IdPs will have no metadata for your SP and cannot complete a login to it. If your SP has a dynamic discovery interface, filter eduGAIN metadata at the SP so that those IdPs are not offered to users; otherwise some users will have a failed login experience. Configure your SP using the Registered By InCommon Category by December 1, 2015.

[checkbox] Export my SP metadata to eduGAIN beginning on December 1st (recommended)

Questions? Visit our wiki for a complete eduGAIN timeline and FAQ: [URL]

The checkbox in the above interface is not checked by default.

At Phase 2, InCommon Operations will begin importing IdP metadata from eduGAIN. At that time, we will replace the initial user interface for SPs with the following simplified user interface:

SP Metadata Export Options (final version)

If you want your SP metadata to be exported to eduGAIN, check the box below. If you do not want your SP metadata to be exported to eduGAIN, leave it unchecked to prevent export.

IMPORTANT. If you do not export your SP metadata to eduGAIN, global IdPs will have no metadata for your SP and cannot complete a login to it. If your SP has a dynamic discovery interface, filter eduGAIN metadata at the SP so that those IdPs are not offered to users; otherwise some users will have a failed login experience. You should immediately configure your SP using the Registered By InCommon Category.

[checkbox] Export my SP metadata to eduGAIN (recommended)

Questions? Visit our wiki for a comprehensive eduGAIN FAQ: [URL]

The default value of the latter checkbox depends on the state of the former checkbox.

IdP Metadata Export Options

The following user interface will be deployed at Phase 1:

IdP Metadata Export Options (initial version)

If you want your IdP metadata to be exported to eduGAIN, click the first or second button below. If you do not want your IdP metadata to be exported to eduGAIN, click the third button below to prevent export.

IMPORTANT. Consider your choices carefully. Once you start exporting your IdP metadata to eduGAIN, it will be difficult to reverse that process without causing interoperability and usability issues.

NOTE. Before exporting your IdP metadata to eduGAIN, review the effect of your currently configured attribute release rules in the presence of global SP metadata. If necessary, use the Registered By InCommon Category to adjust your attribute release policy.

[radio] Export my IdP metadata to eduGAIN beginning on December 1, 2015 (recommended)
[radio] Export my IdP metadata to eduGAIN beginning on March 1, 2016
[radio] Do not export my IdP metadata to eduGAIN without my permission

Questions? Visit our wiki for a complete eduGAIN timeline and FAQ: [URL]

The second radio button in the above interface is checked by default.

At Phase 2, InCommon Operations will begin importing SP metadata from eduGAIN. At that time, we will replace the initial user interface for IdPs with the following updated user interface:

IdP Metadata Export Options (intermediate version)

If you want your IdP metadata to be exported to eduGAIN, click the first or second button below. If you do not want your IdP metadata to be exported to eduGAIN, click the third button below to prevent export.

IMPORTANT. Consider your choices carefully. Once you start exporting your IdP metadata to eduGAIN, it will be difficult to reverse that process without causing interoperability and usability issues.

NOTE. Before exporting your IdP metadata to eduGAIN, review the effect of your currently configured attribute release rules in the presence of global SP metadata. If necessary, use the Registered By InCommon Category to adjust your attribute release policy.

[radio] Export my IdP metadata to eduGAIN immediately (recommended)
[radio] Export my IdP metadata to eduGAIN beginning on March 1, 2016
[radio] Do not export my IdP metadata to eduGAIN without my permission

Questions? Visit our wiki for a complete eduGAIN timeline and FAQ: [URL]

The default value of the latter set of radio buttons depends on the state of the former set of radio buttons.

At Phase 3, InCommon Operations will begin exporting IdP metadata to eduGAIN by default. At that time, we will replace the previous user interface for IdPs with the following simplified user interface:

IdP Metadata Export Options (final version)

If you do not want your IdP metadata to be exported to eduGAIN, check the box below. If you leave it unchecked, your IdP metadata will be exported to eduGAIN by default.

IMPORTANT. Once we start exporting your IdP metadata to eduGAIN, it will be difficult to reverse that process without causing interoperability and usability issues. If you have doubts, check the box below to prevent your IdP metadata from being exported to eduGAIN.

NOTE. Review the resulting effect of your currently configured attribute release rules in the presence of global SP metadata. If necessary, use the Registered By InCommon Category to adjust your attribute release policy.

[checkbox] Do not export my IdP metadata to eduGAIN without my permission

Questions? Visit our wiki for a comprehensive eduGAIN FAQ: [URL]

The default value of the checkbox depends on the state of the former set of radio buttons.
