This is a roadmap for operationalizing eduGAIN participation in the InCommon Federation.
Operational Timeline
Milestones
A Global Metadata Aggregator that imports eduGAIN metadata as outlined in this document has been developed and deployed by InCommon Operations. Using this new infrastructure, a snapshot of global metadata was taken on October 29, 2015.
Phase 0 [DONE]
- Introduce the <mdrpi:RegistrationInfo> element into production metadata
- Introduce the registered-by-incommon entity attribute into production metadata
- Introduce the <mdrpi:PublicationInfo> element into production metadata
- Align with the <mdrpi:PublicationInfo> element in the export aggregate
Phase 1 [in production by November 20, 2015]
There are 994 global SP entities in eduGAIN metadata (as of October 29, 2015)
Perform the following operations:
- Deploy an updated user interface for requested attributes in the Federation Manager
  - Deprecate SAML1-format <md:RequestedAttribute> elements in SP metadata
  - Support the isRequired XML attribute in SP metadata
- Deploy a user interface for IdPs in the Federation Manager
  - Give Site Administrators the ability to self-assert membership in the Hide From Discovery Category
- Deploy initial user interfaces for IdPs and SPs in the Federation Manager
  - Give Site Administrators the ability to opt out of default export of IdP metadata
  - Give Site Administrators the ability to explicitly opt into the export of SP metadata
Phase 2 [in production on January 11, 2016]
There are 1453 global IdP entities in eduGAIN metadata (as of October 29, 2015)
Perform the following operation:
- Import global metadata into the preview aggregate
- Advise deployers to point their pre-production systems at the preview aggregate
Post-Phase 2 Metrics
Phase 3 [in production on February 11, 2016]
Perform the following operations in order:
- Deploy final user interfaces for IdPs and SPs in the Federation Manager
  - Continue to give Site Administrators the ability to opt out of default export of IdP metadata
  - Continue to give Site Administrators the ability to explicitly opt into the export of SP metadata
- Import global metadata into the main production aggregate
  - Sync the main production aggregate with the preview aggregate
  - Maintain the fallback aggregate for a minimum of one month
- Export InCommon metadata to eduGAIN
  - Export all IdP metadata by default, except those IdPs that have explicitly opted out
  - Export SP metadata on demand, for those SPs that have explicitly opted in
The following groups of entities require special handling:
- Thirteen (13) InCommon SPs currently being exported to eduGAIN
- InCommon SPs registered in multiple federations
- InCommon SPs that already consume global IdP metadata
- InCommon IdPs that already consume global SP metadata
Technical Policy Rules
Import Rules (in order)
- Filter all imported entities with XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
  - Entities so marked must come from primary sources only.
- Filter all entity attributes not on the Entity Attribute Whitelist (see subsection below)
- Filter all imported entities with weak keys
  - The use of weak keys in metadata has security and privacy implications.
  - There are no weak keys in InCommon metadata and so we'd like to keep it that way.
- Filter all imported IdP entities that do not have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.
  - In effect, all imported IdPs must support SAML2.
- Filter all imported SP entities that do not have at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.
  - In effect, all imported SPs must support SAML2.
- Filter all imported entities that have the same entityID as an existing entity in the InCommon aggregate.
  - This happens because some SPs choose to join multiple federations.
  - Dozens of global SPs are filtered by this rule.
A number of additional rules are applied to ensure metadata correctness. Some minor but common errors are corrected. Entities failing checks such as XML schema validity are removed.
Entity Attribute Whitelist
- (name, value) = (http://macedir.org/entity-category, http://refeds.org/category/research-and-scholarship)
- (name, value) = (http://macedir.org/entity-category-support, http://refeds.org/category/research-and-scholarship)
- (name, value) = (http://macedir.org/entity-category, http://refeds.org/category/hide-from-discovery)
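The import rules and the Entity Attribute Whitelist above, applied to a SAML metadata aggregate, as an added example (not InCommon's own aggregator code): it drops entities claiming the InCommon registrationAuthority, entities whose entityID is already in the local aggregate, IdPs without a SAML2 HTTP-Redirect SingleSignOnService, and SPs without a SAML2 HTTP-POST AssertionConsumerService, then strips entity attribute values not on the whitelist. The weak-key and schema-validity checks are assumed to be handled elsewhere, and the sample metadata is constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REDIRECT, POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect", "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
INCOMMON_RA = "https://incommon.org"
EC, EC_SUPPORT = "http://macedir.org/entity-category", "http://macedir.org/entity-category-support"
RS, HIDE = "http://refeds.org/category/research-and-scholarship", "http://refeds.org/category/hide-from-discovery"
WHITELIST = {(EC, RS), (EC_SUPPORT, RS), (EC, HIDE)}  # the Entity Attribute Whitelist from this page

def has_endpoint(role, tag, binding):
    return any(ep.get("Binding") == binding for ep in role.findall(tag, NS))

def apply_import_rules(global_xml, local_entity_ids):
    """Prune an EntitiesDescriptor per the import rules; returns (kept entityIDs, pruned tree).
    Weak-key and schema-validity checks are assumed to run elsewhere (not shown here)."""
    root = ET.fromstring(global_xml)
    kept = []
    for ed in list(root.findall("md:EntityDescriptor", NS)):
        eid = ed.get("entityID")
        ri = ed.find(".//mdrpi:RegistrationInfo", NS)
        idp, sp = ed.find("md:IDPSSODescriptor", NS), ed.find("md:SPSSODescriptor", NS)
        drop = ((ri is not None and ri.get("registrationAuthority") == INCOMMON_RA)  # primary source only
                or eid in local_entity_ids                                           # entityID already local
                or (idp is not None and not has_endpoint(idp, "md:SingleSignOnService", REDIRECT))
                or (sp is not None and not has_endpoint(sp, "md:AssertionConsumerService", POST)))
        if drop:
            root.remove(ed)
            continue
        for attrs in ed.findall(".//mdattr:EntityAttributes", NS):  # keep only whitelisted (name, value) pairs
            for attr in list(attrs.findall("saml:Attribute", NS)):
                for val in list(attr.findall("saml:AttributeValue", NS)):
                    if (attr.get("Name"), (val.text or "").strip()) not in WHITELIST:
                        attr.remove(val)
                if attr.find("saml:AttributeValue", NS) is None:  # drop attributes left with no values
                    attrs.remove(attr)
        kept.append(eid)
    return kept, root

# Constructed sample: an SP claiming InCommon registration (must come from the primary source) and a SAML2 IdP.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
 <md:EntityDescriptor entityID="https://sp.example.edu/sp"><md:Extensions><mdrpi:RegistrationInfo
  registrationAuthority="https://incommon.org"/></md:Extensions><md:SPSSODescriptor><md:AssertionConsumerService
  index="1" Location="https://sp.example.edu/ACS" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </md:SPSSODescriptor></md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.example.org/idp"><md:IDPSSODescriptor><md:SingleSignOnService
  Location="https://idp.example.org/SSO" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor></md:EntityDescriptor></md:EntitiesDescriptor>"""
if __name__ == "__main__":
    print(apply_import_rules(SAMPLE, set())[0])  # ['https://idp.example.org/idp']
```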
Export Rules
- Filter all exported entities not having XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
  - Only entities registered by InCommon will be exported.
- Filter the legacy incommon.org R&S entity attribute value from SP metadata
  - This tag remains in SP metadata for backwards compatibility only. We hope to completely remove this tag from SP metadata in the future.
  - This tag has nothing to do with R&S interoperability outside of the InCommon Federation.
- Do not export SAML1-only entities.
  - All exported IdP entities must have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.
  - All exported SP entities must have at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.