The InCommon Federation wiki has moved; updated content lives in the InCommon Federation Library wiki.



This is an old version of the page (version 16).

This is a roadmap for operationalizing eduGAIN participation in the InCommon Federation.

Operational Timeline

The following timeline for operationalizing eduGAIN was built around the milestone date of February 7, 2016, the date by which all non-technical requirements will have been met.


Milestones

A Global Metadata Aggregator that imports eduGAIN metadata as outlined in this document has been developed and deployed by InCommon Operations. Using this new infrastructure, a snapshot of global metadata was taken on October 29, 2015.

Phase 0 [DONE]

  • Introduce the <mdrpi:RegistrationInfo> element into production metadata
  • Introduce the registered-by-incommon entity attribute into production metadata
  • Introduce the <mdrpi:PublicationInfo> element into production metadata
    • Align with the <mdrpi:PublicationInfo> element in the export aggregate

Phase 1 [in production by November 20, 2015]

There are 994 global SP entities in eduGAIN metadata (as of October 29, 2015)

Perform the following operations:

  1. Deploy an updated user interface for requested attributes in the Federation Manager
    1. Deprecate SAML1-format <md:RequestedAttribute> elements in SP metadata
    2. Support the isRequired XML attribute in SP metadata
  2. Deploy a user interface for IdPs in the Federation Manager
    1. Give Site Administrators the ability to self-assert membership in the Hide From Discovery Category
  3. Deploy initial user interfaces for IdPs and SPs in the Federation Manager
    1. Give Site Administrators the ability to opt out of default export of IdP metadata
    2. Give Site Administrators the ability to explicitly opt into the export of SP metadata

Phase 2 [in production on January 11, 2016]

There are 1453 global IdP entities in eduGAIN metadata (as of October 29, 2015)

Perform the following operation:

  1. Import global metadata into the preview aggregate
    1. Advise deployers to point their pre-production systems at the preview aggregate

Post-Phase 2 Metrics

Once Phase 2 is complete, the InCommon preview aggregate will be over 33MB in size, with more than 1800 IdPs and 3500 SPs. (More than 2600 of those SPs are registered by InCommon.)

Phase 3 [in production on February 11, 2016]

Perform the following operations in order:

  1. Deploy final user interfaces for IdPs and SPs in the Federation Manager
    1. Continue to give Site Administrators the ability to opt out of default export of IdP metadata
    2. Continue to give Site Administrators the ability to explicitly opt into the export of SP metadata
  2. Import global metadata into the main production aggregate
    1. Sync the main production aggregate with the preview aggregate
    2. Maintain the fallback aggregate for a minimum of one month
  3. Export InCommon metadata to eduGAIN
    1. Export all IdP metadata by default, except those IdPs that have explicitly opted out
    2. Export SP metadata on demand, for those SPs that have explicitly opted in

The following groups of entities require special handling:

  1. Thirteen (13) InCommon SPs currently being exported to eduGAIN
  2. InCommon SPs registered in multiple federations
  3. InCommon SPs that already consume global IdP metadata
  4. InCommon IdPs that already consume global SP metadata

Technical Policy Rules

Import Rules (in order)

  1. Filter all imported entities whose <mdrpi:RegistrationInfo> element carries the XML attribute registrationAuthority='https://incommon.org'
    1. Entities so marked are registered by InCommon and must come from the primary source (InCommon's own registry) only; they are never re-imported via eduGAIN.
  2. Filter all entity attributes not on the Entity Attribute Whitelist (see subsection below)
  3. Filter all imported entities with weak keys
    1. The use of weak keys in metadata has security and privacy implications.
    2. There are no weak keys in InCommon metadata, and we would like to keep it that way.
  4. Filter all imported IdP entities that do not have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.
    1. In effect, all imported IdPs must support SAML2.
  5. Filter all imported SP entities that do not have at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.
    1. In effect, all imported SPs must support SAML2.
  6. Filter all imported entities that have the same entityID as an existing entity in the InCommon aggregate.
    1. This happens because some SPs choose to join multiple federations.
    2. Dozens of global SPs are filtered by this rule.

A number of additional rules are applied to ensure metadata correctness. Some common minor errors are corrected, but entities that fail checks such as XML schema validity are removed.

Log all entities that are:

  • filtered by an import rule
  • removed for lack of schema validity
  • modified in any way

Entity Attribute Whitelist

  1. (name, value) = (http://macedir.org/entity-category, http://refeds.org/category/research-and-scholarship)
  2. (name, value) = (http://macedir.org/entity-category-support, http://refeds.org/category/research-and-scholarship)
  3. (name, value) = (http://macedir.org/entity-category, http://refeds.org/category/hide-from-discovery)
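The import rules and the Entity Attribute Whitelist above, applied to a small aggregate in Python. This is an added example for this page, not the code of the InCommon Global Metadata Aggregator: it implements rules 1, 2, 4, 5 and 6 in the order listed plus the logging requirement, and leaves out rule 3 (weak keys) because that needs an X.509 parser. The sample entities, their entityIDs, the registration authority https://example.org/federation and all function names are constructed for the example.

```python
"""Import-rule filter for an eduGAIN aggregate (added example, not InCommon's
aggregator). Rule 3 (weak keys) is omitted: it needs an X.509 parser."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
INCOMMON_RA = "https://incommon.org"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"
# Entity Attribute Whitelist from the page: only these (Name, value) pairs survive import.
ENTITY_ATTRIBUTE_WHITELIST = {
    (ENTITY_CATEGORY, REFEDS_RS),
    ("http://macedir.org/entity-category-support", REFEDS_RS),
    (ENTITY_CATEGORY, "http://refeds.org/category/hide-from-discovery"),
}


def registration_authority(entity):
    ri = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return ri.get("registrationAuthority") if ri is not None else None


def has_endpoint(entity, role, endpoint, binding):
    """True if the `role` descriptor has an `endpoint` with `binding`. The SAML2
    binding URIs above exist only in SAML2, so this also establishes SAML2 support."""
    return entity.find(f"md:{role}/md:{endpoint}[@Binding='{binding}']", NS) is not None


def entity_attribute_pairs(entity):
    """All (Name, value) entity attribute pairs the entity carries, sorted."""
    return sorted((a.get("Name"), (v.text or "").strip())
                  for a in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)
                  for v in a.findall("saml:AttributeValue", NS))


def apply_whitelist(entity):
    """Rule 2: remove every (Name, value) pair not on the whitelist; True if anything changed."""
    changed = False
    ext = entity.find("md:Extensions", NS)
    for ea in entity.findall("md:Extensions/mdattr:EntityAttributes", NS):
        for attr in list(ea.findall("saml:Attribute", NS)):
            for value in list(attr.findall("saml:AttributeValue", NS)):
                if (attr.get("Name"), (value.text or "").strip()) not in ENTITY_ATTRIBUTE_WHITELIST:
                    attr.remove(value)
                    changed = True
            if attr.find("saml:AttributeValue", NS) is None:   # no values left: drop the attribute
                ea.remove(attr)
                changed = True
        if ea.find("saml:Attribute", NS) is None:               # no attributes left: drop the container
            ext.remove(ea)
    return changed


def import_global_metadata(aggregate_xml, existing_incommon_ids):
    """Apply import rules 1, 2, 4, 5, 6 in order. Returns (kept entities, log); the log
    records every entity filtered or modified. `existing_incommon_ids` holds the
    entityIDs already present in the InCommon aggregate (rule 6)."""
    root = ET.fromstring(aggregate_xml)
    kept, log = [], []
    for entity in root.findall("md:EntityDescriptor", NS):
        eid = entity.get("entityID")
        if registration_authority(entity) == INCOMMON_RA:
            log.append((eid, "filtered", "rule 1: registered by InCommon; primary source only"))
            continue
        if apply_whitelist(entity):
            log.append((eid, "modified", "rule 2: non-whitelisted entity attribute removed"))
        if entity.find("md:IDPSSODescriptor", NS) is not None and not has_endpoint(
                entity, "IDPSSODescriptor", "SingleSignOnService", HTTP_REDIRECT):
            log.append((eid, "filtered", "rule 4: no SAML2 HTTP-Redirect SingleSignOnService"))
            continue
        if entity.find("md:SPSSODescriptor", NS) is not None and not has_endpoint(
                entity, "SPSSODescriptor", "AssertionConsumerService", HTTP_POST):
            log.append((eid, "filtered", "rule 5: no SAML2 HTTP-POST AssertionConsumerService"))
            continue
        if eid in existing_incommon_ids:
            log.append((eid, "filtered", "rule 6: entityID already in the InCommon aggregate"))
            continue
        kept.append(entity)
    return kept, log


# Constructed sample data for this example; not real eduGAIN metadata.
def sample_entity(eid, ra, role, endpoint, binding, extra=""):
    return (f'<md:EntityDescriptor entityID="{eid}"><md:Extensions>'
            f'<mdrpi:RegistrationInfo registrationAuthority="{ra}"/>{extra}</md:Extensions>'
            f'<md:{role}><md:{endpoint} Binding="{binding}" Location="{eid}/ep"/></md:{role}>'
            "</md:EntityDescriptor>")

TAGS = (f'<mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">'
        f"<saml:AttributeValue>{REFEDS_RS}</saml:AttributeValue>"
        "<saml:AttributeValue>http://example.org/category/local-only</saml:AttributeValue>"
        "</saml:Attribute></mdattr:EntityAttributes>")
OTHER_RA = "https://example.org/federation"
SAMPLE_AGGREGATE = (
    "<md:EntitiesDescriptor " + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + ">"
    + sample_entity("https://idp.example.edu/idp", INCOMMON_RA, "IDPSSODescriptor", "SingleSignOnService", HTTP_REDIRECT)
    + sample_entity("https://idp.example.org/idp", OTHER_RA, "IDPSSODescriptor", "SingleSignOnService", HTTP_REDIRECT, TAGS)
    + sample_entity("https://legacy.example.org/idp", OTHER_RA, "IDPSSODescriptor", "SingleSignOnService",
                    "urn:mace:shibboleth:1.0:profiles:AuthnRequest")   # SAML1-only IdP
    + sample_entity("https://sp.example.net/shibboleth", OTHER_RA, "SPSSODescriptor", "AssertionConsumerService", HTTP_POST)
    + sample_entity("https://multi.example.com/sp", OTHER_RA, "SPSSODescriptor", "AssertionConsumerService", HTTP_POST)
    + "</md:EntitiesDescriptor>")


def run_import():
    """Run the filter on the sample; the InCommon aggregate already holds the multi-federation SP."""
    kept, log = import_global_metadata(SAMPLE_AGGREGATE, {"https://multi.example.com/sp"})
    return [e.get("entityID") for e in kept], log, kept


if __name__ == "__main__":
    kept_ids, log, _ = run_import()
    print("kept:", kept_ids)
    for eid, action, reason in log:
        print(f"{action:9}{eid}: {reason}")
```

Rule 6 needs the set of entityIDs already in the InCommon aggregate; the example passes a plain set, whereas in production that set is read from the current InCommon aggregate at import time. Note that an entity modified by rule 2 and then filtered by a later rule gets two log entries, which is the behaviour the logging requirement calls for.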

Export Rules

  1. Filter all exported entities whose <mdrpi:RegistrationInfo> element does not carry the XML attribute registrationAuthority='https://incommon.org'
    1. Only entities registered by InCommon will be exported.
  2. Filter the legacy incommon.org R&S entity attribute value from SP metadata:
    1. http://id.incommon.org/category/research-and-scholarship
    2. This tag remains in SP metadata for backwards compatibility only. We hope to remove it from SP metadata entirely in the future.
    3. This tag has nothing to do with R&S interoperability outside of the InCommon Federation; the REFEDS value (http://refeds.org/category/research-and-scholarship) carries that meaning and is left in place.
  3. All exported SP entities must have at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.
    1. The RA will prevent an SP lacking such an endpoint from being exported.
  4. All exported IdP entities must have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.
    1. For an IdP lacking such an endpoint, the RA will initialize the IdP's export option as "Do not export".
    2. The Site Admin may override the RA's initial decision not to export.
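The export rules above, as an added Python example (not Federation Manager or aggregator code), showing how the RA's initial export option and a Site Admin's override combine with the rules that cannot be overridden. It assumes the legacy incommon.org R&S value is http://id.incommon.org/category/research-and-scholarship and that Site Admin export choices are available as an entityID-to-boolean map; the entityIDs, the sample entities and the function names are constructed for the example.

```python
"""Export-rule filter for InCommon's own aggregate (added example, not
Federation Manager code). Assumptions: the legacy InCommon R&S value is
http://id.incommon.org/category/research-and-scholarship, and Site Admin
export choices arrive as an entityID -> bool map (True = export)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
INCOMMON_RA = "https://incommon.org"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"
LEGACY_RS = "http://id.incommon.org/category/research-and-scholarship"   # assumed legacy value


def registration_authority(entity):
    ri = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return ri.get("registrationAuthority") if ri is not None else None


def has_endpoint(entity, role, endpoint, binding):
    """True if the entity's `role` descriptor has an `endpoint` with `binding`."""
    return entity.find(f"md:{role}/md:{endpoint}[@Binding='{binding}']", NS) is not None


def entity_category_values(entity):
    """Values of the entity's entity-category attribute, in document order."""
    path = f"md:Extensions/mdattr:EntityAttributes/saml:Attribute[@Name='{ENTITY_CATEGORY}']/saml:AttributeValue"
    return [(v.text or "").strip() for v in entity.findall(path, NS)]


def strip_legacy_rs(entity):
    """Rule 2: drop the legacy InCommon R&S value from SP metadata only; the REFEDS
    value is untouched. Returns True if anything was removed."""
    if entity.find("md:SPSSODescriptor", NS) is None:
        return False
    changed = False
    path = f"md:Extensions/mdattr:EntityAttributes/saml:Attribute[@Name='{ENTITY_CATEGORY}']"
    for attr in entity.findall(path, NS):
        for value in list(attr.findall("saml:AttributeValue", NS)):
            if (value.text or "").strip() == LEGACY_RS:
                attr.remove(value)
                changed = True
    return changed


def initial_export_option(entity):
    """The RA's initial export option: an IdP is exported by default only when it has
    a SAML2 HTTP-Redirect SSO endpoint (rule 4); an SP must explicitly opt in."""
    if entity.find("md:IDPSSODescriptor", NS) is not None:
        return has_endpoint(entity, "IDPSSODescriptor", "SingleSignOnService", HTTP_REDIRECT)
    return False


def export_incommon_metadata(aggregate_xml, site_admin_choices):
    """Return (entities to export, decision log). A Site Admin choice overrides the
    RA's initial option; rules 1 and 3 cannot be overridden."""
    root = ET.fromstring(aggregate_xml)
    exported, log = [], []
    for entity in root.findall("md:EntityDescriptor", NS):
        eid = entity.get("entityID")
        if registration_authority(entity) != INCOMMON_RA:
            log.append((eid, "rule 1: not registered by InCommon, not exported"))
            continue
        if entity.find("md:SPSSODescriptor", NS) is not None and not has_endpoint(
                entity, "SPSSODescriptor", "AssertionConsumerService", HTTP_POST):
            log.append((eid, "rule 3: no SAML2 HTTP-POST AssertionConsumerService, export blocked by RA"))
            continue
        if not site_admin_choices.get(eid, initial_export_option(entity)):
            log.append((eid, "export option is 'Do not export'"))
            continue
        if strip_legacy_rs(entity):
            log.append((eid, "rule 2: legacy R&S value removed from SP metadata"))
        exported.append(entity)
    return exported, log


# Constructed sample data for this example; not real InCommon metadata.
def sample_entity(eid, ra, role, endpoint, binding, extra=""):
    return (f'<md:EntityDescriptor entityID="{eid}"><md:Extensions>'
            f'<mdrpi:RegistrationInfo registrationAuthority="{ra}"/>{extra}</md:Extensions>'
            f'<md:{role}><md:{endpoint} Binding="{binding}" Location="{eid}/ep"/></md:{role}>'
            "</md:EntityDescriptor>")

RS_TAGS = (f'<mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">'
           f"<saml:AttributeValue>{LEGACY_RS}</saml:AttributeValue>"
           f"<saml:AttributeValue>{REFEDS_RS}</saml:AttributeValue>"
           "</saml:Attribute></mdattr:EntityAttributes>")
SHIB1_SSO = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"   # SAML1-only SSO binding
SAMPLE_INCOMMON = (
    "<md:EntitiesDescriptor " + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + ">"
    + sample_entity("https://idp-a.example.edu/idp", INCOMMON_RA, "IDPSSODescriptor", "SingleSignOnService", HTTP_REDIRECT)
    + sample_entity("https://idp-b.example.edu/idp", INCOMMON_RA, "IDPSSODescriptor", "SingleSignOnService", HTTP_REDIRECT)
    + sample_entity("https://idp-c.example.edu/idp", INCOMMON_RA, "IDPSSODescriptor", "SingleSignOnService", SHIB1_SSO)
    + sample_entity("https://sp-a.example.edu/shibboleth", INCOMMON_RA, "SPSSODescriptor", "AssertionConsumerService", HTTP_POST, RS_TAGS)
    + sample_entity("https://sp-b.example.edu/shibboleth", INCOMMON_RA, "SPSSODescriptor", "AssertionConsumerService", HTTP_POST)
    + sample_entity("https://sp-c.example.org/shibboleth", "https://example.org/federation", "SPSSODescriptor", "AssertionConsumerService", HTTP_POST)
    + "</md:EntitiesDescriptor>")
# Site Admin decisions: idp-b opts out, idp-c overrides the RA's "Do not export", sp-a opts in.
SITE_ADMIN_CHOICES = {"https://idp-b.example.edu/idp": False,
                      "https://idp-c.example.edu/idp": True,
                      "https://sp-a.example.edu/shibboleth": True}


def run_export():
    exported, log = export_incommon_metadata(SAMPLE_INCOMMON, SITE_ADMIN_CHOICES)
    return [e.get("entityID") for e in exported], log, exported


if __name__ == "__main__":
    ids, log, _ = run_export()
    print("exported:", ids)
    for eid, reason in log:
        print(f"{eid}: {reason}")
```

The ordering matters: registration (rule 1) and the SP endpoint requirement (rule 3) are checked before the export option is consulted, so a Site Admin cannot opt an SP into export when the RA would block it, whereas an IdP without an HTTP-Redirect endpoint (idp-c in the sample) is merely defaulted to "Do not export" and the Site Admin's override is honoured.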