Re: [inc-interfed] status update, creating combined metadata file

  • From: Tom Scavo <>
  • To: Interfederation TAC Subgroup <>
  • Subject: Re: [inc-interfed] status update, creating combined metadata file
  • Date: Sun, 24 Feb 2013 14:54:39 -0500
  • Authentication-results: sfpop-ironport04.merit.edu; dkim=pass (signature verified)

On Fri, Feb 22, 2013 at 10:33 AM, Steven Carmody <> wrote:
> On 2/22/13 6:45 AM, Scott Koranda wrote:
>>
>> Or, since you have done the hard work, should I take what you
>> have done and with your help transfer it to somewhere a bit
>> more permanent on a LIGO server?
>>
>> That is, should I try to do an installation of the Shibboleth
>> Metadata Aggregator on a LIGO server with your help and create
>> the same aggregate?

Since LIGO is a python shop, you may want to look at Leif's python
metadata aggregator:

https://github.com/leifj/pyFF#readme

But yes, as a first approximation you probably want to consume the InC
aggregate and the UKF aggregate, verify the signatures, validate the
expiration dates, and then create a custom aggregate that meets the
needs of your SP.

>> If your sandbox is somewhat stable I am happy to use it for
>> now but if you prefer I can get this transferred to something
>> that LIGO will look after as "production" until such time that
>> InCommon can host this service on behalf of the federation.

It's not clear what value InCommon Operations can add to a custom
metadata aggregate for LIGO. The aggregation process described above
is basically what needs to be done, and of course only you know who
you trust, so I'm not sure I see the advantage of Ops getting into the
middle of that. A centralized facility would certainly preclude the
need for each and every site to have to deploy the necessary software
and understand the security requirements of metadata aggregation, and
there may be enough benefit in that to warrant a centralized service
(there often is), but certainly LIGO can deploy a metadata aggregator
and get the ball rolling without assistance from Ops.

> I'd like to use the existence of this pilot instance (and its
> non-production status) as an incentive for us to start a conversation about
> what would be required to move this functionality to IC .....

Well, if we can keep our goals straight, it may be possible. The goals
suggested by the LIGO use case above are reasonable, but I don't think
the trust model can be easily centralized. In other words, I can
imagine a centralized system that lets the LIGO SP choose its desired
IdP partners, but I'm not clear how to construct a system that produces
a generic aggregate that is trusted by multiple sites. We don't make
trust decisions centrally today, and I don't think we really want to go
there.

Tom
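The aggregation steps outlined in the message above (consume the InC and UKF aggregates, verify their signatures, enforce validUntil, and build a custom aggregate holding only the IdPs the SP trusts), worked through as an added Python example that is not part of the original thread, of pyFF or of the Shibboleth Metadata Aggregator. The sample aggregates, entityIDs, trust list and "current" time are constructed, and signature checking assumes the xmlsec1 command-line tool with the federation signing certificate obtained out of band; signing the resulting aggregate with the site's own key is left to the deployer.

```python
import subprocess
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
ENT = "{%s}EntityDescriptor" % MD
# Constructed stand-ins for the InCommon and UK aggregates; idp.b has already expired.
INC_SAMPLE = ('<md:EntitiesDescriptor xmlns:md="%s" validUntil="2013-03-10T00:00:00Z">'
              '<md:EntityDescriptor entityID="https://idp.a.example/idp"/>'
              '<md:EntityDescriptor entityID="https://idp.b.example/idp" validUntil="2013-02-01T00:00:00Z"/>'
              '</md:EntitiesDescriptor>') % MD
UKF_SAMPLE = ('<md:EntitiesDescriptor xmlns:md="%s" validUntil="2013-03-10T00:00:00Z">'
              '<md:EntityDescriptor entityID="https://idp.a.example/idp"/>'
              '<md:EntityDescriptor entityID="https://idp.c.example/idp"/>'
              '</md:EntitiesDescriptor>') % MD
TRUSTED = {"https://idp.a.example/idp", "https://idp.b.example/idp", "https://idp.c.example/idp"}
NOW = datetime(2013, 2, 24, tzinfo=timezone.utc)  # constructed "current" time

def verify_signature(path, signer_cert_pem):
    """Verify the downloaded aggregate's XML signature with the xmlsec1 CLI against
    the federation signing cert obtained out of band, before anything parses it."""
    proc = subprocess.run(["xmlsec1", "--verify", "--pubkey-cert-pem", signer_cert_pem,
                           "--id-attr:ID", MD + ":EntitiesDescriptor", path], capture_output=True)
    return proc.returncode == 0

def _valid_until(elem):
    v = elem.get("validUntil")  # xsd:dateTime in UTC, e.g. 2013-03-10T00:00:00Z
    return datetime.fromisoformat(v.replace("Z", "+00:00")) if v else None

def select_trusted(aggregate_xml, trusted_ids, now):
    """Reject an expired aggregate outright, then keep only entities on the SP's
    own trust list that are not individually expired."""
    root = ET.fromstring(aggregate_xml)
    exp = _valid_until(root)
    if exp is not None and exp <= now:
        raise ValueError("aggregate expired at " + exp.isoformat())
    return [e for e in root.iter(ENT) if e.get("entityID") in trusted_ids
            and not (_valid_until(e) and _valid_until(e) <= now)]

def build_aggregate(aggregates, trusted_ids, now, lifetime=timedelta(days=7)):
    """Merge verified upstream aggregates into one custom aggregate (first copy
    of an entityID wins) with a short validUntil so the SP must refresh it."""
    out = ET.Element("{%s}EntitiesDescriptor" % MD, {"Name": "urn:example:custom",
                     "validUntil": (now + lifetime).strftime("%Y-%m-%dT%H:%M:%SZ")})
    chosen = {}  # entityID -> EntityDescriptor, first upstream copy wins
    for doc in aggregates:
        for ent in select_trusted(doc, trusted_ids, now):
            chosen.setdefault(ent.get("entityID"), ent)
    out.extend(chosen.values())
    return out
```

Serialize the returned element with ET.tostring(), then sign it with the site's own key before publishing it to the SP.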


