Interfederation

[Scott Koranda <>]

Hi,

> On Fri, Feb 22, 2013 at 10:33 AM, Steven Carmody
> <>
>  wrote:
> > On 2/22/13 6:45 AM, Scott Koranda wrote:
> >>
> >> Or, since you have done the hard work, should I take what you
> >> have done and with your help transfer it to somewhere a bit
> >> more permanent on a LIGO server?
> >>
> >> That is, should I try to do an installation of the Shibboleth
> >> Metadata Aggregator on a LIGO server with your help and create
> >> the same aggregate?
> 
> Since LIGO is a python shop, you may want to look at Leif's python
> metadata aggregator:
> 
> https://github.com/leifj/pyFF#readme

Thanks. We are a Python shop and I am sure Leif's work is
great, but I have a number of reasons to use the Shib
product:

- we use both the IdP and SP already
- Ian is quite involved and helpful!
- Steve already has done the hard work
- LIGO is a member of the Shibboleth Consortium 

> 
> But yes, as a first approximation you probably want to consume the InC
> aggregate and the UKF aggregate, verify the signatures, validate the
> expiration dates, and then create a custom aggregate that meets the
> needs of your SP.
> 
> >> If your sandbox is somewhat stable I am happy to use it for
> >> now but if you prefer I can get this transferred to something
> >> that LIGO will look after as "production" until such time that
> >> InCommon can host this service on behalf of the federation.
> 
> It's not clear what value InCommon Operations can add to a custom
> metadata aggregate for LIGO.

This exercise is not intended to create anything custom for
LIGO. If I was only interested in furthering LIGO's federation
I would just join the UK federation and be done with it (along
with about 10 other federations around the world).

What I would like is for LIGO to be a use case that helps
drive international interfederation between InCommon and other
federations.

> The aggregation process described above
> is basically what needs to be done, and of course only you know who
> you trust, so I'm not sure I see the advantage of Ops getting into the
> middle of that. A centralized facility would certainly preclude the
> need for each and every site to have to deploy the necessary software
> and understand the security requirements of metadata aggregation, 

Yes, precisely.

> and
> there may be enough benefit in that to warrant a centralized service
> (there often is) but certainly LIGO can deploy a metadata aggregator
> and get the ball rolling without assistance from Ops.

Yes, I think that is what has been done with Stephen's help.
:-)

I would like to see InCommon Ops begin to think about how to
evolve it so it can become and InCommon service more generally
useful than for just LIGO.

> 
> > I'd like to use the existence of this pilot instance (and its
> > non-production status) as an incentive for us to start a conversation 
> > about
> > what would be required to move this functionality to IC .....
> 
> Well, if we can keep our goals straight, it may be possible. The goals
> suggested by the LIGO use case above are reasonable but I don't think
> the trust model can be easily centralized. In other words, I can
> imagine a centralized system that lets the LIGO SP choose its desired
> IdP partners but I'm not clear how to construct a system that produces
> a generic aggregate that is trusted by multiple sites. We don't make
> trust decisions centrally today, and don't think we really want to go
> there.
> 

I do not think InCommon Ops needs to construct the system you
describe above.

I think it will be more than useful if InCommon Ops can put
together an aggregate that has some level of vetting, probably
determined by a mutual negotiation between InCommon and the UK
federation (and other federations eventually), and then let
the individual InCommon entities decided which other entities
to trust, just as can be done now with the standard InCommon
metadata feed.

In short, I am not asking InCommon Ops to make all my trust
decisions for me. I am asking InCommon Ops to manage a
"platform" that makes it easy for me as an InCommon member to
manage trust relationships with international partners.

Cheers,

Scott