interfed - Re: [inc-interfed] status update, creating combined metadata file

Subject: Interfederation


  • From: Tom Scavo <>
  • To: Interfederation TAC Subgroup <>
  • Subject: Re: [inc-interfed] status update, creating combined metadata file
  • Date: Mon, 25 Feb 2013 11:37:10 -0500
  • Authentication-results: sfpop-ironport02.merit.edu; dkim=pass (signature verified)

On Mon, Feb 25, 2013 at 9:50 AM, Scott Koranda
<>
wrote:
>>
>> First you tell me what other
>> entities you want to trust and then I will securely assemble the
>> corresponding entity descriptors into an aggregate that you can
>> consume. Does that meet your needs?
>
> I think so, though I don't want to have to go out and discover
> entity IDs on my own.

I don't think that's a reasonable requirement given the level of
sophistication of today's federations. For example, like it or not,
you have to discover the entityIDs of IdPs in the InCommon Federation
if you want to interoperate with them. We invented R&S precisely so
you wouldn't have to, but R&S is not yet widely deployed so we have a
long way to go before an IdP and SP in InC can interoperate
seamlessly.

Clearly attribute release dominates an SP's ability to interoperate
with IdPs. Even if you possessed one huge file of all the IdPs of the
world, you'd still have to contact each one to negotiate attribute
release. It's not reasonable to think interfederation will "just work"
any more than it's reasonable to think federation will "just work."
Metadata isn't sufficient. We need to solve the privacy issue (i.e.,
attribute release).

> I want my internal conversation to go somewhat like this:
>
> - I have a user at Cardiff that needs to get to my SP
> - I need to have my SP interoperate with the Cardiff IdP
> - The Cardiff IdP is part of the UK federation
> - InCommon has an exchange agreement with the UK federation
> - I can consume an InCommon metadata aggregate that has the Cardiff IdP
> - The Cardiff IdP can consume a UK aggregate that has my SP
> - I just need to make a simple configuration change on my SP
> to consume that new feed
>
> Ideally this can all happen without me having to contact you,
> Ian Young, or even the Cardiff IdP operator.

I don't think you can avoid the latter if you want attributes.

> In the same way
> that since my SP is in InCommon I don't have to contact OSU to
> have their IdP recognize my SP.

OSU is a bad example since the OSU IdP releases attributes to ALL SPs.
Few IdPs in the InCommon Federation do this. Almost no IdPs in the EU
do this. You will certainly be contacting IdPs in the EU one by one.

> I know it will
> take a while to get there but that is where I would like to
> get.

Using your sequence of steps as a basis, I can support the following
scenario without worrying about crossing the policy line:

- I have a user at Cardiff that needs to get to my SP
- I need to have my SP interoperate with the Cardiff IdP
- I log into the Federation Manager and discover the Cardiff IdP (via
a discovery-like interface), which adds the Cardiff IdP to my list of
IdP partners
- InC Ops adds Cardiff IdP metadata to InCommon IdP metadata,
providing me with a custom IdP aggregate for my SP
- I can consume the custom InCommon metadata aggregate that has the Cardiff
IdP
- The Cardiff IdP can consume a UK aggregate that has my SP

Does that work for you?

> I want InCommon to make some trust decisions. I will rely on
> the experts to get it right but my naive ideas are:
>
> - I want to know InCommon and the UK have had some type of
> formal discussion.
> - I want to know there is a document (MOU?) that explains the
> agreement between the two federations and where I can read
> that document.

The above two requirements could become prerequisites before we expose
UKF IdPs via the discovery-like interface described earlier.

> - I want to know that the entities that the UK "passes along"
> to InCommon and that InCommon makes available as a feed to
> me are entities that are in good standing in the UK
> federation.

I can't say. Only the UKF can make that claim.

> - If InCommon and the UK can agree on categories like R&S and
> what they mean I want to know if entities in the UK are part
> of those categories.

I suppose InC and UKF could work towards standardizing R&S but this
really is a discussion for REFEDs (and I believe it's a REFEDs work
item in fact).

> - If InCommon and the UK can agree on LOA and what they mean I
> want to know if entities in the UK are part of a particular
> LOA.

This, too, is a REFEDs work item.

Tom
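The step Tom describes at the top of the thread ("tell me what other entities you want to trust and I will securely assemble the corresponding entity descriptors into an aggregate that you can consume") and the "custom IdP aggregate for my SP" in his six-step scenario amount to the same operation: cutting a per-SP aggregate out of a partner federation's aggregate by entityID. The script below is an added example, not code from this thread or from InCommon or UKF tooling. It assumes the upstream EntitiesDescriptor has already been fetched and its XML signature verified out of band (for example with xmlsec1), that the output will be signed before the SP consumes it, and it uses a constructed sample aggregate with hypothetical entityIDs and hostnames. The checks a practitioner would want are in it: a requested entityID that is not upstream is an error rather than a silent omission, duplicate entityIDs in the upstream feed are refused, an SP asking for "IdP partners" cannot pull in an SP descriptor, and the upstream validUntil is carried over so the custom feed cannot outlive its source.

```python
"""Assemble a custom SAML metadata aggregate from a trusted upstream aggregate.

Added example (not code from the thread or from InCommon/UKF tooling). It
assumes the upstream EntitiesDescriptor has already been fetched and its
XML signature verified out of band (e.g. with xmlsec1), and that the
resulting aggregate will be signed before an SP consumes it.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MD = "{%s}" % MD_NS
ET.register_namespace("md", MD_NS)

# Constructed sample upstream aggregate; entityIDs and hosts are hypothetical.
UPSTREAM_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="urn:example:partner-federation" validUntil="2013-03-04T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.cardiff.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.cardiff.example/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.other.example/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.partner.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_aggregate(xml_text):
    """Parse an aggregate and reject anything that is not an EntitiesDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntitiesDescriptor":
        raise ValueError("expected md:EntitiesDescriptor, got %s" % root.tag)
    return root


def index_entities(root):
    """Map entityID -> EntityDescriptor in document order, refusing duplicates.

    Two descriptors claiming the same entityID indicate a broken or tampered
    feed; silently picking one could let the wrong descriptor through.
    """
    index = {}
    for ed in root.iter(MD + "EntityDescriptor"):  # also walks nested aggregates
        eid = ed.get("entityID")
        if not eid:
            raise ValueError("EntityDescriptor without entityID")
        if eid in index:
            raise ValueError("duplicate entityID in upstream: %s" % eid)
        index[eid] = ed
    return index


def entity_ids(xml_text):
    """All entityIDs contained in an aggregate, in document order."""
    return list(index_entities(parse_aggregate(xml_text)).keys())


def entity_ids_with_role(xml_text, role):
    """entityIDs whose descriptor carries the given role, e.g.
    role="IDPSSODescriptor" to list the IdPs an SP could partner with."""
    root = parse_aggregate(xml_text)
    return [eid for eid, ed in index_entities(root).items()
            if ed.find(MD + role) is not None]


def build_custom_aggregate(upstream_xml, wanted_ids, name, role=None):
    """Return a new EntitiesDescriptor holding exactly the wanted entityIDs.

    Every requested entityID must exist upstream (a typo must not silently
    drop a partner). If `role` is given, each selected entity must carry
    that role, so an SP asking for IdP partners cannot pull in an SP.
    The upstream validUntil is propagated so the custom feed cannot outlive
    the feed it was cut from.
    """
    root = parse_aggregate(upstream_xml)
    index = index_entities(root)
    missing = [eid for eid in wanted_ids if eid not in index]
    if missing:
        raise LookupError("not in upstream aggregate: %s" % ", ".join(missing))
    attrs = {"Name": name}
    if root.get("validUntil"):
        attrs["validUntil"] = root.get("validUntil")
    out = ET.Element(MD + "EntitiesDescriptor", attrs)
    for eid in wanted_ids:  # caller's order, so the output is deterministic
        ed = index[eid]
        if role is not None and ed.find(MD + role) is None:
            raise ValueError("%s has no %s" % (eid, role))
        out.append(ed)
    return ET.tostring(out, encoding="unicode")


if __name__ == "__main__":
    wanted = ["https://idp.cardiff.example/idp/shibboleth"]
    print(build_custom_aggregate(UPSTREAM_AGGREGATE, wanted,
                                 "urn:example:sp-custom-idp-aggregate",
                                 role="IDPSSODescriptor"))
```

Run as a script it prints the one-entity aggregate for the hypothetical Cardiff IdP. The unsigned output is deliberate: in the workflow Tom describes it is the federation operator (here InC Ops) that signs the custom aggregate, and the SP should verify that signature rather than trust an unsigned file it fetched.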


