
interfed - [inc-interfed] Apr 2 notes / Apr 9 agenda

Subject: Interfederation

  • From: Jim Basney <>
  • To: <>
  • Subject: [inc-interfed] Apr 2 notes / Apr 9 agenda
  • Date: Tue, 2 Apr 2013 13:58:10 -0500
  • Openpgp: id=0A33BE15; url=http://www.ncsa.illinois.edu/~jbasney/pgp.asc

Proposed agenda for Apr 9 call:

* Update on LIGO SP + UK IdP pilot
* More thoughts on mdrpi registrationAuthority="https://incommon.org"
and publisher="https://incommon.org"?
* OrganizationDisplayName and related elements for InCommon+UK interfed
* Starting on lessons learned doc:
LIGO Wiki, I2 Spaces Wiki, Shibboleth.net, TERENA SP

Minutes from Apr 2 call:

attending: JimB, TomS, IJK, MarkS, ScottC, IanY, SteveC, JohnK

Agenda bashing.
REFEDS 2013 work item REF13-2 on Federation Operation Practices template
hasn't started? TomS checked on this. No work overlap at the moment.
eduGAIN policy update expected soon.
eduGAIN disclosure of federation operation practices is typically a
few paragraphs.
currently no eduGAIN template for fed op practices or minimum reqs.
ScottK couldn't join but sent an update on the LIGO-UK pilot via
email.
IanY meeting tomorrow with UK helpdesk about additional IdPs for LIGO.
Topic: Baseline Federation Operational Practices (FOP) for interfed.
UK+InCommon roadmap: https://spaces.internet2.edu/x/tIA_Ag
InCommon FOPP: https://www.incommon.org/docs/policies/incommonfopp.html
UK Federation Technical Specifications (draft):
http://dl.dropbox.com/u/236274/FTS-1.4-20130322.pdf
do we agree on registrationAuthority="https://incommon.org"?
also publisher="https://incommon.org"? should these 2 be the same?
yes generally the same.
when aggregator publishes, publisher will be different.
so they can be different in special cases.
should be resolvable to a page that describes registration practices?
IanY: Just meant to identify the registrar.
Other places to reference practices. Keep the URI short.
why are registrationAuthority values published in the UKFTS doc?
this info isn't anywhere else. do we need a registry?
at least a REFEDS wiki page? concern about keeping wiki up-to-date.
for UK-US bilateral federation, just need to agree between the two.
metadata aggregators could map identifiers for internal consumption.
so there is some flexibility with these identifiers going forward.
still good to use the same values when possible.
for <shibmd:Scope>, InCommon is carefully vetting ownership.
https://spaces.internet2.edu/display/InCCollaborate/Scope+in+Metadata
scope can appear in 3 places in UK metadata: <Extensions> element of
<EntityDescriptor>, <IDPSSODescriptor>, and
<AttributeAuthorityDescriptor>
InCommon doesn't put scope at top level (EntityDescriptor).
Only Shib 2.x can handle this.
scope elements can be processed in metadata aggregator.
scopes in 3 places are all identical in UK metadata.
scopes in 2 places are all identical in InCommon metadata.
scope regexp="false" always specified for InCommon.
UK fed experimenting with regexp scopes for UK schools sector.
shared concern about this.
Past experience includes mistakes in regexps.
UK unlikely to export entities with regexp="true" as no interfed use
case for UK schools sector.
MarkS: hub-and-spoke model for regionals / k-12 being discussed
but not at technical level of scopes
general agreement on entityID value registration between UK and InCommon
UK stricter than InCommon on URNs? In practice probably not really.
UK might allow other URNs so long as org ownership can be verified.
mace URNs have clear registration / ownership procedure.
InCommon could strengthen URN verification.
encourage entityID URLs instead of URNs in any case.
Topics for next week:
Organization element - OrganizationDisplayName / MDUI DisplayName
lessons learned:
spaces wiki, shibboleth.net, TERENA - SP joining multiple feds
Dick Visser said REEP could have helped - registering metadata.
ScottC experience: legal and policy issues dwarf technical issues.
PKI requirements for certificates in metadata
was also a huge source of pain for shibboleth.net.
IanY: progress - one less fed agreement because of UK-Irish interfed
Irish fed accesses shib wiki via UK metadata aggregate.
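
Added example, not part of the original message and not InCommon or UK federation code: one way a metadata aggregator could run the checks discussed in the minutes, comparing <shibmd:Scope> values across the three locations, flagging regexp scopes, and confirming the expected registrationAuthority. The function names, the sample aggregate and the example.org/example.net entities are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
# The three scope locations named in the minutes, relative to <EntityDescriptor>.
SCOPE_PATHS = {"EntityDescriptor": "md:Extensions/shibmd:Scope"}
for role in ("IDPSSODescriptor", "AttributeAuthorityDescriptor"):
    SCOPE_PATHS[role] = f"md:{role}/md:Extensions/shibmd:Scope"

def check_entity(entity, expected_registrar):
    """Return a list of findings for one <EntityDescriptor>."""
    findings, scopes = [], {}
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    registrar = info.get("registrationAuthority") if info is not None else None
    if registrar != expected_registrar:
        findings.append(f"registrationAuthority is {registrar!r}")
    for place, path in SCOPE_PATHS.items():
        elems = entity.findall(path, NS)
        if elems:
            scopes[place] = frozenset((e.text or "").strip() for e in elems)
            # Assumption: an absent regexp attribute is treated as false.
            if any(e.get("regexp", "false").strip() in ("true", "1") for e in elems):
                findings.append(f"regexp scope in {place}")
    if len(set(scopes.values())) > 1:
        findings.append("scope values differ between locations")
    return findings

def check_aggregate(xml_text, expected_registrar):
    """Map each entityID in the aggregate to its list of findings."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): check_entity(e, expected_registrar)
            for e in root.iter("{%s}EntityDescriptor" % NS["md"])}

# Constructed sample aggregate (trimmed; not real federation metadata).
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi">
<md:EntityDescriptor entityID="https://idp.example.org/shibboleth">
 <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/></md:Extensions>
 <md:IDPSSODescriptor><md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions></md:IDPSSODescriptor>
 <md:AttributeAuthorityDescriptor><md:Extensions><shibmd:Scope regexp="false">example.org</shibmd:Scope></md:Extensions></md:AttributeAuthorityDescriptor>
</md:EntityDescriptor>
<md:EntityDescriptor entityID="https://idp.example.net/shibboleth">
 <md:Extensions><shibmd:Scope regexp="true">^.*\\.example\\.net$</shibmd:Scope></md:Extensions>
 <md:IDPSSODescriptor><md:Extensions><shibmd:Scope regexp="false">example.net</shibmd:Scope></md:Extensions></md:IDPSSODescriptor>
</md:EntityDescriptor>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    print(check_aggregate(SAMPLE, "https://incommon.org"))
```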


