
interfed - [inc-interfed] Apr 30 agenda / Apr 16 notes

Subject: Interfederation

  • From: Jim Basney <>
  • To: Interfederation TAC Subgroup <>
  • Subject: [inc-interfed] Apr 30 agenda / Apr 16 notes
  • Date: Tue, 16 Apr 2013 14:03:27 -0500
  • Authentication-results: sfpop-ironport05.merit.edu; dkim=neutral (message not signed) header.i=none
  • Openpgp: id=0A33BE15; url=http://www.ncsa.illinois.edu/~jbasney/pgp.asc

Proposed agenda for Apr 30 call:

* Update on LIGO SP + UK IdP pilot
* Interfederation Lessons Learned discussion continued
* InCommon and UK Interfederation roadmap discussion continued
* (add your item here)

Minutes from Apr 16 call:

attending: JimB, TomS, IJK, ScottK, ChrisP, IanY, ScottC, SteveC, JohnK

Update on LIGO+UK pilot:
Production LIGO SP is consuming metadata from Steven.
Metadata issues from last week are fixed.
LIGO SP pulling metadata over the network from Brown.
LIGO SP checking signature on metadata using cert from Steven.
No validity dates on metadata at this point.
Current issue: Cardiff IDP trouble with artifact resolution.
Lesson learned: conservative use of SAML profiles more likely to work.
LIGO SP OK if IdPs don't support artifact, so long as they don't list
broken artifact endpoint in metadata.
Artifact support can be addressed in upcoming SAML2 support campaign
in InCommon.
Plans for UK interfederation trial to move to production?
UK+Edugate trial going well. UK ready to move to production.
UK+Edugate consensus on bilateral agreement.
However, Edugate constitution prohibits interfederation!
Edugate working to change their constitution.
This takes time... May be resolved soon... Difficult to predict.
Same UK bilateral agreement could be signed by InCommon!
If signed, would InCommon entities go in UK production aggregate?
IanY: Yes, particularly since UK and InCommon are so similar.
Ian would recommend to board and federation operator to proceed.
In contrast, EduGAIN has no bilateral agreements - instead declarations.
Ian would prefer a slimmer InCommon metadata source for UK interfed.
Does this mean opt-in on InCommon side?
Or could InCommon filter automatically?
For example, excluding internal-to-campus SPs?
ScottC and JohnK prefer opt-out, not opt-in.
UK agreement says it's up to InCommon to decide
which entities to interfed.
Previously eduGAIN required opt-in.
That's removed in new eduGAIN policy.
UK proceeding with opt-in to interfederation in general, not eduGAIN
specifically. UK moving toward opt-out regime.
JohnK reviewed latest eduGAIN documents.
eduGAIN terms of use has some jurisdiction? That was in old version.
Terms of use is gone from new eduGAIN documents.
eduGAIN has only published updated constitution and policy declaration
so far. Not published eduGAIN updated metadata profile yet.
JohnK - add to lessons learned:
* validUntil on metadata file
* 2048 bit keys
The validUntil in metadata is hop-by-hop. Want eduGAIN to validate
validUntil that it pulls, then include validUntil in eduGAIN published
metadata aggregate. Not in production today, but eduGAIN test
aggregate does it, and it's rolling out to production.
EduGAIN doesn't place policies on OrganizationName.
Can look at <mdrpi:RegistrationInfo> for info on registrar practices.
Currently eduGAIN not vetting <mdrpi:RegistrationInfo>.
eduGAIN as a service providing metadata versus eduGAIN as a means
through which we interfederate between each other (mechanism vs policy).
Eventually replace bilateral agreements with multilateral (eduGAIN).
Initially easier to go down bilateral road.
For next call:
* UK+InCommon interfed roadmap: opt-in/opt-out, agreement, etc.
Initially exporting SPs, not IdPs? Production InCommon aggregate
doesn't change. Separate interfed aggregate.
Address metadata size issue independently of interfederation.
Ian: concern about sophistication to deal with interfed environment.
Start slow until we understand problems people run into.
Exporting hundreds of IdPs to InCommon immediately could create
helpdesk chaos.
InCommon exporting SPs, not IdPs? Need to move beyond asymmetric
arrangements.
Researchers want symmetric interfederation. Users and services on
both sides.
InCommon doesn't have helpdesk like UK federation does.
For lessons learned:
* federation in different directions, support structure
* change "methods of interfederation" to "methods of interop"
* Swiss interfed with neighboring country? (Germany?)
* multilateral: technical *and* policy framework? could be *or*!
eduGAIN more about technical infrastructure.
Kalmar Union is example of policy framework. Policies in English. :)
We can ask LeifJ about this.
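
Added example, not part of the original message or of any federation's tooling: a minimal consumer-side check for the validUntil lesson in the minutes, which also lists the registrar each entity names in <mdrpi:RegistrationInfo>. The sample aggregate, the 14-day maximum window and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}

# Constructed sample aggregate (not real federation metadata).
SAMPLE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    validUntil="2013-04-23T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://registrar.example.org"/>
    </md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/sp"/>
</md:EntitiesDescriptor>"""

def parse_utc(value):
    """Parse an xs:dateTime in UTC 'Z' form (assumes no fractional seconds)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_aggregate(xml_text, now, max_validity=timedelta(days=14)):
    """Return (problems, registrars) for a pulled metadata aggregate.
    Call only after the XML signature has verified: validUntil means
    nothing unless the signature covers it. max_validity is assumed policy."""
    # Stdlib parser keeps the example self-contained; harden it for untrusted XML.
    root = ET.fromstring(xml_text)
    problems = []
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("no validUntil: a stale signed copy would still be accepted")
    else:
        expiry = parse_utc(valid_until)
        if expiry <= now:
            problems.append("expired at " + valid_until)
        elif expiry - now > max_validity:
            problems.append("validity window longer than local policy allows")
    registrars = {}
    for ent in root.findall("md:EntityDescriptor", NS):
        info = ent.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        registrars[ent.get("entityID")] = (
            info.get("registrationAuthority") if info is not None else None)
    return problems, registrars

if __name__ == "__main__":
    print(check_aggregate(SAMPLE, datetime(2013, 4, 16, tzinfo=timezone.utc)))
```

An entity with no registrar recorded maps to None, so a consumer can tell apart entities whose registrar practices cannot be looked up.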


