Interfederation

[Ian Young <>]

Apologies in advance for any blurring of the air above my head as I switch 
rapidly between my various hats. Most of this is spoken with my UKf architect 
hat on.

On 25 Sep 2013, at 13:36, Tom Scavo 
<>
 wrote:

> * In item 1a, it is not clear to me that we actually need agreements
> with *both* eduGAIN *and* the UK federation. As I understand it, the
> UKf is currently working on importing to (and exporting from) eduGAIN
> metadata.

Let me start by giving a status update on UKf/eduGAIN. The UKf signed the 
(V2) eduGAIN declaration back in June.  That's the easy part, of course, and 
there was a fair amount of additional policy/documentation and technical work 
required to actually get to somewhere useful. There's still technical and 
documentation work to be done going forward, and perhaps we'll never see the 
end of that; this is new territory.

We cleared the main policy/documentation work required by the end of August. 
The main result of that which might be of interest to this group was this 
page and the document attached to it:

   http://ukfederation.org.uk/mdrps

In other words, we actually have a published Metadata Registration Practice 
Statement and we are tagging elements that are registered under it. Although 
it's not as detailed as one might like in some areas, it is quite a lot more 
detailed than the ones provided by almost all other eduGAIN participants. 
There's an ongoing helpdesk task to make sure that everything we put in our 
export aggregate is re-evaluated and tagged appropriately.

We subsequently went live with eduGAIN in a pilot mode on 2-Sep, and are 
listed as a full participant on the status page:

   http://www.edugain.org/technical/status.php

eduGAIN, today, republishes the whole of the UKf's export aggregate (17 
entities as I write this).  We import the eduGAIN aggregate, filter and 
transform it a bit to get rid of some things we don't like (I have 20 
outstanding tickets in my personal Bugzilla, which equates to a little over 
10% of the eduGAIN metadata we're discarding at present).  The eduGAIN entity 
metadata that passes scrutiny is currently passed through to our test 
aggregate, which is to say just to willing volunteers.  Full production, 
which we haven't yet set a date for but will certainly be before the end of 
the year, will see that metadata being republished in our production 
aggregate.

Our central discovery service does not currently show eduGAIN (or other 
imported) metadata by default, but does so if you click on the "Search over 
All Sites" link. You can try that from here:

        https://test.ukfederation.org.uk/Shibboleth.sso/UKfedDS

(Click on "Search over All Sites" at the bottom, then put say "latvia" in the 
search box.)

> If so, why do we need a separate agreement with UKf? Isn't
> that what eduGAIN is for?

Scott K covered a lot of what I'd say here, so I'll just add a couple of 
scraps.

The first is that you need to remember that you will never have an agreement 
with eduGAIN, because eduGAIN is not based on agreements but on unilateral 
declarations.  If you want more assurance than that will give you, then you 
need to change eduGAIN's governance structure (again) or look for bilateral 
agreements to supplement the multilateral mechanism of exchange. Whether 
that's necessary in this case is not for me to judge.

The other question is about whether moving forward with the UKf would be 
valuable in its own right. I think that's separate from the question of an 
agreement with the UKf, although that's the way the current text refers to it 
because it was written a few months ago. The existing pilot was very fruitful 
for all parties and I think for our mutual understanding of the issues; it 
proceeded without a formal agreement, and we could broaden that arrangement 
if we wanted. We're only offering eduGAIN the exact same metadata that is 
offered to you within that pilot, so you can see that the UKf is not 
insisting on formal bilateral agreements here; we've offered such agreements 
where we thought it might move the ball forward for a partner, not because we 
need them ourselves other than to assure us that we're not going against that 
partner's wishes.

I happen to believe that InCommon is important enough to the UKf that we'd 
want to do anything we can to accommodate broader co-operation on the 
shortest possible timescales. It has always seemed to me that doing things 
with a known partner is a fair bit simpler than doing it with an amalgam of 
19 partners of varying technical ability and diligence. Which is not to say 
that I would advocate moving forward with UKf as an alternative to eduGAIN 
participation, more as a way to gain confidence in the shorter term while 
moving towards full participation in eduGAIN. It perhaps goes without saying 
that my position is that signing the eduGAIN declaration is very easy to do, 
but getting the full benefit from it will take a bit longer: the UKf is 
interested in whichever route gets us a wide exchange with InCommon sooner, 
even if that will be replaced (or largely replaced) later by eduGAIN.

        -- Ian

Attachment: smime.p7s
Description: S/MIME cryptographic signature