[inc-interfed] upcoming UKf eduGAIN announcement
  • From: Ian Young <>
  • To: "" <>
  • Subject: [inc-interfed] upcoming UKf eduGAIN announcement
  • Date: Wed, 30 Oct 2013 15:51:04 +0000

This group may be interested in the appended announcement, which I will
hopefully be sending out later today.

Also of potential interest is the Shibboleth IdP extension mentioned, which
is very close to being available for testing. You can see the current status
here:

https://github.com/ukf/mdrpi-match-idp-ext

Until InCommon publishes RegistrationInfo in its metadata, this is probably
only going to be of direct use in the context of inter-federation pilots, but
contact me anyway if you're interested.

-- Ian



Subject: UK federation: inter-federation via eduGAIN: transition to production

Dear Colleague,

You are receiving this message because you are listed as a technical or
administrative contact for one or more entities registered with the UK Access
Management Federation for Education and Research. Its purpose is to inform
you of the UK federation's coming transition to full production participation
in the eduGAIN system, and to provide resources to enable you to take full
benefit from this powerful new capability.

This transition to production will take place during Monday, 2-Dec-2013.

YOU SHOULD ENSURE that the material below is reviewed by your technical staff
as soon as possible, so that any reconfiguration you feel may be appropriate
can take place before the transition.



Summary
=======

The UK federation publishes, usually daily, an aggregate of the metadata of all
entities registered in the federation. This aggregate is consumed by UK
federation entities in order to be able to inter-operate with one another.

The "reach" of the UK federation is being extended with effect from 2-Dec-2013
by the addition, in the published aggregate, of metadata from entities
registered by other federations. The "other federations" are those which,
together with the UK federation, are participating in eduGAIN, a GEANT-sponsored
inter-federation metadata exchange service.

The effect of this change is that UK federation IdPs and SPs will in principle
be able to interoperate with SPs and IdPs registered in other participating
federations.



What is eduGAIN?
================

eduGAIN is a centralised inter-federation metadata exchange service run
by GEANT. Each of eduGAIN's participating federations provides eduGAIN with
metadata about selected entities registered by their members, which is then
made available to the other participants. The effect is to extend the reach
of all of the participant federations to entities registered elsewhere.

You can learn more about eduGAIN here:

http://www.edugain.org/

The UK federation is a participant in eduGAIN, along with many of our
federation partners both from Europe and around the world. You can view the
current list of participating federations here:

http://www.edugain.org/technical/status.php



How does the UK federation participate in eduGAIN today?
========================================================

The UK federation formally joined the eduGAIN system in September 2013. Since
that time, selected UK federation members have been involved in pilot use of
eduGAIN as described here:

http://www.ukfederation.org.uk/content/Documents/InterfederationTrialFAQ

During this pilot phase:

* Only "opted in" entities have been provided to eduGAIN for republication by
other federation participants, and

* Metadata from other participating federations has been made available in the
UK federation's test aggregate for use by our testers. This metadata includes
both identity provider and service provider entities.

* Identity providers sourced through eduGAIN have been available in the UK
federation's central discovery service only when the "search across all
sites" option has been selected.



What will change on 2-Dec-2013?
===============================

After the transition date:

* Selection of UK federation registered entities to be provided to eduGAIN for
republication by other participating federations will continue to be on an
"opt in" basis for the immediate future.

* Metadata from other participating federations will be republished within
the UK federation's *production* aggregate. This metadata will include both
identity provider and service provider entities. This means that the new
metadata will be available to all UK federation entities by default, without
any need for reconfiguration.

* This will add approximately 12% to the size of the metadata that UK federation
members' entities will download.

* Identity provider entities sourced through eduGAIN will in most cases be
available in the UK federation's central discovery service, even without use
of the "search across all sites" option.



How do I participate in eduGAIN after the production transition?
================================================================

Because eduGAIN-sourced metadata will be provided in the UK federation's
production aggregate, participation in eduGAIN after 2-Dec-2013 may be as
simple as contacting the UK federation helpdesk to opt in to inter-federation
metadata exchange. There are a small number of technical pre-conditions for
this, but most UK federation entities will be accepted promptly.

Note that the opt-in is for inter-federation metadata exchange in general,
not just for eduGAIN. You will not need to opt in again for any other
inter-federation opportunities should they become available.



I want to participate as soon as possible; can I start earlier?
===============================================================

Yes; we encourage members with more pressing use cases to begin the eduGAIN
participation process early. To do so, you will need to opt in as above, but
also reconfigure your entity to consume the UK federation's test aggregate
instead of the production aggregate, on a temporary basis.

Please refer to section 4.2 of the Federation Technical specifications for
details of the test aggregate:

http://www.ukfederation.org.uk/doc/federation-technical-specifications



What about attributes?
======================

Due to differing local circumstances, different federations make different
recommendations to their members about the attributes to use. In general, you
will need to work with the owners of each entity with which you need to
inter-operate.

To make this process easier in some specific cases, the UK federation is
developing an extension for the V2.x Shibboleth identity provider, which will
enable the *registrar* associated with an entity to be taken into account in
attribute release policies. For example, this could be used to release
certain attributes from the SCHAC profile to entities from those countries
which make use of it.

We anticipate that an initial version of this extension will become available
shortly; please contact the UK federation helpdesk if you are interested in
making use of it and are prepared to help with testing.



What can I do if I want to prevent access by eduGAIN entities?
==============================================================

The UK federation's Technical Recommendations for Participants recommend that
presence in the federation metadata alone should not be taken to imply
particular behavioural guarantees. In particular:

* it is the responsibility of each identity provider to establish appropriate
policies for attribute release based on their knowledge of individual
service providers;

* it is the responsibility of each service provider to decide how much trust
to place in the attributes presented by an identity provider based on their
knowledge of the individual identity provider.

Entities already following these recommendations will be unaffected by the
presence in the UK federation's production metadata of entities not registered
by the UK federation.

Entities whose policies are configured more broadly than described in the UK
federation recommendations can take advantage of the presence in all UK
federation metadata of a "registration authority" value identifying the
registrar responsible for each entity. This facility is described in section
3.2.2 of the Federation Technical Specifications:

http://www.ukfederation.org.uk/doc/federation-technical-specifications

The Shibboleth V2.x identity provider extension mentioned above can be used to
incorporate this information into attribute release policies.



Please contact the UK federation helpdesk () if you have any additional
questions about this update.

-- Ian Young, UK federation
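
As an added example, not part of the announcement above nor of the UK federation's Shibboleth extension, the following Python script shows the check an entity operator could run on a downloaded aggregate before the 2-Dec-2013 transition: it reads the mdrpi:RegistrationInfo extension (the "registration authority" value the announcement refers to) from each EntityDescriptor and splits entities into home-registered, registered by another federation, and carrying no RegistrationInfo at all. The registrationAuthority URI assumed for the UK federation, the entity IDs and the second registrar URI in the embedded sample aggregate are all constructed for this example; the real value is the one given in section 3.2.2 of the Federation Technical Specifications.

```python
# Added example (not part of the announcement, the UK federation's IdP
# extension, or any federation tooling): audit a SAML metadata aggregate by
# registrar using the mdrpi:RegistrationInfo extension element.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}

# ASSUMPTION: registrationAuthority URI for the UK federation. Confirm the
# real value against section 3.2.2 of the Federation Technical Specifications.
HOME_REGISTRAR = "http://ukfederation.org.uk"

# Constructed sample aggregate: entity IDs and the second registrar URI are
# invented. Three cases: a home-registered IdP, an SP registered elsewhere
# (the eduGAIN case, nested as an imported EntitiesDescriptor), and an SP
# that carries no RegistrationInfo.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" Name="urn:example:aggregate">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="http://ukfederation.org.uk"/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntitiesDescriptor Name="urn:example:imported">
    <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
      <md:Extensions>
        <mdrpi:RegistrationInfo registrationAuthority="https://federation.example.org"/>
      </md:Extensions>
      <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
    </md:EntityDescriptor>
  </md:EntitiesDescriptor>
  <md:EntityDescriptor entityID="https://legacy.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def registration_authority(entity):
    """Return the registrar URI from mdrpi:RegistrationInfo, or None if absent."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None


def roles(entity):
    """Return the SAML roles an EntityDescriptor offers, e.g. ["IdP"] or ["SP"]."""
    found = []
    if entity.find("md:IDPSSODescriptor", NS) is not None:
        found.append("IdP")
    if entity.find("md:SPSSODescriptor", NS) is not None:
        found.append("SP")
    return found


def audit(aggregate_xml, home_registrar=HOME_REGISTRAR):
    """Classify every entity in the aggregate by registrar.

    Returns (home, foreign, unlabelled), each a list of
    (entityID, registrar, roles) tuples in document order. iter() walks the
    whole tree, so entities inside nested EntitiesDescriptor elements count.
    """
    root = ET.fromstring(aggregate_xml)
    home, foreign, unlabelled = [], [], []
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        record = (entity.get("entityID"), registration_authority(entity), roles(entity))
        if record[1] is None:
            unlabelled.append(record)      # unknown registrar: treat as untrusted
        elif record[1] == home_registrar:
            home.append(record)
        else:
            foreign.append(record)         # registered by another federation
    return home, foreign, unlabelled


if __name__ == "__main__":
    home, foreign, unlabelled = audit(SAMPLE_AGGREGATE)
    for label, group in (("home", home), ("foreign", foreign),
                         ("no RegistrationInfo", unlabelled)):
        print("%s (%d):" % (label, len(group)))
        for entity_id, registrar, role_list in group:
            print("  %-45s %-35s %s" % (entity_id, registrar, "/".join(role_list)))
```

The registrar URI this script keys on is the same value a registrar-aware attribute release policy would test, so an operator can use the "foreign" list to see exactly which IdPs or SPs will appear in their aggregate for the first time after the transition. An entity with no RegistrationInfo is reported separately rather than assumed to be home-registered, so that a policy which relies on the registrar value does not silently widen when the extension is missing.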


Attachment: smime.p7s
Description: S/MIME cryptographic signature



