
technical-discuss - Re: [InC-Technical] RE: AWS and InCommon


Re: [InC-Technical] RE: AWS and InCommon


  • From: Nick Roy <>
  • To: <>
  • Subject: Re: [InC-Technical] RE: AWS and InCommon
  • Date: Mon, 3 Apr 2017 10:42:56 -0600

It appears that there are two service components at play:

1) The DLT AWS portal, which allows you to do things like spin up AWS
accounts (I don't know the specific functionality in that portal, I've
never seen it). This is in InCommon and can use eduPersonEntitlement
for access control.

2) The AWS service itself, which is not in InCommon (Scott has pointed
out one reason for this).

Internet2 is working on providing much more detailed information about
how each service in the Net+ portfolio meets various community
requirements. I've asked Net+ staff if I can share info about that with
the InCommon TAC and then start a discussion about what configuration
items need to be enumerated regarding support for InCommon in Net+ services.

Best,

Nick

On 4/2/17 11:20 AM, Cantor, Scott wrote:
>> I have to separately download metadata to the NCSA IdP from
>> https://signin.aws.amazon.com/static/saml-metadata.xml? Is Internet2
>> working with AWS to get their metadata into InCommon?
> The entityID isn't valid, so that would seem to be one dealbreaker. I can't
> imagine Amazon deferring any changes in order to propagate them via
> metadata either, which would defeat the purpose. The worst case would be
> having the metadata entered but not used properly. Manually loading it is a
> clear signal that any changes will have to be manually accommodated, which
> is likely to be the case.
>
> (OSU is federating with them also, so I did go through the process.)
>
> Incidentally, does anybody have an ECP-based wrapper around their
> proprietary use of SAML in the CLI at this point? I've told our folks that
> it seems like we'd have to support that in order to bother federating the
> console.
>
> The Shibboleth Project would I think be willing to assist in or take over
> support of such a wrapper, and if not, I'd certainly contribute.
>
> -- Scott
>
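Scott's point that the entityID in AWS's published metadata "isn't valid" is the kind of thing an IdP operator should check before manually loading any SP's metadata. The following is an added example, not code from the thread or from AWS or Internet2: it extracts the entityID from a SAML 2.0 EntityDescriptor and checks it against the constraints the SAML metadata specification places on it (an absolute URI of at most 1024 characters). The stricter https-URL check is an optional knob that models a federation's registration policy; the thread does not say which rule AWS's value fails, so that check is an assumption of this example, as is the constructed sample document.

```python
"""Check the entityID of a SAML 2.0 metadata document before loading it by hand.

Added example; not part of the mailing-list thread and not AWS's real metadata.
The SAML 2.0 metadata spec requires entityID to be an absolute URI of at most
1024 characters. Federations often impose a stricter rule (for example, an
https:// URL); that policy check is optional here and assumed, not quoted from
InCommon's rules.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MAX_ENTITY_ID_LEN = 1024  # limit from the SAML 2.0 metadata specification

# Constructed sample SP metadata for demonstration; not a real service's file.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:service">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_entity_id(xml_text: str) -> str:
    """Return the entityID attribute of a top-level md:EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if entity_id is None:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id


def check_entity_id(entity_id: str, require_https_url: bool = False) -> list:
    """Return a list of problems with entity_id; an empty list means it passes.

    Always applied: spec constraints (absolute URI, <= 1024 chars, no whitespace).
    Optionally applied: the assumed federation policy that it be an https:// URL.
    """
    problems = []
    if len(entity_id) > MAX_ENTITY_ID_LEN:
        problems.append(f"longer than {MAX_ENTITY_ID_LEN} characters")
    if any(ch.isspace() for ch in entity_id):
        problems.append("contains whitespace")
    parsed = urlparse(entity_id)
    if not parsed.scheme:
        problems.append("not an absolute URI (no scheme)")
    if require_https_url and (parsed.scheme != "https" or not parsed.netloc):
        problems.append("not an https:// URL")
    return problems


def validate_metadata(xml_text: str, require_https_url: bool = False) -> list:
    """Parse the document and return the entityID problems found, if any."""
    return check_entity_id(extract_entity_id(xml_text), require_https_url)


if __name__ == "__main__":
    eid = extract_entity_id(SAMPLE_METADATA)
    print(f"entityID: {eid}")
    print("spec check:", check_entity_id(eid) or "ok")
    print("https policy check:", check_entity_id(eid, require_https_url=True) or "ok")
```

Run against the constructed sample, the URN passes the specification's constraints but fails the optional https-URL policy, which is exactly the distinction an operator needs when deciding whether a manually loaded metadata file will ever be accepted through the federation.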