InCommon enables interaction between its own IdPs and SPs and those registered by other federations through eduGAIN, a metadata aggregation service run by GÉANT for the higher ed community worldwide. The eduGAIN service routinely imports metadata from dozens of participating federations, aggregates that metadata into a single file, and then serves the signed aggregate file from a well-known HTTP location. Participating federations consume and distribute metadata in the eduGAIN aggregate at their discretion.
Importing eduGAIN Metadata
InCommon Operations downloads a fresh copy of eduGAIN metadata once a day, in conjunction with our daily metadata signing process. Briefly, the import process includes the following steps:
Fetch the eduGAIN metadata aggregate
Verify the XML signature
Validate the expiration date
Enforce InCommon import policy rules
Ensure schema validity and metadata correctness of imported metadata
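The following added example, which is not InCommon's own code, runs the expiry, policy and correctness steps over a constructed aggregate and reports why each entity was dropped. The three rules, the 14-day validity cap and every name in it are assumptions for illustration (the page does not enumerate InCommon's import policy), and XML signature verification and full schema validation are assumed to happen outside this code.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
RPI = "{urn:oasis:names:tc:SAML:metadata:rpi}"

def check_expiry(root, now, max_window=timedelta(days=14)):
    """Step 3: refuse an expired or over-long aggregate (14-day cap is assumed)."""
    raw = root.get("validUntil")
    if raw is None:
        raise ValueError("aggregate carries no validUntil")
    until = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if not now < until <= now + max_window:
        raise ValueError("validUntil outside accepted window: " + raw)

def reject_reason(ent, local_ids, local_ra):
    """Steps 4-5 for one entity (assumed rules); None means it may be merged."""
    info = ent.find(MD + "Extensions/" + RPI + "RegistrationInfo")
    ra = info.get("registrationAuthority") if info is not None else None
    if not ra:
        return "no registrationAuthority"
    if ra == local_ra or ent.get("entityID") in local_ids:
        return "locally registered entity takes precedence"
    if ent.find(MD + "IDPSSODescriptor") is None and ent.find(MD + "SPSSODescriptor") is None:
        return "no IdP or SP role"
    return None

def import_entities(xml_bytes, now, local_ids, local_ra):
    """xml_bytes must already have passed XML signature verification (step 2)."""
    root = ET.fromstring(xml_bytes)
    check_expiry(root, now)
    accepted, rejected = [], {}
    for ent in root.findall(MD + "EntityDescriptor"):
        reason = reject_reason(ent, local_ids, local_ra)
        if reason:
            rejected[ent.get("entityID")] = reason
        else:
            accepted.append(ent.get("entityID"))
    return accepted, rejected

# Constructed, trimmed sample (not schema-complete, not real federation data).
_E = '<md:EntityDescriptor entityID="%s">%s<md:%s/></md:EntityDescriptor>'
_R = '<md:Extensions><mdrpi:RegistrationInfo registrationAuthority="%s"/></md:Extensions>'
SAMPLE = ('<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          'xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" validUntil="2030-01-08T00:00:00Z">'
          + _E % ("https://idp.example.edu/idp", _R % "https://fed.example.org", "IDPSSODescriptor")
          + _E % ("https://sp.example.net/sp", "", "SPSSODescriptor")
          + _E % ("https://wiki.home.example/sp", _R % "https://home.example", "SPSSODescriptor")
          + "</md:EntitiesDescriptor>").encode()
```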
Finally, eduGAIN metadata is merged into the InCommon metadata aggregate. Thus the metadata file consumed by InCommon SAML deployments contains both metadata registered by InCommon and metadata registered by other federations. For more information, see:
Exporting eduGAIN Metadata
InCommon exports all of its IdPs to eduGAIN, unless the Site Administrator has opted out of eduGAIN. The reverse is true for SPs; SPs are exported only if the Site Administrator has opted in.
Interfederation Frequently Asked Questions
These questions and answers are intended to help you understand how eduGAIN will affect your organization and some of the policy questions to be considered.
What is eduGAIN?
eduGAIN collects, aggregates and distributes SAML metadata, enabling collaboration and access to online services globally. The eduGAIN service is operated by GÉANT (in the European Union) for the benefit of the higher ed community worldwide. Participating federations share metadata via the eduGAIN aggregation service, which facilitates SAML interoperability across federation boundaries.
How does eduGAIN work?
Participating federations (including InCommon) export SAML metadata to eduGAIN. Then eduGAIN combines these metadata files into a single comprehensive aggregate. Participating federations then import the global metadata aggregate from eduGAIN and make that metadata available to their participants.
Why is InCommon participating in eduGAIN?
Research, scholarship and education are increasingly international endeavors. eduGAIN allows researchers, faculty, staff, and scientists to use familiar campus credentials to access collaboration tools and other services from around the world. All types of research projects will benefit from eduGAIN—from small collaborations involving two or three individuals to large government-funded virtual organizations. A major benefit of eduGAIN is that a Service Provider can join just one national federation and provide single sign-on access globally.
What am I agreeing to by participating in eduGAIN?
InCommon has published an eduGAIN Intent Statement that outlines the rationale for eduGAIN participation. The document reviews such topics as governance, transparency, policy structure, dispute resolution, and metadata sharing. In general, the policies of their home federations and the laws of their home countries bind all eduGAIN participating organizations. In short, InCommon participants remain under the policies and practices of InCommon, as their home federation.
I’ve read that an expanded attribute release policy is also a consideration. Is that true?
You do not need to change your attribute release policy in order to participate in eduGAIN. However, InCommon recommends that you review your policy and consider supporting the global (REFEDS) Research & Scholarship Category. By doing so, you agree to release a small set of attributes (generally considered directory information) to all Service Providers that have joined the global R&S Category.
Adopting global R&S is intended to make international collaboration seamless for faculty, staff, researchers and scientists, thereby improving interoperability and the user experience.
Where can I learn more about eduGAIN?
The best place to start is www.incommon.org/edugain
My organization operates an Identity Provider. Do you recommend I export my metadata to eduGAIN?
Yes, and in fact, all InCommon Identity Provider metadata will be exported to eduGAIN by default beginning on February 15, 2016. Exporting Identity Provider metadata to eduGAIN is strongly RECOMMENDED. If, for some reason, you wish to opt out, an InCommon Site Administrator must log into the Federation Manager and check the appropriate box.
My organization operates one or more Service Providers. Do you recommend I export my metadata to eduGAIN?
If you provide a service intended to have global reach, we recommend that your Service Provider metadata be exported to eduGAIN. Service Provider owners will be able to opt into the export process, if they wish. To have your Service Provider metadata exported to eduGAIN, an InCommon Site Administrator must log into the Federation Manager and check the appropriate box.
For example, a campus researcher may host a wiki or a database or some other service that needs to be available to colleagues in other countries. We recommend exporting that Service Provider to provide single sign-on convenience to international collaborators.
If you are with a company that provides a service globally, we recommend that you export that Service Provider metadata. If a service is strictly US-only, we recommend that you not export your metadata, but of course your metadata will continue to be included in the InCommon metadata aggregate.