Introduction

eduGAIN is a service that allows Participant Federations serving the interests of education and research to interfederate. Interfederation allows an end user whose Identity Provider is registered in one Federation to authenticate easily to a Service Provider registered in a different Federation. This is enabled by eduGAIN collecting metadata from each Participant Federation and publishing a signed SAML metadata aggregate. InCommon has a strong interest in joining eduGAIN as a Participant Federation.

The Interfederation Working Group of the InCommon Technical Advisory Committee has reviewed the eduGAIN Policy Framework, which describes the policies and practices of the eduGAIN service as well as the rights and responsibilities of Participant Federations. In order to join eduGAIN, InCommon (like all Participant Federations) is required to sign a declaration agreeing to the eduGAIN Policy Framework, which consists of three essential documents: 1) the eduGAIN Declaration, 2) the eduGAIN Constitution, and 3) the eduGAIN Metadata Profile. A Participant Federation's agreement to the eduGAIN Policy Framework is in essence unilateral: the policy framework is set and, for the most part, non-negotiable.

This document contains the observations of the InCommon TAC Interfederation Working Group upon reviewing the eduGAIN Policy Framework. It contains only the clarifications and observations that the Working Group deemed most noteworthy. Interested readers are invited to review the eduGAIN Policy Framework in its entirety. We organize these notes by the eduGAIN Policy Framework document to which they apply. We wish to acknowledge the participation and input of Ian Young from the UK Federation, which recently joined eduGAIN.

Declaration

  • Entity Metadata Standards: eduGAIN relies on each published metadata entity to be in compliance with its parent federation's policies and operational standards.
  • Rules for Publishing Entity Metadata in eduGAIN: There are no explicit rules about whether a federation adopts an opt-in or opt-out policy for exporting its own members' entities to eduGAIN; that choice is left to each federation.
  • Rules for Acceptance of eduGAIN Metadata by Entities: Likewise, there are no rules governing the import of entities from eduGAIN. In particular, member entities are free to filter eduGAIN metadata as they see fit.
  • Issue Resolution for Participant Federations: eduGAIN is not responsible for resolving issues between participant federations. If issues arise, participant federations are expected to resolve them by direct communication.
  • Change Policies: eduGAIN relies only on a general expectation of "prompt" communication when a federation changes its policies or operations.
  • Communication of Change: Communication of change is between a Participant Federation and eduGAIN Operations. It is assumed that eduGAIN Operations will relay relevant changes to the other Participant Federations.
  • Support & Complaints: There is an expectation of a "reasonable" level of support between Participant Federations. A federation's members must direct support requests only to their own Federation and should not expect support directly from other eduGAIN Participant Federations; for any given member organization, only its own Federation's rules apply in support and complaint cases. The support load has reportedly been light to negligible.
  • Nature of Declaration: Signing the declaration creates no new legal obligations or rights (section 9), nor is there any financial consideration (section 12). Each federation is signing a one-sided declaration, which is neither a contract nor an agreement.

Constitution

  • eduGAIN Governance: eduGAIN is governed by an Executive Committee (today the GÉANT Executive Committee) and a Steering Group made up of the Participant Federations. Each Federation appoints a Delegate and a Deputy to the Steering Group.
  • Operational Team: The eduGAIN Operational Team handles most administrative tasks for eduGAIN.
  • Peering: eduGAIN has no direct peering relationships at present, but the Constitution contains provisions to allow them should any be established.
  • Approval of Changes: There are multiple levels of approval for important decisions to ensure that changes will not exclude participant federations, either directly or indirectly.
  • Entity Registration in eduGAIN: Entities are not registered directly with eduGAIN; they are registered with a Participant Federation, which is responsible for ensuring that entities not intended for eduGAIN are not exported to it.
  • Metadata Registration Practice Statement: Each federation must publish a Metadata Registration Practice Statement prior to exchanging metadata.
  • Leaving eduGAIN: Federations must give one (1) month's notice before leaving eduGAIN; however, there are no constraints on a federation dropping any given IdP or SP entity from its metadata export. Likewise, there are no constraints on a federation dropping any given IdP or SP from its import pipeline before republishing to its own members.
  • eduGAIN Technical Overview: The eduGAIN Technical Overview document referenced in the Constitution has not yet been published.
  • Signing of Declaration: The eduGAIN Operational Team verifies that the signing party on the declaration for a participant federation is authorized to sign on behalf of the federation. For expediency, the Operational Team requests a scanned copy of the signed declaration followed eventually by a paper copy.
  • Pre-approval: Certain federations have been pre-approved for admittance by the eduGAIN Steering Group; InCommon is among them.
  • Required vs Optional Profiles: The only required profile for participant federations at present is the SAML 2.0 Metadata Profile.

Metadata Profile

  • Required Elements: Not all elements required by the eduGAIN Metadata Profile are currently present in InCommon metadata.
  • MDS Aggregation Practice Statement: The MDS Aggregation Practice Statement referenced in this document does not yet exist.
  • Filtering metadata during aggregation: eduGAIN aggregation is intended to be transparent; it neither removes nor validates metadata elements during aggregation. Validation is the responsibility of the Participant Federation that registers the entity into metadata.

Conclusions

On the continuum from Stability, Assurance and Centralized Control at one end to Flexibility, Complete Freedom and Decentralized Governance at the other, the eduGAIN model sits toward the latter. In order to achieve maximal adoption among international federations, very few obligations are placed on Participant Federations. As a consequence, there are also very few assurances of interoperability and stability. This is not a value judgment but simply today's balance point for reaching a working model.

As such, the eduGAIN Policy Framework appears to present no philosophical barriers to InCommon participation. It should be noted, however, that some technical and operational issues will need to be resolved in order to participate; the Working Group's view is that these are not insurmountable. Furthermore, the Working Group recognizes the significant benefits that would accrue to InCommon from participating in eduGAIN: eduGAIN provides a trust framework for Participant Federations as well as a service that allows interoperation with other identity federations in a relatively simple and scalable way. The Interfederation Working Group recommends to the TAC that participation in eduGAIN be actively pursued.