Versions Compared

...

Ops would prefer not to invest resources in creating additional aggregates, and would rather devote our limited resources to realizing the future of metadata distribution. That said, since a significant fraction of SP deployments will be unable to leverage per-entity metadata until we solve the discovery problem, Ops recommends that a production-quality IdP-only aggregate be published at a permanent location.

...

  1. In general, resist the urge to publish new aggregates in production.

  2. In particular, do not publish an SP-only aggregate. Push all IdP deployments towards per-entity metadata.

    1. Most of the entities in metadata are SPs so the benefit of an SP-only aggregate is marginal.
    2. IdPs are poised to benefit most from per-entity metadata. An SP-only aggregate will disrupt and confuse the migration of IdPs to per-entity metadata.
  3. Since the vast majority of SPs do not have a dynamic discovery interface (i.e., a discovery interface that depends on published metadata), push these SPs towards per-entity metadata. This is an easy sell, since most of these SPs depend on a small number of fixed IdPs.

  4. For the relatively few SPs that implement a dynamic discovery interface, consider publishing a centralized JSON metadata feed that conforms to the published JSON schema associated with the Shibboleth Embedded Discovery Service.

  5. Alternatively, if a JSON metadata feed turns out to be infeasible at this time, publish a standalone aggregate of IdP-only metadata (but no pipeline).

Although a centralized JSON metadata feed would be fairly easy to create, there are issues (most importantly, security issues) that need to be addressed, and it is doubtful that these can be resolved in the short term. By contrast, a production-quality IdP-only aggregate could be published in a matter of weeks, and clients could leverage it immediately, with no changes to the client software.
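The two artifacts discussed above, as an added example that is not InCommon Ops or Shibboleth project code: deriving an IdP-only aggregate from a full aggregate (keep only entities carrying an IDPSSODescriptor, drop the old signature and its ID) and rendering that aggregate as a list of entries in the JSON shape the Shibboleth Embedded Discovery Service reads from a DiscoFeed URL (entityID plus the mdui:UIInfo elements). The sample aggregate, its entity IDs and URLs are constructed for this example. One concrete security point of the kind the text mentions is visible in the code: the XML signature on the aggregate does not carry over to the JSON, so a consumer of the feed has nothing to verify beyond the channel it was fetched over.

```python
"""Added example (not InCommon Ops or Shibboleth code): IdP-only aggregate
filtering and a DiscoFeed-style JSON rendering of the result."""
import json
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample aggregate (not real federation metadata): one IdP with
# mdui:UIInfo and one SP. Entity IDs and URLs are placeholders.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" ID="_agg1" Name="example-federation">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
          <mdui:Logo height="60" width="80" xml:lang="en">https://idp.example.edu/logo.png</mdui:Logo>
        </mdui:UIInfo>
      </md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def idp_only(aggregate_xml):
    """New EntitiesDescriptor with only the entities that have an IDPSSODescriptor.
    A ds:Signature on the input is not copied and the ID it references is dropped:
    the filtered aggregate is a new document and must be signed afresh."""
    root = ET.fromstring(aggregate_xml)
    attrib = {k: v for k, v in root.attrib.items() if k != "ID"}
    out = ET.Element("{%s}EntitiesDescriptor" % NS["md"], attrib)
    for ed in root.findall("md:EntityDescriptor", NS):
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            out.append(ed)
    return out


def entity_ids(entities):
    return [ed.get("entityID") for ed in entities.findall("md:EntityDescriptor", NS)]


def aggregate_to_xml(entities):
    return ET.tostring(entities, encoding="unicode")


# DiscoFeed key -> mdui:UIInfo child element name.
_UI_KEYS = (
    ("DisplayNames", "DisplayName"), ("Descriptions", "Description"),
    ("Keywords", "Keywords"), ("InformationURLs", "InformationURL"),
    ("PrivacyStatementURLs", "PrivacyStatementURL"), ("Logos", "Logo"),
)


def _ui_values(role, local):
    """mdui:UIInfo/<local> elements as {"value", "lang"} objects; Logos also carry
    height and width (kept as the attribute strings)."""
    values = []
    for el in role.findall("md:Extensions/mdui:UIInfo/mdui:%s" % local, NS):
        entry = {"value": (el.text or "").strip(), "lang": el.get(XML_LANG, "en")}
        if local == "Logo":
            entry["height"] = el.get("height", "")
            entry["width"] = el.get("width", "")
        values.append(entry)
    return values


def disco_feed(entities):
    """DiscoFeed-style list for every IdP in an EntitiesDescriptor. SP-only entities
    contribute nothing, so a full aggregate yields the same feed as the IdP-only one.
    Nothing of the aggregate's XML signature survives into this JSON."""
    feed = []
    for ed in entities.findall("md:EntityDescriptor", NS):
        role = ed.find("md:IDPSSODescriptor", NS)
        if role is None:
            continue
        entry = {"entityID": ed.get("entityID")}
        for key, local in _UI_KEYS:
            values = _ui_values(role, local)
            if values:
                entry[key] = values
        feed.append(entry)
    return feed


if __name__ == "__main__":
    idps = idp_only(SAMPLE_AGGREGATE)
    print(aggregate_to_xml(idps))
    print(json.dumps(disco_feed(idps), indent=2))
```

Run it as a script to see the filtered aggregate followed by the JSON. In a real pipeline the filtered EntitiesDescriptor would go through the federation's signing step before publication, and the JSON would be served from the same origin over TLS, since the feed itself carries no signature.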

Ops Recommendation
Deploy an IdP-only aggregate in production. This not only alleviates the pain felt by SP owners in the short term but also becomes an essential part of our overall strategy for the foreseeable future, since we know there are SP deployments that won't be able to leverage per-entity metadata until we solve the discovery problem.

The deployment of a centralized JSON feed for SP deployments is appealing, but there are issues that need to be addressed, so this is not seen as a short-term solution. Hence the need for an IdP-only aggregate in the short to medium term. Once an IdP-only aggregate is deployed, Ops will focus its efforts on the production and distribution of per-entity metadata. In the long term, a centralized JSON feed may indeed play a role.