BEER - Bunch of End Entities Registry
BEER is envisioned as a lightweight, global registrar for SAML Metadata representing both SAML and non-SAML endpoints (e.g. OpenID, IMI). It is intended as a focused activity to catalyze international use of federated identity. The service is not intended to be a replacement for federation or inter-federation, but is intended to be a tool supporting such activities. The service is intended to be operational Jan 2011. It may be operated by an interim operator and move to a permanent home if the service is seen as useful.
- BEER: A SAML metadata curation service
- Registrant: An entity registering SAML metadata in a metadata registry
- Consumer: An entity consuming SAML metadata
- Domain owner: An entity which has administrative control of a DNS domain and/or URL
BEER ("the service" in what follows) will accept registration of SAML metadata by a registrant who is the domain owner of the domain associated with the SAML metadata entityID hostname. The service will make all valid registered metadata available to all consumers equally, unfiltered and unrestricted.
The service will not impose restrictions on the type of metadata registered but may perform schema validation based on a controlled set of technologies including the SAML 2.0 Interoperable Metadata Profile, OpenID and IMI, along with a set of widely deployed extensions.
The service will minimally support managing key rollover and will probably support updating organization name and contact information for individual entities.
The level of assurance of the entities registered in the system is based on demonstrated ownership of the domain. Consumers of the metadata are expected to understand this.
The service is not intended to address the privacy aspects of services represented by registered metadata. Consumers of metadata are expected to address privacy considerations including management of attribute release policies.
Registrants must be aware that they are making their metadata available for publication without constraint and that registered metadata will be publicly available to all consumers. Consumers may constrain what information they import from the system.
- 1 A service provider like the Czech medical atlas or Internet2 spaces wiki wants a single point of registration for metadata in order to cut down on the work that they need to do with all the federations that want to use the service.
- 2 As a consumer of metadata from BEER, I want the metadata to be a full representation of all the data in BEER about the entity in question in order to not depend on proprietary interfaces.
- We wonder how all data can be fitted into metadata without any agreements on predefined syntax.
- 3 As a registrant, I want to be able to manage key rollover for my entities in order to not re-register full metadata.
- 4 As a registrant, I want the system to be able to support SAML metadata, OpenID metadata and IMI metadata in order to be able to support multiple federation technologies.
- 5 As a consumer I want to have the system produce schema valid SAML 2 metadata.
- 6 As a consumer, I need clarity on the IP rights issued by the service in order to avoid legal problems when publishing the metadata.
- 7 As a consumer of metadata, I want the metadata to be available in multiple publication protocols, including an MDX endpoint. At least one publication protocol should be some form of revision or versioning system.
- 8 As a registrant, I want to be able to import metadata from well-known locations based on SAML-based approaches. Primarily a one-time thing.
- 9 As a registrant I want the system to be able to refresh the metadata fetched from a previously specified (known) location.
- 10 As a registrant, I want to be notified about required changes to metadata, including certificate and metadata expiration, either by certificate expiration or on a regular basis.
- 11 As a manager of BEER, I need to be able to add additional XML schema to the metadata evaluation mechanism in order to support future development.
- 12 As a consumer of metadata I need to know and understand the level of assurance with metadata published by BEER in order to support my business processes.
- 13 As a consumer, I require clarity on the LOA associated with each part of the published metadata. (Know who has supplied which items of metadata to BEER)
- 14 As a consumer, I need contact info for all metadata.
- 15 As a consumer, I want to see the problems found with the metadata in order to evaluate its trustworthiness.
- Is the tool responsible for the validity of the metadata? E.g., as a consumer, should I trust the metadata blindly or should I check, for example, that the certificates associated with such metadata are not revoked or expired?
- 16 As a consumer, I need a human-readable descriptor of each entity. As a registrant I want to be able to insert a human-readable descriptor.
- 17 As a registrant, I want to be able to delete my metadata, even though it may not purge all traces of my metadata.
- 18 As a registrant, I want the service to publish appropriate caching hints in order to ensure that stale metadata doesn't live forever.
- 19 As a registrant, I want to be able to transfer control of metadata (permission to modify).
- 20 As a domain owner, I want to be able to delegate all or part of registering and administering metadata on my behalf.
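As an added example (not code from the BEER proposal), a registrar-side acceptance check for one SAML 2.0 EntityDescriptor: it applies the domain-ownership rule to the entityID hostname, reads the validUntil and cacheDuration caching hints, and counts published signing keys so an in-progress key rollover (stories 3 and 18) is visible. The EntityDescriptor is constructed sample data; the code does no schema validation and does not check whether the certificates themselves are expired or revoked, which story 15's question leaves to the consumer.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def entity_host_in_domain(entity_id, registrant_domain):
    """BEER's rule: the entityID host must be the registrant's domain or a subdomain of it."""
    host = (urlparse(entity_id).hostname or "").lower().rstrip(".")
    dom = registrant_domain.lower().rstrip(".")
    return bool(host) and (host == dom or host.endswith("." + dom))

def parse_duration(s):
    """Parse the ISO 8601 subset commonly seen in cacheDuration (e.g. PT6H, P1D)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", s)
    if not m or s in ("P", "PT"):
        raise ValueError("unsupported cacheDuration: " + s)
    d, h, mi, sec = (int(x or 0) for x in m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=sec)

def check_entity(xml_text, registrant_domain, now):
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("root element must be md:EntityDescriptor")
    entity_id = root.get("entityID", "")
    valid_until = root.get("validUntil")
    expired = bool(valid_until) and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now
    cache = root.get("cacheDuration")
    # A KeyDescriptor without 'use' covers both signing and encryption; two or more
    # signing keys is how a registrant publishes old and new keys during rollover.
    signing = [kd for kd in root.iter("{%s}KeyDescriptor" % MD)
               if kd.get("use", "signing") == "signing"
               and kd.find(".//{%s}X509Certificate" % DS) is not None]
    return {"entityID": entity_id, "expired": expired,
            "domain_ok": entity_host_in_domain(entity_id, registrant_domain),
            "cache_seconds": parse_duration(cache).total_seconds() if cache else None,
            "signing_keys": len(signing)}

# Constructed sample: an SP mid-rollover, publishing old and new signing certificates.
SAMPLE = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://sp.example.org/shibboleth" validUntil="2011-06-30T00:00:00Z" cacheDuration="PT6H">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-OLD-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>CONSTRUCTED-NEW-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD, DS)

def check_sample(now=datetime(2011, 1, 15, tzinfo=timezone.utc)):
    return check_entity(SAMPLE, "example.org", now)
```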