Delegated administration is the ability for a site administrator to delegate the duty of administering select Service Provider (SP) metadata to another person in his/her organization. This delegated role is called a Delegated Administrator. For organizations with a large number of SPs, or where an SP is operated by a departmental unit, delegated administration allows the organization to spread out the load of metadata management.
- A Site Administrator delegates the ability to administer SP metadata to a Delegated Administrator by providing the eduPersonPrincipalName and e-mail address of the prospective Delegated Administrator.
- A Site Administrator uses the Delegated Administration feature in Federation Manager to assign ongoing management duties of particular SPs to a Delegated Administrator.
- A Delegated Administrator may modify and/or delete SP entities assigned to him/her.
- A Delegated Administrator can create a new SP entity.
- Any metadata update made by a Delegated Administrator must be approved by a Site Administrator for publication to the InCommon metadata.
For Site Administrator:
For Delegated Administrator:
- A Site Administrator for an organization may not function as a Delegated Administrator for the same organization.
- A Delegated Administrator for one organization may not function as a Delegated Administrator for another organization.
- Assigning two Delegated Administrators to manage the same entity can have undesirable side effects, since the editing of entity descriptors is not constrained by the software in any way.
- A Site Administrator cannot unconditionally delegate responsibility for administering SP metadata; that is, a Site Administrator must always approve update requests made by a Delegated Administrator.
- The Delegated Administrative login interface accepts federated credentials only (i.e., InCommon Operations does not issue passwords to Delegated Administrators).
- The Delegated Administrator’s IdP must support SAML V2.0 Web Browser SSO (i.e., SAML V1.1 is not supported).
- The Delegated Administrator’s IdP must release a set of required attributes to the Federation Manager.
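The delegation workflow and the constraints listed above can be read as an authorization policy: a Delegated Administrator (DA) may only touch SPs assigned to them, nothing they submit is published until a Site Administrator of the same organization approves it, a Site Administrator may not double as a DA for their own organization, and a DA serves one organization only. The following added example models those rules in Python; it is not Federation Manager's own code, and the class, method and error-message names are assumptions. It also flags the case the page warns about, assigning a second DA to one entity.

```python
class DelegationPolicy:
    """Hypothetical model of the delegation rules above; not the real Federation Manager code."""
    def __init__(self, site_admins):
        self.site_admins = dict(site_admins)  # eppn -> organization
        self.delegates = {}     # eppn -> organization (a DA serves exactly one org)
        self.entity_org = {}    # SP entityID -> organization
        self.assigned = {}      # SP entityID -> set of DA eppns
        self.published = {}     # SP entityID -> approved metadata
        self.pending = []       # updates awaiting Site Administrator approval

    def delegate(self, site_admin, eppn, org):
        """A Site Administrator names a DA by eppn (the e-mail address is omitted here)."""
        if self.site_admins.get(site_admin) != org:
            raise PermissionError("only a Site Administrator of that organization may delegate")
        if self.site_admins.get(eppn) == org:
            raise ValueError("a Site Administrator may not be a DA for the same organization")
        if self.delegates.get(eppn, org) != org:
            raise ValueError("a DA may serve only one organization")
        self.delegates[eppn] = org

    def assign(self, site_admin, eppn, entity_id):
        """Give a DA ongoing management of an SP. Returns True when the SP now has more
        than one DA, because the software does not serialize concurrent edits."""
        org = self.site_admins.get(site_admin)
        if org is None or self.delegates.get(eppn) != org or self.entity_org.get(entity_id) != org:
            raise PermissionError("DA and SP must belong to the Site Administrator's organization")
        das = self.assigned.setdefault(entity_id, set())
        das.add(eppn)
        return len(das) > 1

    def submit(self, eppn, entity_id, metadata):
        """A DA creates or edits an SP; the change is queued, never published directly."""
        if eppn not in self.delegates:
            raise PermissionError("not a Delegated Administrator")
        if entity_id not in self.entity_org:          # a new SP created by the DA
            self.entity_org[entity_id] = self.delegates[eppn]
            self.assigned.setdefault(entity_id, set()).add(eppn)
        elif eppn not in self.assigned[entity_id]:
            raise PermissionError("DA is not assigned to this SP")
        update = {"entity_id": entity_id, "author": eppn, "metadata": metadata, "approved": False}
        self.pending.append(update)
        return update

    def approve(self, site_admin, update):
        """Only a Site Administrator of the SP's organization publishes a pending update."""
        if self.site_admins.get(site_admin) != self.entity_org[update["entity_id"]]:
            raise PermissionError("approval requires a Site Administrator of the SP's organization")
        self.pending.remove(update)
        update["approved"] = True
        self.published[update["entity_id"]] = update["metadata"]
```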