Delegated Administration of Metadata

The term delegated administration refers to the ability of a site administrator to delegate responsibility for administering metadata to another administrator called a delegated administrator.

Features

  • A site administrator delegates the ability to administer metadata to a delegated administrator by providing the ePPN (eduPersonPrincipalName) and e-mail address of the prospective delegated administrator.
  • A metadata update request submitted by a delegated administrator must be approved by a site administrator.
  • The delegated administrative login interface accepts federated credentials only.
  • The delegated administrative login interface supports SAML V2.0 only, that is, the delegated administrator’s IdP must support SAML V2.0 Web Browser SSO.
  • A delegated administrator is able to administer SP metadata only.
  • A delegated administrator may create/update/destroy SP entity descriptors.
  • An administrator may be delegated the responsibility to (independently) manage the metadata of multiple organizations.

Limitations

  • A site administrator for an organization may not function as a delegated administrator for the same organization.
  • A delegated administrator may not upload a certificate.

Security Considerations

For delegated administrators, the Federation Manager recognizes federated credentials only (no local credentials are issued to delegated admins). Currently, however, there are no explicit assurance requirements associated with these credentials. Since a trusted site administrator must approve any metadata update request submitted by a delegated administrator, it is thought that this approval process mitigates any weakness in the delegated administrator's login credentials.
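The rules in the feature and limitation lists above, together with the approval step just described, as a small Python model of the authorization and four-eyes workflow. This is an added example, not Federation Manager code; the class, its method names and the sample organization and ePPN values used by callers are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Federation:
    """Constructed model of delegated administration; not the real Federation Manager."""
    # organization -> set of site-administrator ePPNs (sample data supplied by caller)
    site_admins: dict
    # organization -> set of delegated-administrator ePPNs
    delegated_admins: dict = field(default_factory=dict)
    # update requests awaiting site-administrator approval
    pending: list = field(default_factory=list)
    # published metadata: entityID -> entity descriptor
    metadata: dict = field(default_factory=dict)

    def delegate(self, site_admin, org, eppn):
        """A site administrator grants delegated-administrator rights by ePPN."""
        if site_admin not in self.site_admins.get(org, set()):
            raise PermissionError("only a site administrator of the org may delegate")
        if eppn in self.site_admins.get(org, set()):
            raise ValueError("a site admin may not be a delegated admin for the same org")
        # the same ePPN may be delegated for several organizations independently
        self.delegated_admins.setdefault(org, set()).add(eppn)

    def submit(self, eppn, org, entity_id, descriptor):
        """Delegated admin requests create/update (descriptor) or destroy (None).
        Returns the index of the pending request; nothing is published yet."""
        if eppn not in self.delegated_admins.get(org, set()):
            raise PermissionError("not a delegated administrator for this organization")
        if descriptor is not None:
            if descriptor.get("role") != "SP":
                raise PermissionError("delegated admins administer SP metadata only")
            if "certificate" in descriptor:
                raise PermissionError("delegated admins may not upload a certificate")
        self.pending.append((org, entity_id, descriptor))
        return len(self.pending) - 1

    def approve(self, site_admin, index):
        """Four-eyes step: only a site administrator of the same org can publish."""
        org, entity_id, descriptor = self.pending[index]
        if site_admin not in self.site_admins.get(org, set()):
            raise PermissionError("approval requires a site administrator of that org")
        if descriptor is None:
            self.metadata.pop(entity_id, None)
        else:
            self.metadata[entity_id] = descriptor
        del self.pending[index]
```

The weak point the text names, the unassured delegated credential, is contained because nothing a delegated administrator submits reaches `metadata` until a site administrator of that organization calls `approve`.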

Currently each site has up to two administrators who manage all IdP and SP metadata for the organization. For those sites with many SPs, this can be a burdensome process. To compensate, InCommon Operations has introduced a new feature called delegated administration.

This new feature allows an InCommon site administrator to delegate administration of SP metadata to another individual, presumably the system administrator who operates the SP in question. This feature has the potential to streamline the metadata administrative process, allowing the site to support many more SPs than it does today.