- Created by Albert Wu (internet2.edu), last modified on Jul 09, 2020
Delegated administration is the ability of a Site Administrator to delegate the duty of administering selected Service Provider (SP) metadata to another person in his or her organization. The person holding this delegated role is called a Delegated Administrator. For organizations with a large number of SPs, or where an SP is operated by a departmental unit, delegated administration lets the organization spread out the load of metadata management.
How delegated metadata administration works
- A Site Administrator delegates the ability to administer SP metadata by providing the eduPersonPrincipalName and e-mail address of a prospective Delegated Administrator.
- A Site Administrator uses the Delegated Administration feature in Federation Manager to assign ongoing management duties for particular SPs to a Delegated Administrator.
- A Delegated Administrator may modify and/or delete SP entities assigned to him/her.
- A Delegated Administrator can create a new SP entity.
- Any metadata update made by a Delegated Administrator must be approved by a Site Administrator for publication to the InCommon metadata.
Step-by-step topics
For Site Administrator:
- Prepare for Delegated Administration assignment
- Assign access to a Delegated Administrator
- Approve updates submitted by a Delegated Administrator
For Delegated Administrator:
Considerations
- A Site Administrator for an organization may not function as a Delegated Administrator for the same organization.
- A Delegated Administrator for one organization may not function as a Delegated Administrator for another organization.
- Assigning two Delegated Administrators to manage the same entity can have undesirable side effects: the software does not constrain or serialize edits to an entity descriptor in any way, so edits by the two can conflict.
- A Site Administrator cannot unconditionally delegate responsibility for administering SP metadata; that is, a Site Administrator must always approve update requests made by a Delegated Administrator.
Access Requirements
- The Delegated Administrator login interface accepts federated credentials only (i.e., InCommon Operations does not issue passwords to Delegated Administrators).
- The Delegated Administrator’s IdP must support SAML V2.0 Web Browser SSO (i.e., SAML V1.1 is not supported).
- The Delegated Administrator’s IdP must release a set of required attributes to the Federation Manager.
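The two technical requirements above can be pre-checked before a Site Administrator files the assignment. The following script is an added example written for this page; it is not Federation Manager code. It reads an IdP's SAML metadata and reports whether the IdP advertises SAML V2.0 Web Browser SSO endpoints (an IdP that only lists SAML V1.1 / Shibboleth 1.x bindings fails), and it inspects a SAML 2.0 assertion to see which required attributes the IdP actually released. The metadata documents and the assertion in the script are constructed samples. The attribute set it requires is an assumption: it uses eduPersonPrincipalName and mail (the standard OID names) because those are the two identifiers this page says the Site Administrator supplies for a Delegated Administrator; the complete list Federation Manager requires should be taken from its own documentation.

```python
"""Pre-flight checks for a prospective Delegated Administrator's IdP.

Added example, not Federation Manager code. Sample metadata and the sample
assertion below are constructed for this script.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# AuthnRequest bindings used by the SAML V2.0 Web Browser SSO profile.
SAML2_SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Standard OID attribute names for eduPersonPrincipalName and mail.
# Assumption: these two are the required attributes checked here; confirm the
# full list against the Federation Manager documentation.
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
REQUIRED_ATTRIBUTES = {EPPN, MAIL}


def saml2_sso_endpoints(metadata_xml: str) -> list[str]:
    """Return SingleSignOnService locations usable for SAML V2.0 Web Browser SSO.

    An IDPSSODescriptor that does not declare SAML 2.0 protocol support, or that
    only lists SAML 1.x / Shibboleth 1.x bindings, contributes nothing.
    """
    # Metadata fetched from an untrusted source should be parsed with defusedxml.
    root = ET.fromstring(metadata_xml)
    endpoints = []
    for idp in root.iter(f"{{{NS['md']}}}IDPSSODescriptor"):
        protocols = idp.get("protocolSupportEnumeration", "").split()
        if SAML2_PROTOCOL not in protocols:
            continue
        for sso in idp.findall("md:SingleSignOnService", NS):
            if sso.get("Binding") in SAML2_SSO_BINDINGS:
                endpoints.append(sso.get("Location"))
    return endpoints


def supports_saml2_web_sso(metadata_xml: str) -> bool:
    """True if the IdP metadata advertises at least one SAML V2.0 SSO endpoint."""
    return bool(saml2_sso_endpoints(metadata_xml))


def released_attributes(assertion_xml: str) -> dict[str, list[str]]:
    """Map attribute Name -> values across all AttributeStatements of an assertion."""
    root = ET.fromstring(assertion_xml)
    out: dict[str, list[str]] = {}
    for attr in root.iter(f"{{{NS['saml']}}}Attribute"):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name", ""), []).extend(values)
    return out


def missing_required_attributes(assertion_xml: str, required=REQUIRED_ATTRIBUTES) -> set[str]:
    """Required attribute names that are absent or carry only empty values."""
    released = released_attributes(assertion_xml)
    return {n for n in required if not any(v.strip() for v in released.get(n, []))}


# Constructed sample: IdP that supports both SAML 2.0 and the legacy Shibboleth 1.x profile.
SAML2_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol">
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://idp.example.edu/idp/profile/Shibboleth/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: legacy IdP that only speaks SAML 1.1 (not acceptable for a Delegated Administrator).
SAML1_ONLY_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://legacy-idp.example.edu/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://legacy-idp.example.edu/shibboleth-idp/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion that releases ePPN but not mail.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0" IssueInstant="2020-07-09T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print("SAML2 IdP endpoints:", saml2_sso_endpoints(SAML2_IDP))
    print("Legacy IdP acceptable:", supports_saml2_web_sso(SAML1_ONLY_IDP))
    print("Missing required attributes:", missing_required_attributes(ASSERTION))
```

Run it against the Delegated Administrator's real IdP metadata (for example the entry in the InCommon aggregate) and a captured assertion from a test login; an empty endpoint list or a non-empty missing set means the assignment will fail at login even though the Site Administrator can still submit it.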