Delegated Administration of Metadata
The term delegated administration refers to the ability of a site administrator to delegate responsibility for administering metadata to another administrator called a delegated administrator.
Features
- A site administrator delegates the ability to administer metadata to a delegated administrator by providing the ePPN and e-mail address of the prospective delegated administrator.
- A metadata update request submitted by a delegated administrator must be approved by a site administrator.
- The delegated administrative login interface accepts federated credentials only.
- The delegated administrative login interface supports SAML V2.0 only, that is, the delegated administrator’s IdP must support SAML V2.0 Web Browser SSO.
- A delegated administrator is able to administer SP metadata only.
- A delegated administrator may create/update/destroy SP entity descriptors.
- An administrator may be delegated the responsibility to (independently) manage the metadata of multiple organizations.
Limitations
- A site administrator for an organization may not function as a delegated administrator for the same organization.
- A delegated administrator may not upload a certificate.
Security Considerations
For delegated administrators, the Federation Manager recognizes federated credentials only; no local credentials are issued to delegated administrators. Currently, however, there are no explicit assurance requirements associated with these credentials. Since a trusted site administrator must approve any metadata update request submitted by a delegated administrator, this approval process is thought to mitigate any weakness in the delegated administrator's login credentials.
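The rules in the Features, Limitations and Security Considerations sections above amount to a small authorization policy: delegation by a site administrator, SP-only scope, no certificate uploads, no self-delegation within one organization, and a site-administrator approval gate before any change is applied. The following is an added illustration of that policy as code; it is not Federation Manager code, and every class, function and sample value (such as "uni-a" and the ePPNs) is a hypothetical construct.

```python
from dataclasses import dataclass, field

class PolicyError(Exception):
    """Raised when an action violates the delegated-administration policy."""

@dataclass
class Admin:
    eppn: str                 # federated identity (eduPersonPrincipalName), hypothetical
    email: str
    site_admin_orgs: set = field(default_factory=set)  # orgs this person site-administers
    delegated_orgs: set = field(default_factory=set)   # orgs delegated to this person

@dataclass
class UpdateRequest:
    org: str
    entity_type: str          # "SP" or "IdP"
    action: str               # "create", "update" or "destroy"
    includes_certificate: bool = False
    submitted_by: str = ""
    approved_by: str = ""     # empty until a site admin for the org approves

def delegate(site_admin: Admin, org: str, prospective: Admin) -> None:
    """A site admin delegates `org` to `prospective` (identified by ePPN and e-mail)."""
    if org not in site_admin.site_admin_orgs:
        raise PolicyError("only a site administrator for the organization may delegate")
    if org in prospective.site_admin_orgs:
        raise PolicyError("a site administrator may not be delegated administrator for the same organization")
    prospective.delegated_orgs.add(org)   # one person may hold delegations for several orgs

def submit(delegated: Admin, req: UpdateRequest) -> UpdateRequest:
    """A delegated admin submits a request; it is queued for approval, never applied directly."""
    if req.org not in delegated.delegated_orgs:
        raise PolicyError("not a delegated administrator for this organization")
    if req.entity_type != "SP":
        raise PolicyError("delegated administrators may administer SP metadata only")
    if req.includes_certificate:
        raise PolicyError("delegated administrators may not upload a certificate")
    req.submitted_by = delegated.eppn
    return req

def approve(site_admin: Admin, req: UpdateRequest) -> UpdateRequest:
    """Only a site admin for the request's organization may approve it."""
    if req.org not in site_admin.site_admin_orgs:
        raise PolicyError("approver is not a site administrator for this organization")
    req.approved_by = site_admin.eppn
    return req

def apply_request(req: UpdateRequest) -> bool:
    """The gate the metadata store enforces: an unapproved request changes nothing."""
    if not req.approved_by:
        raise PolicyError("request has not been approved by a site administrator")
    return True

def is_denied(fn, *args) -> bool:
    """Check helper: True if the policy rejected the call."""
    try:
        fn(*args)
        return False
    except PolicyError:
        return True
```

The approval gate in apply_request is what backs the reasoning in Security Considerations: a compromised delegated-administrator credential can only queue a request, not publish metadata.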