
InCommon Federation Manager

The InCommon Federation Manager is a web application for managing InCommon Federation metadata. The interface supports both IdP and SP metadata.

To create metadata for a new IdP or SP, or to edit the metadata for an existing IdP or SP, log in to the Federation Manager with the credentials that were issued to you when your organization joined the InCommon Federation. Alternatively, a site administrator may delegate administration of SP metadata to another individual.

FM Users

There are three types of Federation Manager (FM) users:

  1. RA administrators
  2. Site administrators
  3. Delegated administrators

RA Administrators

An RA administrator vets and approves submitted metadata. In some cases, an RA administrator may modify metadata directly without the intervention of the site administrator.

An RA administrator logs into the Federation Manager (FM) with two-factor authentication.

Site Administrators

Site administrators are provisioned by RA administrators. A site administrator can create, update, or delete any type of metadata (IdP or SP). An RA administrator must approve any metadata update request submitted or approved by a site administrator.

Today a site administrator logs in to the FM with a strong password.

Delegated Administrators

Delegated administrators are provisioned by site administrators. A delegated administrator can create, update, or delete SP metadata, but a site administrator must approve any metadata update request submitted by a delegated administrator.

A delegated administrator logs in to the FM with a federated credential (no assurance requirements), but every metadata update request made by a delegated administrator must be approved by a site administrator. The identity provider must release certain identity attributes for the delegated administrator to gain access to the FM. These attributes positively identify the authenticated user as the delegated administrator previously provisioned by the site administrator.

Every time a delegated administrator tries to access the FM, the attributes received from the identity provider are compared with the attributes stored in the identity management system. These attributes determine: 1) whether the authenticated user is allowed access, and if so, 2) what metadata the delegated administrator is allowed to update.
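The attribute comparison described above, written out as an authorization check. This is an added example, not Federation Manager code; the attribute names (eduPersonPrincipalName and mail), the binding of each provisioned delegated administrator to the entityID of the IdP expected to authenticate them, and the sample records are all assumptions.

```python
"""Attribute-based access check for delegated administrators (added example).

Assumes, hypothetically, that the IdP releases eduPersonPrincipalName and mail,
and that the site administrator provisioned each delegated administrator with
those two values plus the entityIDs of the SPs that person may update.
"""
from __future__ import annotations
from dataclasses import dataclass

# Attributes assumed to positively identify the delegated administrator.
REQUIRED_ATTRS = ("eduPersonPrincipalName", "mail")

@dataclass(frozen=True)
class DelegatedAdmin:
    idp_entity_id: str        # IdP expected to authenticate this person (assumed binding)
    attrs: dict               # identity attributes stored at provisioning time
    sp_entity_ids: frozenset  # SP metadata this person is allowed to update

def authorize(issuer: str, received: dict, provisioned: list[DelegatedAdmin]):
    """Return (allowed, sp_entity_ids) for an authenticated user.

    issuer:   entityID of the IdP that issued the assertion.
    received: attribute statement from the assertion; values are lists because
              SAML attributes are multi-valued.
    """
    # 1) Every identifying attribute must be present with exactly one value;
    #    a missing or ambiguous attribute denies access rather than guessing.
    for name in REQUIRED_ATTRS:
        if len(received.get(name, [])) != 1:
            return False, frozenset()
    # 2) Match only against records provisioned for this IdP, comparing the
    #    address-shaped values case-insensitively.
    for admin in provisioned:
        if admin.idp_entity_id != issuer:
            continue
        if all(received[n][0].lower() == admin.attrs[n].lower() for n in REQUIRED_ATTRS):
            return True, admin.sp_entity_ids
    return False, frozenset()

# Constructed sample data; not real InCommon participants.
PROVISIONED = [
    DelegatedAdmin(
        idp_entity_id="https://idp.example.edu/idp/shibboleth",
        attrs={"eduPersonPrincipalName": "jdoe@example.edu", "mail": "jdoe@example.edu"},
        sp_entity_ids=frozenset({"https://sp1.example.edu/shibboleth"}),
    ),
]
ASSERTION_OK = {"eduPersonPrincipalName": ["JDoe@example.edu"], "mail": ["jdoe@example.edu"]}
ASSERTION_MISSING_MAIL = {"eduPersonPrincipalName": ["jdoe@example.edu"]}
```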
