Delegated Administration of Metadata
The term delegated administration refers to the ability of a site administrator to delegate responsibility for administering SP metadata to another administrator, called a delegated administrator. The rationale for delegated administration was discussed in a blog post published in early April 2012. The primary motivation is to streamline metadata management for sites with large numbers of entities in metadata.
Software Availability
A BETA version of delegated administration was moved to production on April 23, 2012.
To use this new feature, a site administrator logs into the Federation Manager as usual and clicks the menu item "Delegated Administrators" along the left-hand side of the page. After provisioning a new delegated administrator (by supplying an ePPN and an e-mail address), the system sends an e-mail invitation with a link to the delegated administrator (and a copy to the site administrator). To see how the process works end-to-end, a site administrator can become a delegated administrator by using an alternative account such as a ProtectNetwork account.
Features
- A site administrator delegates the ability to administer metadata to a delegated administrator by providing the ePPN and e-mail address of a prospective delegated administrator.
- The delegated administrative login interface accepts federated credentials only.
- The delegated administrator's IdP must release eduPersonPrincipalName to the Federation Manager (https://fm.incommon.org/sp).
- The delegated administrative login interface supports SAML V2.0 only, that is, the delegated administrator's IdP must support SAML V2.0 Web Browser SSO.
- A delegated administrator is able to administer SP metadata only.
- A delegated administrator may create/update/destroy SP entity descriptors.
- A metadata update request submitted by a delegated administrator must be approved by a site administrator.
- An administrator may be delegated the responsibility to (independently) manage the metadata of multiple organizations.
Limitations
- A site administrator for an organization may not function as a delegated administrator for the same organization.
- A delegated administrator may not upload a certificate (for security reasons). (MDADMIN-51)
- A site administrator is provided with limited information on which to base an approval decision. (MDADMIN-61)
- A site administrator is unable to constrain the update privileges of a particular delegated administrator. (MDADMIN-56)
Security Considerations
For delegated administrators, the Federation Manager recognizes federated credentials only (no local credentials are issued to delegated administrators). Currently there are no explicit assurance requirements associated with these credentials. Since a trusted site administrator must approve any metadata update request submitted by a delegated administrator, it is thought that this approval process mitigates any weakness in the delegated administrator's login credentials.
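The following is an added illustration, not code from the Federation Manager: a small Python model of the rules stated under Features, Limitations and Security Considerations (federated login by ePPN only, SP descriptors only, no certificate upload, mandatory site-administrator approval, and no self-delegation within one organization). The class and function names, and the `certificate` key used to detect a certificate upload, are assumptions of this model; all sample values are constructed.

```python
from dataclasses import dataclass, field

EPPN = "eduPersonPrincipalName"              # attribute the IdP must release (from the page)
ALLOWED_ACTIONS = ("create", "update", "destroy")  # delegated admins touch SP descriptors only


@dataclass
class Org:
    name: str
    site_admins: set = field(default_factory=set)       # ePPNs of site administrators
    delegated_admins: set = field(default_factory=set)  # ePPNs of delegated administrators
    pending: dict = field(default_factory=dict)         # request id -> (eppn, action, entityID, descriptor)
    sp_entities: dict = field(default_factory=dict)     # published entityID -> descriptor
    next_id: int = 0


def delegate(org, site_admin, eppn, email):
    """Site admin provisions a delegated admin by ePPN and e-mail (invitation e-mail omitted).
    A site admin of this org may not be delegated for the same org."""
    if site_admin not in org.site_admins or eppn in org.site_admins:
        return False
    org.delegated_admins.add(eppn)
    return True


def delegated_login(org, saml_attrs):
    """Federated login only: the asserted ePPN must name a known delegated admin, else refuse."""
    eppn = saml_attrs.get(EPPN)
    return eppn if eppn in org.delegated_admins else None


def submit_request(org, eppn, action, entity_id, descriptor=None):
    """Queue a change to one SP entity descriptor; returns a request id, or -1 if refused.
    Certificate upload is refused (MDADMIN-51); the 'certificate' key is a modelling assumption."""
    if eppn not in org.delegated_admins or action not in ALLOWED_ACTIONS:
        return -1
    if descriptor and "certificate" in descriptor:
        return -1
    rid, org.next_id = org.next_id, org.next_id + 1
    org.pending[rid] = (eppn, action, entity_id, descriptor)
    return rid


def approve(org, site_admin, rid):
    """Apply a pending request; nothing reaches published metadata without this step."""
    if site_admin not in org.site_admins or rid not in org.pending:
        return False
    _, action, entity_id, descriptor = org.pending.pop(rid)
    if action == "destroy":
        org.sp_entities.pop(entity_id, None)
    else:
        org.sp_entities[entity_id] = descriptor
    return True
```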