



Delegated Administration of Metadata

The term delegated administration refers to the ability of a site administrator to delegate responsibility for administering SP metadata to another administrator called a delegated administrator. The rationale for delegated administration was discussed in a blog post published early April 2012. The primary motivation is to streamline metadata management for those sites with large numbers of entities in metadata.

Software Availability

A BETA version of delegated administration was moved to production on April 23, 2012.

To use this new feature, a site administrator logs into the Federation Manager as usual and clicks the "Delegated Administrators" menu item along the left-hand side of the page. After provisioning a new delegated administrator (by supplying an ePPN and an e-mail address), the system sends an e-mail invitation with a link to the delegated administrator (and a copy to the site administrator). To see how the process works end-to-end, a site administrator can become a delegated administrator by using an alternative account, such as a ProtectNetwork account.

Features

  • A site administrator delegates the ability to administer metadata to a delegated administrator by providing the ePPN and e-mail address of a prospective delegated administrator.
  • The delegated administrative login interface accepts federated credentials only.
  • The delegated administrator's IdP must release eduPersonPrincipalName to the Federation Manager (https://fm.incommon.org/sp).
  • The delegated administrative login interface supports SAML V2.0 only, that is, the delegated administrator’s IdP must support SAML V2.0 Web Browser SSO.
  • A delegated administrator is able to administer SP metadata only.
  • A delegated administrator may create/update/destroy SP entity descriptors.
  • A metadata update request submitted by a delegated administrator must be approved by a site administrator.
  • An administrator may be delegated the responsibility to (independently) manage the metadata of multiple organizations.

Limitations

  • A site administrator for an organization may not function as a delegated administrator for the same organization.
  • A delegated administrator may not upload a certificate (for security reasons). (MDADMIN-51)
  • A site administrator is provided with limited information on which to base an approval decision. (MDADMIN-61)
  • A site administrator is unable to constrain the update privileges of a particular delegated administrator. (MDADMIN-56)

Security Considerations

For delegated administrators, the Federation Manager recognizes federated credentials only (no local credentials are issued to delegated administrators). Currently there are no explicit assurance requirements associated with these credentials. Since a trusted site administrator must approve any metadata update request submitted by a delegated administrator, it is thought that this approval process mitigates any weakness in the delegated administrator's login credentials.
