
Software Availability

An updated version of delegated administration will be moved to production the week of October 29, 2012.

Delegated Administration of Metadata

The term delegated administration refers to the ability of a site administrator to delegate responsibility for administering SP metadata to another administrator called a delegated administrator. The rationale for delegated administration was discussed in a [blog post] published early in 2012. The primary motivation is to streamline metadata management for those sites with large numbers of entities in metadata.


Login to the FM as a delegated admin

To use this new feature, a site administrator logs into the Federation Manager as usual and clicks the menu item "Delegated Administrators" along the left hand side of the page. After provisioning a new delegated administrator (by supplying an eduPersonPrincipalName and an e-mail address), the system sends an e-mail invitation with a link to the delegated administrator (and a copy to the site administrator). To see how the process works end-to-end, a site administrator can become a delegated administrator by using an alternative account such as a ProtectNetwork account.

Facts About Delegated Administration

  • A delegated administrator is able to administer SP metadata only.
  • A delegated administrator may create/modify/delete SP entity descriptors.
  • A metadata update request submitted by a delegated administrator must be approved by a site administrator.
  • A site administrator delegates the ability to administer metadata to a delegated administrator by providing the eduPersonPrincipalName and e-mail address of a prospective delegated administrator.
  • A site administrator constrains the update privileges of each delegated administrator, that is, the site administrator assigns delegated administrators to manage particular SPs.
  • The delegated administrative login interface accepts federated credentials only.
  • The delegated administrative login interface supports SAML V2.0 only, that is, the delegated administrator’s IdP must support SAML V2.0 Web Browser SSO.
  • A delegated administrator may be given the responsibility to (independently) manage the metadata of multiple organizations.

Limitations

  • A site administrator for an organization may not function as a delegated administrator for the same organization.

Preparing Your IdP

Since the delegated administrative login interface accepts federated credentials only, the site administrator must provide the eduPersonPrincipalName (ePPN) and the e-mail address (mail) of each delegated administrator ahead of time. As a one-time operation, the site administrator configures the IdP to release ePPN and mail to the Federation Manager (https://fm.incommon.org/sp).
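As an added example (not part of the original page or of the Federation Manager itself), here is a Shibboleth IdP attribute-filter policy that releases ePPN and mail only to the Federation Manager SP, rather than to every requester. It assumes the SP's entityID is the URL given above (confirm it against the SP's entry in InCommon metadata before deploying), Shibboleth IdP v3-or-later filter syntax, and that the attribute resolver defines the two attributes with the IDs eduPersonPrincipalName and mail.

```xml
<!-- conf/attribute-filter.xml (Shibboleth IdP v3+ syntax; added example) -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Scope the policy to the Federation Manager SP only.
         The entityID below is an assumption taken from the page's URL;
         verify it against InCommon metadata. Do NOT use
         <PolicyRequirementRule xsi:type="ANY"/> here: that would release
         ePPN and mail to every SP, not just the FM. -->
    <AttributeFilterPolicy id="releaseToInCommonFederationManager">
        <PolicyRequirementRule xsi:type="Requester" value="https://fm.incommon.org/sp"/>

        <!-- ePPN identifies the delegated administrator the site admin provisioned. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>

        <!-- mail must match the e-mail address the site admin supplied. -->
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY"/>
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

After reloading the filter service, the test SP listed below can confirm that both attributes are actually released before a delegated administrator tries to log in.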

Test Your IdP

You can test your IdP by logging into the following test SP: https://service1.internet2.edu/test/

Security Considerations

For delegated administrators, the Federation Manager recognizes federated credentials only (no local credentials are issued to delegated admins). Currently there are no explicit assurance requirements associated with the federated credentials of delegated administrators. Since a trusted site administrator must approve any metadata update request submitted by a delegated administrator, it is thought that this approval process mitigates any weakness in the delegated administrator's login credentials.
