The InCommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content.





Software Availability

An updated version of delegated administration will be moved to production the week of November 19, 2012.

Delegated Administration of Metadata

The term delegated administration refers to the ability of a site administrator to delegate responsibility for administering SP metadata to another administrator, called a delegated administrator. The rationale for delegated administration was discussed in a blog post published early in 2012. The primary motivation for adding this feature to the Federation Manager is to simplify metadata management for those sites with large numbers of entities in metadata.

Facts About Delegated Administration

  • A site administrator delegates the ability to administer metadata to a delegated administrator by providing the eduPersonPrincipalName and e-mail address of a prospective delegated administrator.
  • A site administrator constrains the privileges of each delegated administrator, that is, the site administrator assigns delegated administrators to manage particular SPs.
  • A delegated administrator is able to administer SP metadata only.
  • A delegated administrator may create/modify/delete SP entity descriptors.
  • A metadata update request submitted by a delegated administrator must be approved by a site administrator.
  • The delegated administrative login interface accepts federated credentials only (i.e., InCommon Operations does not issue passwords to delegated administrators).
  • The delegated administrative login interface supports SAML V2.0 only (i.e., the delegated administrator’s IdP must support SAML V2.0 Web Browser SSO).

Limitations

  • A delegated administrator for one organization may not function as a delegated administrator for another organization.
  • A site administrator for an organization may not function as a delegated administrator for the same organization.
  • Assigning two delegated administrators to the same entity descriptor can have undesirable side effects, since the software does not lock or serialize edits to an entity descriptor: one delegated administrator may submit an update request without knowing that another's request for the same entity descriptor is already pending.

For the Site Administrator


Login to the FM as a site admin

To use this new feature, a site administrator logs into the Federation Manager as usual and clicks the menu item "Delegated Administrators" along the left hand side of the page. After provisioning a new delegated administrator, the system sends an email invitation to the newly provisioned delegated administrator (copying all the site administrators as well). The delegated administrator clicks the link in the email to continue with the onboarding process.

Since multiple delegated administrators may be assigned to a single SP, one delegated administrator may edit and submit metadata without being aware that another delegated administrator has already submitted an update request for the same entity descriptor. For this reason, it is recommended that at most one delegated administrator be assigned to a particular SP.

Preparing Your IdP

Since the delegated administrative login interface accepts federated credentials only, a site administrator must configure the IdP to release the following attributes to the Federation Manager (https://fm.incommon.org/sp):

  • eduPersonPrincipalName
  • mail
  • displayName OR (givenName AND sn)
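The following is an added example and not configuration from the original page or from InCommon: a Shibboleth IdP attribute filter policy that releases exactly the attributes listed above to the Federation Manager. It assumes a Shibboleth IdP (v3 or later attribute-filter syntax; v2 deployments of the 2012 era used the `basic:`-prefixed rule types instead), the attribute IDs of the stock attribute resolver (eduPersonPrincipalName, mail, displayName, givenName, sn), and that https://fm.incommon.org/sp is the SP's entityID as seen by the IdP. Both displayName and givenName/sn are released so the policy satisfies the "displayName OR (givenName AND sn)" requirement regardless of which name attributes a given user record carries.

```xml
<!-- Added example, not from the original page: an attribute-filter.xml policy
     releasing the Federation Manager's required attributes to its SP only.
     Assumes Shibboleth IdP v3+ filter syntax and the default attribute IDs. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <AttributeFilterPolicy id="releaseToInCommonFederationManager">
        <!-- Match the exact SP entityID (assumed here to be the URL given above).
             Keep this an exact-string match; a regex or entity-category rule would
             release the same identity attributes to every SP it happened to match. -->
        <PolicyRequirementRule xsi:type="Requester" value="https://fm.incommon.org/sp" />

        <!-- eduPersonPrincipalName is the value the site administrator enters when
             provisioning the delegated administrator, so it must be released unscoped-filtered
             but with all of its values intact. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- displayName alone satisfies the requirement; givenName and sn cover
             accounts that have no displayName. -->
        <AttributeRule attributeID="displayName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

</AttributeFilterPolicyGroup>
```

After reloading the IdP's attribute filter service, confirm the release by logging in to the test SP named in the next section and checking that eduPersonPrincipalName, mail and the name attributes all appear with the expected values; the eduPersonPrincipalName the IdP asserts must match the one the site administrator entered when provisioning the delegated administrator, or the login will not map to the delegated account.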

Test Your IdP

You can test your IdP by logging into the following test SP: https://service1.internet2.edu/test/

For the Delegated Administrator


Login to the FM as a delegated admin

Security Considerations

For delegated administrators, the Federation Manager recognizes federated credentials only (no local credentials are issued to delegated admins). Currently there are no explicit assurance requirements associated with the federated credentials of delegated administrators. Because every metadata update request submitted by a delegated administrator must be approved by a trusted site administrator before it takes effect, the approval step limits what a weak or compromised delegated-administrator credential can accomplish: an attacker holding such a credential could submit a change to the assigned SP's entity descriptor, but could not publish it without a site administrator's approval. Site administrators should therefore review the content of each update request on its merits rather than approve it on the strength of the submitter's identity.
