
Delegated Administration of Metadata

The term delegated administration refers to the ability of a site administrator to delegate responsibility for administering SP metadata to another administrator called a delegated administrator. The rationale for delegated administration was discussed in a [blog post] published early in 2012. The primary motivation for adding this feature to the [InCCollaborate:Federation Manager] is to simplify metadata management for those sites with large numbers of entities in metadata.

Facts About Delegated Administration

  • A site administrator delegates the ability to administer metadata to a delegated administrator by providing the eduPersonPrincipalName and e-mail address of a prospective delegated administrator.
  • A site administrator constrains the privileges of each delegated administrator, that is, the site administrator assigns delegated administrators to manage particular SPs.
  • A delegated administrator is able to administer SP metadata only.
  • A delegated administrator may create/modify/delete SP entity descriptors.
  • A metadata update request submitted by a delegated administrator must be approved by a site administrator.
  • The delegated administrative login interface accepts federated credentials only (i.e., InCommon Operations does not issue passwords to delegated administrators).
  • The delegated administrative login interface supports SAML V2.0 only (i.e., the delegated administrator’s IdP must support SAML V2.0 Web Browser SSO).

Limitations

  • A site administrator for an organization may not function as a delegated administrator for the same organization.
  • A delegated administrator for one organization may not function as a delegated administrator for another organization.
  • Assigning two delegated administrators to the same entity descriptor can have undesirable side effects, since the software does not constrain concurrent editing of an entity descriptor in any way.
  • A site administrator cannot unconditionally delegate responsibility for administering SP metadata; that is, a site administrator must always approve update requests made by a delegated administrator.

For the Site Administrator

Login to the FM as a site admin

To use this new feature, a site administrator logs into the Federation Manager as usual and clicks the menu item "Delegated Administrators" along the left-hand side of the page. After provisioning a new delegated administrator, the system sends an email invitation to the newly provisioned delegated administrator (copying all the site administrators as well). The delegated administrator clicks the link in the email to continue with the onboarding process.

Since multiple delegated administrators may be assigned to a single SP, one delegated administrator may edit and submit metadata without being aware that another delegated administrator has already submitted an update request for the same entity descriptor. For this reason, it is recommended that at most one delegated administrator be assigned to a particular SP.

Preparing Your IdP

Since the delegated administrative login interface accepts federated credentials only, a site administrator must configure the IdP to release the following attributes to the Federation Manager (https://fm.incommon.org/sp):

  • eduPersonPrincipalName
  • mail
  • givenName
  • sn (surname)
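As an added example (not from this page or from InCommon), assuming a Shibboleth IdP v3 or later and its conf/attribute-filter.xml syntax, the following policy releases exactly these four attributes to the Federation Manager SP and to no other requester; the policy id is a placeholder chosen here:

```xml
<!-- Added example; assumed Shibboleth IdP (v3+) attribute-filter.xml syntax.
     The policy id "releaseToInCommonFM" is a placeholder name. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- Scope the release to the Federation Manager SP only, keyed on the
         entity ID given on this page; a Requester rule avoids releasing
         these attributes to every SP in the federation. -->
    <AttributeFilterPolicy id="releaseToInCommonFM">
        <PolicyRequirementRule xsi:type="Requester" value="https://fm.incommon.org/sp" />

        <!-- eduPersonPrincipalName is what the FM matches against the value the
             site administrator entered when provisioning the delegated admin. -->
        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <!-- mail is used for the invitation and approval correspondence. -->
        <AttributeRule attributeID="mail">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <!-- givenName and sn identify the person in the FM interface. -->
        <AttributeRule attributeID="givenName">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
        <AttributeRule attributeID="sn">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

The attributeID values must match the definitions in your attribute-resolver configuration; confirm the release against the test SP named in the next section before onboarding a delegated administrator.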

Test Your IdP

You can test your IdP by logging into the following test SP: https://service1.internet2.edu/test/

For the Delegated Administrator

Login to the FM as a delegated admin

As a delegated administrator, you will be able to create new SP metadata and edit existing SP metadata subject to policy. Your privileges have been assigned by a site administrator. If you are unable to perform some action, talk to your site administrator. Only a site administrator can assign privileges to a delegated administrator.

Create New SP Metadata

Click the link "Add a New Service Provider" to create new SP metadata. Visit the [InCCollaborate:Metadata Administration] wiki page for tips, recommendations, and requirements regarding SP metadata.

Any new metadata you create must be approved by your site administrator.

Edit Existing SP Metadata

When you log in as a delegated administrator, you will be presented with a list of all SPs owned by the organization. The particular SPs you have been given permission to edit will have an "Edit" link next to their entity ID. Click the link to edit the metadata for that SP. If there is no "Edit" link next to the SP you want to edit, talk to your site administrator.

Any metadata updates you submit must be approved by your site administrator.

Unlinking a Certificate

You may notice a link labeled "Unlink from the metadata" next to a certificate reference. This means the certificate was previously uploaded to the system by a site administrator and therefore cannot be shown inline until you "Unlink" it. You should perform the following steps for each such certificate:

  1. Scroll down to the bottom of the page and copy the content of the <ds:X509Certificate> element in metadata.
  2. Paste the certificate content into the provided textarea.
  3. Click the "Unlink from the metadata" link.
  4. Submit an update request to your site administrator.

Once your site administrator approves the request, the certificate will appear inline where it is more easily reviewed and manipulated.

Security Considerations

For delegated administrators, the Federation Manager recognizes federated credentials only (no local credentials are issued to delegated admins). Currently there are no explicit assurance requirements associated with the federated credentials of delegated administrators. Since a trusted site administrator must approve any metadata update request submitted by a delegated administrator, the approval process mitigates any weakness in the delegated administrator's login credentials.
