Migrating to REFEDS R&S Phase II
Browse a list of all current R&S SPs and IdPs
Report on Phase I
As of Feb 17, all but four (4) R&S SPs meet the requirements of REFEDS R&S; that is, 28 of 32 R&S SPs now have a multivalued R&S entity attribute in metadata:
<mdattr:EntityAttributes
xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
<!-- multivalued entity attribute for R&S SPs -->
<saml:Attribute
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
Name="http://macedir.org/entity-category">
<saml:AttributeValue>
http://id.incommon.org/category/research-and-scholarship
</saml:AttributeValue>
<saml:AttributeValue>
http://refeds.org/category/research-and-scholarship
</saml:AttributeValue>
</saml:Attribute>
</mdattr:EntityAttributes>
I suspect two of the remaining four R&S SPs are at risk:
GPN/UM Dropoff Services
Narada Metrics
OTOH, I believe the other two (nanoHUB.org and Penn State WikiSpaces) will successfully make the transition by the end of February.
Outline of Phase II
Basic message: If you are an IdP operator that supports R&S, migrate to REFEDS R&S now! (reference needed)
Recommended migration process:
An R&S IdP migrates to REFEDS R&S by changing its config from this:
The configuration of an IdP that has NOT migrated to REFEDS R&S<afp:AttributeFilterPolicy id="releaseFullBundleToRandS"> <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://id.incommon.org/category/research-and-scholarship"/> <!-- attribute rules here --> </afp:AttributeFilterPolicy>to this:
The configuration of an IdP that has migrated to REFEDS R&S<afp:AttributeFilterPolicy id="releaseFullBundleToRandS"> <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch" attributeName="http://macedir.org/entity-category" attributeValue="http://refeds.org/category/research-and-scholarship"/> <!-- attribute rules here --> </afp:AttributeFilterPolicy>When an R&S IdP migrates to REFEDS R&S (as above), the entity attribute in IdP metadata will be changed from this:
The InCommon R&S Entity Attribute for IdPs<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"> <!-- the InCommon entity attribute value for R&S IdPs --> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://macedir.org/entity-category-support"> <saml:AttributeValue> http://id.incommon.org/category/research-and-scholarship </saml:AttributeValue> </saml:Attribute> </mdattr:EntityAttributes>to this:
The REFEDS R&S Entity Attribute for IdPs<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"> <!-- the REFEDS entity attribute value for R&S IdPs --> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" Name="http://macedir.org/entity-category-support"> <saml:AttributeValue> http://refeds.org/category/research-and-scholarship </saml:AttributeValue> </saml:Attribute> </mdattr:EntityAttributes>The InCommon R&S entity attribute value is not exported to eduGAIN. Only the REFEDS R&S entity attribute value is exported to eduGAIN.
R&S IdPs that migrate to REFEDS R&S will be automatically exported to eduGAIN once global R&S SPs have been imported into InCommon metadata.
Open Question
What about new R&S IdPs? Should new R&S IdPs be allowed to declare their support for InCommon R&S only?
Once Phase II begins, the following wiki pages will need to be edited:
https://spaces.at.internet2.edu/x/-oKVAQ
https://spaces.at.internet2.edu/x/eQTvAQ