
Migrating to REFEDS R&S Phase II

Report on Phase I

As of February 17, all but four (4) R&S SPs meet the requirements of REFEDS R&S; that is, 28 of 32 R&S SPs now have a multivalued R&S entity attribute in metadata:

A Multivalued R&S Entity Attribute for SPs
<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- multivalued entity attribute for R&amp;S SPs -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <saml:AttributeValue>
      http://id.incommon.org/category/research-and-scholarship
    </saml:AttributeValue>
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

I suspect two of the remaining four R&S SPs are at risk of not making the transition to REFEDS R&S:

  1. GPN/UM Dropoff Services

  2. Narada Metrics

I predict the other two (nanoHUB.org and Penn State WikiSpaces) will successfully make the transition by the end of February.

Messaging to R&S SPs

AFAIK, little more than a handful of R&S SPs filter metadata based on the R&S entity attribute, but in any case those SPs will be advised as follows:

If you filter metadata based on the R&S entity attribute, you should know that R&S IdPs will begin migrating from InCommon R&S to REFEDS R&S in March 2015. This means that some IdPs will have the legacy InCommon R&S entity attribute value in metadata:

http://id.incommon.org/category/research-and-scholarship

while other IdPs will have the REFEDS R&S entity attribute value in metadata:

http://refeds.org/category/research-and-scholarship

We expect the migration to take a very long time, so you are advised to filter metadata on both R&S entity attribute values if you filter metadata at all.

A more interesting question remains:

Open Question

What should R&S SPs do (if anything) once we start importing global R&S IdPs into InCommon metadata?

Outline of Phase II

Basic message: If you are an IdP operator that supports R&S, migrate to REFEDS R&S now! (reference needed)

Recommended migration process:

  1. An R&S IdP migrates to REFEDS R&S by changing its config from this:

    The configuration of an IdP that has NOT migrated to REFEDS R&S
    <afp:AttributeFilterPolicy id="releaseFullBundleToRandS">
    
      <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
          attributeName="http://macedir.org/entity-category"
          attributeValue="http://id.incommon.org/category/research-and-scholarship"/>
    
      <!-- attribute rules here -->
    
    </afp:AttributeFilterPolicy>
    

    to this:

    The configuration of an IdP that has migrated to REFEDS R&S
    <afp:AttributeFilterPolicy id="releaseFullBundleToRandS">
    
      <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
          attributeName="http://macedir.org/entity-category"
          attributeValue="http://refeds.org/category/research-and-scholarship"/>
    
      <!-- attribute rules here -->
    
    </afp:AttributeFilterPolicy>

  2. When an R&S IdP migrates to REFEDS R&S (as above), the entity attribute in IdP metadata will be changed from this:

    The InCommon R&S Entity Attribute for IdPs
    <mdattr:EntityAttributes
        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <!-- the InCommon entity attribute value for R&amp;S IdPs -->
      <saml:Attribute
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="http://macedir.org/entity-category-support">
        <saml:AttributeValue>
          http://id.incommon.org/category/research-and-scholarship
        </saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>

    to this:

    The REFEDS R&S Entity Attribute for IdPs
    <mdattr:EntityAttributes
        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <!-- the REFEDS entity attribute value for R&amp;S IdPs -->
      <saml:Attribute
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="http://macedir.org/entity-category-support">
        <saml:AttributeValue>
          http://refeds.org/category/research-and-scholarship
        </saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>

  3. The InCommon R&S entity attribute value is not exported to eduGAIN. Only the REFEDS R&S entity attribute value is exported to eduGAIN.

  4. R&S IdPs that migrate to REFEDS R&S will be automatically exported to eduGAIN once global R&S SPs have been imported into InCommon metadata.
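The filtering advice to SPs and the IdP rule change in step 1, checked against metadata in one added example (not code from the InCommon wiki): it lists IdPs that declare support for either R&S value, and SPs that carry only the legacy value and so would stop matching a migrated IdP's exact-match rule. The entity IDs and the sample aggregate are constructed, and the script assumes the metadata signature has already been verified.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CATEGORY = "http://macedir.org/entity-category"          # declared by SPs
SUPPORT = "http://macedir.org/entity-category-support"   # declared by IdPs
INCOMMON_RS = "http://id.incommon.org/category/research-and-scholarship"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"

def values(entity, attr_name):
    """Whitespace-trimmed values of one entity attribute (empty set if absent)."""
    found = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            found |= {(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)}
    return found

def rs_idps(root):
    """SP-side filter: IdPs declaring support for either R&S value."""
    return [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)
            if e.find("md:IDPSSODescriptor", NS) is not None
            and values(e, SUPPORT) & {INCOMMON_RS, REFEDS_RS}]

def sps_losing_release(root):
    """SPs matched by the pre-migration IdP rule but not by the migrated one."""
    return [e.get("entityID") for e in root.findall("md:EntityDescriptor", NS)
            if e.find("md:SPSSODescriptor", NS) is not None
            and INCOMMON_RS in values(e, CATEGORY)
            and REFEDS_RS not in values(e, CATEGORY)]

def _entity(eid, role, attr, vals):
    # Constructed sample entity, trimmed to the elements the checks read.
    vs = "".join("<saml:AttributeValue>\n  %s\n</saml:AttributeValue>" % v for v in vals)
    return ('<md:EntityDescriptor entityID="%s"><md:Extensions><mdattr:EntityAttributes>'
            '<saml:Attribute Name="%s">%s</saml:Attribute></mdattr:EntityAttributes>'
            '</md:Extensions><md:%s/></md:EntityDescriptor>' % (eid, attr, vs, role))

SAMPLE = ET.fromstring(  # constructed aggregate, not real federation metadata
    '<md:EntitiesDescriptor xmlns:md="%(md)s" xmlns:mdattr="%(mdattr)s" xmlns:saml="%(saml)s">' % NS
    + _entity("https://idp-legacy.example.edu/idp", "IDPSSODescriptor", SUPPORT, [INCOMMON_RS])
    + _entity("https://idp-migrated.example.edu/idp", "IDPSSODescriptor", SUPPORT, [REFEDS_RS])
    + _entity("https://idp-plain.example.edu/idp", "IDPSSODescriptor", SUPPORT, [])
    + _entity("https://sp-both.example.org/sp", "SPSSODescriptor", CATEGORY, [INCOMMON_RS, REFEDS_RS])
    + _entity("https://sp-legacy.example.org/sp", "SPSSODescriptor", CATEGORY, [INCOMMON_RS])
    + "</md:EntitiesDescriptor>")

if __name__ == "__main__":
    print("R&S IdPs:", rs_idps(SAMPLE))
    print("SPs losing release after IdP migration:", sps_losing_release(SAMPLE))
```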

Open Question

What about new R&S IdPs? Should new R&S IdPs be allowed to declare their support for InCommon R&S only?

Once Phase II begins, the following wiki pages will need to be edited:

https://spaces.at.internet2.edu/x/-oKVAQ

https://spaces.at.internet2.edu/x/eQTvAQ

https://spaces.at.internet2.edu/x/aAbvAQ

https://spaces.at.internet2.edu/x/BoOVAQ
