Delegated Administration of Metadata
The term delegated administration refers to the ability of a site administrator to delegate responsibility for administering SP metadata to another administrator called a delegated administrator. The rationale for delegated administration was discussed in a blog post published early April 2012. The primary motivation is to streamline metadata management for those sites with large numbers of entities in metadata.
|
A BETA version of delegated administration will be available April 2012. |
Features
- A site administrator delegates the ability to administer metadata to a delegated administrator by providing the ePPN and e-mail address of the prospective delegated administrator.
- A metadata update request submitted by a delegated administrator must be approved by a site administrator.
- The delegated administrative login interface accepts federated credentials only.
- The delegated administrative login interface supports SAML V2.0 only, that is, the delegated administrator’s IdP must support SAML V2.0 Web Browser SSO.
- A delegated administrator is able to administer SP metadata only.
- A delegated administrator may create/update/destroy SP entity descriptors.
- An administrator may be delegated the responsibility to (independently) manage the metadata of multiple organizations.
Limitations
- A site administrator for an organization may not function as a delegated administrator for the same organization.
- A delegated administrator may not upload a certificate (for security reasons). (MDADMIN-51)
- A site administrator is provided with limited information on which to base an approval decision. (MDADMIN-61)
- A site administrator is unable to constrain the update capability of a particular delegated administrator. (MDADMIN-56)
Security Considerations
For delegated administrators, the Federation Manager recognizes federated credentials only (no local credentials are issued to delegated admins). Currently there are no explicit assurance requirements associated with these credentials. Since a trusted site administrator must approve any metadata update request submitted by a delegated administrator, it is thought that this approval process mitigates against any weakness in the delegated administrator's login credentials.