Migrating to REFEDS R&S Phase II

Browse a list of all current R&S SPs and IdPs

Report on Phase I

As of February 20, all but three (3) R&S SPs meet the requirements of REFEDS R&S; that is, 29 of 32 R&S SPs now have a multivalued R&S entity attribute in metadata:

<mdattr:EntityAttributes xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
  <!-- multivalued entity attribute for R&amp;S SPs -->
  <saml:Attribute
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
      Name="http://macedir.org/entity-category">
    <saml:AttributeValue>
      http://id.incommon.org/category/research-and-scholarship
    </saml:AttributeValue>
    <saml:AttributeValue>
      http://refeds.org/category/research-and-scholarship
    </saml:AttributeValue>
  </saml:Attribute>
</mdattr:EntityAttributes>

I suspect two of the remaining four R&S SPs are at risk of not making the transition to REFEDS R&S:

  1. GPN/UM Dropoff Services

  2. Narada Metrics

I predict the other R&S SP (nanoHUB.org) will successfully make the transition by the end of February.

Messaging to R&S SPs

AFAIK, there are little more than a handful of R&S SPs that filter metadata based on the R&S entity attribute, but in any case those SPs will be advised as follows:

If you filter metadata based on the R&S entity attribute, you should know that R&S IdPs will begin migrating from InCommon R&S to REFEDS R&S in March 2015. This means that some IdPs will have the legacy InCommon R&S entity attribute value in metadata:

http://id.incommon.org/category/research-and-scholarship

while other IdPs will have the REFEDS R&S entity attribute value in metadata:

http://refeds.org/category/research-and-scholarship

We expect the migration to take a very long time, so you are advised to filter metadata on both R&S entity attribute values if you filter metadata at all.

A more interesting question remains:

What should we advise R&S SPs to do (if anything) once we start importing global R&S IdPs into InCommon metadata?

Outline of Phase II

Basic message: If you are an IdP operator that supports R&S, migrate to REFEDS R&S now! (reference needed)

Recommended migration process:

  1. An R&S IdP migrates to REFEDS R&S by changing its config from this:

    <afp:AttributeFilterPolicy id="releaseFullBundleToRandS">
    
      <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
          attributeName="http://macedir.org/entity-category"
          attributeValue="http://id.incommon.org/category/research-and-scholarship"/>
    
      <!-- attribute rules here -->
    
    </afp:AttributeFilterPolicy>
    

    to this:

    <afp:AttributeFilterPolicy id="releaseFullBundleToRandS">
    
      <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterEntityAttributeExactMatch"
          attributeName="http://macedir.org/entity-category"
          attributeValue="http://refeds.org/category/research-and-scholarship"/>
    
      <!-- attribute rules here -->
    
    </afp:AttributeFilterPolicy>

  2. When an R&S IdP migrates to REFEDS R&S (as above), the entity attribute in IdP metadata will be changed from this:

    <mdattr:EntityAttributes
        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <!-- the InCommon entity attribute value for R&amp;S IdPs -->
      <saml:Attribute
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="http://macedir.org/entity-category-support">
        <saml:AttributeValue>
          http://id.incommon.org/category/research-and-scholarship
        </saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>

    to this:

    <mdattr:EntityAttributes
        xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
      <!-- the REFEDS entity attribute value for R&amp;S IdPs -->
      <saml:Attribute
          xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          Name="http://macedir.org/entity-category-support">
        <saml:AttributeValue>
          http://refeds.org/category/research-and-scholarship
        </saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>

  3. The InCommon R&S entity attribute value is not exported to eduGAIN. Only the REFEDS R&S entity attribute value is exported to eduGAIN.

  4. R&S IdPs that migrate to REFEDS R&S will be automatically exported to eduGAIN once global R&S SPs have been imported into InCommon metadata.
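
The sketch below is an added example, not InCommon tooling or code from this page. It shows the SP-side advice above (accept IdPs carrying either R&S value) and, from the IdP side, which SPs an exact-match rule on a given value would release to. The function names and the example.* entityIDs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CATEGORY = "http://macedir.org/entity-category"          # carried by SPs
SUPPORT = "http://macedir.org/entity-category-support"   # carried by IdPs
INCOMMON_RS = "http://id.incommon.org/category/research-and-scholarship"
REFEDS_RS = "http://refeds.org/category/research-and-scholarship"

def values(entity, attr_name):
    """Values of one entity attribute, stripped of pretty-printing whitespace."""
    out = set()
    for a in entity.iterfind("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if a.get("Name") == attr_name:
            out |= {(v.text or "").strip() for v in a.iterfind("saml:AttributeValue", NS)}
    return out

def rs_idps(root):
    """SP-side filter: keep IdPs that declare support for either R&S value."""
    return [e.get("entityID") for e in root.iterfind("md:EntityDescriptor", NS)
            if e.find("md:IDPSSODescriptor", NS) is not None
            and values(e, SUPPORT) & {INCOMMON_RS, REFEDS_RS}]

def sps_released_to(root, rule_value):
    """IdP-side view: SPs that an exact-match rule on rule_value would match."""
    return [e.get("entityID") for e in root.iterfind("md:EntityDescriptor", NS)
            if e.find("md:SPSSODescriptor", NS) is not None
            and rule_value in values(e, CATEGORY)]

def _entity(entity_id, role, attr_name, *vals):  # builds constructed sample entities
    av = "".join(f"<saml:AttributeValue>\n  {v}\n</saml:AttributeValue>" for v in vals)
    return (f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>'
            f'<mdattr:EntityAttributes><saml:Attribute Name="{attr_name}">{av}'
            f'</saml:Attribute></mdattr:EntityAttributes></md:Extensions>'
            f'<md:{role}/></md:EntityDescriptor>')

# Constructed aggregate: the example.* entityIDs are placeholders, not real members.
SAMPLE = ET.fromstring(
    '<md:EntitiesDescriptor ' + " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items()) + '>'
    + _entity("https://sp-both.example.org", "SPSSODescriptor", CATEGORY, INCOMMON_RS, REFEDS_RS)
    + _entity("https://sp-legacy.example.org", "SPSSODescriptor", CATEGORY, INCOMMON_RS)
    + _entity("https://idp-legacy.example.edu", "IDPSSODescriptor", SUPPORT, INCOMMON_RS)
    + _entity("https://idp-refeds.example.edu", "IDPSSODescriptor", SUPPORT, REFEDS_RS)
    + _entity("https://idp-none.example.edu", "IDPSSODescriptor", SUPPORT)
    + '</md:EntitiesDescriptor>')

if __name__ == "__main__":
    print(rs_idps(SAMPLE), sps_released_to(SAMPLE, REFEDS_RS))
```

In the constructed sample, an SP that carries only the legacy value stops matching once the IdP rule is switched to the REFEDS value, which is why the Phase I multivalued attribute matters before IdPs migrate.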

What about new R&S IdPs? Should new R&S IdPs be allowed to declare their support for InCommon R&S only?

Once Phase II begins, the following wiki pages will need to be edited:

https://spaces.at.internet2.edu/x/-oKVAQ

https://spaces.at.internet2.edu/x/eQTvAQ

https://spaces.at.internet2.edu/x/aAbvAQ

https://spaces.at.internet2.edu/x/BoOVAQ

Declaration of Support