Towards DNA3.3 - a work by Martin Haase, Pieter Gietz, et al. (DAASI)

Questionnaire development

One aim of task NA3.3 is to identify the current set of policies and practices in use within R&E federations and, having identified the elements necessary for enabling the initial set of use cases, to specify operational recommendations that help federations streamline their policies.

In order to get a reasonably representative picture, a questionnaire has been developed. Its primary target group is federation operators, who answer the included questions in telephone interviews. It is assumed that the variety of answers will yield a representative picture of the current policies and practices in today's federations. That picture will then make it possible to formulate concrete recommendations, which will form the content of deliverable DNA3.3.

An iterative approach was chosen: conduct one or two interviews, then revise the questionnaire after each. So far, interviews have been conducted with one representative of a mesh-type federation (DFN-AAI) and one of a hub-and-spoke federation (SURFconext). The current set of questions can be grouped into the following areas:

  • Q1: Descriptive Data

  • Q2: Legal Aspects

  • Q3: SAML Metadata in the federation

  • Q4: Service Providers

  • Q5: Identity Providers

  • Q6: Further services

Each interview was conducted by two interviewers; interviewees were given online access to the interview documents so that they could make post-edits if desired.

Results

So far, the federations examined show both differences and commonalities. The differences can be attributed to:

  • size of the federation: a bigger federation has more automatic processes in place

  • type, mesh vs. hub-and-spoke: an H&S federation is in a position to 'care' more for its providers, e.g. by

    • leading negotiations with specific providers with regard to, e.g., attribute release

    • enhancing and transforming attributes coming from the IdP before passing them to the SP via the hub

On the other hand, there are many commonalities, among them:

  • many similarities as to the acceptance policy of an IdP or an SP

  • similar pricing models: IdPs are charged via network connectivity contract, SPs are free

  • similar treatment of export to eduGAIN: membership is via opt-in, SAML2 is required, and the CoCo (Data Protection Code of Conduct) and R&S (Research and Scholarship) entity attributes are supported in order to make attribute release scalable
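The last bullet is where the policy becomes machine-readable: an SP's entity category is carried as an entity attribute in its SAML metadata, and an IdP can key its attribute release on that category instead of negotiating with every SP individually. The following Python script is an added illustration of that mechanism and is not code from this report, from DAASI, or from any of the federations interviewed. The metadata it parses is constructed for the example; the R&S bundle is reduced to four attributes; and the CoCo rule is simplified to "release what the SP lists as RequestedAttribute". The category URIs, namespaces and attribute OIDs are the published ones.

```python
"""Added example: deciding attribute release from SAML entity categories.

Assumptions (not from the report): the metadata below is constructed, the
R&S bundle is reduced to four attributes, and for CoCo SPs the IdP releases
exactly the attributes the SP lists as RequestedAttribute.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
COCO_CATEGORY = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Simplified R&S bundle (assumption; real deployments also handle ePTID etc.)
RS_BUNDLE = ("eduPersonPrincipalName", "mail", "displayName",
             "eduPersonScopedAffiliation")

# Attributes this hypothetical IdP can supply for the current user
AVAILABLE = {"eduPersonPrincipalName", "mail", "displayName",
             "eduPersonScopedAffiliation", "homePostalAddress"}

# Constructed federation metadata with three SPs: R&S, CoCo and uncategorised
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp-rs.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-coco.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">CoCo example service</md:ServiceName>
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"/>
        <md:RequestedAttribute FriendlyName="homePostalAddress" Name="urn:oid:0.9.2342.19200300.100.1.39"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-plain.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_categories(entity):
    """Return the entity-category URIs declared on one EntityDescriptor."""
    cats = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            for value in attr.findall("saml:AttributeValue", NS):
                if value.text:
                    cats.add(value.text.strip())
    return cats


def requested_attributes(entity):
    """FriendlyNames the SP asks for in its AttributeConsumingService."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return [ra.get("FriendlyName") or ra.get("Name")
            for ra in entity.findall(path, NS)]


def release_for(entity, available):
    """Attributes to release to one SP; without a category, release nothing."""
    cats = entity_categories(entity)
    if RS_CATEGORY in cats:
        wanted = RS_BUNDLE
    elif COCO_CATEGORY in cats:
        wanted = requested_attributes(entity)
    else:
        wanted = ()
    return [a for a in wanted if a in available]


def decide_release(metadata_xml, available=AVAILABLE):
    """Map entityID -> released attributes for every SP in the aggregate.
    Real federation metadata must be signature-verified before it is
    trusted as input here."""
    root = ET.fromstring(metadata_xml)
    tag = "{%s}EntityDescriptor" % NS["md"]
    return {e.get("entityID"): release_for(e, available) for e in root.iter(tag)}


if __name__ == "__main__":
    for entity_id, attrs in decide_release(SAMPLE_METADATA).items():
        print(entity_id, "->", attrs or "nothing")
```

The default-deny branch is the point: an SP that carries neither category gets no attributes unless a per-SP rule exists, which is exactly the bilateral negotiation the entity categories are meant to make unnecessary. The decision depends entirely on the metadata, so the integrity of the signed aggregate (and the registrar's policy for who may assert which category) is what the whole scheme rests on.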

Interestingly, the situation with respect to guest IdPs is diverse and does not yield a clear picture or policy. Guest IdPs are allowed in principle by the federations we looked at, but there are open questions as to

  • how to express a corresponding level of assurance (LoA),

  • whether to include social IDs,

  • whether to allow for more than one guest IdP,

  • whether to export guest IdP metadata to eduGAIN

The questionnaires including answers are available in the AARC Wiki under Task+NA3.3+Service+Operational+Models (confidential).

Future developments

The area of guest IdPs in particular evidently lacks clear policies from which a general recommendation for federations could be derived. In the other areas there seemed to be much more consensus regarding current policy. The aim for the next year is therefore not to focus on the current status, which has been covered well in the sister project GN4, but to concentrate more on future policies and what to recommend for them. Especially the areas pertaining to

  • guest IdP policies

  • attribute translation services

  • attribute authorities

will be of much more importance in Y2 because they are still unclear to many federation operators.

As to the concrete work, activities will be aligned with the findings of GN4-1 SA5 T1.3 - "Federation Operator Best Practice" (cf. https://wiki.geant.org/display/gn41sa5/1.3+Federation+Operator+Best+Practice). The areas that have already been researched there will be removed from the questionnaire, and we will concentrate on the three topics listed above.
