Towards DNA3.3 - a work by Martin Haase, Pieter Gietz, et al. (DAASI)
One aim of task NA3.3 is to identify the current set of policies and practices in use within R&E federations and, having identified the elements necessary for enabling the initial set of use cases, to specify operational recommendations that help federations streamline their policies.
In order to get a somewhat representative picture, a questionnaire has been developed. Its primary target group is federation operators, who answer the questions in telephone interviews. The assumption is that a sufficient number of answers from different federations will yield a representative picture of the policies and practices in today's federations. That picture will then make it possible to formulate the concrete recommendations that form the content of deliverable DNA3.3.
An iterative approach was chosen: conduct one or two interviews, then revise the questionnaire after each round. So far, interviews have been conducted with one representative of a mesh-type federation (DFN-AAI) and one of a hub-and-spoke federation (SURFconext). The current set of questions falls under the following areas:
Q1: Descriptive Data
Q2: Legal Aspects
Q3: SAML Metadata in the federation
Q4: Service Providers
Q5: Identity Providers
Q6: Further services
Each interview was conducted with two interviewers; interviewees were given online access to the interview documents so that they could make post-edits if desired.
The federations examined so far show both differences and commonalities. The differences can be attributed to
the size of the federation: a bigger federation has more automated processes in place
the type, mesh vs. hub-and-spoke: a hub-and-spoke federation is in a position to 'care' more for its providers, for example by
leading negotiations with specific providers, e.g. on attribute release
enhancing and transforming the attributes an IdP releases before the hub passes them on to the SP
On the other hand, there are many commonalities, among them
similar acceptance policies for IdPs and SPs
similar pricing models: IdPs are charged via their network connectivity contract, SPs join free of charge
similar treatment of export to eduGAIN: participation is opt-in, SAML 2.0 is required, and the CoCo and R&S entity categories (carried as entity attributes in the SAML metadata) are supported in order to make attribute release scalable
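As an added example (not code from this report, from DFN-AAI or from SURFconext), the following Python shows what the R&S and CoCo entity attributes mentioned above look like in SP metadata and how an IdP can turn them into a release decision without negotiating with each SP individually. The two metadata snippets and their entityIDs are constructed for illustration, and the R&S attribute bundle is simplified (the givenName+sn alternative to displayName is left out).

```python
"""Added example: entity categories in SAML SP metadata as the basis for a
scalable attribute release decision.  Metadata below is constructed."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Simplified R&S bundle (urn:oid attribute names). Assumption for this
# example: displayName only, no givenName+sn variant.
RS_BUNDLE = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",   # eduPersonPrincipalName
    "urn:oid:0.9.2342.19200300.100.1.3",  # mail
    "urn:oid:2.16.840.1.113730.3.1.241",  # displayName
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9",   # eduPersonScopedAffiliation
}

# Constructed SP: tagged with R&S and CoCo, requests ePPN, mail, givenName.
SP_WITH_CATEGORIES = """<md:EntityDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  entityID="https://sp.example.org/shibboleth">
  <md:Extensions>
    <mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes>
  </md:Extensions>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Constructed example service</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" isRequired="false"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SP with no entity category: nothing is released automatically,
# this SP would need a bilateral agreement with the IdP.
SP_WITHOUT_CATEGORIES = """<md:EntityDescriptor
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://plain-sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse(metadata_xml):
    return ET.fromstring(metadata_xml)


def entity_categories(root):
    """Entity category URIs asserted in mdattr:EntityAttributes."""
    cats = set()
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def supports_saml2(root):
    """eduGAIN export requires SAML 2.0: check the SP role's protocol list."""
    return any(SAML2_PROTOCOL in role.get("protocolSupportEnumeration", "").split()
               for role in root.findall("md:SPSSODescriptor", NS))


def requested_attributes(root):
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("Name") for ra in root.findall(path, NS)}


def release_decision(metadata_xml, available):
    """R&S: release the fixed bundle. CoCo: release what the SP declared it
    needs. No category: release nothing automatically."""
    root = parse(metadata_xml)
    if not supports_saml2(root):
        return set()
    cats = entity_categories(root)
    release = set()
    if RS in cats:
        release |= RS_BUNDLE
    if COCO in cats:
        release |= requested_attributes(root)
    return release & set(available)


if __name__ == "__main__":
    user_attrs = RS_BUNDLE | {"urn:oid:2.5.4.42", "urn:oid:2.5.4.4"}
    for label, md in (("tagged SP", SP_WITH_CATEGORIES), ("plain SP", SP_WITHOUT_CATEGORIES)):
        print(label, sorted(release_decision(md, user_attrs)))
```

The check that matters operationally is that an IdP only acts on entity categories found in metadata whose signature it has verified against the federation's (or eduGAIN's) signing key: a category is an assertion by the registrar, not by the SP. The example skips signature verification and XML hardening (on untrusted input, parse with a hardened parser such as defusedxml rather than plain ElementTree).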
Interestingly, the situation with respect to guest IdPs is diverse and does not yield a clear picture or policy. The federations we looked at allow guest IdPs in principle, but there are open questions as to
how to express a corresponding LoA,
whether to include social IDs,
whether to allow for more than one guest IdP,
whether to export guest IdP metadata to eduGAIN
The questionnaires, including the answers, are available in the AARC Wiki under Task+NA3.3+Service+Operational+Models (confidential).
Clearly, the area of guest IdPs in particular lacks the clear policies that would be needed to arrive at a general recommendation for federations. In the other areas there was much more consensus regarding current policy. The aim for the next year is therefore not to focus on the current status, which has been covered well in the sister project GN4, but to concentrate on future policies and what to recommend there. In particular, the areas pertaining to
guest IdP policies
attribute translation services
will be of much more importance in Y2 because they are still unclear to many federation operators.
As to the concrete work, activities will be aligned with the findings of GN4-1 SA5 T1.3 - "Federation Operator Best Practice" (cf. https://wiki.geant.org/display/gn41sa5/1.3+Federation+Operator+Best+Practice). The areas that have already been researched there will be removed from the questionnaire, and we will concentrate on the remaining topics named above.