...

This central component of the eduGAIN SAML service is called the Metadata Distribution Service (MDS).

Terms

The terms defined below extend the terminology defined in [eduGAIN-Profile]. The reader should consult both sets of definitions for a complete picture.

federation metadata feed: A SAML metadata file originating from a participant federation acting as a SAMLMetadataProducer.
eduGAIN metadata aggregate: A SAML metadata file obtained as an aggregate of federation metadata feeds according to the procedures described in this document.
federation metadata channel: A location (in the form of an http or https URL) pointing to the distribution source of a federation metadata feed.

Source of metadata

The MDS bases its aggregation function on information provided by each participant federation, as specified in [eduGAIN-Profile]:

  • A federation metadata channel to fetch the federation metadata feed from: an http or https location.

  • An RSA public key matching the key with which the federation metadata feed document will be signed. This will normally be made available in the form of an X.509 certificate.

  • The registrationAuthority attribute value to be associated with the federation metadata feed.

This information needs to be registered with the eduGAIN OT in a trust-preserving way, as described in [eduGAIN-OPS].

...

After successful verification (described further down), each federation metadata feed is saved for possible future use.

If a federation metadata channel is unavailable, or the feed fails a required condition, the feed is rejected in full and the latest saved copy is used instead, provided that the value of its validUntil attribute still permits this. If a saved copy of the federation metadata feed exists and the Conditional GET request shows that the feed has not changed, the saved copy is used for further processing.

...

As specified by [eduGAIN-Profile], in order to assure metadata integrity and origin, each federation metadata feed MUST be signed as specified in [SAMLMeta]. This signature, made with the key matching the one supplied to the eduGAIN OT, is the only element on which trust is based. In particular, the MDS does not use any trust that might be derived from the details of the https endpoint (such as its TLS server certificate).

...

Federation metadata feeds are combined into a single collection, the eduGAIN metadata aggregate, as described in detail later. If an md:EntityDescriptor/@entityID value appears in more than one federation metadata feed, the resulting collection will contain only one of the entities; the others will be discarded. The MDS does not attempt to merge or otherwise combine the clashing entity descriptions. See the technical details for a description of the collision handling algorithm.
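The following is an added example, not MDS or pyFF code, illustrating two of the rules above on constructed SAML metadata snippets: the fallback to a saved copy of a federation metadata feed, gated by the root validUntil attribute, and the discarding of duplicate entityID values when feeds are combined. It is written in Python because the MDS is built on pyFF. Assumptions: the fetch outcome is modelled as one of three status strings ('ok', 'not_modified', 'rejected'); the validUntil gate is applied to every use of a saved copy, which is a conservative reading of the text; the first feed in input order wins a collision, since the page defers the real collision algorithm to its technical section; signature verification (XML-DSig with the registered key) is assumed to have happened before a feed reaches this stage and is not reproduced here. The federation and entity URLs are made up.

```python
# Added example (not MDS/pyFF code): saved-copy fallback gated by validUntil,
# plus entityID collision handling, over constructed SAML metadata snippets.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_TAG = "{%s}EntityDescriptor" % MD_NS


def parse_valid_until(xml_text):
    """Return the root validUntil as an aware UTC datetime, or None if absent.
    Only the 'YYYY-MM-DDTHH:MM:SSZ' form is handled (assumption for this example)."""
    value = ET.fromstring(xml_text).get("validUntil")
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def choose_feed(fetch_status, fresh_xml, saved_xml, now):
    """Decide which copy of a federation metadata feed goes on to aggregation.

    fetch_status: 'ok'           - channel returned a feed that passed verification
                  'not_modified' - Conditional GET reported the feed unchanged
                  'rejected'     - channel unavailable or a required condition failed
    Returns (xml_text or None, reason).  A saved copy is only used while its
    validUntil still permits it; an expired copy is treated as no copy at all.
    """
    if fetch_status == "ok":
        return fresh_xml, "fresh feed"
    if saved_xml is None:
        return None, "no saved copy"
    valid_until = parse_valid_until(saved_xml)
    if valid_until is not None and now > valid_until:
        return None, "saved copy expired"
    return saved_xml, "saved copy (%s)" % fetch_status


def aggregate(feeds):
    """feeds: ordered list of (registrationAuthority, xml_text).

    Returns (kept, dropped).  kept maps entityID -> registrationAuthority of
    the copy retained; dropped lists (entityID, registrationAuthority) for
    every later duplicate, which is discarded rather than merged.
    First-wins ordering is an assumption of this example."""
    kept = {}
    dropped = []
    for authority, xml_text in feeds:
        for descriptor in ET.fromstring(xml_text).iter(ENTITY_TAG):
            entity_id = descriptor.get("entityID")
            if entity_id in kept:
                dropped.append((entity_id, authority))
            else:
                kept[entity_id] = authority
    return kept, dropped


def _feed(valid_until, *entity_ids):
    """Build a minimal constructed md:EntitiesDescriptor for the example."""
    body = "".join('<md:EntityDescriptor entityID="%s"/>' % e for e in entity_ids)
    attr = ' validUntil="%s"' % valid_until if valid_until else ""
    return '<md:EntitiesDescriptor xmlns:md="%s"%s>%s</md:EntitiesDescriptor>' % (MD_NS, attr, body)


# Constructed inputs: the clock is frozen so the validUntil comparison is deterministic.
NOW = datetime(2014, 1, 15, 12, 0, tzinfo=timezone.utc)
FED_A_FRESH = _feed("2014-02-01T00:00:00Z", "https://idp.a.example/idp", "https://sp.shared.example/sp")
FED_B_SAVED = _feed("2014-01-31T00:00:00Z", "https://sp.shared.example/sp", "https://idp.b.example/idp")
FED_C_SAVED = _feed("2014-01-10T00:00:00Z", "https://idp.c.example/idp")  # already expired at NOW


def run_example():
    """One aggregation round over three constructed federations."""
    inputs = [
        # (registrationAuthority, fetch_status, fresh copy, saved copy)
        ("https://fed-a.example", "ok", FED_A_FRESH, None),
        ("https://fed-b.example", "not_modified", None, FED_B_SAVED),
        ("https://fed-c.example", "rejected", None, FED_C_SAVED),
    ]
    usable, skipped = [], {}
    for authority, status, fresh, saved in inputs:
        text, reason = choose_feed(status, fresh, saved, NOW)
        if text is None:
            skipped[authority] = reason
        else:
            usable.append((authority, text))
    kept, dropped = aggregate(usable)
    return kept, dropped, skipped


if __name__ == "__main__":
    kept, dropped, skipped = run_example()
    for entity_id, authority in kept.items():
        print("kept    %-32s registered by %s" % (entity_id, authority))
    for entity_id, authority in dropped:
        print("dropped %-32s duplicate from %s" % (entity_id, authority))
    for authority, reason in skipped.items():
        print("skipped feed from %s: %s" % (authority, reason))
```

Running it keeps the two entities from federation A and the non-clashing one from federation B's saved copy, discards B's copy of the shared SP, and skips federation C entirely because its only available copy is past its validUntil.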

...

Metadata aggregation is performed with pyFF (currently version 0.10.0dev).

...

Acknowledgment

This document borrows heavily from Ian Young's https://gist.github.com/iay/7486653

...