...
This central component of the eduGAIN SAML service is called the Metadata Distribution Service (MDS).
Terms
The terms defined below are a required extension of the terminology defined in [eduGAIN-Profile]. The reader should consult both glossaries for a complete picture.
federation metadata feed | A SAML metadata file originating from a participant federation acting as a SAMLMetadataProducer |
eduGAIN metadata aggregate | A SAML metadata file obtained as an aggregate of federation metadata feeds according to the procedures described in this document |
federation metadata channel | A location (in the form of an http or https URL) pointing to the distribution source of the federation metadata feed |
Source of metadata
MDS bases its aggregation function on information provided by each participant federation, as specified in [eduGAIN-Profile]:
- A federation metadata channel to fetch the federation metadata feed from (an http or https location).
- An RSA public key matching the private key with which the federation metadata feed will be signed. This will normally be made available in the form of an X.509 certificate.
- The registrationAuthority attribute value to be associated with the federation metadata feed.
This information needs to be registered with eduGAIN OT in a trust preserving way as described in [eduGAIN-OPS].
...
After a successful verification (as described further down), each federation metadata feed is saved for possible future use.
If a federation metadata channel is unavailable, or the feed fails a required condition, the fetched feed is rejected in full and the latest saved copy is used instead, provided that the value of its validUntil attribute still permits it. If a saved copy of the feed exists and the Conditional GET request shows that the feed has not changed, the saved copy is used for further processing.
...
As specified by [eduGAIN-Profile], in order to assure metadata integrity and authenticity, each federation metadata feed MUST be signed as specified in [SAMLMeta]. This signature, made with the key matching the one supplied to the eduGAIN OT, is the only element on which trust is based. In particular, MDS does not rely on any trust that might be derived from the details of the https endpoint (such as its TLS server certificate).
...
Federation metadata feeds are combined into a single collection, the eduGAIN metadata aggregate, as described in detail later. If an md:EntityDescriptor/@entityID value appears in more than one federation metadata feed, the resulting collection will contain only one of the entities; the others will be discarded. MDS does not attempt to merge or otherwise combine the clashing entity descriptions. See the technical details for a description of the collision handling algorithm.
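The following is an added example, not MDS or pyFF code, showing the feed-handling rules described above in one place: the Conditional GET reuse of a saved copy, the fall-back to the saved copy (only while its validUntil permits it) when a channel is unavailable or the feed fails a required condition, and the dropping of clashing entityID values when feeds are combined. Everything in it is an assumption for illustration: the feed names, entityIDs and dates are constructed; signature verification is represented by a boolean supplied by the caller, because checking an XMLDSig signature needs a library such as signxml; a saved copy without validUntil is treated as expired; and "first feed seen wins" stands in for the real collision handling algorithm, which this page only references.

```python
import datetime as dt
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def build_feed(entity_ids, valid_until):
    # Constructed, unsigned sample feed: just enough structure for the rules below.
    root = ET.Element(MD + "EntitiesDescriptor", {"validUntil": valid_until})
    for eid in entity_ids:
        ET.SubElement(root, MD + "EntityDescriptor", {"entityID": eid})
    return ET.tostring(root, encoding="unicode")


def permitted_by_valid_until(xml_text, now):
    # A saved copy may only be reused while its validUntil lies in the future.
    # Assumption: a copy without validUntil is treated as expired.
    raw = ET.fromstring(xml_text).get("validUntil")
    if raw is None:
        return False
    return dt.datetime.fromisoformat(raw.replace("Z", "+00:00")) > now


def select_feed(name, fetch, cache, now):
    """Apply the fetch / verify / fall-back rules to one channel.

    fetch: {"status": "ok" | "unchanged" | "unavailable",
            "body": str or None, "signature_ok": bool}
    The XMLDSig check itself is out of scope here (assumption: it is done
    elsewhere and its outcome is passed in as signature_ok).
    Returns the XML text to aggregate, or None if the channel is rejected.
    """
    if fetch["status"] == "unchanged" and name in cache:
        return cache[name]            # Conditional GET says not modified: reuse saved copy
    if fetch["status"] == "ok" and fetch["signature_ok"]:
        cache[name] = fetch["body"]   # verified: save for possible future use
        return fetch["body"]
    # Channel unavailable or feed failed a required condition: reject it in full
    # and fall back to the latest saved copy while validUntil still permits it.
    saved = cache.get(name)
    if saved is not None and permitted_by_valid_until(saved, now):
        return saved
    return None


def aggregate(selected):
    """Combine feeds into one EntitiesDescriptor, keeping one descriptor per entityID.
    Assumption: the first occurrence wins; later clashes are discarded, never merged."""
    agg = ET.Element(MD + "EntitiesDescriptor")
    owner = {}        # entityID -> feed that supplied it
    discarded = []    # (entityID, discarded-from feed, kept-from feed)
    for name, xml_text in selected:
        for ed in ET.fromstring(xml_text).iter(MD + "EntityDescriptor"):
            eid = ed.get("entityID")
            if eid in owner:
                discarded.append((eid, name, owner[eid]))
                continue
            owner[eid] = name
            agg.append(ed)
    return agg, discarded


def run_example():
    # Constructed scenario (assumed names and dates, not real federations).
    now = dt.datetime(2014, 1, 5, tzinfo=dt.timezone.utc)
    cache = {
        "fed-c": build_feed(["https://idp.c.example/"], "2014-01-10T00:00:00Z"),  # still valid
        "fed-d": build_feed(["https://idp.d.example/"], "2013-12-01T00:00:00Z"),  # expired
    }
    later = "2014-01-12T00:00:00Z"
    fetches = {
        "fed-a": {"status": "ok", "signature_ok": True,
                  "body": build_feed(["https://idp.a.example/", "https://sp.a.example/"], later)},
        "fed-b": {"status": "ok", "signature_ok": True,   # sp.a clashes with fed-a
                  "body": build_feed(["https://idp.b.example/", "https://sp.a.example/"], later)},
        "fed-c": {"status": "unavailable", "signature_ok": False, "body": None},
        "fed-d": {"status": "unavailable", "signature_ok": False, "body": None},
        "fed-e": {"status": "ok", "signature_ok": False,  # bad signature, nothing saved
                  "body": build_feed(["https://idp.e.example/"], later)},
    }
    selected, rejected = [], []
    for name, fetch in fetches.items():
        xml_text = select_feed(name, fetch, cache, now)
        if xml_text is None:
            rejected.append(name)
        else:
            selected.append((name, xml_text))
    agg, discarded = aggregate(selected)
    return {
        "entities": [ed.get("entityID") for ed in agg],
        "rejected_channels": rejected,
        "discarded": discarded,
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Running it shows fed-c surviving through its saved copy, fed-d and fed-e being rejected (expired copy, failed signature with no copy), and the second copy of sp.a.example being discarded rather than merged.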
...
Metadata aggregation is performed with pyFF (currently 0.10.0dev).
...
Acknowledgment
This document borrows heavily from Ian Young's https://gist.github.com/iay/7486653
...