This is a working, living document; minor changes can be expected at any time.
This document describes operational procedures implemented to support eduGAIN SAML services. The procedures regarding eduGAIN membership are described in the eduGAIN Operational Practice Statement. The Operational Practice Statement is required by the eduGAIN SAML Profile document [eduGAIN-Profile] and, in addition to the Metadata Aggregation Practice Statement, must be seen as complementary to the eduGAIN SAML Profile.
|Name||Access location||Description||Managed by|
|MDS||httpshttp://mds.edugain.org//edugain-v1.xml||eduGAIN Metadata Distribution Service (MDS) is the central component of the eduGAIN service as a whole. For the detailed description and procedures used in the eduGAIN metadata aggregate distributed by MDS see [eduGAIN-meta]. The eduGAIN metadata aggregate is produced on a separate, secured host (mds-feed) and it is copied to the distribution hosts and served from there by the http server. The file is updated hourly.||OT|
|The technical site||https://technical.edugain.org||The technical site is directed primarily at the federation-level technical personnel. It provides information about eduGAIN members and details about their participation. The technical site is also the distribution point of documentation and the home for several core and supplementary services.||OT|
|Validator||https://validatortechnical.edugain.org/validator||The eduGAIN validator is a service designed for validating metadata adherence to standards and eduGAIN requirements. The software has been created primarily as a component for the eduGAIN metadata aggregation and the details of validation rules are given in [eduGAIN-meta]. The same software enriched by a GUI is used as a tool for manual validation of metadata and serves as a support tool for federation operators.||OT|
|eduGAIN status information||This status page provides a view of the eduGAIN database in the part relevant to membership information and the current status of metadata aggregation. The page also displays short summary information about numbers of entities in eduGAIN. The interface provides links to scans of the eduGAIN declaration documents signed by federations, direct links to metadata validation, links to contacts, metadata sources etc.||OT|
|Entities database GUI||http://technical.edugain.org/entities||This service is an interface to the part of the eduGAIN database which stores information about entities themselves. The interface has many filtering mechanisms and also allows for CSV download for further processing in a spreadsheet.||OT|
|eduGAIN database API||https://technical.edugain.org/api||The API provides access to most of the information stored in the database. In particular, the API may be used by the federations to monitor the eduGAIN aggregation process. Other uses are statistics of various sorts or even download of membership maps.||OT|
|Name||Access location||Description||Managed by|
|ECCS||https://technical.edugain.org/eccs/||eduGAIN Connectivity Check Service is a monitoring service for IdPs listed in eduGAIN, testing if they are actually ready for eduGAIN, i.e. if they consume eduGAIN metadata||OT|
|isFederated Check||https://technical.edugain.org/isFederatedCheck/||This tool searches all known academic identity federations for matching organisations and then displays the results.||OT|
|CoCo monitor||http://monitor.edugain.org/coco/||Monitoring service testing for REFEDS Code of Conduct compliance||SRCE|
|Technical testing platform||http://technical-test.edugain.org||This host serves as a playground for software development done by the operational team. All extensions are applied, tested and presented at this platform and then transferred to production using the git mechanism||OT|
|WIKI||The WIKI is maintained as a part of the GEANT WIKI space. The content is provided by many members of the community. The WIKI serves as technical documentation, formal documentation (meeting minutes, documentation of operational procedures) and various guides on joining and making the most of eduGAIN||GEANT core|
Operational Team tasks
As defined in [eduGAIN-CONST] the Operational Team (OT) is responsible for:
- Daily technical issues in central eduGAIN operations (e.g. website, central member database).
- Collaboration with the operators of each Technology Profile.
- Receiving enquiries about eduGAIN and forwarding them to the appropriate body.
- Receiving, reviewing and processing applications to join eduGAIN against basic eligibility criteria as set out in the eduGAIN Policy Declaration.
- Preparing and publishing an eduGAIN Operational Practice Statement (this document) for the eduGAIN interfederation service, covering central operations and relationship with each technology profile.
- Preparing an audit plan for the eduGAIN operational practices on the request of the eSG.
At the moment the OT also acts as the operator of the SAML technology profile.
|firstname.lastname@example.org||eduGAIN support mail contact|
Operational Team tasks (SAML Profile)
Management of core eduGAIN services
- eduGAIN OT directly manages:
  - isFederated check
- eduGAIN OT supervises:
  - CoCo monitor
Support for the joining process has been assigned to the Operational Team, but decision making and organising the voting process currently lie with the eduGAIN SG and its chair. The OT handles all technical details of joining, like metadata validation, signing certificate handling etc. Any paperwork is handled by the eduGAIN secretariat provided by GEANT.
eduGAIN operational model and availability of services
- All virtual machines running eduGAIN services are regularly updated.
- Before a planned update is carried out, the local personnel at PSNC are notified, in case the update fails and an immediate restore is needed. An advance notice of the update is sent to the eduGAIN SG.
- In the case of large configuration changes, like moving services to new hosts, applying large infrastructure changes etc., a notice at least 7 days in advance is sent to the eduGAIN SG.
- All changes are documented in the log available for inspection at: https://technical.edugain.org/system_updates.
- The unavailability details are provided at eduGAIN Services Status.
Aggregator software updates
Updates to crucial aggregator elements, in particular pyFF, may result in a changed format of the resulting metadata aggregate. Any such change will be announced to the eduGAIN SG mailing list. If the OT observes that the update indeed introduces changes to metadata, a beta feed will be created and announced to the SG, and the change to the production feed will be delayed by a two-week testing period. A reminder will be issued a week before the actual change of the production feed.
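During the two-week testing period a federation operator can check what the beta feed actually changes relative to production. The sketch below is an added example, not part of the eduGAIN tooling: the function names are hypothetical, the two sample aggregates are constructed and simplified (not schema-valid), and it assumes both feeds have already been downloaded and had their XML signature verified.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:metadata"
B = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def fingerprint(elem):
    """Canonical form of an element; ignores namespace prefixes,
    attribute order and insignificant whitespace."""
    return (
        elem.tag,                              # Clark notation: {namespace}local
        tuple(sorted(elem.attrib.items())),    # attribute order is irrelevant
        (elem.text or "").strip(),
        tuple(fingerprint(child) for child in elem),
    )

def index_entities(aggregate_xml):
    """Map entityID -> fingerprint for every EntityDescriptor in an aggregate.
    Assumption: the aggregate's signature was verified before parsing."""
    root = ET.fromstring(aggregate_xml)
    tag = "{%s}EntityDescriptor" % NS
    return {e.get("entityID"): fingerprint(e) for e in root.iter(tag)}

def compare_feeds(prod_xml, beta_xml):
    """Report entities missing from either feed and entities whose content differs."""
    prod, beta = index_entities(prod_xml), index_entities(beta_xml)
    common = prod.keys() & beta.keys()
    return {
        "only_in_prod": sorted(prod.keys() - beta.keys()),
        "only_in_beta": sorted(beta.keys() - prod.keys()),
        "changed": sorted(k for k in common if prod[k] != beta[k]),
    }

# Constructed production aggregate: prefixed elements, indented.
PROD = f"""<md:EntitiesDescriptor xmlns:md="{NS}">
 <md:EntityDescriptor entityID="https://idp.example.org/idp">
  <md:SingleSignOnService Binding="{B}" Location="https://idp.example.org/sso"/>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.example.org/sp">
  <md:OrganizationURL>https://sp.example.org</md:OrganizationURL>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://gone.example.org/sp"/>
</md:EntitiesDescriptor>"""

# Constructed beta aggregate: default namespace, attributes reordered, one
# entity dropped, one entity with a changed value.
BETA = f"""<EntitiesDescriptor xmlns="{NS}"><EntityDescriptor entityID="https://idp.example.org/idp">
<SingleSignOnService Location="https://idp.example.org/sso" Binding="{B}"/></EntityDescriptor>
<EntityDescriptor entityID="https://sp.example.org/sp"><OrganizationURL>
 https://sp.example.org/home </OrganizationURL></EntityDescriptor></EntitiesDescriptor>"""

if __name__ == "__main__":
    for kind, ids in compare_feeds(PROD, BETA).items():
        print(kind, ids)
```

Serialization-only differences (prefixes, attribute order, indentation) produce no findings, so whatever remains in the report is a content change to raise with the OT before the production switch.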
- system backups are performed daily as a part of the standard PSNC backup routine
- virtual machine snapshots are performed prior to system updates
- four times a year a full virtual machine dump is performed
[eduGAIN-OPS] eduGAIN Operational Practice Statement
[eduGAIN-BCP] Best Current Practice