eduGAIN Steering Group Meeting

Tuesday 13th November 2018, 13:30 - 15:00 CET (in your timezone)

Please Note that the above time is CONFIRMED.

12:15 UTC
13:15 CET

Arrival & "Can you hear me now?" (see Connection Details)

12:30 UTC
13:30 CET

Welcome, Introductions & Agenda Agreement

12:45 UTC
13:45 CET

Membership Updates and Joining

13:05 UTC
14:05 CET

eduGAIN "the brand" (based on Haka email to eduGAIN-SG Mailing List)

  • Metadata "opt-out" vs "opt-in".
  • Metadata flow.
  • Discovery + login

13:25 UTC
14:25 CET


  • SIRTFI+ Registry, Scott Koranda (Scott is unavoidably detained and can't join the meeting).
  • Federation level security contacts (Nick R)

13:45 UTC
14:45 CET

Future SG Meetings

  • Last meeting of the year - GN4-3 updates will arrive in January 2019.
13:50 UTC
14:50 CET

Any other business, Summary and Actions

  • Is it necessary that the scans of the signed eduGAIN Declarations (with the signatures of NREN directors etc.) are available online?
  • OIDC

14:00 UTC
15:00 CET

Meeting Close (or we are running over time).

Connection Details


Federations in Attendance (29)

  1. Belnet
  2. IDEM
  4. TAAT
  5. RCTSaai
  7. DFN-AAI
  8. InCommon
  9. AAI@EduHr
  11. UKf
  12. PIONIER.Id
  13. SWITCHaai
  14. RIF
  15. GRNET
  16. FER
  18. Grid Identity Pool
  19. CAF
  20. GARR
  21. ARNaai
  22. CIF
  23. AAIEduMk
  24. SWAMID
  25. IRFed
  26. Haka
  27. HKAF
  28. LEAF
  29. IIF

Attendees (35)

  1. Brook Schofield, GÉANT
  2. Pascal Panneels, Belnet
  3. Davide Vaghetti, GARR/IDEM
  4. Muhammad Farhan Sjaugi, SIFULAN
  5. Sten Aus, TAAT
  6. Esmeralda Pires, RCTSaai
  7. Péter Molnár,
  8. Donald Coetzee, SAFIRE
  9. Guy Halse, SAFIRE
  10. Nick Roy, InCommon
  11. Wolfgang Pempe, DFN-AAI
  12. Miroslav Milinovic, AAI@EduHr
  13. Jiří Bořík,
  14. Rhys Smith, UK federation
  15. Maja Gorecka-Wolniewicz, PIONIER.Id
  16. Lukas Hämmerle, SWITCHaai
  17. Alex Mwotil, RIF
  18. Zenon Mousmoulas, GRNET
  19. Halil Adem, GRNET
  20. Anass Chabli, FER
  21. Anastas Mishev, AAIEduMk
  22. Andria Dionysiou, CIF
  23. Aouaouche El-Maouhab, ARNaai
  24. Chris Phillips, CAF
  25. Julie Menzies, CAF
  26. Davide Vaghetti, GARR
  27. Marco Fargetta, Grid Identity Pool
  28. Pål Axelsson, SWAMID
  29. Saeed Khademi, IRFed
  30. Timo Mustonen, HAKA
  31. Toby Chan, HKAF
  32. Tomasz Wolniewicz, PIONIER.Id
  33. Valentin Pocotilenco, LEAF
  34. Zivan Yoash, IIF
  35. *Marina Adomeit, SA2 Activity Leader

Apologies (6)

  1. Peter, ACOnet (mandatory internal meeting)
  2. Alejandro Lara, REUNA (Internal meeting)
  3. Nicole Harris, GÉANT
  4. Scott Koranda
  5. Raja Visvanathan, INFLIBNET
  6. Nicholas Mbonimpa, RIF


Welcome, Introductions & Agenda Agreement

The Chair welcomed everyone to the 7th meeting of 2018.

For details on new members and candidates see and work on progressing new members is underway.

Outstanding Issues with Federations

The three (3) outstanding actions will remain outstanding.

eduGAIN Compliance Issues

Nick stated that InCommon have a new engineer... not are able to modify members metadata without positive action by participants. Working to address this.

CAF - is looking at the lack of their MRPS.

Guy's question about why the existing validator exists and why can't the new validator be visible to send the correct message to federation. about using "why" and Tomasz answer - backed by Nick and Rhys. Guy clarified that there are warnings that are not issues in the new validator.

SIFULAN/Farhan - what to do about their key?

Chris - clarified that it is only for upstream metadata.

Guy asked about ECC certificates. Stefan has tried that. Maja to clarify if the MDS+Validator can do this. Rhys says that ..... Guy has a scenario with HSMs that don't support >2k RSA keys and ECC - smaller new federations might want to use USB based HSMs (Nitrokey, Cryptosick, et al) to gain experience before investing in more costly ones, and many of these still only support 2K keys but do aslo support ECC, so a 3K restriction rules out HSMs. So ECC is a path forward. Rhys said that this should be started and there can be a phased approach to move toward endpoint testing/support for ECC certificates.

[ACTION] Brook to confirm with Maja the readiness of the MDS+Validator for ECC support.


 * Nick stated that HAKA requires signed authentication requests from SPs and this could cause some interoperability problems and isn't included in the next version of SAML2Int.

Timo clarified that this message was a request from the HAKA Steering Group and wasn't universally supported by the HAKA team. They are wanting services to adopt eduGAIN.

Nick stated that the REFEDS Service Catalogue paper released by Heather could be used to highlight services.

Chris Phililps stated that use of eduGAIN witihn CAF is significant but they want it to be increased and improve the knowledge of reachability of services for key researchers (not just overall volume of users).

Miro stated "Catalogue for End Users". Chris suggested "Service Directory". Nick Roy said a quick win could be the adding of search over MDUI Display Name within MET. Tomasz said that the eduGAIN entities database has this feature but lacks URLs. Nick also suggested that having a button/form to request services being exported to eduGAIN could also be made available. Chris Phillips stated that some members of CAF have had the issue that there are services that aren't accessible (because they aren't in eduGAIN). Nick mentioned the ability to decorate entries within MET. Once we have a repository of this data we could drive discovery services via those feeds.

REFEDS 2019 work plan is being prepared.

Common requests for "what's in eduGAIN" from federation.


Scott Koranda is unable to join todays meeting. There are regular SIRTFI conference calls co-ordinated by Tom Barton. At the last call (last Thursday) there was a request to send this information to the eduGAIN SG for their comment on whether the output of the SIRTFI+ registry is likely to be injested into eduGAIN (or how would federations make this available). The TechEx SIRTFI presentation slides are also available to inform the SG of the progress of SIRTFI and SIRTFI+ registry work.

Rhys stated that SIRTFI+ creates an attack point that undermines the integrity of the federation trust model.  .... "merging" the metadata isn't possible in any software. The order of import is importand  - but it is unknown in various federation tools.

Nick Roy - if the SIRTFI decoration is imported into eduGAIN then the entity isn't decorated in their home federation.

Chris - there are a lot of unknowns in the area of this registry. "Sympathetic" tagging of R&S in CAF if they see it tagged in another federation.

Chris asked about SIRTFI for OIDC? No, or at least not yet. Davide is aware and it will likely be future work.

Rhys is going to deep dive into the SIRTFI mailing lists.

Davide stated that this is a real problem.

Nick said for the both of the SIRTFI simulations there was a need to get in touch with the federation security contact. Adding a security contact to

Should this be a URL or an email address (mailto:) or (tel:)

Pål asked whether we do SIRTFI for the federation?

It seems to be

RENISAC (spelling) is the group that co-ordinates R&E security coordination for the InCommon community with almost.

  1. collect the security contact information (up to 3 values - URL, phone, email)
  2. look at the overlap between Trusted-Introducer ...

Autopopulation of the security contact with contact email address? No.

Miro stated that if there are 2 options ....




Future meetings

There is no further meetings in 2018.