Nicole/Alistair et al,
1) (non-)Migration of personalised settings.
We store Zetoc Alerts using the Athens PUID. The PUID is used to associate one or more defined lists and their associated (user-supplied) destination email. We were pleased that JISC & Eduserv agreed to provide the PUID to the Athens/Shibb Gateway so that we could continue to make that link once we were Shibbed, which was our primary concern at that stage.
The A/S Gateway-provided ePTId will change if/when the site ceases to use the gateway, so migration to that from PUID would appear to be pointless. So, we have no immediate means of making the connection between a new Institutional-ePTId and either: A/S Gateway-ePTId or existing PUID. We continue to be interested in working with sites to aid migration and are sure there's stuff we can do, but each service will be different.
As noted in 'Technical recommendations for participants', 7.1.1 footnote 10:
"Migrating from one identity provider is not simple even when the scope can remain unchanged: in particular, values of eduPersonTargetedID are relative to the issuing entity, and would become invalid after any such migration without significant co-ordination between identity providers and service providers. SAML 2.0 introduces new functionality that may help to address this issue in the future."
2) WAYFs
Co-incidentally I have a draft announcement due to go out later today concerning our move to a tailored-WAYF for Zetoc from 4th Feb. I intended to copy to this list.
Sites are grouped geographically, rather than in one long list. Sites will be sent to their IdP, most commonly Athens, but institutional login for AthensDA sites or wherever else an institution formally asks us to send the user. We include a specific list for sites who want to perform pre-production testing of their IdP. We've initially set this to be the current membership of the UK Federation. We are maintaining a Mimas-wide list of sites, IdPs, Federation domain names, Athens Organisation Ids, IP/domain range(s), etc to support this and other functions.
3) Re Metadata currency, there is mention in the Federation documents, eg:
Rules of membership for the federation:
"3.1. The Member warrants and undertakes that:
3.1.1. all and any Data, when provided to the Federation Operator or another Member (as the case may be), are accurate and up-to-date and any changes to Metadata are promptly provided to the Federation Operator;"
Re Shibboleth 1.2 metadata:
Technical recommendations for participants:
"4.3 Metadata Refresh
The metadata published by the federation is regularly updated to include new entities, to describe changes to existing entities, and to remove old entities either because they have left the federation or because the entity has been reported as compromised.
Entities working with old copies of the federation metadata may therefore be unable to communicate with new federation members, be unable to communicate with members whose details have changed, and be vulnerable to attacks based on compromised entities. For these reasons, all federation members are strongly recommended to refresh the metadata used by their entities on a regular basis. A daily refresh operation should be regarded as normal.
Metadata refresh involves the following steps:
● retrieving the revised metadata from the publication location given above,
● verifying the authenticity of the revised metadata (see next section),
● replacing the metadata in use by the entity.
Users of the Shibboleth software can make use of applications provided with the software (metadatatool is supplied with the identity provider, siterefresh with the service provider) to perform all three steps in a unitary transaction."
I think "daily refresh" may be over-the-top at this moment, but it is in everyone's interest to get data updated and cascaded in a timely way. (I can supply details of a very recent problem getting 'someone' to update their metadata which took over two weeks and wasted effort.)
Cheers,
Ross
-------------------------------------------
Ross MacIntyre T: +44(0)161-275-7181
Mimas Service Manager F: +44(0)161-275-6071
Kilburn Building M: +44(0)778-095-6424
The University of Manchester
Oxford Road
Manchester M13 9PL U.K.
Skype: ross.macintyre
-------------------------------------------
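The scoping problem raised by Alistair and in the footnote Ross quotes, as an added illustration that is not part of the thread: eduPersonTargetedID is derived per service provider, so the same user presenting to a gateway-fronted RefWorks and to the federation RefWorks receives two unrelated identifiers, and a change of issuing IdP changes the value again. The code below is modelled on the computed-ID scheme used by the Shibboleth IdP (base64 of SHA-1 over SP entityID, a stable local user identifier and a secret per-IdP salt); the entity IDs, user identifier and salts are constructed examples, not values from any real deployment.

```python
import base64
import hashlib

# Constructed sample identifiers (not real entityIDs from the thread).
IDP_GATEWAY = "https://gateway.example.ac.uk/shibboleth"     # Athens/Shibboleth gateway IdP
IDP_INSTITUTION = "https://idp.example.ac.uk/shibboleth"     # institution's own federation IdP
SP_REFWORKS_GATEWAY = "https://refworks.example.com/gateway-sp"
SP_REFWORKS_FEDERATION = "https://refworks.example.com/federation-sp"

# Per-IdP secret salts (constructed). In a real IdP the salt is local
# configuration and never leaves the IdP, so a new IdP cannot reproduce
# the old IdP's values even for the same user and the same SP.
SALT_GATEWAY = b"constructed-gateway-salt-0001"
SALT_INSTITUTION = b"constructed-institution-salt-0002"


def computed_id(sp_entity_id: str, source_id: str, salt: bytes) -> str:
    """Modelled on Shibboleth IdP's computed ID:
    base64(SHA-1(spEntityId + "!" + sourceId + "!" + salt)).

    The SP entityID is part of the hash input, which is exactly why the
    value is 'relative to the issuing entity' and differs between two SPs
    even when everything else about the user is identical.
    """
    h = hashlib.sha1()
    h.update(sp_entity_id.encode("utf-8"))
    h.update(b"!")
    h.update(source_id.encode("utf-8"))
    h.update(b"!")
    h.update(salt)
    return base64.b64encode(h.digest()).decode("ascii")


def eptid(idp_entity_id: str, sp_entity_id: str, source_id: str, salt: bytes) -> tuple:
    """The three parts of an eduPersonTargetedID carried as a SAML NameID:
    (NameQualifier, SPNameQualifier, value). An SP must key its stored
    settings on all three; the bare value is meaningless without the
    qualifiers.
    """
    return (idp_entity_id, sp_entity_id, computed_id(sp_entity_id, source_id, salt))


def same_person(a: tuple, b: tuple) -> bool:
    """SP-side comparison: two ePTIDs refer to the same stored account only
    if issuer, audience and value all match."""
    return a == b


def demo() -> dict:
    """One user (constructed local id 'jbloggs') under the scenarios in the thread."""
    user = "jbloggs"
    # RefWorks reached through the Athens/Shibboleth gateway.
    via_gateway = eptid(IDP_GATEWAY, SP_REFWORKS_GATEWAY, user, SALT_GATEWAY)
    # The federation RefWorks SP, still via the gateway IdP: different SP, different value.
    via_federation = eptid(IDP_GATEWAY, SP_REFWORKS_FEDERATION, user, SALT_GATEWAY)
    # The site stops using the gateway and runs its own IdP: different issuer and salt.
    after_migration = eptid(IDP_INSTITUTION, SP_REFWORKS_FEDERATION, user, SALT_INSTITUTION)
    return {
        "via_gateway": via_gateway,
        "via_federation": via_federation,
        "after_migration": after_migration,
        "gateway_vs_federation_same": same_person(via_gateway, via_federation),
        "federation_vs_migrated_same": same_person(via_federation, after_migration),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows all three identifiers for the same person are unrelated, and that neither comparison succeeds: there is nothing an SP can compute from the old ePTID that yields the new one. That is the gap Ross describes for Zetoc (PUID to gateway ePTId to institutional ePTId): bridging it needs an out-of-band mapping agreed between the old and new IdP and the SP, not anything in the attribute itself.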
________________________________________
From: Discussion list for Shibboleth developments On Behalf Of Nicole Harris
Sent: 25 January 2008 10:37
Subject: Re: Personalised settings in the fed - can we take our Athens ones with us?
Hi Alistair
Mimas have done some work on this with their ZETOC service. Someone from Mimas may be able to comment??
Alistair Young wrote:
Is there anyone on the list who has enough knowledge to answer a rather fundamental question, that could decide whether using the federation is worth the hassle? The basic problem is personalisation of resources and the attributes used to do so. eduPersonTargetedId is used through the shibb-athens gateway but it's specced to be different for each SP. RefWorks through the gateway and RefWorks through the fed are two separate SPs with different entityId (I presume), so the spec says they cannot share the value of ePTID, except in exceptional circumstances. I'd argue the exceptional circumstance of losing all your references from RefWorks because you change the middleware is cause enough to keep ePTID constant across these two SPs.
The bottom line is, if someone gets kicked off athens for not paying, all their users lose all their settings in RefWorks because the middleware has changed. The settings are still there, they just can't get access to them due to a combination of middleware specs and implementation changes.
It's not possible for an admin to login to RefWorks and transfer settings between "accounts". So you end up with multiple sets of settings depending on how you accessed the resource.
To me, that sounds a good enough reason not to switch to the federation, unless someone can allay these fears. Anyone fancy it?
We were hoping to answer these Qs between now and 2011 but that's not an option any more. It feels like we're being asked to evacuate Athens, leave all our possessions behind and build a new life in Federation City.
Alistair
--------------
mov eax,1
mov ebx,0
int 80h
--
Nicole Harris
Senior Services Transition Manager
JISC Executive
Brettenham House (South Entrance)
5, Lancaster Place
London WC2E 7EN
Tel: 02030066035
Mob: 07734058308
----------------------------------------------------------------------
Anything in this message which does not clearly relate to the official
work of the sender's organisation shall be understood as neither given
nor endorsed by that organisation.
----------------------------------------------------------------------