Prologue
When running a federation, there are multiple ways in which federations can publish their local entities into eduGAIN (i.e. “upstream”), and in which eduGAIN metadata can be published to a federation’s local entities (i.e. “downstream”).
Why is this important? Well, the choice made in how to do these two things has major consequences on the entities and about how much work they have to do to be globally interoperable – and consequently, how much pain this can cause actual end users!
The Accepted Picture
GÉANT has categorised each of the eduGAIN federations approaches to both upstream and downstream (data available here), presented from a federation operator point of view, and this has been presented at multiple events. Let’s take a look…
Upstream
There are 4 different ways of pushing local metadata into eduGAIN by a federation operator:
- Full opt-in – no entities are pushed to eduGAIN without the specific request from an entity to do so.
- IdP opt-in, SP opt-out – no IdP entities are pushed to eduGAIN without the specific request from an entity to do so; SP entities are all automatically pushed to eduGAIN unless the entity requests otherwise.
- IdP opt-out, SP opt-in – IdP entities are all automatically pushed to eduGAIN unless the entity requests otherwise; no SP entities are pushed to eduGAIN without the specific request from an entity to do so.
- Full opt-out – all entities are pushed to eduGAIN unless the entity requests otherwise.
So, let’s have a look at how federation operators do this:
The results are pretty clear – full opt-in is the choice that most federation operators have made, and the other choices are very much in the minority.
Downstream
Downstream – how a federation’s entities actually consume eduGAIN metadata, is a rather more complex picture:
There are 12 different methods documented, and there is no clear preferred approach. So, whether an entity actually consumes metadata for eduGAIN entities is entirely an unknown factor.
Conclusions
The data above suggests that the majority of entities are not exported into eduGAIN unless they specifically ask for it, and whether those entities can also consume metadata from eduGAIN is anyone’s guess.. Upstream opt-in must be the best solution, since that’s what most federations have adopted, and downstream distribution is something that everyone can decide for themselves.
Wrong.
My supposition is that this is entirely the wrong way to look a this problem. What’s most important is how many entities around the world are exposed to the different approaches, instead of how many federations choose a particular approach. This whole problem centres on how entities can interact with each other, globally, in an inter-federated environment. So let’s look again, from their point of view.
The ACTUAL picture
To look at things from the point of view of the amount of entities that each approach is exposed to, we need to normalise the figures based on the amount of entities in each federation. Why is this important? Well, the distribution of number of entities that each federation publishes into eduGAIN differs wildly:
So, assuming every federation is equal when drawing these conclusions is flawed. Taking the entity count into account, what does the picture look like now?
Upstream
Compared to the original data, we can see that the picture is now somewhat more nuanced that before (where “full opt-in” was the clear choice). This means that from an entity perspective, most entities are part of federations that do with full opt-out or IdP out-out, SP opt-in.
So, for IdPs, the most common approach is for full opt-out – meaning actual end users globally are most likely to have their IdP automatically exported into eduGAIN.
For SPs, the picture is somewhat murkier – 45% will be subject to opt-out and 55% opt-in.
Downstream
Looking at the data for downstream publication – how entities consume eduGAIN metadata, the picture is in fact a lot clearer than before (where there was no clear choice):
Now it can be seen that the clear majority of entities consume eduGAIN metadata by the simple process of that metadata being included in the entity’s home federation’s main metadata feed. The implications of this are that the majority of entities automatically consume eduGAIN metadata without having to do anything to enable it.
Actual Conclusions
Having looked at the data on different approaches to downstream and upstream publishing of eduGAIN metadata from the point of view of the entities, rather than the federations, we can draw the following conclusions:
- The majority of IdPs in the world are subject to opt-out, so are published automatically to the rest of the world
- For SPs, roughly half will be automatically made available globally while half will be kept local only.
- The majority of entities globally automatically consume eduGAIN metadata without having to specifically add configuration to do so.
And some personal observations
And to those conclusions, I’ll add a personal observation as a federation operator. We are in the business of attempting to enable seamless global interoperation between our customers/members, and the only way to enable that is to make the process as simple as possible for them. The way to do that is clear:
- All IdP entities should be opt-out (i.e. all IdPs should be published globally unless there’s a specific reason/request not to do that).
- Federations with a large amount of services with a global customer base should enact opt-out for their SPs (i.e. automatically make them globally available). Federations with services that are only of interest locally may wish to do opt-in with no real affect on eduGAIN.
- eduGAIN metadata should absolutely be pushed to entities without them having to do anything (i.e. include imported eduGAIN entities in the main federation feed). Without this, a federation operator is doing a major disservice to the end-user experience, as users will find global services that know about their home IdP, but their home IdP won’t know about the service. Users will not understand the error that results. And we’re supposed to be making their lives easier, not more frustrating.
All of this can be summed up simply – let the metadata flow!