
This is to capture issues and requirements around the naming of entities across federations.

  • Federations accepting certifications from 3rd parties
    • If a Federation publishes a LoA claim in its meta-data based on one or more 3rd party assurances, eg Kantara LoA 2 IAF + OSIS ICAM LoA 2 Infocard profile, how are the various parties assured that they are referring to the same Entity, so that the meta-data can be produced in an automated way?
  • Entities belonging to multiple federations publishing meta-data
    • An entity may need to choose a different entityID for each federation it belongs to if RPs/SPs are importing meta-data from multiple sources, eg OIX, InCommon, and Kantara. This creates an issue for the RP/SP: a user coming from the same IdP will appear to be a different user depending on which trust framework LoA the RP/SP was requiring. This happens when different Federations are certifying different trust frameworks and a given IdP belongs to multiple federations in order to get certified.
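To make the second issue concrete, here is an added example (not part of the original page or of any federation's tooling) of a minimal metadata aggregator that merges entity descriptors from several federation feeds by entityID and collects the assurance certifications each feed asserts. It uses the standard SAML V2.0 Identity Assurance Profiles attribute (urn:oasis:names:tc:SAML:attribute:assurance-certification) carried in mdattr:EntityAttributes; the feed names, the entityIDs and the certification URIs (urn:example:...) are constructed for the illustration. When an IdP uses one stable entityID, the aggregator unions the certifications from both feeds; when the same IdP registers under a different entityID for a third federation, the aggregator cannot know the two entries are one IdP, and an RP keying users on (entityID, NameID) sees a different user.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Attribute name defined by the SAML V2.0 Identity Assurance Profiles.
ASSURANCE_ATTR = "urn:oasis:names:tc:SAML:attribute:assurance-certification"


def feed(entity_id, cert_uri):
    """Build a constructed one-entity metadata feed asserting one certification."""
    return f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="{entity_id}">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="{ASSURANCE_ATTR}"
            NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>{cert_uri}</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


# Constructed sample feeds: fed-a and fed-b list the same IdP under one entityID,
# fed-c lists the same IdP under a federation-specific entityID.
SOURCES = {
    "fed-a": feed("https://idp.example.org/idp", "urn:example:fed-a:loa2"),
    "fed-b": feed("https://idp.example.org/idp", "urn:example:fed-b:loa2"),
    "fed-c": feed("https://idp.example.org/idp-fedc", "urn:example:fed-c:loa2"),
}


def load_entities(xml_text):
    """Return {entityID: set(certification URIs)} for every EntityDescriptor in a feed."""
    root = ET.fromstring(xml_text)
    entities = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        certs = set()
        for attr in ed.iterfind(".//mdattr:EntityAttributes/saml:Attribute", NS):
            if attr.get("Name") == ASSURANCE_ATTR:
                for value in attr.iterfind("saml:AttributeValue", NS):
                    certs.add((value.text or "").strip())
        entities[ed.get("entityID")] = certs
    return entities


def aggregate(sources):
    """Merge feeds by entityID, recording which feeds listed each entity and
    the union of certifications asserted for it."""
    merged = defaultdict(lambda: {"sources": set(), "certifications": set()})
    for name, xml_text in sources.items():
        for entity_id, certs in load_entities(xml_text).items():
            merged[entity_id]["sources"].add(name)
            merged[entity_id]["certifications"] |= certs
    return dict(merged)


def singletons(merged):
    """entityIDs seen in only one feed: candidates for a per-federation name
    that the aggregator cannot reconcile automatically."""
    return {eid for eid, info in merged.items() if len(info["sources"]) == 1}


def rp_user_key(entity_id, name_id):
    """The identity key an RP typically derives: same NameID under a different
    entityID is a different user from the RP's point of view."""
    return f"{entity_id}!{name_id}"


if __name__ == "__main__":
    merged = aggregate(SOURCES)
    for eid, info in sorted(merged.items()):
        print(eid, sorted(info["sources"]), sorted(info["certifications"]))
    print("unreconciled:", sorted(singletons(merged)))
    print(rp_user_key("https://idp.example.org/idp", "alice"),
          "!=", rp_user_key("https://idp.example.org/idp-fedc", "alice"))
```

Running it shows the stable entityID accumulating both federations' certifications while the fed-c entry stands alone; nothing in the metadata itself links the two entityIDs, which is exactly why the RP ends up with two identities for one user.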

3 Comments

  1. FWIW, the Shibboleth guidance on this is at https://spaces.internet2.edu/display/SHIB2/EntityNaming

    I'm a strong advocate of NOT varying names based on relationships. That leads to problems and has no advantages other than serving poorly thought out application assumptions.

    1. I agree. We do, however, need to deal with how to reconcile meta-data from multiple sources.
      One solution is Entities not being listed multiple places. That will require more thought about how certifications are indicated in meta-data.

      Signing something and putting it in meta-data to prove a certification is relatively easy however revocation is the hard part.

      Perhaps the signed object points to a revocation list or some other way of checking validity.

      The simple URL for LoA works well if you trust the signer of the meta-data to validate it; however, different federations will be able to make different Trust framework assertions, leading to people belonging to multiple federations.

      I am trying to inspire you to solve the problem(smile)

    2. Having new names for each source scares me. There is some work in the GEANT3 (gn3-jra3-t2 for those who care) project to define a minimal common semantic for a metadata aggregator. I think I've successfully lobbied those guys to bring that work-item out of the GEANT closet and present it somewhere (here or the SSTC I suppose would be the obvious choices). The write-up is being done by Andreas Åkre Solberg (of simpleSAMLphp). Part of that spec is what do do (as an aggregator) when getting the same entity from multiple sources.