[WG-OTTO] OTTO WG Minutes 10/21
rainer at hoerbe.at
Thu Oct 22 05:58:56 CDT 2015
> On 22.10.2015 at 12:00, Janusz Ulanowski <janusz.ulanowski at heanet.ie> wrote:
>>> I'm also curious how it would look if a client (for instance an RP) has a hardcoded trusted source/federation URL etc. and joins another federation (it was one of the reasons to add memberOf, homeFederation and to separate entity metadata from federation metadata).
>> Hmm, if it is really hard-coding there will be a need for some kind of gateway I guess.
> I still think it's worth considering such a scenario - it would be like the following graphs.
> In Edugate we introduced circle-of-trust metadata. An SP/IdP admin only had to set an individual URL as the source of metadata (SAML profile) and that's it. Later he can manage membership of any federation (including eduGAIN, campus federations, bilateral etc.) on our ResourceRegistry without changing anything in his software configuration. Such an approach is very much appreciated by our members.
I see. I would not see any limitation here. Assuming that SAML MD would be generated on the fly, the single MD feed would be represented by a certain policy for the MD generator. Membership in another federation might be a multilateral decision, requiring assertions from both the respective FO and an opt-in from the entity operator. Anyway, I think that it is important to separate the UI from the assertion. So the UI could stay the same, the IdP operator would opt in to a bilateral federation (first assertion), and the FO of the other federation would confirm (second assertion). The policy that steers the generation of metadata out of the ledger would have to take this into account.
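An added illustration of the two-assertion policy sketched above (example code written for this note, not anything from the OTTO WG or Edugate): a toy ledger of signed statements and a generator policy that includes an entity in a federation's MD feed only when its home FO registered it, or when both the operator opt-in and the other FO's confirmation are present. Entity IDs, FO names and the ledger contents are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Assertion:
    issuer: str      # who made the statement: an entity operator or a federation operator (FO)
    subject: str     # entity ID the statement is about
    claim: str       # "homeFederation", "optIn" or "confirm"
    federation: str  # federation the claim refers to

# Constructed mapping: which FO speaks for which federation (hypothetical names).
FEDERATION_OPERATORS = {"edugate": "fo:edugate", "campusfed": "fo:campusfed"}

def feed_members(ledger, federation):
    """Entities the MD generator policy would put into `federation`'s feed.

    Home members are included on the FO's registration alone. For a bilateral
    join, BOTH an operator opt-in and the target FO's confirmation are needed;
    either assertion on its own is ignored.
    """
    fo = FEDERATION_OPERATORS[federation]
    home, opted_in, confirmed = set(), set(), set()
    for a in ledger:
        if a.federation != federation:
            continue
        if a.claim == "homeFederation" and a.issuer == fo:
            home.add(a.subject)
        elif a.claim == "optIn" and a.issuer == a.subject:
            # Simplification: the operator is identified by its own entity ID.
            opted_in.add(a.subject)
        elif a.claim == "confirm" and a.issuer == fo:
            confirmed.add(a.subject)
    return sorted(home | (opted_in & confirmed))

# Constructed sample ledger.
LEDGER = [
    Assertion("fo:edugate", "https://idp.example.ie", "homeFederation", "edugate"),
    Assertion("https://idp.example.ie", "https://idp.example.ie", "optIn", "campusfed"),
    Assertion("fo:campusfed", "https://idp.example.ie", "confirm", "campusfed"),
    # opt-in without FO confirmation: must not appear in the campusfed feed
    Assertion("https://sp.example.org", "https://sp.example.org", "optIn", "campusfed"),
    # FO confirmation without operator opt-in: must not appear either
    Assertion("fo:campusfed", "https://sp2.example.org", "confirm", "campusfed"),
]

if __name__ == "__main__":
    print(feed_members(LEDGER, "edugate"))    # ['https://idp.example.ie']
    print(feed_members(LEDGER, "campusfed"))  # ['https://idp.example.ie']
```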