
Registration at a national federation uses an out-of-band mechanism. Once registration is complete, the national federation issues a national federation membership Trust Mark to the entity. Once that Trust Mark is part of the Leaf's entity configuration, the national federation can automatically load and validate the Leaf into its subordinate registration. Diagram 1 gives an overview of this flow.


Diagram 1: Leaf registration at NREN federation (source: https://gitlab.software.geant.org/edugain/oidfed-docs/-/blob/main/Federation_Registry.puml)

To support the technical enrolment of the entity into the Trust Anchor, an API implementing the registration flow above was developed and integrated into [Gabriel's TA]. Diagram 2 shows the enrolment flow.


Diagram 2: Enrolment endpoint (Source: https://gitlab.software.geant.org/edugain/oidfed-docs/-/blob/main/Enrollment_Endpoint.puml)

eduGAIN Interfederation

The eduGAIN interfederation operates a Trust Anchor and registers the national federations as Intermediates. The eduGAIN interfederation has no Leafs. The [TA developed as part of the testbed by Roland Hedberg] will be used and operated by the eduGAIN pilot team. Registration of participating Intermediates is manual.

eduGAIN will provide at least one, and possibly more, Trust Mark issuers:

  • The eduGAIN Trust Mark issuer allows Leaf entities of national federation Intermediates to participate in eduGAIN: such Leafs request the eduGAIN Trust Mark from the eduGAIN Trust Mark issuer. Note that the Leafs do not become direct subordinates of the eduGAIN Trust Anchor.
    To validate compliance, the eduGAIN Trust Mark issuer checks for the presence and validity of the national federation membership Trust Mark in the Leaf's entity configuration.
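The two flows above (the national federation putting a membership Trust Mark into the Leaf's entity configuration, and the eduGAIN Trust Mark issuer checking that mark before issuing its own) can be shown end to end in a few lines. The following is an added worked example, not code from the pilot, Gabriel's TA or Roland's testbed. It uses HS256 shared secrets as a stand-in for the RS256/ES256 keys a real federation publishes in its JWKS, so the signing helpers are the only part that would change in a deployment. The Trust Mark identifiers, entity IDs and keys are constructed for the example, and the claim names (`trust_marks`, `id`, `authority_hints`, the `entity-statement+jwt` and `trust-mark+jwt` types) follow the OpenID Federation drafts in use during the pilot; later drafts rename some of them, so check against the version your federation implements.

```python
import base64
import hashlib
import hmac
import json

# Trust Mark identifiers: assumed values, not identifiers eduGAIN has published.
NF_MEMBERSHIP_TM_ID = "https://nren.example/trust-marks/membership"
EDUGAIN_TM_ID = "https://edugain.org/trust-marks/edugain"
EDUGAIN_TM_ISSUER = "https://edugain.org"

# Constructed keys. HS256 shared secrets stand in for the asymmetric keys a
# federation publishes in its JWKS; only jws_sign/jws_verify would change.
KEYS = {
    "https://rp.example": b"leaf-key",      # Leaf: self-signs its entity configuration
    "https://nren.example": b"nren-key",    # national federation Trust Mark issuer
    EDUGAIN_TM_ISSUER: b"edugain-key",      # eduGAIN Trust Mark issuer
}
# National federations registered (manually) as Intermediates at the eduGAIN TA.
EDUGAIN_INTERMEDIATES = {"https://nren.example"}


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: dict, typ: str, key: bytes) -> str:
    """Compact JWS; typ distinguishes entity statements from Trust Marks."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": typ}).encode())
    body = _b64u(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64u(sig)}"


def jws_verify(token: str, key: bytes, expected_typ: str) -> dict:
    """Check alg, typ and signature, return the payload; raise ValueError otherwise."""
    header, body, sig = token.split(".")
    hdr = json.loads(_b64u_decode(header))
    if hdr.get("alg") != "HS256" or hdr.get("typ") != expected_typ:
        raise ValueError(f"unexpected JWS header {hdr}")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64u_decode(body))


def validate_membership_trust_mark(entity_config: str, leaf_id: str, now: int) -> str:
    """Return the issuing national federation if the Leaf's entity configuration
    carries a valid membership Trust Mark; raise ValueError otherwise."""
    # Entity configurations are self-signed: verify with the Leaf's own key.
    cfg = jws_verify(entity_config, KEYS[leaf_id], "entity-statement+jwt")
    if cfg.get("iss") != leaf_id or cfg.get("sub") != leaf_id:
        raise ValueError("entity configuration is not self-issued by the Leaf")
    token = next((t["trust_mark"] for t in cfg.get("trust_marks", [])
                  if t.get("id") == NF_MEMBERSHIP_TM_ID), None)
    if token is None:
        raise ValueError("no national federation membership Trust Mark present")
    # The unverified iss only selects the key; the signature check then binds it.
    issuer = json.loads(_b64u_decode(token.split(".")[1])).get("iss")
    if issuer not in EDUGAIN_INTERMEDIATES:
        raise ValueError(f"{issuer} is not an eduGAIN Intermediate")
    tm = jws_verify(token, KEYS[issuer], "trust-mark+jwt")
    if tm.get("sub") != leaf_id or tm.get("id") != NF_MEMBERSHIP_TM_ID:
        raise ValueError("Trust Mark is not a membership mark for this Leaf")
    if not tm.get("iat", 0) <= now < tm.get("exp", 0):
        raise ValueError("Trust Mark expired or not yet valid")
    return issuer


def issue_edugain_trust_mark(entity_config: str, leaf_id: str, now: int,
                             lifetime: int = 86400) -> str:
    """eduGAIN Trust Mark issuer: membership must validate before a mark is signed."""
    validate_membership_trust_mark(entity_config, leaf_id, now)
    payload = {"iss": EDUGAIN_TM_ISSUER, "sub": leaf_id, "id": EDUGAIN_TM_ID,
               "iat": now, "exp": now + lifetime}
    return jws_sign(payload, "trust-mark+jwt", KEYS[EDUGAIN_TM_ISSUER])


def national_membership_trust_mark(leaf_id: str, iat: int, exp: int) -> str:
    """What the national federation issues after out-of-band registration."""
    payload = {"iss": "https://nren.example", "sub": leaf_id,
               "id": NF_MEMBERSHIP_TM_ID, "iat": iat, "exp": exp}
    return jws_sign(payload, "trust-mark+jwt", KEYS["https://nren.example"])


def leaf_entity_configuration(leaf_id: str, now: int, trust_marks: list) -> str:
    """Constructed Leaf entity configuration carrying the given Trust Marks."""
    cfg = {"iss": leaf_id, "sub": leaf_id, "iat": now, "exp": now + 86400,
           "jwks": {"keys": []},  # a real configuration carries the Leaf's public keys
           "authority_hints": ["https://nren.example"],
           "metadata": {"openid_relying_party": {"client_name": "Example RP"}},
           "trust_marks": trust_marks}
    return jws_sign(cfg, "entity-statement+jwt", KEYS[leaf_id])


if __name__ == "__main__":
    now, leaf = 1_700_000_000, "https://rp.example"
    membership = national_membership_trust_mark(leaf, now - 60, now + 3600)
    cfg = leaf_entity_configuration(leaf, now, [{"id": NF_MEMBERSHIP_TM_ID, "trust_mark": membership}])
    print(issue_edugain_trust_mark(cfg, leaf, now))
```

The order of checks matters: the issuer named in the membership mark is looked up against the set of registered Intermediates before any key is selected, so a mark from an unknown issuer never reaches signature verification, and a mark that verifies but names a different `sub` or has expired is rejected rather than silently accepted.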

eduGAIN Components

  1. We assume 1 eduGAIN and 5 national federations

    - TA -> Roland's testbed - we set up the Intermediates manually
    - Intermediate - Gabriel's codebase including the registration API
    - TM issuers
    - TMs
        - eduGAIN - only national Intermediates
        - National federation level Trust Mark - discovery; easier to resolve than a full trust chain
        - REFEDS Sirtfi - must be on national level
        - VO membership - independent TM
    - RPs -> Go implementation
    - OPs?
        - SSP (Marko) - would a proxy also work with the SP side in a SAML federation?
        - Shib OP
        - Roland's OP
        - Can we proxy based on existing SAML IdPs? Yes, via SSP or SATOSA - ask Roland for readiness

    You may bring your own, but you are on your own; we will not support it.

    Do we also inject existing federation members (based on SAML metadata) into the national federations?
    - Yes, but in a different setup

    - Resolver: most important for RPs, as this will simplify RP life.
