Use cases
Initial setup after installation
The instance may participate in one or more federations. "Federation" is a generic term here, encompassing SAML federations, a collection of OIDC parties, or an intra-organisation set of entities (internal federation). The instance will have an identity as either a service provider (SAML SP or OIDC RP), an identity provider (SAML IdP or OIDC OP), or both. These roles will define the deployment’s identity.
- After deployment, the "My Metadata" screen is initially empty.
- Using an "Add Role" button (we might rename it if a better suggestion arises), the user can select one of the following: SAML IdP, OIDC OP, SAML SP, OIDC RP.
- Regardless of the selected role, the user can set up a Display Name and a Logo.
- If the SAML IdP role is selected, a checklist of supported entity categories will be available:
- Research & Scholarship
- Anonymous Access (v2)
- Pseudonymous Access (v2)
- Personalised Access (v2)
- If the SAML SP role is selected, the following settings/attributes are available:
- Research & Scholarship
- Code of Conduct
Adding remote entity metadata
Context: The user can add metadata for the entities this deployment should know and trust.
- On the metadata management screen, the user presses "Add Remote Entity Metadata."
- The available options depend on the roles configured:
- If the instance has the SAML IdP role, the user can add downloaded SAML SP metadata as XML from a file or URL.
- If the instance has the OIDC OP role, the user can add a redirect URI, name, and description (the instance provisions the client ID and client secret).
- If the instance has the SAML SP role, the user can add SAML IdP metadata.
- If the instance has the OIDC RP role, the user can add an OP.
Specific features:
- Step back/forward during config changes (step-by-step wizard for adding a new entity/item)?
- Should metadata feed into SSP and SaToSa configurations, or should we limit the MVP to one platform?
- Add/remove entity metadata to participated federation(s)?
- Could remote entities be offered based on federation metadata?
Adding metadata source
Context: You can add an MDQ source and trust everything retrieved from it. In a future, more advanced version, you may also be able to add an OIDFed intermediate authority.
TBD
Deactivate/activate remote entity
- On the metadata screen, entities already added to the instance should be able to be deactivated and reactivated (via a button or checkbox).
Features: What about notifying the changed status to other known related entities?
Configure proxy mode
Context: If you added at least one of (SAML IdP, OIDC OP) and one of (SAML SP, OIDC RP), you can act as a proxy. In this case, a configuration option that was previously unavailable ("grey") becomes available as 'Proxy Configuration.'
Here, you can add identity and profile attribute mappings.
Features: Is proxying between SAML and OIDC for a later version beyond the MVP?
Edit data sources and data release (not MVP)
Context: This applies only if a SAML IdP or OIDC OP role is enabled.
Note: For the MVP, custom attribute release per remote entity is not implemented. Instead, there is a generic setup that may still be conditional on remote entity categories (e.g., CoCo gets more {attributes?}).
- On the Configuration screen, the user adds a data source:
- SQL
- LDAP
- Other...
- The user adds connection data for the data source.
- The user adds attribute mappings for the data source, e.g., DB field → attribute name.
Information architecture
Dashboard
- Overview of metadata management status.
- Quick access to recent activities and common tasks.
- Configuration
- Configuration of the local instance not related to remote entities.
- Attribute sources
Features: Originally suggested generic entity configuration management features; now only locally?:
- Export/import of config items/entities.
- Copy/delete (copy as a poor man's versioning).
- Editing of entities in the GUI (common configuration items, protocol-specific features).
- Raw config edit.
- Config check.
- Apply config.
- Git config save.
- Generic post-processor for configs, which could be used for configuration check, deployment, activation, and Git push.
- Versioning and rollback from Git (Git config restore).
- Dynamic updates to the configuration without requiring a full joint restart of the GUI, role components, or proxy service (by keeping them apart).
- Configuration of the local instance not related to remote entities.
Metadata Management
- Federation-level: Interface to add/edit federation-wide metadata.
- Individual SPs/IdPs: Interface to add/edit metadata for individual SPs/IdPs, with options for manual entry or file import.
Relation Management
- Select SP/IdP: Dropdown or search functionality to select an SP/IdP.
- Activate SP/IdP: Toggle to activate the selected SP/IdP.
- Attribute Release Policy (SP): Options to configure REFEDs entity categories for SPs.
- Requested Attributes (IdP): Options to select requested entity categories for IdPs.
My Metadata
- Display Name: Field to enter/display the name of the proxy.
- ?Supported Entity Categories: Checklist or dropdown to select supported categories.
- Logo: Upload functionality to add a logo.
Common actions → visual components
Navigation
- Top Navigation Bar: Links to main sections like Dashboard, Metadata Management, Relation Management, and My Metadata.
- Sidebar Navigation: For quick access to subsections within the main areas.
Forms and Input Fields
- Text Input Fields: For entering metadata, display names, and other textual information.
- Dropdown Menus: For selecting options such as entity categories, SPs, and IdPs.
- Checkboxes and Radio Buttons: For selecting multiple or single options, such as supported entity categories and requested attributes.
- File Upload Fields: For importing metadata files or uploading logos.
- Toggle Switches: For activating or deactivating SPs/IdPs.
Buttons and Actions
- Primary Action Buttons: For saving, adding, or submitting forms.
- Secondary Action Buttons: For cancelling, editing, or deleting actions.
- Icon Buttons: For quick actions like editing or deleting items in a list.
Tables and Lists
- Data Tables: For displaying lists of SPs/IdPs, including columns for relevant metadata and actions.
- Paginated Lists: For managing large datasets with navigation controls.
- Expandable Rows: For viewing detailed information about a specific SP/IdP within a table.
Modals and Dialogs
- Confirmation Dialogs: For confirming actions like deletions or important changes.
- Form Modals: For adding or editing metadata in a focused environment.
Search and Filter
- Search Bars: For finding specific SPs/IdPs or metadata entries.
- Filter Options: For narrowing down lists based on criteria like entity categories or active status.
Feedback and Notifications
- Toast Notifications: For temporary messages about actions (e.g., "Metadata saved successfully").
- Error Messages: Inline or modal messages for form validation errors or system issues.
- Success Messages: Inline or modal messages confirming successful actions.
Dashboard Widgets
- Summary Cards: For displaying key metrics and statuses (e.g., total SPs, active IdPs).
- Activity Feeds: For showing recent actions and changes.
Visual Indicators
- Status Badges: For indicating the status of SPs/IdPs (e.g., active, inactive).
- Progress Bars: For showing the progress of actions like file uploads or metadata synchronisation.
User Profile and Settings
- Profile Dropdown: For user account management, logout, and settings.
- Settings Page: For configuring user preferences and system settings.
Features for a later version
- Search (of what, where, by what attributes?).
- Proxy wizard.
- Mapping between local and remote admin users (we could restrict the MVP to require mutually identical or trusted users).
- Is proxying between SAML and OIDC for a later version beyond the MVP?
Topology graph.
- Reporting and analytics: statistics, issues, events/logs.
- Audit trail (in addition to basic reports)
- Management of multiple/remote proxy instances.
Entity lifecycle management: Draft, Test, Production, Support for parked entities/configs, Logically deleted.
- Publicly specified API to access/edit configuration/history of the service and its entities.
- Managing (meta)data exchange (at the proxy):
- Management of attribute filtering between IdPs and SPs.
- Management of mapping of attributes.
- Attribute transformation rules.
- Setting attribute values for entities.
- Possibly contentious:
- Validation of encryption and signatures of entities and their messages.
- Enforcement of authentication and authorisation policies (defined locally or by IdPs).
- Integration with MFA by the proxy.