Submitted by Martin Matthiesen on 11 December 2013
Clarin AAI Taskforce meeting 29.11.2013 11:00 -- 12:05 CET
Present: Daan Broeder, Dieter van Uytcank (MPI), Lene Offersgaard (UCPH), Oliver Schonefeld (IDS), Kai Zimmer (BBAW), Martin Matthiesen (CSC, secretary)
1) Meeting formalities
The meeting started at 11:00 CET. No changes were proposed to the agenda, Martin was chosen secretary
2) Status of the SPF
Czech (Charles University Prague) has not signed the SPF amendment to move power of attorney.
Copenhagen University has technically joined the SPF but cannot formally because of the unclear power of attorney.
Dieter is working on the issue and tries to get Prague to sign.
Metadatasharing within the SPF is not working as it should, we agreed on improvements under point 5.
The Finnish IdPs work with the SPF as do most of the Dutch IdPs. The situation in Germany is still problematic.
3) Implementing the CoC wihtin the SPF
After lively discussion we agreed on the following:
* Clarin recommends the implementation of the DP-CoC https://refeds.terena.org/index.php/Data_protection_coc to all associated Service Providers and Identity Providers.
* The CoC will be a future requirement for Clarin Centers and incorporated into the next revision of the Center requirements (http://www.clarin.eu/content/center-requirements-revised-version). Martin and Oliver will provide a draft amendment.
* The main goal of this Taskforce is to make interoperability work between SPs and IdPs. While we support the CoC, this Taskforce will concentrate on making the SPF work (getting SPs on board, ensuring proper attribute release). This means in practice that our first goal is to get the national IdPs to release proper attributes to the respective SPs. If we can achieve that short-term goal without the CoC, we will do so to get the SPF working. That should not stop individual centers from pushing the CoC, eg. DFN-AAI has expressed interest in pushing the CoC and Martin is in contact with Wolfgang Pempe on this.
4) Statement for http://www.geant.net/MediaCentreEvents/news/Pages/International_User_Advisory_Committee.aspx
Dieter is preparing a draft. There was complete agreement in this group that the most problematic issue in EduGAIN is the Opt-In prodecure for IdPs and SPs to join. This leads to the well known problem of SPs not able to offer logins and/or not being able to get attributes.
5) Streamlining of SPF metadata matters (Oliver)
The SPF metadata process is outdated at the moment. Clarin ERIC will get funding for a person responsible to act as a broker between the SPs and the different IDFs. We agreed to change the metadata process as outlined by Oliver:
1) SP admin add/delete/change their SP metadata in the CLARIN SVN in the appropiate file [1].
2) SP admin make sure, they did not break the SP metadata by validating it with the SAML metadata validator [3]. Of course, if errors pop up, they fix them.
3) SP admin notifies the SPF proxy by creating a ticket in CLARIN TRAC. This ticket includes the entityID of the entity that was added/deleted/changed and
is put in the proper queue (= component) for TRAC to automatically assign it to the SPF proxy
4) SPF proxy pushes metadata to federation and keeps track of actions in the ticket. Once the metadata change is completed, the ticket is closed by the SPF proxy.
In case of problems with the federation, e.g. logins from specific IDPs don't work, the SP admin first tries to diagnose the problem on their
own (e.g. by checking if the federation has the correct and up-to-date metadata). If problems persist, SP admins opens a ticket in the SPF
queue and together with the SPF proxy try to resolve the problem.
About metadata completeness: SP admins are required to put in as complete metadata as possible. mdui extensions and <RequestedAttribute >
elements are encouraged. English translations of descriptions, etc are mandatory.
Of course, this workflow need to be documented; probably on the SPF pages.
5) End of meeting
The meeting ended at 12:05 CET.
6) Next meeting
We agreed to meet again in January 2014. Martin will send invitations.
