TRANSCRIPT
GakuNin Registration System
Motonori Nakamura, NII Japan
APAN33rd Meeting (16 Feb. 2012)
What is needed to operate a federation?
1. Accept applications from organizations (universities / service providers), checking the descriptions in the application forms.
2. Register the organization in the federation metadata and distribute the metadata to the DS/IdPs/SPs.
3. Provide further support for IdP / SP operation to reduce operation cost and improve usefulness.
GakuNin Registration System: developed and provided to GakuNin subscribers since Feb. 2011 (for the "production federation") and since June 2011 (for the "test federation").
Most of the process is done online; only mailing a copy with signature/stamp is required for the production federation.
Verification of an application (for the production federation)
Each item in the application form is verified:
- Does the organization satisfy the bylaws of GakuNin?
- entityID
- Validity of the server certificate: DN (Distinguished Name), expiration date, and which CA signed the certificate (a publicly trusted certificate is basically required)
- Position of the responsible person
- Contact address
Metadata management
- Automatic generation of entity metadata according to an IdP/SP application; the entity metadata is merged into the federation metadata.
- The registration system also supports periodic re-signing of the federation metadata: "validUntil" is enabled and valid for 2 weeks, and re-signing is done at an interval of a week.
- Update of certificates for IdPs / SPs: two certificates should be used at a time during the transition period for seamless access.
Further support by the system
- Reducing operation cost of IdPs/SPs
- Improvement of the Embedded-DS feature
- Integrated administrative information exchange among IdPs / SPs
Reducing operation cost of SPs
Generation of SP entity metadata which includes information about the required attributes ("isRequired" of "RequestedAttribute" in the metadata).
Reducing operation cost of IdPs
Maintenance-free configuration of an IdP to send the attributes required by each SP, using uApprove.jp. uApprove.jp is required for observance of personal information protection laws: it shows and sends only the attributes required by the SP and approved by the user, by:
<afp:PermitValueRule xsi:type="uajp:AttributeUapprove" />
Automatic generation of "attribute-filter.xml" for an IdP to use selected SPs (2Q 2012). Most IdP organizations want to control the list of SPs accessible by members of the organization.
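The two registration-system features above (SP metadata carrying "isRequired" on RequestedAttribute, and an IdP's attribute-filter.xml generated from it for selected SPs), plus the "validUntil" freshness rule from the metadata management slide, worked as an added Python example. This is not GakuNin's code: the federation metadata is constructed, the Shibboleth filter uses IdP v3 xsi:type names ("Requester", "ANY") where the slide's uApprove.jp rule could be substituted, and the IdP attributeID is assumed to equal the SAML FriendlyName.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
AFP = "urn:mace:shibboleth:2.0:afp"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ET.register_namespace("afp", AFP)  # the xsi prefix is predefined by ElementTree

# Constructed federation metadata (not GakuNin's): one SP marking two of its three requested attributes isRequired.
FED_METADATA = f"""<EntitiesDescriptor xmlns="{MD}" validUntil="2012-03-01T00:00:00Z">
 <EntityDescriptor entityID="https://sp1.example.ac.jp/shibboleth">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <AttributeConsumingService index="1">
    <RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName" isRequired="true"/>
    <RequestedAttribute Name="urn:oid:2.5.4.42" FriendlyName="givenName" isRequired="false"/>
    <RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail" isRequired="true"/>
   </AttributeConsumingService>
  </SPSSODescriptor>
 </EntityDescriptor>
</EntitiesDescriptor>"""

def metadata_is_fresh(metadata_xml, now_utc):
    """True while validUntil lies after now_utc (both UTC 'Z' timestamps); stale metadata must not drive configuration."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    valid_until = datetime.strptime(ET.fromstring(metadata_xml).get("validUntil"), fmt)
    return valid_until > datetime.strptime(now_utc, fmt)

def required_attributes(metadata_xml):
    """Map each SP entityID to the FriendlyNames of its isRequired="true" attributes."""
    result = {}
    for ed in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        if ed.find(f"{{{MD}}}SPSSODescriptor") is None:
            continue  # IdP-only entities request no attributes
        result[ed.get("entityID")] = [
            ra.get("FriendlyName") for ra in ed.iter(f"{{{MD}}}RequestedAttribute")
            if ra.get("isRequired", "false").lower() == "true"]
    return result

def build_attribute_filter(required, selected_sps):
    """One policy per selected SP releasing only its required attributes (assumes attributeID == FriendlyName, IdP v3 xsi:types)."""
    group = ET.Element(f"{{{AFP}}}AttributeFilterPolicyGroup", {"id": "GakuNinGenerated"})
    for n, sp in enumerate(selected_sps, 1):
        if not required.get(sp):
            continue  # SP not in the federation metadata, or requires nothing: release nothing
        policy = ET.SubElement(group, f"{{{AFP}}}AttributeFilterPolicy", {"id": f"sp{n}"})
        ET.SubElement(policy, f"{{{AFP}}}PolicyRequirementRule", {f"{{{XSI}}}type": "Requester", "value": sp})
        for attr in required[sp]:
            rule = ET.SubElement(policy, f"{{{AFP}}}AttributeRule", {"attributeID": attr})
            ET.SubElement(rule, f"{{{AFP}}}PermitValueRule", {f"{{{XSI}}}type": "ANY"})
    return ET.tostring(group, encoding="unicode")
```

An SP that is selected by the IdP but absent from the metadata, or that marks nothing as required, gets no policy at all, so nothing is released to it by default.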
Improvement of the Embedded-DS feature
Display only the IdPs which are allowed to use the SP, e.g. services which require a peer-to-peer (IdP-SP) contract. An IdP is suppressed in the listing on the DS (Discovery Service) when that IdP is not allowed access to the SP, to avoid confusing users ("My IdP is on the list, but I cannot use it. Why??").
Integrated administrative information exchange
Imagine: an IdP may be stopped accidentally or for maintenance. When a user belonging to the IdP's organization visits an SP and fails to log in, he may send a complaint to the SP administrators.
As a solution to this miscommunication, a sort of integrated system may be useful so that administrators/users can see what the problem is at that time.
The GakuNin registration system will have such an integrated announcement feature.
Summary
The GakuNin Registration System was constructed initially to reduce the operation cost of the GakuNin secretariat.
It also reduces the maintenance cost of IdPs by providing automatic configuration features, in combination with uApprove.jp; this is useful for developing an easy IdP hosting service to accelerate the increase in the number of IdPs.
It also provides convenience and avoids confusion for users, through cooperation with SPs using Embedded-DS.
It also provides an integrated information exchange channel among IdPs and SPs (planned).