GakuNin Registration System, Motonori Nakamura, NII Japan, APAN33rd Meeting (16 Feb. 2012)


Page 1: GakuNin Registration System

Motonori Nakamura, NII Japan

APAN33rd Meeting (16 Feb. 2012)

Page 2: What to do to operate a federation?

1. Accept applications from organizations (universities / service providers)

   Check the descriptions in the application forms

2. Register the organization in the federation metadata and distribute it to the DS / IdPs / SPs

3. Provide further support for IdP / SP operation to reduce operation cost / improve usefulness

Page 3: GakuNin Registration System

Developed and provided to GakuNin subscribers since Feb. 2011 (for the "production federation"); since June 2011 for the "test federation".

Most of the process is done online; only mailing a copy of the application with a signature/stamp is required, and only for the production federation.

Page 4: Verification of an application (for the production federation)

Verification of each item in the application form:

Organization: does it satisfy the bylaws of GakuNin?

entityID

Validity of the server certificate: DN (Distinguished Name), expiration date, which CA signed the certificate? (We basically require a certificate issued by a public CA.)

Position of the responsible person

Contact address

Page 5: Metadata management

Automatic generation of entity metadata according to the application for an IdP/SP; the entity metadata is then merged into the federation metadata.

The registration system also supports:

Periodic re-signing of the federation metadata: "validUntil" is enabled and valid for 2 weeks; re-signing is done at an interval of one week.

Update of certificates for IdPs / SPs: two certificates should be used at the same time during the transition period for seamless access.
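An added example (Python, standard library only; not code from the GakuNin registration system) of the metadata lifecycle described on this page: merging entity metadata into one federation document with validUntil set two weeks after the signing time, the validUntil check a consumer should run on every refresh, the weekly re-signing decision, and an IdP publishing two certificates while its certificate is being updated. The entity IDs, the federation name and the certificate bodies are constructed placeholders, and the XML signature itself is left to the signing tool.

```python
"""Federation metadata lifecycle: merge, validUntil, weekly re-signing, key rollover.

Added illustration, not the GakuNin registration system's own code.
Entity IDs, federation name and certificate bodies are constructed
placeholders; ds:Signature is applied afterwards by the signing tool.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

VALIDITY = timedelta(days=14)        # validUntil = signing time + 2 weeks
RESIGN_INTERVAL = timedelta(days=7)  # re-sign and republish every week
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"      # xs:dateTime in UTC, as SAML requires
SIGNED_AT = datetime(2012, 2, 16, tzinfo=timezone.utc)  # assumed signing time


def at(days_from_signing):
    """Instant some days after SIGNED_AT (helper for the demo and the checks)."""
    return SIGNED_AT + timedelta(days=days_from_signing)


def entity_descriptor(entity_id, role, certs):
    """EntityDescriptor with one KeyDescriptor per certificate.

    During a certificate update the entity lists the old and the new
    certificate together, so peers holding either copy of the metadata keep
    verifying its signatures and encrypting to it (seamless access)."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    r = ET.SubElement(ed, f"{{{MD}}}{role}",
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for cert_body in certs:
        kd = ET.SubElement(r, f"{{{MD}}}KeyDescriptor")
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_body
    return ed


def merge_federation(entities, signed_at, name="https://example.org/federation"):
    """Merge per-entity metadata into one EntitiesDescriptor with validUntil
    relative to the signing time; returns the unsigned XML text."""
    root = ET.Element(f"{{{MD}}}EntitiesDescriptor", Name=name,
                      validUntil=(signed_at + VALIDITY).strftime(TIME_FMT))
    root.extend(entities)
    return ET.tostring(root, encoding="unicode")


def check_valid_until(xml_text, now, max_validity=VALIDITY):
    """Consumer-side check (IdP/SP/DS) on every metadata refresh.

    Rejects expired metadata and metadata whose validUntil lies further
    ahead than the federation's published 2-week policy, which indicates a
    stale or tampered copy."""
    vu = ET.fromstring(xml_text).get("validUntil")
    if vu is None:
        return False, "no validUntil"
    until = datetime.strptime(vu, TIME_FMT).replace(tzinfo=timezone.utc)
    if until <= now:
        return False, "expired"
    if until - now > max_validity:
        return False, "validUntil beyond policy"
    return True, "ok"


def resign_due(signed_at, now):
    """One week after signing the secretariat must re-sign, leaving a full
    week of margin before the previous copy's validUntil."""
    return now - signed_at >= RESIGN_INTERVAL


def certificate_count(xml_text, entity_id):
    """Certificates an entity currently publishes (2 while rolling over)."""
    for ed in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        if ed.get("entityID") == entity_id:
            return len(list(ed.iter(f"{{{DS}}}X509Certificate")))
    return 0


def sample_federation():
    """Constructed federation: an IdP mid-rollover and one SP."""
    return merge_federation([
        entity_descriptor("https://idp.example.ac.jp/idp/shibboleth", "IDPSSODescriptor",
                          ["BASE64-OF-OLD-CERT", "BASE64-OF-NEW-CERT"]),
        entity_descriptor("https://sp.example.org/shibboleth", "SPSSODescriptor",
                          ["BASE64-OF-SP-CERT"]),
    ], SIGNED_AT)


if __name__ == "__main__":
    fed = sample_federation()
    print(fed)
    print(check_valid_until(fed, at(1)), check_valid_until(fed, at(15)))
    print("re-sign due after 7 days:", resign_due(SIGNED_AT, at(7)))
```

The consumer check deliberately bounds validUntil from above as well as below: a copy that claims a month of validity did not come from a signer that follows the two-week policy.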

Page 6: Further support by the system

Reducing operation cost of IdPs/SPs

Improvement of Embedded-DS feature

Integrated administrative information exchange among IdPs / SPs

Page 7: Reducing operation cost of SPs

Generation of SP entity metadata which includes information about the required attributes ("isRequired" on "RequestedAttribute" in the metadata).

Page 8: Reducing operation cost of IdPs

Maintenance-free configuration of an IdP to send the attributes required by each SP, using uApprove.jp. uApprove.jp is required for observance of personal information protection laws: it shows and sends only the attributes required by the SP and approved by the user, by means of:

<afp:PermitValueRule xsi:type="uajp:AttributeUapprove" />

Automatic generation of "attribute-filter.xml" for an IdP to use selected SPs (2Q 2012). Most IdP organizations want to control the list of SPs accessible by members of the organization.
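An added example (Python, standard library only; not code from the GakuNin registration system or uApprove.jp) covering Page 7 and Page 8 together: SP entity metadata is generated with a RequestedAttribute per attribute and isRequired set on the ones the SP cannot do without, and an IdP's attribute-filter.xml is then derived from that metadata, with one AttributeFilterPolicy per SP the organization selected and no policy (hence no release) for any other SP. The SP entity IDs, the selected-SP list and the OID-to-attributeID table are constructed assumptions. The value rule defaults to the stock basic:ANY; a uApprove.jp deployment passes "uajp:AttributeUapprove" as on the slide, together with the uajp namespace URI from the uApprove.jp documentation (not given on this page).

```python
"""SP RequestedAttribute metadata -> IdP attribute-filter.xml (Shibboleth AFP).

Added illustration, not the registration system's own code. SP entity
IDs, the selected-SP set and ATTR_IDS are constructed assumptions.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
AFP = "urn:mace:shibboleth:2.0:afp"
BASIC = "urn:mace:shibboleth:2.0:afp:mf:basic"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
URI_FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
for prefix, uri in (("md", MD), ("afp", AFP), ("xsi", XSI)):
    ET.register_namespace(prefix, uri)

# SAML attribute Name (OID form) -> attribute ID in the IdP's attribute-resolver.
# Assumed table; an attribute missing here is one this IdP cannot supply.
ATTR_IDS = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "eduPersonAffiliation",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
}


def sp_entity(entity_id, required, optional=()):
    """SP EntityDescriptor generated from an application (Page 7): each
    attribute the SP asked for becomes a RequestedAttribute, with
    isRequired="true" on the ones it cannot work without."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", protocolSupportEnumeration=SAML2P)
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService", index="1")
    ET.SubElement(acs, f"{{{MD}}}ServiceName", {XML_LANG: "en"}).text = entity_id
    for name, flag in [(n, "true") for n in required] + [(n, "false") for n in optional]:
        ET.SubElement(acs, f"{{{MD}}}RequestedAttribute",
                      Name=name, NameFormat=URI_FMT, isRequired=flag)
    return ed


def requested_attributes(entity):
    """{attribute Name: isRequired} read back from an SP EntityDescriptor."""
    return {ra.get("Name"): ra.get("isRequired", "false") == "true"
            for ra in entity.iter(f"{{{MD}}}RequestedAttribute")}


def attribute_filter(sp_entities, selected_sps, value_rule_type="basic:ANY",
                     namespaces=None):
    """Build the IdP's afp:AttributeFilterPolicyGroup (Page 8).

    One policy per selected SP, releasing exactly what that SP requested.
    Unselected SPs get no policy, so nothing is released to them: that is
    the per-organization control over accessible SPs. Also returns the
    requested attributes this IdP cannot supply, flagged with isRequired,
    so the operator sees which SPs will fail at login."""
    ns = {"basic": BASIC} if namespaces is None else namespaces
    attrib = {"id": "GakuNin-generated"}
    attrib.update({f"xmlns:{p}": u for p, u in ns.items()})  # declare rule prefixes
    group = ET.Element(f"{{{AFP}}}AttributeFilterPolicyGroup", attrib)
    unsupported = []
    for n, ed in enumerate(sp_entities, 1):
        sp_id = ed.get("entityID")
        if sp_id not in selected_sps:
            continue
        policy = ET.SubElement(group, f"{{{AFP}}}AttributeFilterPolicy", id=f"sp-{n}")
        ET.SubElement(policy, f"{{{AFP}}}PolicyRequirementRule",
                      {f"{{{XSI}}}type": "basic:AttributeRequesterString", "value": sp_id})
        for name, required in requested_attributes(ed).items():
            attr_id = ATTR_IDS.get(name)
            if attr_id is None:
                unsupported.append((sp_id, name, required))
                continue
            rule = ET.SubElement(policy, f"{{{AFP}}}AttributeRule", attributeID=attr_id)
            ET.SubElement(rule, f"{{{AFP}}}PermitValueRule", {f"{{{XSI}}}type": value_rule_type})
    return group, unsupported


def released_to(group, sp_id):
    """Attribute IDs the generated filter lets through to sp_id (empty set if none)."""
    for policy in group.iter(f"{{{AFP}}}AttributeFilterPolicy"):
        req = policy.find(f"{{{AFP}}}PolicyRequirementRule")
        if req is not None and req.get("value") == sp_id:
            return {r.get("attributeID") for r in policy.iter(f"{{{AFP}}}AttributeRule")}
    return set()


def to_xml(element):
    return ET.tostring(element, encoding="unicode")


if __name__ == "__main__":
    sp1 = sp_entity("https://sp1.example.org/shibboleth",
                    ["urn:oid:1.3.6.1.4.1.5923.1.1.1.6"], ["urn:oid:0.9.2342.19200300.100.1.3"])
    sp2 = sp_entity("https://sp2.example.org/shibboleth", ["urn:oid:1.3.6.1.4.1.5923.1.1.1.1"])
    group, unsupported = attribute_filter([sp1, sp2], {"https://sp1.example.org/shibboleth"})
    print(to_xml(group))
    print("cannot supply:", unsupported)
```

The list of unsupported attributes is the operator-facing output: an isRequired attribute the IdP cannot resolve means members of that organization will never get into that SP, which is better discovered at generation time than from user complaints.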

Page 9: Improvement of the Embedded-DS feature

Display only the IdPs which allow (or are allowed) to use the SP, e.g. for services which require a p2p (IdP-SP) contract. Suppress an IdP in the listing on the DS (Discovery Service) in case the IdP does not allow access to the SP, to avoid confusing users ("My IdP is on the list, but I cannot use it. Why??").
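An added example (Python, standard library only; not code from the GakuNin registration system or the Shibboleth Embedded DS) of the per-SP IdP list described on this page. IdP entries are read from constructed federation metadata (entityID plus mdui:DisplayName), and for an SP that requires a p2p contract only the IdPs that have enabled that SP are kept; every other SP gets the full list. The contract-SP set and the IdP-to-enabled-SPs map stand in for the registration system's records (the selected SPs of each IdP's generated attribute-filter.xml) and are assumptions; the output follows the DiscoFeed JSON shape (entityID and DisplayNames) that the Shibboleth Embedded DS consumes.

```python
"""Per-SP IdP list for the Embedded DS.

Added illustration, not the registration system's own code. The metadata,
CONTRACT_SPS and IDP_ENABLED_SPS below are constructed.
"""
import json
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDUI = "urn:oasis:names:tc:SAML:metadata:ui"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

IDP_A = "https://idp.univ-a.example.ac.jp/idp/shibboleth"
IDP_B = "https://idp.univ-b.example.ac.jp/idp/shibboleth"
SP_OPEN = "https://sp.open.example.org/shibboleth"
SP_CONTRACT = "https://sp.contract.example.org/shibboleth"

# Constructed federation metadata: two IdPs with mdui display names, one SP.
FEDERATION_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:mdui="{MDUI}">
  <md:EntityDescriptor entityID="{IDP_A}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">University A</mdui:DisplayName>
        <mdui:DisplayName xml:lang="ja">A大学</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{IDP_B}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo>
        <mdui:DisplayName xml:lang="en">University B</mdui:DisplayName>
      </mdui:UIInfo></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{SP_OPEN}">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Registration-system records (assumed): SPs that need a p2p contract, and
# which of those each IdP has enabled. SPs not in CONTRACT_SPS are open to all.
CONTRACT_SPS = {SP_CONTRACT}
IDP_ENABLED_SPS = {IDP_A: {SP_CONTRACT}, IDP_B: set()}


def idp_entries(metadata_xml):
    """DiscoFeed-style entries for every IdP in the metadata; SPs are skipped."""
    entries = []
    for ed in ET.fromstring(metadata_xml).iter(f"{{{MD}}}EntityDescriptor"):
        if ed.find(f"{{{MD}}}IDPSSODescriptor") is None:
            continue
        names = [{"value": dn.text, "lang": dn.get(XML_LANG, "en")}
                 for dn in ed.iter(f"{{{MDUI}}}DisplayName")]
        entries.append({"entityID": ed.get("entityID"), "DisplayNames": names})
    return entries


def disco_feed(metadata_xml, sp_entity_id, contract_sps=CONTRACT_SPS,
               enabled=IDP_ENABLED_SPS):
    """IdP list the Embedded DS of sp_entity_id should display.

    For a contract SP, an IdP that has not enabled it is suppressed: showing
    it would only lead the user to a failed login."""
    entries = idp_entries(metadata_xml)
    if sp_entity_id not in contract_sps:
        return entries
    return [e for e in entries if sp_entity_id in enabled.get(e["entityID"], set())]


def disco_feed_json(metadata_xml, sp_entity_id):
    return json.dumps(disco_feed(metadata_xml, sp_entity_id), ensure_ascii=False, indent=1)


if __name__ == "__main__":
    print(disco_feed_json(FEDERATION_METADATA, SP_OPEN))
    print(disco_feed_json(FEDERATION_METADATA, SP_CONTRACT))
```

The filtering is an aid to users, not an access control: the IdP's own attribute-filter policy is what actually refuses the SP, so the DS list must be regenerated from the same records whenever an IdP changes its selected SPs.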

Page 10: Integrated administrative information exchange

Imagine: an IdP may be stopped accidentally or for maintenance. When a user belonging to the organization of that IdP visits an SP and fails to log in, he may send a complaint to the SP administrators.

As a solution for this miscommunication, a sort of integrated system may be useful so that administrators/users can see what the problem is at that time.

The GakuNin registration system will have such an integrated announcement feature.

Page 11: Summary

The GakuNin Registration System was constructed initially for reducing the operation cost of the GakuNin secretariat.

It also reduces the maintenance cost of IdPs by providing automatic configuration features in combination with uApprove.jp; this is useful for developing an easy IdP hosting service, to accelerate the increase in the number of IdPs.

It also provides convenience and avoids confusion for users through cooperation with SPs using the Embedded-DS.

It also provides an integrated information exchange channel among IdPs and SPs (planned).