Subject Re: [eduGAIN-discuss] mari plan & next steps
From Jaime Pérez Crespo <jaime.perez@xxxxxxxxxx>
Date Wed, 29 Oct 2014 19:06:40 +0100

On 29 Oct 2014, at 18:29 pm, Peter Schober <peter.schober@xxxxxxxxxxxx> wrote:
>> That given, how exactly would that force Feide to align its
>> practices with the spec? It reminds me of a different discussion I
>> had last week regarding the CoCo. You could say Feide willingly
>> aligns with the spec, but since Feide is not the holder of the
>> attributes… If we are “forced” to align, what does that mean? Should
>> we go to each and every institution out there and threaten to
>> kick them out of Feide if they don’t include
>> eduPersonScopedAffiliation and schacHomeOrganization for all their
>> users? Should we do that then even for those users/institutions
>> where sHO, for instance, doesn’t have any semantics and cannot
>> actually have any value?
> I regretted having typed "force" immediately when hitting send. It
> should have been "motivate" (you get to play with REFEDS R&S only if
> you comply).  And clearly this now is not about FEIDE qua "central
> IDP" doing anything, it is about FEIDE as federation operator documenting
> and encouraging behaviour at institutions to help them interoperate
> with the outside world. Same as we "full mesh" types all do.

No worries Peter, I got your point and I even agree with you to some extent, but I wanted to point out that our capabilities as fedops are the same as in a mesh federation, even though we are H&S.

> Whether institutions connect LDAP servers to a central FEIDE IDP, or
> connect LDAP server to their own IDP is immaterial here: You're in the
> same boat as all "full mesh" federations.
> So how come it should be more difficult for you (compared to most
> others) to get your institutions configured properly? That's the part
> I fail to get.

The thing is… All H&S federations will have that in common with mesh federations, unless the hub is not only a hub but a central directory. In our case, things are even harder than for most mesh federations, since we are H&S *and* we have one single IdP. *We* at Feide are the IdP. If I follow the example of R&S, then we have the following possibilities:

- We refuse to provide some of the attributes required and therefore we are out of it. Our life is harder and miserable. Same for our institutions.
- We accept the R&S category in what relates to attribute release policy, but given that (some of) our institutions don’t provide certain attributes, we are kicked out of the REFEDS R&S. Our life is harder and miserable. So it is for all our institutions, regardless of them complying with the attribute policy or not.
- Again, we accept the R&S category, and we stay there *even though* some of our institutions don’t comply with the attribute policy. As a result, SPs in R&S won’t work for some of our institutions. The life of those institutions’ users is hard and miserable. So it is for the institution administrators, and subsequently the same for us as federation operators. It’s also like that for SP administrators who can’t get some of their potential clients to talk to them. Hence, our life in Feide is even harder and more miserable.

Of course I’m exaggerating a lot, but I think you can see my point. With the current scenario and technology, there’s no way out of this mess for us. Of course we could just manually adjust the attribute release policies per SP so that everyone gets what they need (and we can provide), but that doesn’t scale very well, right?

Jaime Pérez
mail: jaime.perez@xxxxxxxxxx
xmpp: jaime@xxxxxxxxxxxxxxxxx

"Two roads diverged in a wood, and I, I took the one less traveled by, and that has made all the difference."
- Robert Frost