05 May 2016
Reference/Subject: SA5 T1 Recommendations: eduGAIN Policy Changes v2

SA5 T1 Recommendations: eduGAIN Policy Changes

Authors: Nicole Harris, Brook Schofield, Rhys Smith

Version history

Version | Status
V0.1 | Discussion internally with Harmonisation task, SA5 Task Leaders and eduGAIN team.
V1 |
V2 | Socialised with eduGAIN SG. Changed recommendation 1 to changing the definition in the Constitution rather than impacting the Declaration. Small amendment to text at recommendation 3. Added proposed wording to manage the changes to the Operational Team section of the Constitution.

Table of Contents

SA5 T1 Recommendations: eduGAIN Policy Changes (page 1)
1. Summary (page 2)
2. Recommendations (page 2)
3. Detailed Description of Change Requirements (page 3)
3.1 Federation "Operator" (page 3)
3.2 eduGAIN Executive Committee (page 3)
3.3 eduGAIN Steering Group (page 4)
3.4 SAML in Constitution (page 4)
3.5 eduGAIN Operational Team (page 4)
3.6 eduGAIN Practice Statements (page 5)
3.7 eduGAIN Profiles (page 6)

1. Summary

As part of the GN4-1 Task on Trust and Identity Harmonisation (SA5 T1 project number reference), a review of the existing eduGAIN policy set has been completed. The purpose of the review was to update any processes that are currently not working or have been superseded within the policy set, and to review how eduGAIN could become more technology agnostic.

The review has been socialised with various groups that have an interest in eduGAIN and was presented at the eduGAIN Town Hall meeting on 1 December 2015. eduGAIN Steering Group members are now asked to comment on and APPROVE the proposed changes.

2. Recommendations

The following is a summary of the proposed changes:

1. CHANGE the definition of the term "federation" within the document to reflect the role of the "federation operator" in representing the federation, and add a definition of federation operator to the definition set. Consider abstracting the definitions out of the Constitution as a standalone document. Document changes required: CONSTITUTION.

2. CHANGE the construct of the eduGAIN Executive Committee as follows: "The eduGAIN Executive comprises representatives from organisations that fund eduGAIN operations. The current process for appointing the executive and executive members is documented on the eduGAIN website". Document changes required: CONSTITUTION.

3. CHANGE the construct of membership of the SG as follows: "Each Participant Federation should ensure that representatives can represent all technology profiles. Participant Federations may vote on all constitutional changes and new profiles but may only vote on changes to technical profiles they use." Document changes required: CONSTITUTION.

4. REMOVE reference to the eduGAIN SG "appointing the Operational Team". Document changes required: CONSTITUTION.

5. REMOVE all references to SAML within the Constitution and replace them with "relevant technology profile". Document changes required: CONSTITUTION.

6. UPDATE the section on the Operational Team to describe the relationship with MDS management and to reference future trust brokers, as per the wording recommendations below. Document changes required: CONSTITUTION.

7. ENSURE that the Federation Operational Practice Statement for the eduGAIN interfederation service (mentioned in the Constitution) and the MDS Aggregation Practice Statement [MAPS] (mentioned in the existing Metadata Profile), both currently referenced in policy, are written by July 2016.

8. REMOVE the existing Attribute Profile as a normative document and instead provide a best practice guide for managing attributes that links to entity categories and to work in REFEDS on "meta" attributes. Document changes required: PROFILES.

9. COMBINE the existing WebSSO Profile and Metadata Profile into a single SAML Profile, taking care to acknowledge SAML1 issues. Document changes required: PROFILES.

The SG and current Chair of the RSG will be asked how they would like to manage voting for these issues. For the eSG to agree to a revision of this Constitution requires an affirmative vote of at least two-thirds of current Participant Federations. A Simple Majority process can be used to vote on all other issues raised in this document.

3. Detailed Description of Change Requirements

3.1 Federation "Operator"

The current eduGAIN Constitution defines a federation as "An association of organisations that come together to exchange information as appropriate about their users and resources to enable collaborations and transactions". The Declaration asks "the federation" to commit to a series of statements and to sign the document. It is clear that the intention was not to ask the federation as a whole to acknowledge and sign, and most federations do not in themselves exist as a legal entity, so have no specific signing powers. It has become common practice in other documentation to refer to the "federation operator" rather than a federation when asking for commitments.

It is recommended that the definition of "federation" be updated to accurately reflect the role of the operator in representing the federation. It is also recommended that a definition of federation operator be added to the definition set. The eduGAIN SG may also wish to consider abstracting the definitions out of the Constitution as a stand-alone document, to allow the definitions to be associated with all the eduGAIN policy documents.

3.2 eduGAIN Executive Committee

The current eduGAIN Constitution names the "GÉANT Exec" as the organisation acting as the eduGAIN Executive Committee, but this project function no longer exists, so eduGAIN effectively has no ability to sign off changes at this level. This clearly needs to be rectified. The intention was to give Executive oversight to the organisation funding eduGAIN as an appropriate governance model.

It is recommended that no single organisation be named within the Constitution, to avoid future issues with changing committee structures. It is also recommended that the document be phrased to allow additional funding partners to join an Executive Committee in the future.

It is recommended that the following wording be used to reflect the needs of the eduGAIN Executive Committee: "The eduGAIN Executive comprises representatives from organisations that fund eduGAIN operations. The current process for appointing the executive and executive members is documented on the eduGAIN website".

References within the definition set will also need to be updated.

3.3 eduGAIN Steering Group

The current construct of the eduGAIN Steering Group has worked well and should not be changed, but some concern has been expressed about how the SG can effectively represent multiple profiles within eduGAIN that might require different skill sets. It is difficult to assess how this can be managed without real-life experience of the way in which different profiles are likely to grow.

It is recommended that the following wording be used to reflect the relationship of the SG to the various technology profiles: "Each Participant Federation should ensure that representatives can represent all technology profiles. Participant Federations may vote on all constitutional changes and new profiles but may only vote on changes to technical profiles they use." This will allow participants to have a say on introducing new profiles into eduGAIN and to reflect on the overall impact of the profile on the workings of eduGAIN, but will restrict votes to participants with an active interest once the profile is accepted.

The current eduGAIN Constitution refers to the SG as having responsibility for "appointing the Operational Team". The SG has never had this right, and the OT is appointed by the GN Project process. It is recommended that this reference be removed.

3.4 SAML in Constitution

When writing the eduGAIN Declaration and Constitution, the intention was to create a framework that was technology agnostic. Unfortunately, through the many revisions some references to SAML appear in the Constitution (but not the Declaration). It is recommended that all current references to SAML be replaced with the term "the relevant technology profile".

3.5 eduGAIN Operational Team

The current eduGAIN Constitution describes the Operational Team, but does not mention management of the current trust broker (MDS) in the list of functions. This does not present any specific issues with the current set-up, where SAML-only management and the MDS are implied, but could cause issues further down the line when additional trust brokers are introduced. It is recommended that a phrase be added to this section calling out management of the trust broker and referencing MDS.

An open issue for consideration is what might happen if a future profile wanted to implement an approach that led to multiple operational teams or different infrastructure management processes.

The following changes are recommended:

- Remove bullets 1 and 4 in section 2.3 of the Constitution: "Daily technical issues with eduGAIN" and "Preparing and publishing a Federation Operational Practice Statement for the eduGAIN interfederation Service."
- ADD a section 2.4 "Trust Broker Operations" with the wording as shown below.

"2.4 Trust Broker Operations

Each Technical Profile within eduGAIN will be associated with a trust broker role to support metadata exchange and technical interoperability between eduGAIN members for a specific technology. Operation of the trust broker for each technology profile MUST be assigned by the eduGAIN Executive Committee.

The Trust Broker Operator (TBO) is responsible for:
- Daily technical issues related to their Technical Profile.
- Reporting to and liaising with the central eduGAIN Operational Team (OT).
- Preparing and publishing a Federation Operational Practice Statement for their Technical Profile.
- Supporting appropriate member support requests via the OT."

Definitions of the Trust Broker Operator and Technical Profile should be added to the Constitution.

3.6 eduGAIN Practice Statements

In the current eduGAIN documentation, two eduGAIN Practice Statements are referenced: the Federation Operational Practice Statement for the eduGAIN interfederation service (mentioned in the Constitution) and the MDS Aggregation Practice Statement [MAPS] (mentioned in the existing Metadata Profile). To the knowledge of the authors, these documents have never been written.

It is now essential that these documents are created: as more and more federations join eduGAIN and publish entities, more and more questions about process are being asked. These Statements should address some of the issues with process discussed at recent eduGAIN SG meetings; https://wiki.edugain.org/EduGAIN_SG20150430 and https://wiki.edugain.org/EduGAIN_SG-2015Oct provide further background. As different technology profiles are introduced, it is important that the processes for operation via each profile be clearly addressed.

3.7 eduGAIN Profiles

The current eduGAIN profiles provide a range of guidance around the use of SAML within eduGAIN. To support the introduction of further technology profiles and to tidy up existing practice, the following recommendations are made:

- The existing Attribute Profile should be REMOVED as a normative document, as it is not felt to be helpful as a guidance document. It should be replaced with best practice advice on managing attributes. This should include references to the various Entity Categories and clear advice on how to manage scenarios where IdPs / federations provide different attribute sets. eduGAIN should work closely with REFEDS in creating this document.
- The existing Metadata Profile and WebSSO Profile should be combined into a single SAML Profile document for ease of management. The creation of this document would be a good opportunity to revisit the very limited set of MUST requirements and whether additional requirements for federations should be added.