Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Add/Remove metadata (endpoint) for the entire federation
    • SSP: feeds into the configuration of Metarefresh
    • SaToSa: ?
  • Add/Remove metadata (endpoint) for individual SPs/IdPs

Relation

...

Management

  • Select a SP to make it 'active'
    • Attribute Release Policy - Only allow REFEDs entity categories (anoymousanonymous, pseudononymouspseudonymous, personalized, R&S)
  • Select an IdP to make it 'active'
    • Requested attributes - Select which entity category to request.

...

Setup user facing aspects of proxy

  • Displayname,
  • Supported entity categories
  • Logo


Features for

...

a Later Version

Assumptions

...

  • We assume the number of connected entities is less than X (<50)

Open Question

...

  • Do we have 1 entity endpoint (so only the whole proxy), or do we publish separate endpoints for each and every entity we have connected?

Proposed

...

Features

To be prioritised for an MVP

...

  • Local accounts and roles? Or a single locally-managed admin user?

Entity management

  • Configuration of SAML IdP
    • Select entity which exist based on federation metadata
  • Configuration of SAML SP
  • Configuration of OIDC OP
  • Configuration of OIDC RP
  • Generic entity configuration management
    • Export/import of config items/entities
    • Copy/delete (copy as poor man's versioning, should it also work on groups of items)
    • Editing of entities in the GUI (common configuration items, protocol specific features)
    • Raw config edit
      • Is the GUI a facade that allows only basic configuration for beginners? If so, how do we represent more complicated valid configs that were created manually?
      • What happens if the config is broken by the user's manual changes? Display an error in the GUI and allow rollback to the previous version?
    • Apply config
    • Git config save
    • Generic post processor for configs (, could be used to implement (config configuration deployment and activation and Git push)
  • Management of individual IDPs/Authorisation Servers/OPs and SPs/RPs/clients within the proxy (naming - "client" is more an Oauth2 term and too overloaded)SP proxy
  • Config checks (could also be one of the post-processors)
  • Versioning
  • Rollback from Git (Git config restore)
  • Topology graph
  • Management of multiple proxy instances
  • Management of proxy (related) data for individual entities
  • Entity lifecycle (expressed as states in the GUI? - what is the consequence of being in a certain state?)
    • Draft
    • Test
    • Production
    • Support for parked entities/configs
    • Logically deleted

...

  • GUI for internal admin of the proxy (for key internal settings apart from managed services' configs)
  • Federation/eduGAIN support
  • Additional support for federated identity management - what specifically?
  • API to access/edit service configuration/history???
  • Validation of encryption and signatures of entities and their messages
  • Enforcement of authentication and authorization authorisation policies - defined locally or by IdPs?
  • Integration with MFA by the proxy
  • Reporting and analytics - (sounds like an expansion of auditing - correctly chosen audit data and format might make this easier)
    • Statistics
    • Issues
    • Events/logs
  • Step back/forward during config changes (Step-by-step wizard for adding a new entity/item)
  • Dynamic updates to the configuration without requiring a full restart of the proxy service (GUI is apart from proxy services)

...

Key concepts and their (alternative) names

Proxy

Entity

Configuration

IDP/Authorisation Server/OP

SP/RP/client

These suggestions are for now mostly SAML flavoured to suit the target users:

  • Identity provider - IdP or OP (OpenID Provider), while Authorisation Server is a more specific role
  • Service provider - SP or RP/client ("client" is rather an OAuth2 term and is too overloaded)
  • Entity - Identity provider or service provider
  • Identity proxy - For now this, or "SP proxy", not "proxy" nor "client proxy". Consider "Identity Broker" to make this more general?
  • Configuration - settings (in a text file, optionally in a GUI) for an identity provider, service provider or SP proxy
  • Identity Federation - technical and organisational arrangement connecting multiple identity providers (IdPs) and service providers (SPs) to allow users to authenticate and access resources across different domains with a single set of credentials.

  • ...

Consider whether to use separate terminological  - do we want to use separate "branches" for OIDC/SAML - specific names or conflate them into our a unified terminology?...