These days federations are connecting to each other in inter-federation arrangements such as eduGAIN and Kalmar.

These first generation inter-federations, all, rely on the same architectural concept of a central Metadata aggregator. We are seeing multiple implementations of metadata aggregators:

• SimpleSAMLphp Aggregator
• Leif's saml-md-aggregator
• Chad's aggregator
• eduGAIN MDS from GÉANT2

These implementations are very unlikely to behave the same way. All those that have implemented or spent time thinking of aggregation of metadata has probably noticed that there are a bunch of special cases where there yet is not a well-defined expectation of what is correct.

Relying on a component in which the behaviour is not well-defined and understood may have security implications. It is also is desired that multiple implementation of the same role have equivalent, such that implementations can be used in the same infrastructure, and easily replacing each other.

With that background, the GÉANT3 Identity Federations working group, have started the work on a Basic Metadata Aggregator Profile, which is intended to define the basic expected behavior of an aggregator, being easily extendable. I do not expect that there at this moment is a consensus on this behavior; but the work with this profile might hopefully lead to that.

Let me introduce the first publicly available draft:

• Basic Metadata Aggregation Profile v0.1

The MDX lets an entity ask for the metadata of one particular entity.

Currently, this solves the scalability issue for the IdP, because it knows the entity ID (included in the authentication request), and it may use the MDX to extract metadata for the specific SP.

The same goes for the Service Provider, if it gets a message from the Discovery Service about which IdP the user wants, it may query a specifc IdP using MDX.

But... the discovery service would still need to know about the full list of identity providers. And for that, we are talking about a big chunk of XML.

My proposal would be that the metadata aggregator implements an additional access method in addition to the MDX, a simple REST based query protocol for listing all identity providers. The returned content should not be XML metadata (being overloaded with information meant for the SP and IdP, not the discovery service), it should not be XML at all, but JSON.

A lot of things are happening right now, in metadata land.

I'll try to include a lot of references for this article, letting it be a reference point for all the cool stuff that is going on in metadata land.

Let's start with the SAML 2.0 Metadata standard:

• SAML 2.0 Metadata (OASIS)

A really important extension is the Entity Attributes extension, which allows for generic key value pairs associated with entities.

• SAML 2.0 Metadata Entity Attributes

A useful document is published on how to embed keys, and some other restrictions on the use of metadata, to enhance interoperability. This is referred to from in.e. saml2int.

• SAML 2.0 Metadata Interoperability Profile

An important component in a many-to-many federation, is the IdP Discovery Service. Important here is the IdP Discovery Protocol:

• Identity Provider Discovery Service Protocol and Profile

An increasingly important component in cross-federation architectures are the central metadata aggregator. Right now, there are no well-defined fully distributed alternatives, at least that I am aware of, that could help us get rid of this central component that decreases security and reliability.

I've started working on an automated testing tool for validating behaviour of SAML 2.0 Service Provider implementations and deployments.

I've just started the work, and a public test user interface will be available later. For now, enjoy this video teaser...

<object width="960" height="540" type="application/x-shockwave-flash" data="/files/player.swf">
    <param name="movie" value="/files/player.swf" />
    <param name="flashvars" value="image=/files/fedlab_preview.jpg&amp;file=/files/fedlab_preview-Computer.m4v" />
    <img src="/files/fedlab_preview.jpg"  alt="Federation Lab"
         title="No video playback capabilities, please download the video below" />
</object>

I spent quite some effort on making this video playable on all modern browsers, iproducts, and using HTML5 at the same time. If you are not able to play the video, please let me know...

Feide OpenIdP is now live in a brand new version.

The source code is available as a module to SimpleSAMLphp (not part of the simpleSAMLphp distribution though).

• https://openidp.feide.no

The module is implemented by Thomas Graff, one of the members of the Feide team.

Feide OpenIdP allows self registration of users, self registration of SAML 2.0 SPs and supports OpenID.

The SAML XML XSD Schemas are large and be a bit complex to read through to get a good overview of the content of a SAML Request and Response. I've tried to summarize the essence of the schemas applied to an AuthnRequest and a typical Response.

• SAML 2.0 AuthnRequest (schema)
• SAML 2.0 Response (schema)

Here is an automatically updated list of available SAML 2.0 Service Providers, generated from a bunch of federations metadata exports:

• List of entitities