These first-generation inter-federations all rely on the same architectural concept: a central metadata aggregator. We are seeing multiple implementations of metadata aggregators:
- SimpleSAMLphp Aggregator
- Leif’s saml-md-aggregator
- Chad’s aggregator
- eduGAIN MDS from GÉANT2
These implementations are very unlikely to behave the same way. Anyone who has implemented, or spent time thinking about, metadata aggregation has probably noticed that there are a number of special cases for which there is not yet a well-defined expectation of what is correct.
Relying on a component whose behaviour is not well defined and understood may have security implications. It is also desirable that multiple implementations of the same role behave equivalently, so that they can be used in the same infrastructure and easily replace each other.
With that background, the GÉANT3 Identity Federations working group has started work on a Basic Metadata Aggregator Profile, which is intended to define the basic expected behaviour of an aggregator while being easily extendable. I do not expect that there is, at this moment, a consensus on this behaviour; but the work on this profile might hopefully lead to one.
Let me introduce the first publicly available draft: