
SAML Trust Relationship: Multi-Party Federation Metadata Re-Design #310

Closed
nynymike opened this issue Jul 26, 2016 · 10 comments
Comments

@nynymike (Contributor) commented Jul 26, 2016


The old federation page has a bad design... It just crashed my browser session because the page became unresponsive.

The InCommon metadata aggregate is now a 36MB XML file; it used to be 10MB. I think it's breaking down due to the fact that the InCommon federation started including European federations (interfederation with eduGAIN). Even before this the federation page was slow.

Here are my suggestions:

  1. Add a new select box called Entity Type with values "Single SP" and "Federation / Aggregate"
  2. If Entity Type "Federation / Aggregate" is selected in the Metadata Location input, the form fields for "SP Logout URL", "Configure RP", "Enable InCommon R&S" and "Released" should be hidden in the form view.
  3. If Entity Type "Federation / Aggregate" is selected, remove the Entity Location drop down values "Generate" and "Federation"
  4. Change label "Metadata Type" to "Metadata Location"
  5. Check that federation / aggregate validation happens in the background.
@nynymike nynymike added bug enhancement libs update, re-factroring, etc. High Priority labels Jul 26, 2016
@nynymike nynymike added this to the CE 2.4.5 milestone Jul 26, 2016
@nynymike nynymike assigned shekhar16 and unassigned yurem Aug 26, 2016
@nynymike (Contributor, Author) commented

Shekhar, this is urgent. Many of our university customers use Federation metadata, and it's totally not working to either import, or use to create, a trust relationship. We're going to need to find a way to parse this file on the server side, and use some communication with the browser to enable selection.

shekhar16 pushed a commit that referenced this issue Aug 29, 2016
@shekhar16 (Contributor) commented

Mike, all UI issues are done. Please let me know about
5. Check that federation / aggregate validation happens in the background.

@yurem (Contributor) commented Sep 9, 2016

Regarding point 5. Yes, validation happens in an independent process on the server.
But I think there are 2 design problems additionally:

  1. On TR save the server is trying to download this metadata file fully. As a result the user is waiting at least one minute... I believe we can move this to the validation process. On TR save we should check if the remote resource exists and cancel downloading it.
  2. The TR page with this metadata is very big: http://md.incommon.org/InCommon/InCommon-metadata.xml
    I get a server error after some time. We should not load all federation URLs on TR load. We should use filters. Once the user enters a keyword we should load only the URLs which conform to this filter. This will make the UI more user friendly.

@nynymike (Contributor, Author) commented Sep 9, 2016

I have one more concern on validation. Note, that is an http url... if you read the Metadata Aggregates page, you'll notice:

All metadata aggregates are signed using the same metadata signing key and the SHA-256 digest algorithm. To verify the signature on an aggregate, a consumer must obtain an authentic copy of the InCommon Metadata Signing Certificate.

We need a form field where the admin can specify the URL of the signing certificate.
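
The two server-side pieces discussed in this thread, yurem's "parse on the server and filter by keyword instead of loading every entity into the page" and nynymike's "pin the aggregate to the admin-supplied signing certificate before trusting metadata fetched over http", as one added example. This is illustrative code written for this issue, not oxTrust code and not anything anyone in the thread posted. It assumes a small constructed aggregate embedded inline (not real InCommon metadata; the certificate is a placeholder byte blob, so its SHA-256 is only a stand-in for a real trust-anchor fingerprint). It stream-parses the aggregate with `iterparse` so memory stays flat for a 36MB file, rejects an expired or unsigned aggregate, rejects one whose embedded signing certificate does not match the configured fingerprint, and returns a keyword-filterable index of SP entityIDs and display names.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from io import BytesIO

# Real SAML metadata / XML-DSig / MDUI namespaces.
MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
MDUI_NS = "urn:oasis:names:tc:SAML:metadata:ui"

# Constructed sample aggregate. The certificate is a placeholder blob, not a
# real DER certificate; the fingerprint pinned below is simply its SHA-256.
PLACEHOLDER_CERT_DER = b"placeholder-der-bytes-not-a-real-certificate"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode()

SAMPLE_AGGREGATE = f"""<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" xmlns:mdui="{MDUI_NS}"
    Name="urn:example:federation" validUntil="2099-01-01T00:00:00Z">
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:EntityDescriptor entityID="https://sp.library.example.edu/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo><mdui:DisplayName xml:lang="en">Example Library Portal</mdui:DisplayName></mdui:UIInfo></md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://hr.vendor.example.com/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
""".encode()


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 fingerprint (lowercase hex) of a base64-encoded DER blob."""
    return hashlib.sha256(base64.b64decode(b64_der.strip())).hexdigest()


def index_aggregate(xml_bytes: bytes, trusted_fingerprint: str, now=None) -> dict:
    """Stream-parse an aggregate and return {entityID: displayName} for SPs only.

    Raises ValueError if the aggregate is expired, unsigned, or signed with a
    certificate other than the configured trust anchor. Each EntityDescriptor
    is cleared after it is indexed so a large file never sits fully in memory.
    """
    now = now or datetime.now(timezone.utc)
    index = {}
    signature_checked = False
    for event, elem in ET.iterparse(BytesIO(xml_bytes), events=("start", "end")):
        if event == "start":
            # Attributes are available at the start event; check expiry early.
            if elem.tag == f"{{{MD_NS}}}EntitiesDescriptor" and "validUntil" in elem.attrib:
                expiry = datetime.strptime(elem.attrib["validUntil"], "%Y-%m-%dT%H:%M:%SZ")
                if expiry.replace(tzinfo=timezone.utc) < now:
                    raise ValueError(f"aggregate expired at {elem.attrib['validUntil']}")
            continue
        if elem.tag == f"{{{DS_NS}}}Signature" and not signature_checked:
            # The document-level Signature is the first child, so it ends first.
            cert = elem.find(f".//{{{DS_NS}}}X509Certificate")
            if cert is None or cert_fingerprint(cert.text or "") != trusted_fingerprint.lower():
                raise ValueError("signing certificate does not match the configured trust anchor")
            signature_checked = True
        elif elem.tag == f"{{{MD_NS}}}EntityDescriptor":
            if elem.find(f"{{{MD_NS}}}SPSSODescriptor") is not None:
                name = elem.find(f".//{{{MDUI_NS}}}DisplayName")
                index[elem.attrib["entityID"]] = name.text if name is not None else ""
            elem.clear()  # release the subtree; keeps memory flat on big aggregates
    if not signature_checked:
        raise ValueError("aggregate is unsigned; refusing to trust metadata fetched over http")
    return index


def filter_entities(index: dict, keyword: str) -> list:
    """Case-insensitive keyword match on entityID or display name; this is the
    server-side filter that backs the UI instead of sending every entity."""
    kw = keyword.lower()
    return sorted(eid for eid, name in index.items() if kw in eid.lower() or kw in name.lower())


if __name__ == "__main__":
    trusted = cert_fingerprint(PLACEHOLDER_CERT_B64)  # would come from the admin form field
    sps = index_aggregate(SAMPLE_AGGREGATE, trusted)
    print(filter_entities(sps, "library"))
```

Pinning the embedded certificate is only the trust-anchor step: it stops an aggregate signed with some other key from being accepted, but it does not verify the XML-DSig signature over the content itself. For that the server must run a real XML Signature verification (for example with python-xmlsec or signxml in Python, or the Shibboleth metadata providers on the Java side) against the same pinned certificate; an http fetch without signature verification gives no integrity at all.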

shekhar16 pushed a commit that referenced this issue Sep 11, 2016
@shekhar16 (Contributor) commented Sep 13, 2016

Instead of downloading metadata at validation time, I created a new thread when we are saving the TR.
Any suggestions....

@nynymike (Contributor, Author) commented

I think it makes sense to download and validate in the background.

@shekhar16 (Contributor) commented

#349

@yurem (Contributor) commented Oct 4, 2016

Fix looks fine now

@nynymike (Contributor, Author) commented

We need to align with Shib IDP v3. It's unfortunate, but some changes were bound to get caught in the middle of the migration.
