What is your security incident response policy or procedure to enable coordinated response across federation members?
| Organisation | Federation | Answers |
|---|---|---|
| AAF - Australian Access Federation | Australian Access Federation (AAF) | Currently under development |
| AAI@EduHr | AAI@EduHr | upon incident AAI@EduHr team coordinates activity with CERT team(s) |
| ACOnet | eduID.at | None so far |
| iAMRES | ||
| ARNES | ArnesAAI Slovenska izobraževalno raziskovalna federacija | We use federation mailing list and customer portal to coordinate if a coordinated resposne is needed. |
| Belnet | ||
| CANARIE | Canadian Access Federation | Contact tickets@canarie.ca with request to create a ticket and commence processing the request. |
| CESNET | eduID.cz | We have CESNET-CERTS team and a mailing list where all IdP/SP admins are reachable. |
| DFN | DFN-AAI | dedicated mailing lists, ticket system |
| EENet | TAAT | |
| Funet | Haka | Federation helpdesk initiated |
| GARR | IDEM | IdPs and SPs must keep log files for a minimum of six months. Members are expected to investigate and resolve security problems, in collaboration with IDEM and GARR-CERT. |
| HEAnet | Edugate | none |
| Internet2 | InCommon | None |
| Janet (UK) | UK Access Management Federation | Not formalised. |
| KREONET | KREONET Access Federation | We don't have yet. |
| LITNET | LITNET FEDI | all security incidents have to be reported to incident response team LITNET CERT |
| NII | GakuNin | Not clearly defined yet |
| NIIF/HUNGARNET | HREF / eduID.hu; not a formal body, thus no formal name | best effort |
| RedIRIS | SIR | None yet |
| RENATER | Federation Education Recherche | Our CERT + best effort of the federation team |
| REUNA | COFRe | Email contact |
| RNP | Comunidade Acadêmica Federada (CAFe) | Vulnerability analysis and update patches. |
| SUNET | SWAMID | We have mailing lists to reach out to IdP:s. We also have a contact list for SP:s |
| SURFnet | SURFconext | Alert mailing-list, blocking SPs or/and IdPs when there is a high risk security incident. |
| SWITCH | SWITCHaai | No formalized policy or procedure yet. |
| UNINETT | Feide | Handled through UNINETT CERT |
What are your drivers and concerns regarding eduGAIN?
| Organisation | Federation | Answers | How to Address? | ||
|---|---|---|---|---|---|
| AAF - Australian Access Federation | Australian Access Federation (AAF) | Identities beyond the AAF Boarders, Research Services, Lack of a support model | |||
| AAI@EduHr | AAI@EduHr | low interest of SPs | More central communication with SPs? | ||
| ACOnet | eduID.at | Convincing institutions to adopt Entity Categories, separating metadata availability from attribute release (IDPs) and access control (SPs) | Attribute release / entity categories work | ||
| AMRES | iAMRES | ||||
| ARNES | ArnesAAI Slovenska izobraževalno raziskovalna federacija | Missing list of interesting applications that could be used to endorse eduGAIN for our organizations. | More central communication with SPs? | ||
| BELNET | Belnet R&E Federation | Need a clear repository of the SP's offers (content, target public, etc.) | |||
| CANARIE | Canadian Access Federation | Clarity around how to describe 'equivalence' of entities in eduGAIN to our community | Pushing standardisation of MRPS | ||
| CESNET | eduID.cz | We are concerned about released attributes, but that could be solved by R&E entity category as we hope. | Attribute release / entity categories work | ||
| DFN | DFN-AAI | scalability (number of entites in downstream metadata) | |||
| EENet | TAAT | ||||
| Funet | Haka | Home organisations haven't yet had need to export their IdP to eduGain due to small amount of SPs. Users don't yet have real use cases for international federated log in. Adoption from big international SP would help (e.g. Kivuto OnTheHub, which is basically Microsoft Webshop) | More central communication with SPs? | ||
| GARR | IDEM | Drivers: IdP opt-out. Concerns: also if metadata are in place on both sides, this is not enough to make the service working | Addressing inconsistent metadata management practices | ||
| HEAnet | Edugate | test and private entities bloating eduGAIN metadata, we've had to increase memory allocations in Shibb IdP on a number of occasions (2.5GB but this may not be enough) | Encouraging sensible opt-out for entities. | ||
| Internet2 | InCommon | Interfederation via eduGAIN is our highest priority | |||
| Janet (UK) | UK Access Management Federation | Stability of MDS and adherence to SAML standards. | |||
| KREONET | KREONET Access Federation | driver: increasing KREONET uptake, issue: Korean government's security policy | |||
| LITNET | LITNET FEDI | - | |||
| NII | GakuNin | Consistency of policy, no details on the provider list | Pushing standardisation of MRPS, More central communication with SPs? | ||
| NIIF / HUNGARNET | HREF / eduID.hu; not a formal body, thus no formal name | ||||
| RedIRIS | SIR | Attribute set used by IdPs is minimum. A conversion from PAPI two SAML2int have to be done. | Attribute release / entity categories work | ||
| RENATER | Federation Education Recherche | We would like to get a benchmark of SP enrollment practices in the different federations | MRPS and see work on REFEDS wiki | ||
| REUNA | COFRe | eduGAIN member | |||
| RNP | Comunidade Acadêmica Federada (CAFe) | We are integrated into eduGAIN using and disseminating various services (SP's) for IdP's of CAFe. Furthermore, we would like to include a service provider in eduGAIN and help develop the international code of conduct. | ICoCo | ||
| SUNET | SWAMID | We have opt out for IdPs and recommend all IdPs to be present in edugain. | Standardising for opt-out for IdPs | ||
| SURFnet | SURFconext | 1. We have extensive documentation on edugain available for our federation members. 2. We use a hybrid architecture for eduGAIN. Dutch SP's should connect in mesh to non-SURFconext IdP's and they are not used to this. 3. We have strict policies for our (commercial) SP's and Code of Conduct is less strict. We don't know yet how we can have both policies within one federation. 4. We encourage our IdP's to be part of eduGAIN, but we don't push them. 5. We think it is a problem that eduGAIN IdPs are listed in all WAYFs of eduGAIN SPs and get access denied at 99% of them. | Need to understand and explore point 3 with Surfnet. | ||
| SWITCH | SWITCHaai | SPs of interest to our community slowly start driving the interest. Interoperability issues due to misconfigured entities (SP listed in eduGAIN but not consuming metadata or SP not in eduGAIN but listing interfered IdPs in discovery) | |||
| UNINETT | Feide | Attribute release policies, opt-in model making it difficult for SPs to get noticed. | |||