Current situation or problem:
FOLIO currently requires manual coordination of a one-to-one trust relationship every time a new FOLIO SP is brought up or an old one is taken down, and again whenever either the SP or the IdP updates its metadata. Instead, provide basic support for the major higher-education SAML federations such as InCommon and/or eduGAIN, so that trust is established through the federation's signed metadata aggregate and the manual one-to-one coordination can stop.
- Configure the FOLIO SP with the URI of the federation metadata aggregate and the entityID of the campus IdP, and use those two values to locate that IdP's EntityDescriptor in the aggregate and configure its metadata (SSO endpoints and signing certificates) from it. The aggregate's signature should be verified against the federation's published signing key before any entity in it is trusted.
- Periodically re-check the federation metadata and automatically bring in updates to the IdP's entry. The checking interval should be configurable, since refresh policies differ between federations, and it should never exceed the validUntil and cacheDuration limits published in the aggregate itself.
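The two steps above, as an added illustration (not FOLIO code, and not an InCommon or eduGAIN artifact): a small Python module that takes a federation metadata aggregate plus the configured entityID, extracts only that IdP's SingleSignOnService endpoints and signing certificates, ignores every other entity, and derives the next refresh time from the configured interval capped by the publisher's cacheDuration and validUntil. The aggregate embedded below is constructed for the example; the entityIDs, endpoints and certificate text are placeholders. Signature verification of the aggregate is deliberately left to an XML-DSig library (for example xmlsec) and must happen before this code is given the document.

```python
"""Pick one IdP out of a SAML federation metadata aggregate and decide when
to re-fetch the aggregate.  Added example, not FOLIO's implementation."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample aggregate: two IdPs, a placeholder signature and a
# placeholder certificate.  Not real federation metadata.
SAMPLE_AGGREGATE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation"
    validUntil="2030-01-01T00:00:00Z" cacheDuration="PT6H">
  <ds:Signature>PLACEHOLDER - verify with xmlsec before use</ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIBexampleCERT==</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://other.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://other.example.org/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# xs:duration subset actually seen in cacheDuration: days, hours, minutes, seconds
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(value):
    """Parse e.g. 'PT6H' or 'P1DT12H' into a timedelta."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_instant(value):
    """Parse an xs:dateTime such as 2030-01-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_idp(aggregate_xml, entity_id):
    """Return only the configured IdP's SSO endpoints and signing certificates.

    Every other entity in the aggregate is ignored.  An entityID that is not
    present is an error, never a fallback to some other IdP.
    """
    root = ET.fromstring(aggregate_xml)
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        # entityID is a URI: compare exactly and case-sensitively.
        if ed.get("entityID") != entity_id:
            continue
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            raise ValueError(f"{entity_id} has no IDPSSODescriptor")
        sso = {e.get("Binding"): e.get("Location")
               for e in idp.findall("md:SingleSignOnService", NS)}
        certs = []
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor without a use attribute is valid for signing too.
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join(cert.text.split()))  # drop base64 line breaks
        return {"entity_id": entity_id, "sso": sso, "signing_certs": certs}
    raise KeyError(f"{entity_id} not present in aggregate")


def next_refresh(aggregate_xml, configured_interval, now):
    """Time of the next aggregate fetch: the configured interval, but never
    later than the publisher's cacheDuration or validUntil.  An aggregate
    whose validUntil has passed must not be used at all."""
    root = ET.fromstring(aggregate_xml)
    candidates = [now + configured_interval]
    cache_duration = root.get("cacheDuration")
    if cache_duration:
        candidates.append(now + parse_duration(cache_duration))
    valid_until = root.get("validUntil")
    if valid_until:
        expiry = parse_instant(valid_until)
        if expiry <= now:
            raise ValueError(f"aggregate expired at {valid_until}")
        candidates.append(expiry)
    return min(candidates)


if __name__ == "__main__":
    idp = select_idp(SAMPLE_AGGREGATE, "https://idp.example.edu/idp/shibboleth")
    print(idp)
    print(next_refresh(SAMPLE_AGGREGATE, timedelta(hours=24),
                       datetime.now(timezone.utc)))
```

The refresh rule is the part worth copying: a configured interval of, say, 24 hours is only an upper bound, because the aggregate's own validUntil marks the point after which the federation no longer vouches for its contents, and continuing to trust a stale copy is exactly the failure federation metadata is meant to prevent.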
Out of scope:
- Authenticating users from any IdP in the federation other than the one specifically configured.
- Support for authentication against multiple IdPs.
Proposed solution/stories (optional):
Links to additional information:
- SAML V2.0 Implementation Profile for Federation Interoperability
- Best practices when consuming InCommon metadata
- Federation best practices - InCommon Federation
- How to implement basic identity federation