InCommon Metadata Health Checks: What’s Up With That?

Mar 21, 2018, by Nicholas Roy
Tags: InCommon Federation, Recent Posts, Trust & Identity

On Monday, February 19th, InCommon sent 629 messages to Site Administrators and Executives whose metadata published in the InCommon Federation does not meet the requirements of InCommon’s new community-built Baseline Expectations program. In these health check emails, we gave each organization a view of their published metadata and how it aligns with the requirements of Baseline Expectations for metadata elements. Within two weeks, we have seen a marked improvement in the quality of InCommon Federation metadata.

Here is a snapshot of how things looked before we sent the email (on January 1, 2018) and how they looked after (on March 5, 2018):

Some of these elements have seen a significant improvement in quality. We saw a large improvement in the percentage of IdPs and SPs that meet all of the Baseline Expectations related to metadata. We also saw a relatively smaller improvement across the individual metadata elements. All of this tells us that many entity descriptors in metadata are fairly easy to correct, and that’s great news.

However, we still have a very long way to go to reach the goal of 100% compliance with Baseline Expectations. Barely over 2% of IdPs and just under 10% of SPs meet the requirements. Metadata user interface elements for IdPs are particularly important, given that users depend on those elements to pick the correct IdP from the global list of more than 2,600 IdPs! Historically, many sponsored partners have not paid a lot of attention to sources of information such as the InCommon participants list or our inc-ops-notifications list. It is important for organizations that depend on these SPs to reach out to them and let them know that you care about the quality of their metadata as well.

InCommon strongly encourages all Site Administrators to act on their monthly health check emails, and strive for 100% of their entities to meet expectations. If you want to test your own (or others’) metadata sooner than the next scheduled send date, you can use the process outlined in our wiki.

Please also remember that Baseline Expectations is about more than just metadata elements. It has requirements for "generally-accepted security practices", which means keeping your SAML software and related components up to date. There are currently 80 deployments of Shibboleth IdP v2.x in InCommon, and that version has been end-of-life for almost two years. Security vulnerabilities such as this example are reason enough for those sites to upgrade. In the coming months, sites that are found to have security flaws or other aspects that do not comply with Baseline Expectations will be removed from the InCommon metadata using a community-developed process, governed by the InCommon CTAB and InCommon Steering.

Please help your federating partners to use the infrastructure more effectively by doing a self-assessment of your organization’s baseline expectations posture, today.