SWITCHaai Resource Registry
The Resource Registry is a tool developed by SWITCH to manage information about Resources and Home Organizations participating in SWITCHaai, the so-called Federation Metadata.
Its intended audience is Resource and Home Organization Administrators.
It is accessible via https://rr.aai.switch.ch/ and requires a SWITCHaai enabled account.
Information about the use of the Resource Registry can be found in the AAI Resource Registry Guide. This guide is meant as a complementary source of information that extends the examples and instructions on the Resource Registry itself.
Purpose
The Resource Registry serves multiple purposes:
Federation Metadata can be generated
Based on the information collected, the crucial Federation Metadata files for the Identity Providers as well as the Service Providers get generated.
Each Identity Provider needs to know all potential Service Providers with whom it should communicate, and vice versa.
Each Identity Provider has to maintain an Attribute Release Policy (ARP) configuration. The Resource Registry provides them with tailored templates for attribute release.
Resources declare their Attribute Requirements
Within its entry in the Resource Registry, a Resource Administrator specifies which attributes the Resource needs to get for a user in order to provide access. In addition, attributes that are desired but not strictly needed can be listed.
Desired attributes should provide additional benefit to justify their use.
The data protection principle counts: Process only data which is really necessary!
Resources declare the Intended Audience
A Resource Administrator can also specify to which audience the Resource is of interest, i.e. from which Home Organizations it will accept users.
For example, if a Resource is only of interest to medical students, there is no point in adding that Resource to the metadata of the universities of applied sciences.
However, it is still the duty of the Resource to configure its authorization rules properly! The intended audience only limits which Identity Providers learn about the Resource; it does not replace access control at the Resource.
Federation Members can control Resources in their Domain
Each Resource needs to get approved before its entry in the Resource Registry gets activated. Each Home Organization approves Resources from its domain and from Federation Partners it sponsors. It delegates this control to a number of people who act as 'Resource Registration Authority Administrators' for the Home Organization.
They get an alert by e-mail whenever approval is required for a new Resource or for changes to an existing Resource entry.
Identity Providers declare which Attributes they support
Not all of the attributes specified for SWITCHaai are mandatory to implement. The Identity Providers can document in their Resource Registry entry which ones are implemented and potentially available to Resources.
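The three mechanisms above (ARP templates, declared attribute requirements, and the attributes an Identity Provider documents as implemented) meet in the Federation Metadata. The following Python script is an added example, not code from the Resource Registry or from SWITCH, that shows how they fit together on the metadata side: it parses a constructed SAML 2.0 metadata fragment in which each Service Provider lists its attributes as md:RequestedAttribute elements (isRequired="true" for required ones, the rest desired), intersects each request with a hypothetical set of attributes the IdP has documented as supported, and reports the attributes the IdP should release per Resource as well as any required attribute it cannot supply. The entity IDs, service names and IDP_SUPPORTED set are constructed sample data; only the md: element names and the attribute OIDs are standard.

```python
"""Added example (not SWITCH's Resource Registry code): derive an IdP's
per-Resource attribute release from the requirements Service Providers
declare in SAML 2.0 metadata. All entity IDs, service names and the
IDP_SUPPORTED set below are constructed sample data."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample Federation Metadata: two SPs, each declaring which
# attributes it requires (isRequired="true") and which it merely desires.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Example Library Portal</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            FriendlyName="eduPersonPrincipalName" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
            FriendlyName="eduPersonAffiliation" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:0.9.2342.19200300.100.1.3"
            FriendlyName="mail" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Example Lab Booking</md:ServiceName>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
            FriendlyName="eduPersonPrincipalName" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
            FriendlyName="eduPersonEntitlement" isRequired="true"/>
        <md:RequestedAttribute Name="urn:oid:2.5.4.42"
            FriendlyName="givenName" isRequired="false"/>
        <md:RequestedAttribute Name="urn:oid:2.5.4.4"
            FriendlyName="sn" isRequired="false"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed: the attributes this (hypothetical) IdP has documented as
# implemented. Note that eduPersonEntitlement is deliberately absent.
IDP_SUPPORTED = {"eduPersonPrincipalName", "eduPersonAffiliation", "mail",
                 "givenName", "sn"}


def parse_requirements(metadata_xml):
    """Return {entityID: {"required": set, "desired": set}} for every
    entity that carries an SPSSODescriptor. Attributes are keyed by
    FriendlyName, falling back to the OID-based Name if none is given."""
    root = ET.fromstring(metadata_xml)
    requirements = {}
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if entity.find(f"{{{MD_NS}}}SPSSODescriptor") is None:
            continue  # an IdP or other entity, declares no requirements
        required, desired = set(), set()
        for attr in entity.iter(f"{{{MD_NS}}}RequestedAttribute"):
            name = attr.get("FriendlyName") or attr.get("Name")
            # isRequired defaults to false when the attribute is omitted.
            if attr.get("isRequired", "false").lower() == "true":
                required.add(name)
            else:
                desired.add(name)
        requirements[entity.get("entityID")] = {
            "required": required, "desired": desired}
    return requirements


def release_policy(requirements, supported):
    """For each SP, release only what it asked for AND the IdP supports
    (data minimisation), and flag required attributes the IdP lacks, since
    such a Resource will not work for this IdP's users."""
    policy = {}
    for entity_id, attrs in requirements.items():
        asked = attrs["required"] | attrs["desired"]
        policy[entity_id] = {
            "release": asked & supported,
            "missing_required": attrs["required"] - supported,
        }
    return policy


if __name__ == "__main__":
    for sp, entry in release_policy(parse_requirements(SAMPLE_METADATA),
                                    IDP_SUPPORTED).items():
        print(sp)
        print("  release:         ", sorted(entry["release"]))
        print("  missing required:", sorted(entry["missing_required"]))
```

Run as a script, it prints the release set for each SP; the second SP shows up with eduPersonEntitlement under "missing required", which is exactly the situation an IdP administrator should notice before users of that Home Organization hit the Resource. In a real deployment, the output of release_policy would be turned into the IdP's attribute-filter rules rather than printed.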
Screencast of how to register a Resource
We created a screencast that demonstrates how to register a resource, which may be useful for first-time users of the Resource Registry.
Alternatives
SWITCH used to make the code of the Resource Registry available to interested parties on request. However, nowadays there are newer and better alternatives, which are more generic and better suited for use in different federations. This is in contrast to the Resource Registry, which has never been a public open source project, has never been intended to be a generic federation registry, and was specifically custom-tailored for SWITCHaai.
We therefore recommend having a look instead at Jagger, a federation registry developed by our Irish colleagues at HEAnet, or at the AAF Federation Registry 2, developed by our Australian colleagues at AAF. Both tools initially used concepts very similar to those of the Resource Registry but have evolved over the years into independent open source projects.
Further alternatives, which use quite different approaches and concepts, are the SimpleSAMLphp-based Janus registry and the UK federation Metadata Toolchain, a comprehensive set of scripts to administer and generate metadata.