UCTrust Metadata To List IdP Network Addresses

In order to use Shibboleth-based authentication for access to wireless networks, certain IP addresses of the guest's home institution's Identity Provider (IdP) system must be accessible before the authentication event.  This document describes an extension to the UCTrust Metadata for this.

Ensuring the Validity and Correctness of UCTrust Security Information describes UCTrust's management of federation-wide information, the authenticity of which must be verifiable by software processes.  Currently, one file, UCTrust-AAP.xml, is contained in the metadata to provide each campus's certifications for level of assurance.

The Proposal

Add a second file,

IdPAddresses.txt
, to the UCTrust metadata to list the IP addresses each IdP requires to be accessible.  This text file would have multiple lines, each line specifying one IP subnet that must be accessible in CIDR Notation.  Comment lines beginning with "#" are also allowed and will be used to indicate the UC location associated with a following list of address lines.  For example,

# [IdPAddresses].txt 2010-07-06-01
\#
# This file lists the IP addresses that must be accessible on the network to end-users in order to utilize
# Shibboleth [IdPs] within UCTrust.
\#
# UC Berkeley
128.32.177.0/24
128.32.203.0/24
# UC Davis
128.120.211.128/25
128.120.210.233/32
2001:DB8::/48
# UC Irvine
...

Processing Requirements