Info

This article is a work in progress.


Introduction

Skolfederation is a member of Skolverket's interfederation FIDUS. This article provides an overview of the technical integration between Skolfederation and FIDUS, which gives school organizers access to services provided within FIDUS by other member federations, such as Skolverket's digitized national tests (DNP). We often receive questions about why schools cannot log in to a FIDUS service such as the DNP verification tests, or why the school IdP does not show up in the FIDUS Discovery Service (DS). The article addresses these common issues, in particular the delayed appearance of an Identity Provider (IdP) in the FIDUS DS. A key factor in these delays is that several systems have to publish and synchronize the latest federation metadata to establish the interfederation trust required for a successful login attempt.

The article introduces Approximate Maximum Update Time (AMUT) as a guideline for the maximum expected waiting time for an IdP change to propagate within FIDUS and other FIDUS member federations. AMUT values vary depending on the receiving service provider, with times ranging from 30 minutes for the FIDUS DS to over three hours for services like Beda. These estimates, current as of November 2024, help schools understand the timing and sequencing involved in metadata updates, ensuring smoother access to FIDUS services.

Resources

Approximate metadata update times

| Metadata | Receiving service provider | Approximate maximum update time (AMUT) |
|---|---|---|
| IdP uploaded in Skolfederation | https://skolverket.eduid.se/dnp/sp/ | 1 h 45 min |
| IdP uploaded in Skolfederation | FIDUS Discovery Service | 1 h 30 min |
| IdP uploaded in Skolfederation | https://betyg.uhr.se/beda-inrapportering | 4 h 15 min |

Please note that the AMUT values provided are as of November 2024 and are estimates. While systems typically update faster than these maximum values, unforeseen factors not documented here may occasionally cause delays. 

The above values have been calculated in dialogue with SUNET and UHR. Below is a detailed explanation of the metadata flow and of how the AMUT values are calculated in general.

Upstream IdP metadata flow

The following diagram describes the flow of metadata for IdPs uploaded to Skolfederation.

 

Each step below lists: Step and variation, Action, Approximate maximum update time (AMUT), Metadata URL, Comment.

Step A
Action: A Skolfederation member uploads their IdP metadata to either the production or the trial environment, and the IdP metadata is added to that environment's upstream feed.
Approximate maximum update time (AMUT): AMUT = 15 minutes
Metadata URL: Upstream feeds:
  Production: https://fed.skolfederation.se/prod/md/skolfederation-idp-1_0.xml
  Trial: https://fed.skolfederation.se/trial/md/skolfederation-trial-idp-1_0.xml
Comment: If the IdP is visible in the corresponding upstream feed after 15 minutes, the metadata publication in Skolfederation is OK.
Note that the metadata is published to AWS and presented using the CloudFront CDN, which means that old metadata could be cached for longer than 15 minutes, increasing the AMUT.

Step B.1
Action: FIDUS downloads the IdP upstream feed and updates the FIDUS IdP feed.
Approximate maximum update time (AMUT): 60 minutes. AMUT = A + 75 minutes
Metadata URL: FIDUS IdP feed:
  https://md.fidus.skolverket.se/role/idp.xml
Comment: If the IdP is present in the FIDUS IdP feed after AMUT 15 + 75 minutes, FIDUS has successfully retrieved and published the IdP metadata.
If the IdP is not present, FIDUS may have problems updating its metadata.

Step B.2
Action: The FIDUS Discovery Service downloads the IdP upstream feed and updates.
Approximate maximum update time (AMUT): AMUT = A + 75 minutes
Comment: If the IdP is visible in the FIDUS DS after AMUT 15 + 75 minutes, the FIDUS DS has successfully retrieved and updated its metadata.
If the IdP is not present, the FIDUS DS may have problems updating its metadata or service.
Important: The FIDUS DS has a shorter AMUT value compared to Beda and DNP. This means that even if your IdP appears in the FIDUS DS after 90 minutes, you will still need to wait until the service provider is updated (see step C.2 or D below).

Step C.1
Action: A FIDUS member federation downloads the FIDUS IdP feed and publishes it in the member federation metadata.
Approximate maximum update time (AMUT): AMUT = A + B.1 + up to each federation's metadata update settings
Metadata URL: FIDUS member federation metadata feed if applicable (not documented here)
Comment: If the IdP is present in the FIDUS member federation feed after AMUT 15 + 75 + member federation update time, the member federation has successfully retrieved and published the IdP metadata.
If the IdP is not present, the FIDUS member federation may have problems updating its metadata from the FIDUS IdP feed.

Step C.2
Action: In some cases, such as Skolverket's DNP and other entities from Skolmyndighetsfederationen, the SP downloads IdPs directly from the FIDUS IdP feed and updates.
Approximate maximum update time (AMUT): AMUT = A + B.1 + up to each service's metadata update settings
Metadata URL: Not applicable
Comment: Not feasible to document as the update time is up to each service.
Usually, at this point, a login with the IdP to the SP is performed to test whether the SP is updated.

Step D
Action: A FIDUS member federation service provider (SP 1) downloads its federation metadata and updates.
Approximate maximum update time (AMUT): AMUT = A + B.1 + C.1 + up to each service's metadata update settings
Metadata URL: Not applicable
Comment: Not feasible to document as the update time is up to each service.
Usually, at this point, a login with the IdP to the SP is performed to test whether the AMUT is complete.

Step E
Action: Other update procedures and variations in the application which may add additional update time.
Approximate maximum update time (AMUT): Varies by service, if applicable
Metadata URL: Not applicable
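
The presence checks described for steps A and B.1 can be scripted. The following is an added example, not part of the original article or of Skolfederation's or FIDUS's tooling: it looks for an IdP entityID in SAML metadata aggregates and, using the AMUT offsets from the steps above (15 and 15 + 75 minutes), reports whether to keep waiting or which stage appears stalled. The sample feeds, entityIDs, upload time and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# AMUT in minutes after upload, from the step table: A = 15, B.1 = A + 75.
STAGES = [("A: Skolfederation upstream feed", 15),
          ("B.1: FIDUS IdP feed", 15 + 75)]

def idp_entity_ids(aggregate_xml):
    """entityIDs in a SAML metadata aggregate that carry an IDPSSODescriptor."""
    # Presence check only: no signature validation. For feeds fetched over
    # the network, parse with a hardened parser such as defusedxml.
    root = ET.fromstring(aggregate_xml)
    return {e.get("entityID") for e in root.iter(MD + "EntityDescriptor")
            if e.find(MD + "IDPSSODescriptor") is not None}

def diagnose(entity_id, uploaded_at, now, feeds):
    """Walk the feeds in STAGES order; return (status, stage) for the first
    stage where the IdP is missing, or ("published", last stage)."""
    for (stage, amut), xml_text in zip(STAGES, feeds):
        if entity_id in idp_entity_ids(xml_text):
            continue
        deadline = uploaded_at + timedelta(minutes=amut)
        # Past the AMUT the article treats absence as a possible update
        # problem (CDN caching of the upstream feed can lengthen the wait).
        return ("wait" if now <= deadline else "stalled", stage)
    return ("published", STAGES[-1][0])

def feed(*entities):
    """Build a constructed sample aggregate; entities are (entityID, role)."""
    body = "".join(f'<EntityDescriptor entityID="{eid}"><{role}/></EntityDescriptor>'
                   for eid, role in entities)
    return ('<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">'
            + body + "</EntitiesDescriptor>")

# Constructed sample data (not real federation entities).
IDP = "https://idp.school.example/saml"
UPSTREAM = feed((IDP, "IDPSSODescriptor"),
                ("https://sp.vendor.example/saml", "SPSSODescriptor"))
FIDUS = feed(("https://idp.other.example/saml", "IDPSSODescriptor"))
UPLOADED = datetime(2024, 11, 4, 10, 0)

if __name__ == "__main__":
    for minutes in (40, 105):
        now = UPLOADED + timedelta(minutes=minutes)
        print(minutes, diagnose(IDP, UPLOADED, now, [UPSTREAM, FIDUS]))
```

Steps C, D and E have no fixed offset in the article, so they are left out of `STAGES`; for those the article's test is a login attempt against the SP.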