A federation can be built according to the hub-and-spoke or the mesh principle. In short: in a mesh federation, each entity is responsible for its own connections to other entities, whereas in a hub-and-spoke federation all entities connect to the hub, and the hub manages the connections between entities in a central location. Within SURFconext, entities are used to the hub-and-spoke principle. However, if a Service Provider wants to participate in eduGAIN, it must follow the mesh principle. These pages describe how a Service Provider connected to SURFconext can participate in eduGAIN.

Hub-and-spoke principle

In a hub-and-spoke federation, a central "hub" exists between all connected Identity Providers and Service Providers. The main advantage of this principle is that all entities only need to create and maintain a single technical connection to a single entity: namely the central hub of the federation. The hub manages and passes through individual connections between entities. Due to this design with a central hub, extra features can be rolled out easily and centrally, such as strong authentication and user consent. SURFconext is an example of a hub-and-spoke federation.

[Image: schematic overview of a hub-and-spoke federation]

Mesh principle

Most federations employ the mesh principle. In a mesh federation, there is no central "hub" through which connections between entities flow. Identity Providers and Service Providers must therefore create and maintain connections to each other themselves. In contrast to a hub-and-spoke federation, entities typically have multiple technical connections to other entities.

In a mesh federation, Identity Providers and Service Providers must typically do more work themselves that would otherwise be done by the central hub. Examples are configuring attribute release, maintaining a discovery service, supporting multiple protocols and software stacks, and managing connections between entities.

[Image: schematic overview of a mesh federation]

eduGAIN and SURFconext

Although SURFconext is a hub-and-spoke federation, Service Providers connected to SURFconext that want to offer their service to Identity Providers from other federations must use the mesh principle. This means these Service Providers must make some technical changes to their Service Provider setup. These pages describe which changes must be made.

If you are an Identity Provider connected to SURFconext that wants to use a service from another federation through eduGAIN, you do not have to make any technical changes. Service Providers from other federations are connected to the central hub and thus operate according to the hub-and-spoke principle. These pages describe what you must do to use a service through eduGAIN (in Dutch).

The image below depicts how the (technical) connections flow through SURFconext and eduGAIN:

Above the dotted line you can see how Identity Providers and Service Providers connect to each other within SURFconext (hub-and-spoke). Below the dotted line you can see how entities connect within eduGAIN (mesh). You can also see how a Service Provider from SURFconext connects to an Identity Provider from another federation (through eduGAIN), and how a SURFconext Identity Provider connects to a Service Provider from another federation (through the hub).