IDEM MDX
The IDEM GARR AAI Service implemented a new metadata distribution system named IDEM MDX. IDEM MDX is based on the MDQ protocol (Metadata Query Protocol [1]) and does not replace the actual system [2], but will work alongside it.
MDQ is based on HTTP and a REST-like interface. Unlike traditional metadata distribution systems based on large aggregates, MDQ allows you to dynamically distribute the metadata of individual entities. The system sends metadata in response to requests received from federation entities. When an entity (IdP or SP) has to interact with another, it issues the request for metadata via MDQ, and it gets only those of the requested entity.
The result is that federation softwares do not anymore need to waste large portion of memory to host the metadata aggregates and startup and update times are drastically reduced. The average reduction of memory and loading time is between 80 and 90%. In contrast, MDQ requests are light and negligibly increase wait times during federated logon. Entities store metadata distributed via MDQ in a cache, so they don't have to query the service each time they interact with another entity. The cache lifetime details are defined in the configuration instructions.
The metadata served by IDEM MDX are based on the actual ones, thus they follow the same requirements and the same filtering rules in force in the IDEM Federation, though for security reasons the metadata are signed with a different certificate. The service is load balanced and highly available. For more informatiob about the architecture and the implementation, please check out the presentation given at WS GARR 2021 [3] where the service has been previewed.
The use of MDQ does not entail any changes to the usual federated access process. In the example that follows a user tries to access a resource (Service Provider A). After being redirected to the Identity Provider (B) for the authentication, she can log in. Entities will instead request the respective metadata via MDQ. Requests will only be issued if the entities have not interacted previously or if the metadata cache expired.
Federated access flow with MDQ queries.
IDEM GARR AAI Service
[1] https://github.com/iay/md-query
[2] The traditional Metadata Distribution System is available at https://md.idem.garr.it, check out https://wiki.idem.garr.it/wiki/Metadata for more information.
[3] https://www.eventi.garr.it/it/ws21/programma/speaker/832-mario-cosimo-damiano-di-lorenzo