School me on hub and spoke federations

Leif Johansson leifj at
Mon May 13 16:58:09 EDT 2013

On 05/13/2013 10:00 PM, Tom Scavo wrote:
> On Mon, May 13, 2013 at 2:12 PM, Mike Flynn <shibbolethlynda at> wrote:
>> Was recently asked to look at a federation for another client.
>> Looking at their fed, they call it a "hub and spoke" federation.  Their
>> metadata only consists of a single SP/IdP pair that Kennisnet maintains.
> There are a handful of federations in the EU alone that are of the
> "hub-and-spoke" variety. They are typically much easier to manage
> since all transactions flow through a single choke point called an IdP
> Proxy, a term (from the SAML specs) that refers to a SAML-to-SAML
> gateway. One such federation is SURFnet, for example. SURFnet reported
> at the annual meeting last month that they will deploy 2-factor
> authentication throughout their federation by the end of this calendar
> year. They can do that because they're a hub-and-spoke federation. By
> deploying 2-factor at the IdP Proxy, they in effect make 2-factor
> available to all SPs in the federation in one fell swoop.
The down side is that they tend to suck for inter-federation.
>> Does not look to work like the more traditional federations (à la InCommon
>> etc).
> Right. InCommon relies on a model called "full mesh," with
> every SP interacting with every IdP. Very different. Of course each
> federation model has its strengths and weaknesses. There is no One
> Federation Model to Rule Them All.
> Tom
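The IdP Proxy mechanism Tom describes above, as an added Python model that is not from this thread or any federation's software: a hub that is the SP towards the home IdPs and the IdP towards every SP, enforcing a second factor centrally and re-issuing the assertion under its own entityID. All entityIDs, user records and the REFEDS MFA profile URI used as the policy marker are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Authentication-context URIs: the first is defined in the SAML 2.0 spec; the
# second is the REFEDS MFA profile URI, assumed here as the hub-wide MFA marker.
PASSWORD_CTX = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MFA_CTX = "https://refeds.org/profile/mfa"

@dataclass(frozen=True)
class Assertion:
    issuer: str          # entityID that issued (and would sign) the assertion
    audience: str        # entityID the assertion is addressed to
    subject: str
    authn_context: str

class HomeIdP:
    """A spoke IdP: password-only, knows nothing about MFA or the SPs."""
    def __init__(self, entity_id: str, users: dict):
        self.entity_id, self.users = entity_id, users   # users: name -> password (constructed)

    def authenticate(self, audience: str, user: str, password: str) -> Optional[Assertion]:
        if self.users.get(user) != password:
            return None
        return Assertion(self.entity_id, audience, user, PASSWORD_CTX)

class IdPProxy:
    """The hub: acts as the SP towards home IdPs and as the IdP towards every SP."""
    def __init__(self, entity_id: str, idps: dict, otp_codes: dict, require_mfa: bool):
        self.entity_id, self.idps = entity_id, idps
        self.otp_codes, self.require_mfa = otp_codes, require_mfa   # otp_codes: constructed

    def login(self, sp: str, home: str, user: str, password: str, otp: str = "") -> Optional[Assertion]:
        inbound = self.idps[home].authenticate(self.entity_id, user, password)
        # Reject anything not addressed to the proxy itself (audience restriction).
        if inbound is None or inbound.audience != self.entity_id:
            return None
        ctx = inbound.authn_context
        if self.require_mfa and ctx != MFA_CTX:
            # The second factor is enforced once, here, for every SP behind the hub.
            if self.otp_codes.get(user) != otp:
                return None
            ctx = MFA_CTX
        # Re-issue the assertion: the SP sees the hub as issuer, not the home IdP.
        return Assertion(self.entity_id, sp, inbound.subject, ctx)

def trust_relationships(n_idps: int, n_sps: int, hub_and_spoke: bool) -> int:
    """Pairwise trust relationships to configure: full mesh is N*M, hub-and-spoke is N+M."""
    return n_idps + n_sps if hub_and_spoke else n_idps * n_sps
```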
