eduGAIN

Recently there has been a debate on federations’ opt-in versus opt-out policies regarding eduGAIN. Generally, this refers to an eduGAIN participant federation’s policy on how its local IdPs and SPs are exported to eduGAIN. If a federation has an opt-in policy it means that an IdP or SP registered to that federation needs to explicitly ask to be exported to eduGAIN. Conversely, an opt-out policy means that an IdP or SP is exported to eduGAIN automatically unless it chooses to be excluded.

In the early days of eduGAIN, federations started with an opt-in policy, but some federations have later adopted an opt-out approach: either for IdPs only or for both IdPs and SPs. Research communities are starting to ask all federations to switch to an opt-out policy (or even to make opt-out mandatory in eduGAIN), not only because it makes eduGAIN grow faster, but also because it makes it easier to guarantee that a registered SP will reach all its required users and vice versa. It should be noted that not all IdPs/SPs are interested in cross-national login, due to the scope and availability of their services.

The opt-in/opt-out question is related to another fundamental question in identity federations: is a federation a service or an infrastructure component? Some people see a federation as a technical infrastructure component like DNS: a trusted SAML metadata exchange service that enables IdPs and SPs to learn about each other. Those federations focus more on the technical trust requirements of a federation, like the policies for registering and managing the entities in the federation.

The federations who consider themselves as a service add behavioral requirements for IdPs and SPs on top of the technical infrastructure: for instance, the IdPs are expected to fulfill certain baseline Assurance criteria for their user identities and SPs are required to fulfill certain data protection criteria for the attributes they receive from the IdPs. This makes those federations more like closed clubs where everyone needs to commit to a certain code and others are not let in.

A consequence is that “infrastructure” federations feel that opt-out is a natural way to extend the coverage of the infrastructure; the more connected entities the infrastructure has, the more successful the infrastructure is. The “service” federations, in turn, feel uneasy with opt-out, because their services promise that all IdPs/SPs are bound by the federation’s behavioral rules. Enabling login to IdPs/SPs in eduGAIN alters the service promise because in eduGAIN a potentially large number of peer IdPs/SPs are committed to different policies than those of the federation’s closed club. Therefore, in those federations, it is appropriate that the IdP/SP needs to opt in, i.e. take an active step to acknowledge that entering eduGAIN exposes it to peer entities that are bound by different policy conditions.

As long as the eduGAIN participant federations’ local policies are significantly different from each other, it cannot be expected that all federations are willing to adopt the same opt-out or opt-in policy. The lack of harmonisation of federation policies draws boundaries between the federations in eduGAIN – but this is difficult to address because of the demands placed on federations to serve local needs and processes. This does not mean that we cannot find pragmatic ways to overcome the differences in eduGAIN.

The most promising approach in use is to tag the entities with appropriate policy labels called SAML2 Entity Category attributes, which allow the entities to filter out the peer entities that do not match their criteria. Examples of these are the Code of Conduct, which provides a consistent way to express SP data protection requirements across federations, and the emerging SIRTFI framework, which will provide a process to express assurance criteria for security and incident response.
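To show how such a filter works in practice, here is an added example (not code from the post or from eduGAIN) that parses a small constructed SAML metadata aggregate and keeps only the SPs tagged with the Data Protection Code of Conduct entity category. The `http://macedir.org/entity-category` attribute name and the Code of Conduct category URI are the real published values; the entityIDs and the metadata document itself are constructed for the example.

```python
"""Filter SAML metadata by Entity Category (constructed example)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Real attribute name carrying entity categories, and the real
# GEANT Data Protection Code of Conduct (v1) category URI.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed sample aggregate (not real eduGAIN metadata): two SPs,
# only the first of which is tagged with the Code of Conduct category.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp-a.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-b.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_categories(entity):
    """Return the set of entity-category values declared on one EntityDescriptor."""
    cats = set()
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def filter_sps(metadata_xml, required_category):
    """Return entityIDs of SPs carrying the required category; this mirrors an
    IdP releasing attributes only to peers that declare the expected policy tag."""
    root = ET.fromstring(metadata_xml)
    return sorted(
        e.get("entityID")
        for e in root.findall("md:EntityDescriptor", NS)
        if e.find("md:SPSSODescriptor", NS) is not None
        and required_category in entity_categories(e)
    )
```

The same check is what a metadata-driven attribute release rule does: an entity without the tag is simply not matched, which is how a federation with stricter local policy can still consume the full eduGAIN aggregate.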

REFEDS is strongly encouraging entities within federations to adopt Entity Categories as part of its 2016 New Year’s Resolutions – all federations and federation members are encouraged to look at the resolutions and we would love to hear about your progress!