View from Marriot Waterfront, San Francisco

It’s been 18 months since REFEDS last held a meeting on the other side of the pond, so joining up with Internet2 and InCommon for “Identity Week” was a great opportunity to catch up with colleagues from the US, Canada, Australia and New Zealand to name just a few.  As the meeting was predominantly presentation based, there are no formal minutes of the meeting so this post serves as a summary of the main discussion points from the REFEDS meeting and at the ACAMP Open Space sessions.  If you have any further comments please add below or let us know over on the REFEDS list. All of the presentations from the meeting are available on the REFEDS website.

1.  Entity Category Work completion.

Immediately before leaving for San Francisco, there was a lot of discussion on the REFEDS mailing list around the “Research and Scholarship” Entity Category, and finalising an international definition of this category.  The work to date was presented in the REFEDS meeting, and further discussed at an Open Space session in ACAMP.

Next steps are to get the R&S category signed off by REFEDS Steering and to complete work on the “library” and “affiliate” proposals.  The first should happen as part of the 2013 workplan, with the other categories being early goals for 2014.

Something missing in this space is a good CEO / Senior Manager briefing on safe attribute release and how institutions need to implement a practical, organisation wide policy on the management of PII and attribute release. Andrew Cormack has previously written several papers for REFEDS on this issue, and continues to be a good source of information over on his blog.  An update communication possibly be something commissioned by REFEDS in 2014.

2. Marketing Materials?

As a whole, REFEDS has not taken a role in communicating directly with Entity Organisations, relying on federations to communicate this information down to its members.  This still seems the sensible approach, as REFEDS could easily muddy the membership relationship.  However, many federations asked if REFEDS could produce some simple marketing materials that could be reused by federations to communicate common issues and goals.  We have started this process in 2013 by looking at a REFEDS newsletter for Service Providers, and will review what can be done as part of the 2014 workplan.

3.  Governance, or Advocacy?

One of the main papers presented at the REFEDS meeting was a review of eduGAIN governance undertaken by the CEO Forum.  REFEDS has separately submitted notes on the discussion at the meeting to the CEO Forum, however the core conversation piece at the meeting seemed to indicate that attendees did not think governance was the issue.  It was rather felt that eduGAIN has an advocacy and communication problem, which could be resolved by a dedicated effort to help support entities through the process of achieving end-to-end metadata flow within eduGAIN.  We await the outcome of the consultancy process with interest.

4.  Incident Response

There were two interesting conversations around Incident Response at the meeting, and a discussion on the REFEDS FOG list at the same time.  This also echoed discussions had at the VAMP meeting in Helsinki, so would definitely be an area we think REFEDS should be pursuing in 2014.  The core concept in this discussion was that Service Providers need both a common understanding of what IdPs within any given federation are committed to in terms of incident handling, and also a proactive stance from IdPs to report incidents to SPs when they arrive.

The recent review of federation policy reveals the following:

  • Most federations have some sort of statement on ‘observing good security practise’, but do not go in to detail as to to what this might be.
  • Some federations have further wording requiring members to co-operate in the event of a complaint about member behaviour.
  • No federations require IdPs to proactively report security incidents as they occur. This is typically expected to be an LOA2 reporting requirement.

This lead to a larger conversation around the differing requirements of LEVELS of asssurance, which parcel these requirements up in to all encompassing levels, lighter weight assurance profiles (of which entity categories are comparable) that can be applied on a community level, and issues of supporting SLA requirements within VO environments.  Summaries of the ACAMP discussions can be found here and here.  This conversation should definitely continue as part of the assurance work areas in 2014.

4.  Monitoring and Testing.

Another common theme across the meeting was the effort currently being put in to monitoring SAML, OAuth and OpenIDConnect endpoints and testing implementations of products in these areas against profiles.  Roland Hedberg  ran a session on testing SAML solutions and Leif discussed SAMLbits in the REFEDS meeting.   Significant work in this area has taken place as part of the GEANT3+ project: it would be good to see these work more widely exposed and used in 2014.

5.  K-12 Federation. 

In the country update sections of the REFEDS meeting, it was clear that many federations are now looking at K-12 federation implementation.  This has been supported by discussion on the the REFEDS and FOG lists within 2013.  A session was held during ACAMP on the topic and it was clear that the conversation should continue to happen.  REFEDS is definitely the place for that, and we will look at whether the best approach is seeding conversation on the main list, setting up a special interest group or implementing specific work items in 2014.


Another common topic of conversation throughout the meetings was the role of ORCID within federations.  Three common requests came up:

  • Would ORCID consider acting as an “IdP of last resort” for researchers wanting to engage in Virtual Organisations but without an obvious IdP to use?
  • Can federations pass ORCID as an attribute either within eduPerson or SCHAC?
  • Would there be any benefits for federations buying API access to ORCID for closer and more immediate integration between the 2 systems?

ORCID representatives are on the REFEDS list and have attended REFEDS meetings and we very much look forward to having further conversations with them.

7. Social / Guest / IdP of Last Resort.

The simple message from this session at ACAMP seemed to be can we please solve this problem in 2014!   REFEDS should offer a small list of commonly used ‘other’ IdPs, including a range of options that fit the variety of models required by services.  This is likely to include a variety of options including use of mainstream social IdPs, federation run guest IdPs and community run guest IdPs.  Services such as the GARR IdP in the Cloud and the SWAMID Student IdP should be reviewed and promoted and solutions to this problem.

All of the proposals above will be considered and presented back to the community for voting on part of the 2014 planning process, so please watch this space!