In line with tradition, REFEDS opened on Sunday with the first meeting of the Trust and Identity series that unfolded during TechEx 2017.
Nicole Harris highlighted REFEDS developments in the year so far and gave a preview of the work expected in 2018, some of which is listed below:
- Two consultations have been completed in 2017: Multi-Factor Authentication (MFA) and the REFEDS Assurance Framework (first round). Next consultations in the pipeline include: single factor, good entropy, assurance v2, CoCo and Academia. GDPR will be a key factor in 2018; this will hopefully drive the adoption of CoCo.
- Version 2 of R&S is also planned, but this work will not start until the completion of work on recommendations for identifiers in the InCommon Deployment Profile Working Group and the Kantara revision of SAML2Int.
- The Federation Operator Survey 2017 will be launched shortly. Last year there were 33 responses from 66 known federations. The goal is to get more answers in 2018.
- The following REFEDS working groups continue: FOG, ORCID, OIDCre, SIRTFI, IoLR (IdP of Last Resort), Entity Category development and Assurance. A short update on all of them is provided below.
- REFEDS will also publish a strategy towards the end of 2017 or the beginning of 2018 to show REFEDS drivers and values more clearly.
- No significant changes to the budget are expected, but the REFEDS SC is discussing moving from a one-year planning cycle to a two- or three-year planning cycle; this would ensure continuity for some work and reduce some of the overhead in coordinating funding.
REFEDS has clearly consolidated its position in defining best practices for R&E federation operators, as was evident from the many references to REFEDS specifications during the week at TechEx. However, the deployment of some of these specifications, such as R&S and Sirtfi, remains a challenge. To date 11% of the IdPs in eduGAIN support R&S, 7% of the eduGAIN IdPs support Sirtfi and 6% CoCo. This is a complex space; institutions in many cases feel there is a risk in releasing attributes to services with which they have no contractual relationship. REFEDS in 2018 will try to address some of these concerns, but the engagement of federation operators is needed. There was a lot of discussion during the week as to why institutions do not adopt R&S. Factors cited included control, SPs not applying enough pressure on campuses, key people not being involved in the decision process, and so on.
Changing the Way We Think
Brook Schofield, Maarten Kremers, Leif Johansson and Nick Roy proposed some new ideas.
Brook proposed treating privacy like a DRM problem. The idea is to give some control back to the users, using apps embedded in the browser. This approach could also help in the attribute release space, as users could then decide to add attributes that would not normally be released. Niels van Dijk encouraged people to look at IRMA, the privacy-friendly authentication app.
Maarten relaunched the eduID idea. Typically a person has one account per institution. Lifelong learning is becoming more popular and challenges the way in which federations have been shaped, as institutions may no longer be the sole guardians of affiliation (which would become a combination from different sources). Switzerland and Sweden are already working on this.
Nick proposed defining baseline practices for IdPs, with the aim of making the whole identity infrastructure behave in a more deterministic way. A typical scenario was given: a researcher in Europe wants to use SPs in the US. The user's IdP has no idea this user is involved in research, so it filters out some SPs and the user cannot access the service. It is mostly a policy problem to address (although if all IdPs exposed all their metadata they would need to implement metadata query, so a way to 'containerise' MDQ should perhaps be looked at). We should start a campaign, #empathyforusers, and engage with IdPs.
Leif proposed contextualising trust management. Metadata is being aggregated more and more from different places (see for instance SATOSA), so how do we trust the endpoints? Leif's proposal was the most radical, as it would require re-engineering federations so that they can manage multiple contexts instead of one.
Leif also noted that federation deployment should be simplified; it would help if federations were able to use more commercial software and build a layer on top of it. The way the network is built should serve as guidance.
Working Group Updates
REFEDS runs a number of working groups to support the community and four of the groups were available to present at this meeting.
The key changes:
- Dropped SAML2 MD entity attributes.
- Uses the eduPersonAssurance (ePAssurance) attribute for the user.
- Seeking SPs and IdPs for a pilot.
Sirtfi – Adoption of Sirtfi is growing. Key aspects of Sirtfi are operational security, incident response, traceability and participant responsibilities. Sirtfi is self-asserted by adding an assurance tag in the metadata. Coordination work to collect post-event incident practices is being planned. The use of a Sirtfi registry to allow entities that support Sirtfi to publish metadata was discussed during one of the ACAMP sessions.
Hannah Short reported that RENATER is planning to deploy it. AARC, which sponsors some of the Sirtfi work, has produced an online training course. The course was released in September and comments are being collected to produce an updated version.
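Both the adoption figures above (the share of eduGAIN IdPs supporting R&S, Sirtfi and CoCo) and the Sirtfi self-assertion described here come down to the same mechanism: an entity publishes values in the mdattr:EntityAttributes extension of its SAML metadata, and a federation operator counts them across the aggregate. The following script is an added example, not code from REFEDS or eduGAIN. The attribute names and URIs are the real ones used by REFEDS (Sirtfi under the assurance-certification attribute; R&S and CoCo support for IdPs under the entity-category-support attribute); the metadata aggregate, entityIDs and resulting percentages are constructed for illustration.

```python
"""Count IdPs in a SAML metadata aggregate that self-assert Sirtfi,
R&S support and CoCo support (added example; sample data is constructed)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Real attribute names and values used by REFEDS / eduGAIN metadata.
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
SIRTFI = "https://refeds.org/sirtfi"
RS = "http://refeds.org/category/research-and-scholarship"
COCO = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed aggregate: four IdPs with different tags and one SP that must
# be ignored when computing IdP adoption.
SAMPLE_AGGREGATE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://idp-a.example.edu/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ASSURANCE_CERT}">
        <saml:AttributeValue>{SIRTFI}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{CATEGORY_SUPPORT}">
        <saml:AttributeValue>{RS}</saml:AttributeValue>
        <saml:AttributeValue>{COCO}</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.edu/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ASSURANCE_CERT}">
        <saml:AttributeValue>{SIRTFI}</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-c.example.edu/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-d.example.edu/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{CATEGORY_SUPPORT}">
        <saml:AttributeValue>{RS}</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>{RS}</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_attributes(entity):
    """Return {attribute name: set of values} from mdattr:EntityAttributes."""
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs


def idp_tags(xml_text):
    """Map each IdP entityID to which self-asserted tags it carries."""
    root = ET.fromstring(xml_text)
    tags = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # SPs are not counted towards IdP adoption
        attrs = entity_attributes(entity)
        tags[entity.get("entityID")] = {
            "sirtfi": SIRTFI in attrs.get(ASSURANCE_CERT, set()),
            "rs": RS in attrs.get(CATEGORY_SUPPORT, set()),
            "coco": COCO in attrs.get(CATEGORY_SUPPORT, set()),
        }
    return tags


def adoption_percent(tags):
    """Percentage of IdPs asserting each tag, rounded to one decimal."""
    total = len(tags)
    if total == 0:
        return {}
    return {key: round(100 * sum(t[key] for t in tags.values()) / total, 1)
            for key in ("sirtfi", "rs", "coco")}


if __name__ == "__main__":
    for entity_id, t in idp_tags(SAMPLE_AGGREGATE).items():
        print(entity_id, t)
    print(adoption_percent(idp_tags(SAMPLE_AGGREGATE)))
```

Run against a real aggregate (for instance a downloaded eduGAIN metadata file, after verifying its signature) the same two functions produce the kind of per-tag percentages quoted above. Because all three tags are self-asserted, the counts measure what entities claim, not what a registrar has verified; that distinction is exactly why a Sirtfi registry was discussed at ACAMP.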
IdP of last resort (IoLR) – The group is scoping the service specs for Open IdPs to deliver a service that meets research SPs' requirements. Based on the self-assessment document to be compiled by each Open IdP, individual VOs/Research Communities can decide whether or not to accept the IoLR. There was a lot of discussion on the requirements and their interpretation.
OIDCre – Work is progressing and involves a wide range of people, also from outside the fed ops communities. The main activities at the moment focus on harmonising SAML and OIDC, OIDC Federation, and general liaison with other related groups.
The initial document on harmonising SAML and OIDC generated many inputs and has now been split into two parts:
- Implementation best practices (REFEDS).
- RFC work on mapping (IETF) – Two profiles (basic and advanced) for translating attributes from SAML to OIDC have been delivered. An edu scope document is also being prepared to clarify OIDC scopes for R&E.
The current work on OIDC federation is online on GitHub. Future activities towards the end of the year include a standalone federation-aware OP implementation in Python, polishing and documenting the federation RP libraries, an OIDC hackathon in Rome and a design meeting.
The Discovery Problem
Heather Flanagan reported on the work done in the RA21 (Resource Access for the 21st century) WG to define better discovery. The group includes many publishers and could put significant pressure on federations to implement a better discovery service. They will put together best practices based on pilots of different approaches. Three pilots are foreseen; for all of them the main aspect to clarify is central vs embedded discovery.
Current Work Plans
Heather also led the discussion on scoping the requirements for a service catalogue to list the service offerings and technologies available among federations. There were many comments about its scope and its remit (should this be undertaken by REFEDS or should it be something the eduGAIN team delivers?). REFEDS is now soliciting input via the wiki.
Keith Wessel reported on the InCommon deployment profile and invited participants to join further discussions later in the week at TechEx. Many of the topics being discussed are relevant and impactful for R&E federations, and all input is welcome.
Brook's presentation on the eduGAIN roadmap concluded the meeting. The eduGAIN SAML2 profile (to make eduGAIN technology agnostic) is about to be deployed. eduGAIN has also strengthened the support team to better address eScience requirements. Plans are to create best practices on CoCo, R&S, SAML2Int, MFA and Sirtfi. An eduGAIN Townhall meeting is planned for December, time and date still to be announced.