A REFEDS meeting concluded a 2-day workshop, organised by GEANT and held in a snowy Amsterdam, to review T&I plans and strategy for the next two to four years.
The REFEDS meeting was opened by Nicole Harris who presented the results of the REFEDS yearly survey. Compared to last year, the number of responses increased from 33 to 39. We hope to see the numbers keep increasing!
The results of the survey showed no significant changes in federation budgets – many federations still run on a zero or non-defined budget. This has a significant impact on the ability of these federations to step up and deliver the services required for more complex use cases, such as robust incident response and well-populated attribute release. There was a slight increase in the number of staff within federations, but many are still dependent on one or two critical staff members, which presents challenges for resilience.
The REFEDS Survey also highlighted that the R&E community has a general problem retaining critical staff and attracting new talent. The meeting proposed establishing a “Trust and Identity Fellow” position and for the community to do more to engage with developing talent straight out of university, akin to the Surfnet “Young Talent” programme.
There were, however, some interesting takeaways:
- 28% of federations offer central subscription services and many are planning to offer them. This is a change and shows that more federations are stepping into a role of more active support for institutions.
- 35% of federations said they have an incident response plan. REFEDS will be asking these federations to share their plans to support efforts to build up a more robust incident response framework across federations.
- On the technology side, the interest in OIDC keeps increasing, which confirms the trend to a more hybrid approach to OIDC and SAML offerings from federations.
- The picture for R&S support has changed, with about 11% of all eduGAIN IdPs (it was 6.6% last year) and 9.7% of eduGAIN services supporting R&S. In the case of services, it is worth noting that in many cases proxies are used and therefore the real number of services may be higher. Although this is promising, we would rather see numbers at a much higher level of support. This will again be a focus for 2018.
- Support for CoCo has not moved significantly. This can be attributed to multiple factors, including the complexity of the approach, the desire to wait for a version 2 of CoCo and poor support for data protection approaches within organisations. It is hoped that the GDPR impact will help with adoption.
- Sirtfi saw a significant usage increase in 2017, with multifactor authentication (MFA) support also picking up.
- The usage of the Metadata Registration Practice Statement (MRPS) template is not mandatory, although 32% of the respondents use the template. Other federations have their own MRPS documents, which in some cases are a bit outdated and not very informative. There is discussion about enforcing the template for all federations.
- In terms of community needs, OIDC, MFA, metadata registry and general support for IdPs emerged this year as priority focus areas.
- The survey also indicated that REFEDS should focus on discovery support, an SP catalogue (aimed at federation operators, not at users) and interfederation guidance.
An interactive session followed to review the purpose of REFEDS and to assess the value that REFEDS brings to federations. There was agreement that REFEDS should continue as it is, namely as a global forum for all R&E identity federations, regardless of whether they are in eduGAIN (there is a bar to participation in eduGAIN, but not in REFEDS). The inclusive aspect and the fact that REFEDS is considered by research collaborations as the global place to engage with all federations were highlighted as REFEDS strengths. The meeting participants felt that the focus for REFEDS should remain on federation operators, and on helping federation operators to get information on what happens internationally and to get endorsement on their current work.
There was also consensus that given the budget and the effort, REFEDS is not the suitable place to run services, with the exception of things like MET.
Leif Johansson (SUNET) noted there is some assumption in the REFEDS community on how we scale trust and how the bottom-up approach is working remarkably well for this group. Those aspects should be captured in the mission statement. Some examples of a mission statement drafted by participants are shown below:
“REFEDS advocates the use of federations by providing a neutral forum for discussion, the ability to develop standards, best practices for new and existing federations, to enable scalable access to global services that are useful Research and Education. Founding and Furthering Functional Federation”
“REFEDS facilitates sharing and creation of common components/flows/needs for federation operators and their communities”
“REFEDS turns local trust into global trust in digital identity for Research and Education by harmonizing policy, practice and tools”
The last part of the meeting was devoted to discussing the workplan for 2018. A summary is provided below:
- OIDC WG will continue and it would be nice to see more active participation in this group.
- IdP of last resort will be closing down soon as they have concluded their work.
- Sirtfi is progressing well and will continue.
- Entity Categories: a consultation has just opened on the academic institution entity category; feedback is welcome (deadline 8th Jan 2018).
- Promotional material: REFEDS produces material when needed. If there are new ideas or requirements on what REFEDS should focus on, this is the time to signal that.
- Standards and specification: work is ongoing to publish some work as REFEDS RFC documents. This is progressing well, and the first document should be published soon.
- MET will continue – attendees asked for the metadata feeds used by MET to be published somewhere (i.e. on MET itself).
- Identifiers – There are at least 5 identifiers in use to date (two more are being created). It was agreed that REFEDS should revisit R&S and usage of identifiers in the specs.
- SUNET is involved in running the Swedish eIDAS proxy. There is now a strong collaboration at technical level among eIDAS. SUNET would like to create a collaboration forum to connect those people who are running or will be running an eIDAS proxy in a country. Please contact Leif.