This month we have a series of blog posts from long-time participants in the federation space on where they see identity federation going in the future.
Blog post by Lukas Hämmerle (SWITCH)
Federations on their Way into the Future – A view from Switzerland
15 years ago, SWITCH made its first steps into the uncharted territories of federated identity management for academia. In the backpack: little experience, great enthusiasm, and the multifunctional Swiss army knife known as “Shibboleth”. Today, we are still on the hike but with a fully functional and heavily used identity federation accompanying us. It currently includes all higher education organisations in Switzerland and more than 1,200 services that their users can access via the SWITCHaai federation. On top of this, an additional 1,900 international services are available via eduGAIN, to which our users have been connected from eduGAIN’s launch in 2011.
Even though we have gained quite some height in these 15 years, we are still far away from the summit. And we sometimes also ask ourselves: in which direction should we travel next, what opportunities will the future guide us to, and how will the federation landscape look 15 years from now? In the following I present three highly speculative scenarios, and I am looking forward to hearing your opinion on the future of federations.
Walking and running at the same time
One of the first decisions to make when building an identity federation is what architecture to use. Traditionally, there have been these three options:
- Fully distributed full mesh architecture;
- Hub & spoke architecture where all entities connect to a hub; and,
- Central login architecture with one single Identity Provider that connects to user directories of all organisations.
Four out of five federations have chosen the full mesh architecture, on which eduGAIN is also based. It’s the easiest option to start with from a federation operator’s point of view. However, the other two, more centralized architectures also have advantages. For these federations it is easier to introduce support for new protocols or features (e.g., multi-factor authentication), since a central component is involved in every login. On the other hand, there are a few usability limitations that make the two latter architectures more difficult to deploy in a full mesh context like eduGAIN. Therefore, in the past few years hub & spoke federations like SURFconext or WAYF.dk became “meshier”, while some of the mesh federations like SWITCHaai and SWAMID started to move to a more centralized model. The latter hope to benefit from some long-term advantages of this centralization process, which started with the creation of the SWITCH and SUNET edu-ID services. They also realized that introducing changes in a distributed full-mesh federation takes very long (i.e., years) and requires efforts that can be considerably reduced if the change is implemented centrally.
I therefore suspect that in 15 years many more of the established federations will have transitioned to a fourth option, a hybrid architecture model. In this model organisations are still represented by an individual entity in SAML metadata and maybe even still run their own Identity Provider. However, there will be a central component in these federations which does most of the heavy lifting. Also, I suspect that, rather than a classic hub, this hybrid model will have at its heart a central login with some customization options for the organisations whose user directories are connected to it. This model combines the best aspects of the full mesh and central login architecture models. It allows the federation operator to persist in a ‘fully-meshed’ world while still being flexible and agile enough to react to new trends.
Wandering why there is no SAML?
I remember that some colleagues in our community were already declaring the death of SAML about ten years ago with the advent of OpenID. The OpenID hype came… and went again. Next came OpenID Connect, incorporating concepts of OpenID and building on OAuth2. Again, five years ago some people claimed that this would replace SAML for sure. Today, at least in the academic world, the wide use of OpenID Connect has yet to come. As with OpenID, many of the big social identity providers (Facebook, Twitter, etc.) push their OAuth2/OpenID Connect-based APIs in the sense that they allow their users to log in to other services, but they hardly accept users from other (competitor) identity providers. Looking at Google Trends for the above-mentioned protocols, search queries for OpenID Connect are about a fourth of those for SAML, while interest in both is increasing almost in parallel. OAuth, on the other hand, is searched for twice as often as SAML, which probably has a lot to do with its usage in mobile apps.
I therefore think that even in 15 years SAML will still be substantially used in academic federations. However, as SAML and OpenID Connect can be used in parallel quite well, most Identity Providers in established federations will most probably also support OAuth2/OpenID Connect at the same time. The same goes for most hub & spoke federations. One of the reasons for this is that OAuth2/OpenID Connect is well suited to authenticating users in some applications where achieving the same with SAML is difficult, most notably mobile apps. However, even though SAML in many areas is more complex and requires more effort to operate, it has its strengths in dealing with user attributes, in federating services and, having “security” not only in its name but also in its core principles, in providing a solid security foundation. Also, many problem areas (complex technologies, attribute release issues, privacy) that are sometimes associated with academic SAML-based federations today are inherent or generic in nature. They would not vanish just by replacing SAML with another technology. On the other hand, SAML has some advantages (scalable federation management thanks to metadata) that have yet to be added to OpenID Connect.
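As an added example (not code from this post, SWITCH, eduGAIN or the Shibboleth project) of the metadata-based federation management the paragraph credits to SAML: a consumer-side sanity check of a metadata aggregate, the signed document a full-mesh federation publishes so that every entity can discover and trust every other one. The aggregate below is constructed; the entity IDs, URLs and certificate value are placeholders. The check reads the aggregate’s validUntil, confirms that every Identity Provider publishes a signing certificate, and flags endpoints that are not HTTPS. Verifying the XML signature on the aggregate against the federation’s pinned key is assumed to have happened before this step and is not shown.

```python
"""Consumer-side sanity check of a SAML metadata aggregate.

Added example, not code from SWITCH, eduGAIN or Shibboleth. The aggregate
is constructed; entity IDs, URLs and the certificate are placeholders.
Signature verification (ds:Signature on the aggregate) is out of scope here:
a real consumer must verify it against the federation's pinned signing key
before trusting any entity listed.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed aggregate with one IdP and one SP of a fictitious federation.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _parse_saml_datetime(value):
    # SAML dateTime values are UTC and end in "Z"; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _check_role(role_el, role_name, findings):
    """Per-role checks; appends human-readable findings to the list."""
    # A signing certificate is mandatory for an IdP (it signs assertions);
    # for an SP its absence is only a warning (it may not sign requests).
    signing = [
        k for k in role_el.findall("md:KeyDescriptor", NS)
        if k.get("use") in (None, "signing")
        and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
    ]
    if not signing:
        severity = "error" if role_name == "IdP" else "warning"
        findings.append(f"{severity}: {role_name} has no signing certificate")
    # Assertions are delivered through these endpoints, so they must be HTTPS.
    for child in role_el:
        loc = child.get("Location")
        if loc is not None and not loc.startswith("https://"):
            findings.append(f"error: {role_name} endpoint not https: {loc}")


def check_aggregate(xml_text, now=None):
    """Parse an aggregate and return a per-entity report."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntitiesDescriptor":
        raise ValueError("not an md:EntitiesDescriptor")
    # Without validUntil a stale aggregate could be replayed indefinitely,
    # so a missing value is treated as expired.
    report = {"name": root.get("Name"), "expired": True, "entities": []}
    valid_until = root.get("validUntil")
    if valid_until is not None:
        report["expired"] = _parse_saml_datetime(valid_until) <= now
    for ed in root.findall("md:EntityDescriptor", NS):
        entry = {"entityID": ed.get("entityID"), "roles": [], "findings": []}
        for tag, role in (("md:IDPSSODescriptor", "IdP"), ("md:SPSSODescriptor", "SP")):
            for role_el in ed.findall(tag, NS):
                entry["roles"].append(role)
                _check_role(role_el, role, entry["findings"])
        if not entry["roles"]:
            entry["findings"].append("error: entity has neither IdP nor SP role")
        report["entities"].append(entry)
    return report


def summarize(report):
    """Counts an operator would put on a federation health dashboard."""
    return {
        "idps": sum("IdP" in e["roles"] for e in report["entities"]),
        "sps": sum("SP" in e["roles"] for e in report["entities"]),
        "problems": sum(len(e["findings"]) for e in report["entities"]),
        "expired": report["expired"],
    }


if __name__ == "__main__":
    rep = check_aggregate(SAMPLE_AGGREGATE)
    print(summarize(rep))
    for e in rep["entities"]:
        for f in e["findings"]:
            print(e["entityID"], f)
```

Run against the constructed aggregate, the IdP passes cleanly while the SP collects two findings (no signing certificate, and a plain-HTTP AssertionConsumerService). The same pass over a real aggregate with thousands of entities is what makes metadata-driven federation management scale: one signed document, one bounded validity window, and mechanical checks instead of per-pair agreements.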
In the end, multiple factors will determine to what extent SAML will still be used. Just because something is newer, better and seemingly easier does not mean it will also be adopted. Other factors play a role too. A major one: the additional benefit versus the additional effort of switching to a new technology. If that were not true, everybody would have been using IPv6 exclusively for years.
The best view comes after the hardest climb
Almost 90% of all identity federations known to MET have already joined the eduGAIN interfederation service today. I suspect the remaining federations will follow, and for new federations joining eduGAIN will become the default. Therefore, in 15 years most academic users worldwide will have an eduGAIN-enabled account that allows them to access eduGAIN services worldwide. Most of today’s federations will then have close to 100% of their IdPs enabled for eduGAIN.
Sure, eduGAIN will still consist of heterogeneous participants, and therefore there will still occasionally be issues when exchanging trusted identity information. But thanks to some well-defined profiles, easier guidelines and a central eduGAIN health monitor, the overall eduGAIN service quality will be considerably better than today. Also, federation operators will work together more closely, which is facilitated by eduGAIN. Thanks to its high coverage and its privacy-preserving aspects, eduGAIN services like InAcademia will also help to sustain the eduGAIN core infrastructure and maybe even help finance some federations that today lack personnel and financial resources. If InAcademia cannot help make federations more sustainable, hopefully the eduGAIN member federations can agree on a new business model where services in eduGAIN pay an annual fee, as is already the case in some federations.
The first few steps of every journey are the hardest ones … except when others have taken them before you
Much like the Internet was created by and first used by the academic community, the principles of federated identity management were first pioneered by the worldwide academic community in the form of eduGAIN and will now also be reused by other sectors, most notably governments. Some nations already have, or are currently starting, national identity infrastructures that use the same principles (privacy by design, user attribute consent, attribute release with data minimization in mind) as the academic identity federations today. Once national identities are established in a country, one can ask oneself: is this a threat or an opportunity for sector-specific academic identities?
Even though some dream of a single identity that can be used for almost every aspect of (digital) life, most people are probably not so unhappy about having different identities for accessing web shops, e-banking sites or their university e-learning courses. The national e-ID services are cross-sector solutions that must be quite generic and focus on the lowest common denominator. Therefore, not all needs can be addressed by these solutions, which leaves room for sector-specific identities. Only a dedicated identity for education and research purposes allows the specific needs and use cases of this community to be addressed. Therefore, I suspect that academic identities and national identities will co-exist and complement each other. Federations will rely on national identity data where this is beneficial for the academic community: e.g., to make student enrollment easier, to retain good identity data quality for their users, and to reduce some bureaucratic processes.
It feels good to be lost in the right direction
The above speculations probably don’t sound very visionary or disruptive, even though we live in a fast-changing world. However, on the one hand it took us 15 years to get where we are today, as new infrastructures cannot be built overnight. On the other hand, these rather careful speculations don’t seem so surprising given that you have just been reading an article by somebody who suspects that even in 15 years internet users will still mostly use username and password to access services in their daily life.
Thanks to my colleagues Ann Harding, Christoph Graf and Thomas Lenggenhager for their valuable inputs. You can also learn more about SWITCH’s hike into the future with the SWITCH edu-ID on the