With approximately 70 people attending, REFEDS enjoyed another highly interactive and informative meeting at the Internet2 Technology Exchange in Orlando. While the initial plan was to focus the agenda on just a few core topics, there were simply too many interesting topics to discuss! The presentations are of course online for your viewing (or reviewing) pleasure.
As usual, the meeting started with a quick REFEDS tutorial and highlights from recent activities:
  • The first RFC approved by REFEDS was published: RFC 8409, “The Entity Category Security Assertion Markup Language (SAML) Attribute Type”.
  • The Single Factor Authentication (SFA) profile and Assurance Framework were published!
  • eduPerson was approved by both MACE-DIR and the REFEDS SC to move under REFEDS management.
  • The Service Catalogue white paper was completed.
The Code of Conduct v2, aimed at SPs so they can assert they are ‘good citizens’ with regard to the GDPR requirements, was published in May. Implementing it, however, requires a monitoring body to be accredited by a national data protection authority – and no one knows how to do that yet. So, stay tuned on this one!
Probably one of the more significant moments of the REFEDS meeting was the formal turnover of the management of the eduPerson schema from Internet2’s MACE-DIR working group, now closed, to REFEDS. The eduPerson schema started nearly twenty years ago, “before there was a mechanism for moving attributes around” according to Ken Klingenstein (Internet2). With its transition to REFEDS, the focus will be on improving the internationalization of the schema. More on the transition and future of eduPerson will be covered in a future blog post.
Attribute exchange is critical to identity federation, and improving the user experience is critical, too. With that in mind, discussion shifted from eduPerson to logos. Currently, there is no standard guidance around logos: their size, their format, and whether and how they should be presented in metadata all vary from federation to federation. The discussion at REFEDS was designed to inform the overall conversation, and further discussions continued later in the week at ACAMP. At the end of the day, one SP represented in the audience summed up the general feeling in the room: “We don’t care what the guidance is, just do something.”
A topic that remained hot throughout the week was OIDC. The OIDCre working group has been very busy, and a consultation on how to map SAML attributes into OIDC claims was kicked off right after the REFEDS meeting. In addition to the consultation, the OpenID Connect Federation draft needs more review. In particular, the authors are looking for additional use cases to explore the interesting possibilities around an OIDC federation. While the standards body for OIDC is the OpenID Foundation (OIDF), more work might happen in REFEDS – one suggestion from the audience was to create an implementer’s group within REFEDS to help pool experience in deploying this kind of federation.
And speaking of new work in the federation space, the Federation 2.0 Working Group, chaired by Tom Barton (U. Chicago/Internet2) and Judith Bush (OCLC), kicked off last week as well. Tom Barton chaired the panel session on the next generation of federation, which included:
  • Baseline Expectations (Nick Roy, InCommon) – how and why to help organizations do their part to maintain a federation
  • SAML Metadata (Rhys Smith, JISC) – how to create various managed services to make managing metadata easier for all members
  • EduID (Maarten Kremers, SURFnet) – centralizing identifier creation through a life-long, user-controlled identity that will be used by universities and exist forever
Two other ongoing working groups presented the latest in their space as well: Assurance and SIRTFI. For the Assurance WG, the SFA profile was published, but it’s worth noting that this new profile does not actually build on the earlier MFA profile. The SIRTFI group has two main items in its queue: completing the federated security incident response readiness documentation, and creating a requirements document for a SIRTFI+ registry. The registry would allow institutions whose federations do not support SIRTFI to assert compliance into a registry that could then be (somehow) aggregated into a larger metadata feed. The details here are a bit fuzzy, so if you’re interested, join the SIRTFI working group to discuss!
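Both RFC 8409 entity categories (mentioned in the highlights above) and SIRTFI are carried in SAML metadata as entity attributes, and an SP that wants to rely on them has to read those tags out of the federation feed. The following Python example, added here and not code from REFEDS or the original post, shows how that check looks in practice: it parses a small, constructed metadata aggregate and reports which IdPs both support the Research and Scholarship (R&S) category and assert SIRTFI. The attribute names and values are the registered ones (http://macedir.org/entity-category, http://macedir.org/entity-category-support, urn:oasis:names:tc:SAML:attribute:assurance-certification, https://refeds.org/sirtfi); the entity IDs are made up. One caveat a practitioner should keep in mind: entity attributes are only as trustworthy as the metadata they sit in, so in production you verify the aggregate’s XML signature before acting on any tag, which this snippet deliberately does not do.

```python
import xml.etree.ElementTree as ET

# SAML metadata namespaces used by entity attributes.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names from RFC 8409 (entity category) and the SIRTFI spec.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
ASSURANCE_CERTIFICATION = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

RS = "http://refeds.org/category/research-and-scholarship"
SIRTFI = "https://refeds.org/sirtfi"

# Constructed sample aggregate (entity IDs are hypothetical): one IdP that
# supports R&S and asserts SIRTFI, one SP that asserts R&S, one untagged IdP.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example.org/idp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category-support"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:assurance-certification"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>https://refeds.org/sirtfi</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.net/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_attributes(entity):
    """Map attribute Name -> set of values from md:Extensions/mdattr:EntityAttributes.

    Only attributes with the URI NameFormat are considered, as RFC 8409 requires.
    """
    result = {}
    for attr in entity.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("NameFormat") != URI_FORMAT:
            continue
        values = {v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text}
        result.setdefault(attr.get("Name"), set()).update(values)
    return result


def entity_tags(xml_text):
    """Return {entityID: {"asserts_rs", "supports_rs", "sirtfi", "is_idp"}} for every entity."""
    root = ET.fromstring(xml_text)
    tags = {}
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        attrs = entity_attributes(entity)
        tags[entity.get("entityID")] = {
            "asserts_rs": RS in attrs.get(ENTITY_CATEGORY, set()),
            "supports_rs": RS in attrs.get(ENTITY_CATEGORY_SUPPORT, set()),
            "sirtfi": SIRTFI in attrs.get(ASSURANCE_CERTIFICATION, set()),
            "is_idp": entity.find("md:IDPSSODescriptor", NS) is not None,
        }
    return tags


def rs_sirtfi_idps(xml_text):
    """Entity IDs of IdPs that both support R&S and assert SIRTFI, in metadata order."""
    return [eid for eid, t in entity_tags(xml_text).items()
            if t["is_idp"] and t["supports_rs"] and t["sirtfi"]]


if __name__ == "__main__":
    for eid, t in entity_tags(SAMPLE_METADATA).items():
        print(eid, t)
    print("R&S + SIRTFI IdPs:", rs_sirtfi_idps(SAMPLE_METADATA))
```

Note the asymmetry the code encodes: an SP asserts that it belongs to a category with entity-category, while an IdP declares that it will release the category’s attribute bundle with entity-category-support; SIRTFI is not a category at all but an assurance-certification value that any entity can carry. A SIRTFI+ registry of the kind discussed above would, in effect, be a second source of that same attribute for entities whose home federation does not publish it.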
While the Internet2 Technology Exchange is primarily a US-focused meeting, hearing about what’s happening in Europe is always interesting. Licia Florio and Marina Adomeit are the coordinators of the new GN4-3 Work Package. In scope for that project are improvements to eduroam, eduGAIN, eduTEAMS, and inAcademia. People can expect to see a more service-centric approach with specific service owners guiding each task component (Services, Incubator, Operations, and Enabling Communities).
Keeping with the global view, Heather Flanagan reported on what’s happening in the identity federation space around the world. In Central and South America, RedCLARA made a strong point at their recent TICAL conference that it’s time to look beyond the network to the services that use the network; supporting identity federation is critical to the services on those networks. In the Asia Pacific, the TF-IAM group in APAN is moving beyond the need to understand governance and the value proposition for federations to needing hands-on tutorials on how to stand up the necessary tools. In Africa, several of the regional NRENs such as WACREN and UbuntuNet are turning their attention to creating identity provider services for their customers. Every region has something happening in our space, and it is critical that we keep lines of communication open if we want the work to be interoperable and efficient.
The big-picture view of the world, and REFEDS’ place in it, wrapped up with a discussion of how REFEDS should respond to the Federated Identity Management for Researchers (FIM4R) requirements. If you haven’t read the paper, you should, but the new requirements include:
  • increase research representation in FIM governance
  • sustain operation of critical FIM services
  • provide avenues for ongoing coordination
  • establish a baseline research user experience
  • release R&S attributes
  • provide usability essentials
  • remove interoperability barriers in eduGAIN metadata processes
  • admit research organizations to federations
  • enable researcher mobility
  • security incident response readiness
  • harmonization of research community proxy operations and practices
  • follow the proxy model and related AARC guidelines
  • re-use shared AAI services
  • a user experience sensitive to the needs of researchers
Chris Phillips went into detail regarding how InCommon’s CACTI working group is responding to FIM4R. For REFEDS, however, the most immediate response is that the research representation that already exists within REFEDS needs to be maintained. We need to make sure we’re publishing solid advice around the usability issues that matter to all stakeholder communities.