With nearly 100 people in the room, the REFEDS 41 meeting in New Orleans provided another excellent opportunity to share knowledge, experience, and ideas with representatives from the global R&E FIM community. Topics ranged from updates on actives areas of work within REFEDS, thoughts on improving metadata, the ever-present challenges around attribute release, and a particularly engaging opportunity to experience a TRANSITS exercise. All slides from the dozen topics covered during the meeting are available on the meeting website

Data About Metadata

For many years, federations implemented localized practices on what needed to be in their entries within the federation’s metadata. Over time, and particularly with the grown of eduGAIN, this inconsistent collection of metadata has created a wealth of challenges for interfederation as well as for localized FIM applications. Tom Barton described some of those challenges as he talked about the “Impact to Researchers of IdP Non-Compliance”. This in turn set the stage for a broader discussion on establishing a “Federation Baseline Maturity” model, a discussion led by Nicole Harris. There are other things that might be done to an entity’s metadata, such as local assigned but globally defined trust marks as described in Niels van Dijk’s session on “Pixie Dust”.

Federation Incident Response Exercises

With the growing success of SIRTFI, federation operators are starting to consider more in the way of combined incident response activities. Hannah Short brought forward a proposal to run an “eduGAIN Crisis Management exercise”, and Marina Adomeit and Licia Florio offered an update from the eduGAIN Security team.

As something new for REFEDS, Nicole Harris walked attendees through a sample incident response scenario, based on the TRANSITS exercise done in the Task Force for Computer Security Incident Response Teams (TF-CSIRT). While this kind of activity is normally done over several days, the experience of exploring different scenarios and how to consider responses to security incidents from both organizational and legal perspectives. 

InAcademia, IdPaaS, and Consent-informed Attribute Release

Moving from the topics of data about metadata and security incident response, we looked at some of the latest work in the attribute release space. Marina Adomeit provided an update on InAcademia, an online service for student validation. Tom Barton and Niels van Dijk then talked about work happening in the IdP as a Service space, where inCommon is kicking off a working group to discuss what this might look like, and how that work might migrate into REFEDS (possibly as a part of, or perhaps in place of, the IdP of Last Resort working group).

Whether one is looking at a generic IdP as a Service, or a specific organizational IdP, the question of how to support user-enabled attribute release is still a significant area of work and concern. Ken Klingenstein offered an update on the Consent-informed Attribute Release project, deployed in production at Duke University. This has the potential to be a massively useful tool for IdPs to put control of attribute sharing directly into the hands of users, and from there supporting a better attribute release policy for all.

OIDC and Shibboleth

Last but definitely not least for the day was the official announcement regarding the handover of the OpenID Foundation’s certified code that will allow native support for OIDC within Shibboleth. The heavy lifting on this was done by Henri Mikkonen and Janne Lauros of CSC, with support from the Shibboleth Consortium Development team. The addition of native OIDC support to Shibboleth makes one of the most popular FIM tools in the R&E world even more powerful. 

Next Meeting

Our next meeting will be held on Monday, 8 June 2020 in Brighton, UK, in conjunction with TNC2020. A call for agenda items will go out a few weeks before the meeting. We look forward to seeing you there!