By Heather Flanagan (REFEDS coordinator)

When I worked in university IT many years ago, universities were just beginning to grapple with the idea of moving their email systems from in-house servers to Google. The response was divided, with faculty members generally falling into the camp of “you’ll host my email in big tech over my cold, dead fingers,” while students were asking, “why doesn’t this look like my Google account and have all the same features?” Within three years, though, faculty members began to ask why they couldn’t have the same seamless experience as their students. This shift in mindset led to a mass migration to Google, a move that seemed unthinkable just a few years prior.

Fast forward to today, and we find ourselves in a very similar situation, but this time, it’s not about email—it’s about academic identity federation. I see a lot of parallels here. Federation operators and possibly university administrators feel the need to own and manage the identities of their constituents. It’s a matter of control, security, and tradition. However, the individuals—students, faculty, researchers—are on the cusp of something new. They’re beginning to embrace the idea of having their own digital identities, ones that they control and prefer to use across various platforms and services, both academic and non-academic.

What We’re Up Against

We have several challenges to our current way of doing things:

  • SAML is an Unmaintained Protocol: SAML is increasingly seen as outdated. It’s an unmaintained protocol, and as the world of identity evolves, SAML will not keep pace with new demands and technologies.
  • Governmental Push Towards Verifiable Credentials: Governments worldwide are moving towards frameworks that support verifiable credentials, arguably a more flexible approach to identity that allows individuals to own their own online identity and share it in a secure, privacy-respecting way.
  • The Rise of OpenID Connect and OAuth: The protocols that transport these verifiable credentials are more often OpenID Connect and OAuth, not SAML. These newer protocols are rapidly becoming the standard for identity management, particularly in sectors outside of academia.
  • Underfunded Federation Operators: Federation operators, often underfunded and stretched thin, are usually only able to maintain their existing infrastructure. This lack of resources makes it challenging to innovate or adapt to new frameworks, leaving them clinging to SAML and other legacy systems out of necessity rather than choice.

I’d also add that modern identity systems do much better at functionally separating the concepts of identity, authentication, and authorization in ways that most SAML implementations don’t seem to manage. Does it make sense to continue to try to push the implementation of things like entity categories when migrating to a better framework will be a better long-term solution?

What We Need to Do

I think we need to consider a couple of things. We either need to prepare to close our doors or redefine what we do.

  • Find a Migration Path to the Newer Framework: It’s imperative that we begin to chart a path from our current reliance on SAML to the newer frameworks that are taking hold. This migration won’t be easy, nor will it be quick, but it’s necessary if we want to stay relevant and meet the needs of our constituents.
  • Redefine the Role of Federation Operators: As we migrate to new frameworks, we also need to redefine what it means to be a federation operator. In this new landscape, the role may shift from one of managing identity directly to one of facilitating and supporting a broader ecosystem of identity services. This could involve working more closely with other sectors, embracing new protocols, and finding innovative ways to support the academic community.

Does REFEDS Have a Role in the New Framework?

This brings us to a critical question: does REFEDS have a role in this new framework? On the one hand, REFEDS could play a significant role in shaping how these new identity frameworks are implemented within academia. On the other hand, it may be time for us to consider merging our efforts with other initiatives that are already underway, aligning with whatever makes the most sense for our specific regions and institutions. It’s a natural evolution; ending doesn’t mean we’ve failed, it means it’s time to make room for something new.

What is clear is that we need to have a conversation about this—sooner rather than later. The landscape of identity is changing rapidly, and if we don’t adapt, we risk being left behind.

Conclusion

Just as we saw with the transition from in-house email systems to Google, the world of academic identity federation is on the brink of a major transformation. The move from SAML to newer frameworks like OpenID Connect and OAuth, driven by the rise of verifiable credentials, is inevitable. Our challenge is to navigate this change thoughtfully, ensuring that we continue to meet the needs of our academic communities while embracing the opportunities that these new frameworks offer.

We’re going to be talking about this further at upcoming REFEDS meetings. I hope to see you there, bringing your own thoughts and ideas to the table!