The Attributes for Collaboration and Federation Working Group will have participants from the key stakeholder groups that need/use, "own" and protect common attributes used in federated access exchanges. The working group will explore reasons default attribute release policies (ARPs) are not in place at most campuses, propose a default list of attributes for InCommon IdP operators, develop and execute a roadmap for adoption of Research and Scholarship Service Category as well as a default attribute release policy (ARP), and review and enhance online content for identity provider administrators so they have a clear set of steps to follow to implement the desired approach.
The InCommon Federation was founded on a principle of privacy protection (based on local authentication and limited attribute release to SPs) with an expectation that campuses would actively manage their Attribute Release Policies and adopt attribute release “bundles”, based on the needs of their respective campus communities. However, this approach, influenced by a conservative interpretation of privacy regulations such as FERPA, and a common assumption that the primary driver for attribute release is enterprise contracts, has resulted in very restrictive Attribute Release Policies on campuses.
The Research & Scholarship (R&S) Category, was created as a scalable way for campus IdPs to easily create a global attribute release policy targeting SPs that have been validated as supporting Research & Scholarship. The underlying principle is that for people accessing these SPs, associating their name with their work is more important than remaining anonymous.
Unfortunately R&S, while a great idea, is an opt-in model and has not been adopted by enough institutions to make federation “work” for research organizations. A joint InCommon Steering, InCommon Technical Advisory Committee (TAC) and InCommon Assurance Advisory Committee (AAC) priority for 2017 and the first 6 months of 2018, is to “flip the bit” of R&S, i.e., make it an opt-out model that is a social expectation and the technical default (as much as possible), and dramatically increase the adoption across current higher ed and research identity providers. Otherwise, frustrated research organizations may seek alternatives to the InCommon federation.
In addition, many non-R&S SPs only require a unique identifier or alternatively an email address to allow access to services. These attributes (including in some cases a user’s name and campus affiliation) are usually considered “directory information” under FERPA guidelines, and unless a student specifically requests to block release of that information, could be released by default to ALL SPs.
The InCommon Technical Advisory Committee (TAC), InCommon Steering, and the InCommon Assurance Advisory Committee (AAC) are committed to re-addressing this issue of basic attributes needed for federation, and working with InCommon participants and their campus stakeholders to ensure attribute release meets the needs of the community.
This will initially be an invitation-only membership working group in order to ensure we have the right stakeholders contributing their ideas and expertise. However, webinar(s), email lists, and the WG wiki will be used to communicate with the community. (See member roles in the right sidebar.)