
DRAFT

Next steps with OIDC

The TAC’s involvement with OIDC/OAuth2 as a protocol for federation (or possibly as a Shib/OAuth2 gateway) was discussed at the 2016 Tech Exchange in Miami.  The decision was to spin up a WG to survey the community, and take next steps based on the results of the survey.  This Work Plan item is that “Next Step.”  What should we do?

Discovery 2.0

Current models of IdP discovery depend on a [monolithic] SAML metadata aggregate that lets a discovery service know about ‘all’ relevant IdPs.  In a world where there is no longer an aggregate (or where aggregates are too large for software to work with realistically), SPs need a way to obtain a list of IdPs that meet their requirements, and then to fetch the metadata for each IdP the SP wants to present to its users.  Alternatively, a more fundamental change in how discovery works may be necessary: for example, discovery driven by the right-hand (scope) side of a scoped user identifier such as user@example.edu, resolved through WebFinger, as in the OIDC Discovery model.
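The identifier-driven alternative sketched above, as an added Python example (this is illustrative code written for this page, not TAC or InCommon software): the scope portion of the identifier selects which host to ask, a WebFinger query (RFC 7033, as profiled by OpenID Connect Discovery 1.0) names the issuer, and the issuer's own configuration is fetched and cross-checked. No aggregate is consulted. The hosts, identifiers and HTTP responses are constructed fixtures, and rejecting plain-http identifier URLs is this example's choice rather than a spec requirement.

```python
"""Identifier-driven IdP discovery in the OpenID Connect style, run offline.

Added example for this page; not InCommon/TAC code. The right-hand side of a
scoped identifier picks the host, WebFinger returns the issuer, and the
issuer's metadata is cross-checked. All network responses are fixtures.
"""
import json
from urllib.parse import quote, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize_identifier(user_input):
    """Return (resource, host) following OpenID Connect Discovery 1.0 s2.1.

    'alice@example.edu'         -> ('acct:alice@example.edu', 'example.edu')
    'acct:alice@Example.EDU'    -> ('acct:alice@Example.EDU', 'example.edu')
    'https://example.edu/alice' -> ('https://example.edu/alice', 'example.edu')
    """
    s = user_input.strip()
    if s.startswith("acct:"):
        resource = s
        host = s.rsplit("@", 1)[1] if "@" in s else ""
    elif "@" in s and "://" not in s:
        resource, host = "acct:" + s, s.rsplit("@", 1)[1]
    else:
        resource = s if "://" in s else "https://" + s
        parts = urlsplit(resource)
        if parts.scheme != "https":  # example's choice: no http identifiers
            raise ValueError("only https URL identifiers accepted: %r" % user_input)
        host = parts.netloc.rsplit("@", 1)[-1]  # drop userinfo, keep any port
    host = host.split("/")[0].lower()
    if not host or any(c.isspace() for c in host):
        raise ValueError("identifier carries no usable host: %r" % user_input)
    return resource, host


def webfinger_url(resource, host):
    """WebFinger query to the scope's host, asking only for the issuer rel."""
    return ("https://%s/.well-known/webfinger?resource=%s&rel=%s"
            % (host, quote(resource, safe=""), quote(OIDC_ISSUER_REL, safe="")))


def issuer_from_jrd(jrd_text):
    """Pull the issuer out of a JRD, rejecting a missing/ambiguous link or a
    non-https issuer (OIDC requires https and no query/fragment)."""
    jrd = json.loads(jrd_text)
    hrefs = [l.get("href") for l in jrd.get("links", [])
             if l.get("rel") == OIDC_ISSUER_REL]
    if len(hrefs) != 1 or not hrefs[0]:
        raise ValueError("JRD must carry exactly one issuer link, got %r" % hrefs)
    issuer = hrefs[0]
    p = urlsplit(issuer)
    if p.scheme != "https" or not p.netloc or p.query or p.fragment:
        raise ValueError("issuer must be a clean https URL: %r" % issuer)
    return issuer


def discover(user_input, fetch):
    """Whole flow. fetch(url) -> str stands in for an HTTPS GET so this runs
    offline. Returns the verified provider configuration."""
    resource, host = normalize_identifier(user_input)
    issuer = issuer_from_jrd(fetch(webfinger_url(resource, host)))
    config = json.loads(fetch(issuer.rstrip("/") + "/.well-known/openid-configuration"))
    # OIDC Discovery s4.3: the configuration's issuer MUST equal the issuer
    # it was fetched for; otherwise the RP must not use it.
    if config.get("issuer") != issuer:
        raise ValueError("issuer mismatch: JRD %r vs configuration %r"
                         % (issuer, config.get("issuer")))
    return config


# Constructed fixtures. The scope host delegates to a different issuer host,
# which is the point: the scope decides who is asked, not where auth happens.
ISSUER = "https://login.example.edu"
FIXTURES = {
    webfinger_url("acct:alice@example.edu", "example.edu"): json.dumps({
        "subject": "acct:alice@example.edu",
        "links": [{"rel": OIDC_ISSUER_REL, "href": ISSUER}]}),
    ISSUER + "/.well-known/openid-configuration": json.dumps({
        "issuer": ISSUER,
        "authorization_endpoint": ISSUER + "/authorize",
        "token_endpoint": ISSUER + "/token",
        "jwks_uri": ISSUER + "/jwks"}),
    # Scope whose JRD points at a plain-http issuer: must be rejected.
    webfinger_url("acct:bob@weak.example", "weak.example"): json.dumps({
        "subject": "acct:bob@weak.example",
        "links": [{"rel": OIDC_ISSUER_REL, "href": "http://login.weak.example"}]}),
}


def offline_fetch(url):
    if url not in FIXTURES:
        raise LookupError("no fixture for %s (a real RP would GET it)" % url)
    return FIXTURES[url]


if __name__ == "__main__":
    cfg = discover("alice@example.edu", offline_fetch)
    print("alice@example.edu ->", cfg["issuer"], cfg["authorization_endpoint"])
    try:
        discover("bob@weak.example", offline_fetch)
    except ValueError as e:
        print("bob@weak.example rejected:", e)
```

The caveat for a federation: in this model the SP's trust anchor is DNS plus TLS for the scope's domain and the issuer-match check, not a federation-signed aggregate, so nothing in the flow tells the SP whether example.edu is an InCommon participant or what assurance its IdP carries; that vetting has to come from somewhere else.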

Current known scalable discovery implementations:

Attribute release

The InCommon Federation was founded on a principle of privacy protection (limited attribute release to SPs).  This approach may have contributed to very restrictive Attribute Release Policies (ARPs) on campuses (along with privacy laws and FERPA).  The Research & Scholarship (R&S) Attribute Bundle was created to help research and collaboration organizations get campus IdPs to release the attributes they need from researchers and collaborators accessing their resources with federated credentials.  Unfortunately, R&S, while a great idea, has not been adopted by nearly enough institutions to make federation “work” for research organizations.  This item is more of an outreach effort to communicate to campuses the importance of a more open attribute release policy, particularly for the R&S SPs in the InCommon/eduGAIN metadata.

Federation Interoperability

Build on the work of the SAML v2.0 Implementation Profile for Federation Interoperability to update and extend saml2int and/or propose additional R&E federation-specific profiles that may be taken to REFEDS for review/adoption.

Improve Community Access/Visibility to TAC (See: InC TAC)

Complaints from participants that would like to see TAC working on specific issues (known concerns from the Research community) or at least visibility into what’s being done, have prompted this Work Item. This is a direct response to the lack of “Openness” by TAC (and others).  From an internal perspective, it’s frequently difficult to find TAC documents or WG information unless you happen to have the link to it.  This project will focus on a “temporary fix” that will make TAC work items and additional content more visible to the community, and accessible from a common site.  A longer-term solution will align with a future redesign of the Internet2/InCommon web site.

Service Provider (SP) Onboarding

Currently, Identity Provider organizations (IdPOs) provide testing and onboarding guidance for new service providers. This process has allowed InCommon to scale in this regard but, over time, has contributed to the variability in service provider configurations. It also places an undue burden on IdPOs, who spend time explaining detailed requirements to new service providers and ensuring that these new members interoperate accordingly.

The Service Provider Onboarding activity would explore how service providers are onboarded by IdPOs and make recommendations for services, technologies, and processes that better align practices across federation service providers.

As a side note, there are implications on Identity Provider Operators as well as Service Providers. It is proposed that this is out of scope (for now) for this work task.
