Introduction
The research and education sector has over the past decades developed a global identity federation ecosystem which has simplified access to content, services and resources for their community. The eduGAIN interfederation comprises over 80 national federations connecting more than 8,000 Identity and Service Providers. On a national level even more services and institutions are connected. The sector has been able to achive this by creating a highly interoperable ecosystem, where both a high level of technical, as well as policy and trust interoperability has been accomplished, through the joined implementation of various specifications. The joined journey of establishing this ecosystem has enabled the emergance of a global research and education trust and identity comunity with strong bonds and decades of experience in deploying and operating identity federation at scale.
REFEDs, the Research and Education FEDerations group, has been instrumental in providing an open meeting place for articulating the mutual needs of research and education identity federations worldwide. Over the years, REFEDS has addressed issues and topics based on the interests and requirements of its participants. This includes mostly policy, but also some technical and outreach topics in areas such as interfederation, privacy, assurance, relationships with partner communities, marketing, and support of emerging federations.
While REFEDs as such has no bias towards a specific technical implementation, the fact that the SAML 2.0 specification is currently the dominant protocol in identity federation in R&E has had some impact on various specifications created by REFEDs. This ranges for protocol specific sections, to assumption on how a specification would be implemented operationally. The rise of protocols like OpenID Connect, OpenID Federation and the emergence of decentralized, wallet based ecosystems requires a revisit of the specifications. Not only should it be investigated in what way the specifications may be implemented in these protocols, in addition we must assume a multi-protocol ecosystem will emerge and exist for several years to come. This means the specifications may also need to take into account how to go between protocols as it may be required to translate between not just technical credentials, but also policy and trust frames.
This document provides a first assesment on how the current REFEDs specifications (Nov 2023) may be leveraged in an OpenID Federation (Draft 31) based federation and in a wallet ecosystem based on OpenID Federation and the OpenID4VC specifications. For the latter it should be noted that as this ecosystem and its standards are still being developed, the statments and assumptions on how REFEDs specification may be relevant should be considered speculative.
REFEDs specifications
source: current list (Nov 2023) - https://refeds.org/specifications (Nov 2023)
...
Specification types
REFEDs identify 4 5 types of specifications:
- Entity Category, defined in RFC8409, are is a metadata 'labelslabel' applied to either identity providers or services which may be used under certain conditions, as signal that they belong to the category which is described in the Entity Category specification, to indicate a grouping of entities. Metadata consumers which understand the Entity Category can alter their behaviour depending on the categories that the entity belongs to. Entity Categories may be used to signal commonly used attribute requirements, or commitment to a certain set of behavioural rules.Entity Attribute are metadata labels applied to either . Taking "Hide from Discovery" as an example: identity providers in this category do not want to be listed by default in discovery services; metadata consumers may be service providers that build their own discovery interfaces, or the metadata consumer may be a third party discovery service.
- Assurance Certification, defined in SAML V2.0 Identity Assurance Profiles Version 1.0, is a metadata label which can be applied to identity providers or services to signal assurance certificationsthat the entity conforms to the requirements of an identity assurance framework. The Assurance Certification can be self-asserted, or require validation by the registration authority (federation). An entity may conform to more than one Assurance Certification.
- Profiles, which define a standard to signal certain behaviour in a federated authentication transaction, and how to respond to such a request.
- Metadata Extension, provide an extention to existing metadata profiles.
- Frameworks, are currenlty basically assurance frameworks, which provide a structured means of describing or defining the main sources of assurance provided within the federation by the member entities of or the federation itself.
- An entity category may be used to expres a certain behaviour from the entity, or compliance to certain commonly understood policy. For example in R&S: "Service Providers that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part". Such Entity Categories may be very usefull as these can be used to inform issuers and user about the verifiers intentions. If an entity category is asserted by the
The Entity Category capability of grouping of entities which have similar hehaviour, goal or purpose seems like a usefull capability
Research and Scholarship
Hide From Discovery
The discovery process, and hence the user flow for an issuer is fundementally different from discovery as used in multilateral SAML federations. Hence this specification is deemed not relevant
OpenID Federation implementation of specification types
OpenID Federation shares many concepts with the existing SAML based federations as currently deployed in R&E. The basic entities (OP, RP and trusted third parties like TA or IA) and the interactions between these can all be represented in OpenID Federation in a similar fashion as these exist in a SAML R&E federation.
- Entity Category: In OpenID federation, a Trustmark is defined as the way to signal certain behaviour of entities. A Trustmark is issued by a Trustmark Issuer, which in turn must be acknowledged in the Trust Anchor
(metadata)to signal the Trustmark is part of the federation. A TA may set rules to enforce that a Trustmark must be present in the entity metadata, which in turn leads to the mandatory requirement for entities to have the Trustmark before a trust chain can be established. The presence of a Trustmark may also be used to filter OPs in support of the discovery process. Trustmarks may be self issued, in which case they still need to be present at the TA. The Trustmark may be owned by a Trustmark Owner outside of the federation and delegate issuance. The Trustmark Owner may provide a delegation jwt to a Trustmark issuer so it can prove the legitimate issuance of Trustmarks.
One critical difference between Entity Categories and Trustmarks is that the same Trustmark cannot be both Self-issued as well as issued by a Trustmark Issuer. - Assurance Certification Signalling assurance certifications may be done using so called Trustmarks.
- Profiles, signalling certain behaviour as part of a transaction is generally covered in the underlying standards like OpenID Connect and OAuth 2.0 by e.g. scopes and claims. The capability for signalling is often available, however the semantics may need to be adopted
- Metadata Extension, provide an extension to existing metadata profiles is allowed in the OpenID Federation specification. For broad acceptance and implementation of an extension it may be needed to engage with the OpenID Foundation, e.g. via de RandE working group
- Frameworks, are currently basically assurance frameworks, which provide a structured means of describing or defining the main sources of assurance provided within the federation by the member entities or the federation itself.
Table 1 provides an overview of the specifications that were evaluated, and identifies the areas in the specification that would need modification to adopt OIDC and OpenID federation. Because of the commonalities in the structure of the Personalized Access, the Anonymous Access and the Pseudonymous Access Entity Category, only the first one was extensively evaluated, see Chapter 6. It was assumed similar modifications will be required for the Anonymous Access and Pseudonymous Access specification.
Overview of findings
...
| specification name | type | Applies to entity | Asserted by | Level of Modification needed? | In scope for OpenIDFed | In scope for wallets | Attribute profile |
|---|
Specific requirements
| SAML Specific Protocol requirements | ||||||||
|---|---|---|---|---|---|---|---|---|
| Personalized Access v.2 | Entity Category | IdP/OP | Registrar |  |  (T) | | |
|
| Personalized Access v.2 | Entity Category | SP/RP | Registrar | | (T) | | | ^^^ |
| Anonymous Access v.2 |
| Entity Category | SP/RP | Registrar | | (T) | |
- operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part
- not be used for access to licensed content
- will not use attributes for purposes that fall outside of the service definition
- shared user identifier
- person name
- email address
- affiliation (optional)
|
| |||||||
| Anonymous Access v.2 | Entity Category | IdP/OP | IdP/OP | | (T) | | | ^^^ |
| Pseudonymous Access v.2 | Entity Category | SP/RP | Registrar | | (T) | | |
|
| Pseudonymous Access v.2 | Entity Category | IdP/OP | IdP/OP | | (T) | | | ^^^ |
| Research and Scholarship (R&S) v1.3 | Entity Category | SP/RP | Registrar | | (T) | | |
|
| |||||
| Research and Scholarship (R&S) v1.3 | Entity Category | IdP/OP | IdP/OP | | |
- will release attribute bundle attributes to R&S Service Providers for a significant subset of user polulation
- persistent, non-reassigned, non-targeted identifier
| (T) | | |
| ^^^ | ||||||||
| Hide From Discovery v.1 | Entity Category | IdP/OP | IdP/OP |  | |
|
| Assurance v. |
- proof of successful authentication [ only ]
- signaling that they do not wish to receive personalized data
- organization
- affiliation (optional if no affiliation exists)
- Section 4, RC3
- Section 5 (extention already possible)
- Section 7
- Section 8
- release all required attributes in the bundle for a significant subset of user polulation
- organization
- affiliation (optional if no affiliation exists)
- Section 4, RC3
- Section 5 (extention already possible)
- Section 7
- Section 8
- release all required attributes in the bundle for a significant subset of user polulation
| 1 | Framework | IdP/OP | IdP/OP |  | | | |
|
| MFA Profile v.1 | Profile | | | | |
| ||
| SFA Profile v.1 | Profile | | | | |
| ||
| Sirtfi v1 & v2 | Assurance Certification | SP/RP | Registrar | | (T) | | ||
| Sirtfi v1 & v2 | Assurance Certification | IdP/OP | IdP/OP | | (T) | | ||
| Security Contact | Metadata Extension | IdP/OP, SP/RP | IdP/OP, SP/RP | | | |
|
Legend for relevance column: Under investigation; 
Not relevant; Relevant; (T) Trustmark required
Indication of required changed: No changes required; Minor updates to wording required; Significant updates to wording required; Significant updates to wording and/or implementation required
Detailed discussion
Generally speaking, the information from the specifications is distributed in two ways:
- Entity metadata and/or
- As part of the transaction (e.g. in specific attribute values)
When a specification defines specific metadata elements to be be present, if is often required to have a protocol specific section in the specification. Not only is the technical format different (XML vs JSON), but there is also a difference in the way certain capabilities are expressed, e.g. Entity Categories vs Trustmarks, see later). When the specification only deals with 'on the wire' information, which is transmitted as part of the transaction, like e.g. attribute assurance, it if often much easier to adopt the specification to use in OIDC and OpenID federation, as often it suffices to just use the equivalent OIDC claim to transport the same values that were defined in the SAML based specification.
Personalized Access v.2
REFEDs has defined a set of functionally similar specifications "Research and Scholarship", "Anonymous Access", "Pseudonoymous Access" and "Personalized Access". All of these specifications share the fact that they express the capabilities in entity metadata. To investigate the potential impact of introducing the use of OIDC and OpenID Federation, the Incubator has made an in depth analysis of the impact on "Personalized Access Entity Category". The document which was created is not intended as a proposal to replace the existing specification, but rather as a practical exercise to asses the impact. The document can be found here: https://github.com/surfnet-niels/REFEDs-specifications/blob/main/personalized.md
Generally speaking the following was noted:
- The layout of the existing specifications should be adopted significantly to allow for incorporating new protocols.
- Many sections, even if these do not specifically reference an implementation, make use of SAML specific jargon. This includes the name of the thing itself: an Entity Category is defined in the SAML specification.
The OIDC specification supports the concept of contact details, but only as a simple multivalued list of strings. In the SAML version of the specification a more fine grained methodology is used, where technical, administrative and support contact details are identifiable. To resolve this issue, the proposal in github suggests a new claim, "contacts_detailed", supports the same granularity as is used in the SAML implementation of the specification.
The use of entity labels, "Trustmarks" in OpenID Federation, is subject to specific rules as layed out in the OID Fed specification. As such it is not possible to have the same Trustmark exist both as a self-issued and at the same time as a trustmark issued by a trustmark issuer, which is what the current specification suggests (SPs and IdP may both publish support for the entity category, however the SP version is vetted by FedOps, whereas the IdP version is self issued). This might lead to the need to have different trustmark identifiers per protocol. This is probable not optimal as it may lead to ambiguity in the implementation of the same specification between protocols.
- OpenID Federation has a well developed mechanism to delegate the issuance and ownership of Trustmarks. These capabilities may allow REEFDs to be owner of the relevant Trustmarks without the need to implement a technical infrastructure which would have to be part of the actual authentication transactions.
- It seems like a good idea to include the definition of a personalized scope to streamline the exchange of personal data
Assurance Framework
The assurance profile already has a provision (section 7) on how to use the specification with OIDC. All statements which are part of this specification are expressed as claim values.
MFA and SFA framework
The Multi- and Single Factor Authentication profile express all statements at transaction time. Both specifications already describe how to use these both in the SAML and in OIDC. For both SAML and OIDC the specification is relevant to the transaction at hand. In a wallet ecosystem, it might be relevant to transport this MFA or SFA information as part of the credentials statement made by a wallet, as such information refers to the LoA of the credentials stored in the wallet. To describe such information, it may require a specification similar to the existing RAF, or perhaps RAF may be extended to include this information.
SIRTFI
The SIRTFI specification leverages metadata to signal compliance for both SPs/RP as well as IdP/OP. When discussing the SIRTFI specification the following was noted:
- The layout of the existing specifications should be adopted significantly to allow for incorporating new protocols.
- Many sections, even if these do not specifically reference an implementation, make use of SAML specific jargon. This includes the name of the thing itself: an Entity Category is defined in the SAML specification.
The OIDC specification supports the concept of contact details, but only as a simple multivalued list of strings. The SIRTFI specification mandates the presence of a security contact, as described in the Security Contact specification. To resolve this issue, a new claim, "contacts_detailed", could support the required granularity that is needed.
The use of entity labels, "Trustmarks" in OpenID Federation, is subject to specific rules as layed out in the OID Fed specification. As such it is not possible to have the same Trustmark exist both as a self-issued and at the same time as a trustmark issued by a trustmark issuer, which is what the current specification suggests (SPs and IdP may both publish support for the entity category, however the SP version is vetted by FedOps, whereas the IdP version is self issued). This might lead to the need to have different trustmark identifiers per protocol. This is probable not optimal as it may lead to ambiguity in the implementation of the same specification between protocols.
- OpenID Federation has a well developed mechanism to delegate the issuance and ownership of Trustmarks. These capabilities may allow REEFDs to be owner of the relevant Trustmarks without the need to implement a technical infrastructure which would have to be part of the actual authentication transactions.