...

If you like an existing idea you can just add a +1 for endorsement. The more supporters a proposal gets the more likely it is to be implemented.

...

Example from the previous cycle

...

The eduGAIN service activity will set up a POC in order to evaluate the new OpenID Federation (OIDfed) standard and wants to eventually create an official eduGAIN Technology Profile to extend the current service.

The Trust and Identity Incubator has over the years built considerable experience with developing tooling and implementing OpenID Federation in various products and languages, as well as evaluating e.g. REFEDS specifications in the context of OIDfed.

This activity seeks to contribute to the eduGAIN PoC by:

  • Sharing existing experience and providing a sparring partner to the eduGAIN PoC team
  • Contributing to standards and policy development for eduGAIN and national federations (upon request by the eduGAIN PoC team)
  • Developing or further enhancing software tools, including, but not limited to:
    • Contributing to existing software development for the eduGAIN PoC
    • Building/productising a (scalable) resolver which can be deployed by fedops and eduGAIN
    • Further improving visualisation and reporting tooling
    • Further improving the Go-based OP/RP

The incubator will work on these in close collaboration with the eduGAIN PoC team.

How are the topics selected?

The T&I incubator topics are generated by different methods:

  • public calls for proposals for ideas (on relevant email lists). The calls for ideas are not only for the next upcoming cycle.
  • based on input from the T&I service owners and the service owner's development plan
  • by the incubator team by participation at relevant events (TNC, TIIME, FIM4R, TechEx, etc.)
  • by the incubator team based on its own research
  • re-evaluation of past, not-yet-implemented proposals to see if their relevance increased or conditions improved.

During the public calls there is a possibility to support (+1) topics (in this wiki) and to comment/enhance proposals made by others. While there is a season for public calls, the task leads might be approached at any time with a topic idea.

Ultimately, it is the task leads' responsibility to pick the topics, supervised by the work package leads and with the input and guidance from the WP5 lead team.

The task lead's job is to verify that: 

  • the proposal is in line with and supports the execution of the GEANT strategy for the T&I area and the objectives of the GEANT project T&I Work Package
  • the proposal is realistically implementable in the ~ net 6 months that is available for one cycle for effective work, and within the budget
  • there is an adequate kind and amount of skill within the team to carry out a proposal. This means that even a well-prepared topic might get delayed or not picked up if it requires a special skill (e.g. a programming language) that cannot be acquired.
  • there are no past or parallel efforts to carry out the exact same work. Similar, complementary, related efforts are not a problem as they signal interest in the general area. In such cases the proposal should be adjusted to prevent reinvention and to enhance collaboration with related work
  • in general, there should be an element of novelty and risk in the proposals. The Incubator is a dedicated space for the T&I topic to experiment and even fail in a managed way. This is much less afforded to the other activities. Therefore, any proposal that achieves risk-less development goals has an opportunity cost of not using the resources for experimental, exploratory work. Experimental nature might come from: a first-of-a-kind implementation of an idea or a spec; a first-of-a-kind combination of technologies; a proof-of-concept for yet untested ideas, etc.

The points above also mean that topic popularity itself can only be one factor of topic selection. The task leads should be transparent about their reasoning.

It is also the task leads' job to improve and enhance any proposals to achieve the above goals, which might require background research, community engagement and looking for talent.


Example from the previous cycle

Title | Status | Proposer | Supporter (+1) | Description | Possible outcomes | Notes

<title>

New proposal

Proposer Name (Affiliation) and Another Proposer Name (Affiliation)

Supporter name (optional. supporters might show up later)

A detailed description of the work: some context, goals, motivation.




Proposals:

Topic submission deadline

The Call for Ideas is always open. Currently we are looking for ideas for the cycle starting in June 2026.


Title | Status | Proposer | Supporter (+1) | Description | Task leaders' notes

Post quantum cryptography for OpenID Connect and OpenID Federation

new proposal

Davide Vaghetti

 

How ready are OpenID Connect and OpenID Federation for post-quantum cryptography algorithms such as ML-KEM? I propose a lab & research activity to verify if the most prominent OIDC and OIDFed Trust Anchor, OP and RP implementations for our community (go-oidfed Lighthouse, go-oidfed OFFA, SUNET inmor, Shibboleth OIDC and OIDFed Plugin and SSP OIDC and OIDFed module, SATOSA, Keycloak, to name a few) can handle signing and encryption with post-quantum cryptography algorithms.


Update radsecproxy in OpenWrt: TLS-PSK support

new proposal

János Mohacsi

 

Upgrade the OpenWrt radsecproxy version to the latest version and provide a UCI interface according to the guidelines documented in the eduroam configuration guides and the "TLS PSK configuration" guideline.


Document radsecproxy TLS PSK configuration and develop guideline for TLS PSK enrollment 

new proposal

Janos Mohacsi

 

The TLS-PSK standard is a candidate to replace the traditional eduroam proxy hierarchy and make the eduroam infrastructure more secure, with proper F-TICKS logging.


Refactor geteduroam server to use pkcs11 library to support HW cryptography modules

new proposal

Janos Mohacsi 

 

geteduroam has an internal CA, which currently uses OpenSSL. Check and extend the OpenSSL usage so that pkcs11 can be configured and used to communicate with Hardware Security Modules or smart cards. Check and test especially the x86 PC TPM modules and the Apple Secure Enclave.


Microsoft Entra vs Federations

New proposal

scribed by Mihály Héder 

 

The idea proposed by various parties is to investigate MS Entra and make sure, possibly by means of guide documents, helper code or proxies, that it works flawlessly with the federation technologies of our community. Finding out what the gaps and pain points are is part of the topic.


More Manageable Keycloak

New proposal

scribed by Mihály Héder

 

In plenary discussion at TIIME as well as local NREN discussions in Hungary and elsewhere it was established that Keycloak is an operator's favorite due to its good UX. At the same time, automated metadata processing and OIDFed capabilities are lacking. The goal is to remedy these shortcomings.


nginx and new Shib Service provider

New proposal

scribed by Mihály Héder

 

Proposed in discussion with Scott Cantor from the Shibboleth Consortium during TechEx 2025 Denver. The idea is to re-use the Java-based main logic of the Shibboleth code not only with its native Apache module but also in nginx, with the same functionality.


multi-protocol discovery service

New proposal

scribed by Mihály Héder 

 

At TIIME 2026 in the OIDFed discovery service session there was a near unanimous call for multi-protocol discovery services that will work in a world where there are both SAML and OIDFed entities of relevance. The task is to investigate and create a proof-of-concept for such a service.


SATOSA gap analysis for OIDFed

New proposal

scribed by Mihály Héder

 

In a multi-protocol future, there will be a great need for proxies that can translate between protocols such as SAML and OIDFed. SATOSA is such a proxy. While there are certainly various Python libraries that can be used for providing OIDFed functionality, the exact landscape should be analysed and a gap assessment should be made. This point was made by the audience at both TechEx 2025 and TIIME 2026.


Model Context Protocol for AI + Trust and Identity

New proposal

Mihály Héder

 

The Model Context Protocol (and a few similar solutions) are used in the world of AI for agents (both AI and human) to access machine learning and inference resources. The authentication and authorization challenges are vast and not dissimilar from what our T&I community has experienced. Since MCP is likely to be used in an NREN context, the incubator should investigate the landscape. It is very likely that the vast number of agents could benefit from an OIDFed-like technology, and that the authorization model could approximate a Membership Management Service (MMS) model well known in our community.

Some questions to resolve are: 

  • AI agent identification in the context of a multi-agent system.
  • Delegation from humans to artificial agents with clearly defined limits
  • In accordance with the AI Act, traceability and auditability, ensuring trust, accountability, and the ability to revoke permissions if needed, while still working seamlessly across multiple institutions through the identity federation.


Analysis of the Advantages and Disadvantages of Generative AI for Digital Identity Wallets.
 

New proposal

 

Generative AI opens up new possibilities for improving the security, usability, and efficiency of digital identities. On the other hand, the same technology can exacerbate threats such as identity theft, document forgery, deepfake attacks, and data leaks.

However, digital identity wallets based on standards such as VC, OIDC4VCI, and OIDC4VP are evolving into a central trust infrastructure in government agencies, educational institutions, and online services.

Despite this importance, a comprehensive analysis of the positive and negative impacts of generative AI on digital identity wallets is still lacking.

This work provides a comprehensive analysis of the advantages and disadvantages of generative AI for digital identity wallets and proposes a model for their secure and standards-based use.

Since digital identity wallets are still under development, it makes sense to explore solutions that leverage generative intelligence to improve their secure design and development. In other words, how can Gen-AI enhance a digital wallet without compromising users and their data? Gen-AI can also be helpful during the design phase.

For example:

  • How can data validated by multiple VCs be meaningfully combined with GenAI for a dedicated goal?
  • Given the variety of VC formats, how can AI assist in converting VCs between formats or languages without compromising their validity?

  • How can AI assistants be integrated into a wallet without exposing user data to leakage or misuse?

Before we can deploy AI in these or similar scenarios, we need to understand the associated risks.

Therefore, the objectives can be summarized as follows:

- Investigation of the positive application possibilities of Gen-AI to improve functionality and user experience

- Analysis of security risks such as spoofing and data breaches through generative models

- Evaluation of the compatibility of Gen-AI with the standards VC, OIDC4VCI, and eIDAS2.0 (we can discuss whether it is difficult)

- Development of proposals (model proposal) for the responsible use of Gen-AI in digital identity wallets

The scope of work can be limited to educational scenarios.

P.S.: We briefly discussed Gen‑AI risks in the wallet team, but none of the team members have deep knowledge in the Gen‑AI area. Therefore, I thought it would be useful to explore this specific topic together with a student.


OIDFed comprehensive testing

under development

Group discussion at TIIME (scribed by Mihály)

Mike Jones, Niels Van Dijk, Mihály Héder

The incubator could meaningfully contribute to the OpenID Foundation's Certification test suite by defining and possibly implementing test cases. 

An initial list of areas to test.

Functional requirements:

  • Multi-language support. Obviously critical in our sector (R&E), but really, everywhere. By default an educational institution, at least in the EU, will have to support at least English + their local language, and in many cases, e.g. in Switzerland, there is a need to support EN, FR, DE and IT simultaneously.
  • Trustmarks: this capability is currently not well represented in the tests
  • (Handling of) Metadata policy

Non-functional requirements:

  • Scaling: large leaf count environments (possibly thousands), long trust chains (is the increment linear or at least polynomial?), etc.
  • Stress testing: can cheap HTTP calls generate costly background processes (i.e. building trust chains), possibly leading to DoS attacks and the need for throttling methods?


Shibboleth SPv4 alternative agents

under development

Mihály Héder, based on discussion at the Shib consortium update, Denver, 10 December 2025

 

Building on the recent work done by the Shibboleth Consortium, it will now be possible to create light-weight agents (as in modules in web server stacks) for various web applications. These agents would be able to leverage all functionality that is maintained in the Shibboleth Java code, which will be run as a 'hub', including the SAML stack, OIDC, OIDFed (under development), etc. The target could be nginx, Django, potentially others.

Good risk for reward as we have relevant skills on team and it enables several function points all at once.

Satellite eduroam (satroam..?) development

 pending discussions

David Patterson

Klaas Wierenga

Authenticating to eduroam over Low Earth Orbit (LEO) satellite connectivity has the potential to extend connectivity to areas with no infrastructure, or where 4/5G mobile coverage is poor.  Satellite eduroam (satroam) could enable NRENs to provide secure connectivity for emergency medicine, disaster relief, environmental research, and addressing the digital divide in marginalised regions. 

The proposal is for Jisc to coordinate the following activity:

  • Coalition. Establish a small-scale collaboration with up to 3 additional NRENs to share expertise and insights, and help shape the future development of satroam 
  • Testing. Support proof-of-concept testing of satroam, to include: authentication processes; alternative LEO providers; diverse geographical regions; end user groups.
  • Use cases. Produce examples of satroam, and identify future areas of investigation.

This follows proof-of-concept testing, conducted in partnership with KENET (Kenya), as part of the GÉANT Twinning Programme: How Jisc and KENET extended eduroam to rural Kenya using satellite internet - Jisc. The work in Kenya is based on Jisc's Extending eduroam service, which allows users to authenticate to eduroam over 4/5G. 

 

Public VC credentials

under development

Branko Marović (UoB/AMRES), Mihály Héder

 

Using a Go implementation for public verifiable credentials (credentials that are not primarily issued to a wallet but published on a website or other public surface), developed by WP9 with OpenBadges 3.0 to certify software quality or related software team practices, other use cases could be implemented. This implementation is accompanied by a suitable certificate framework and dataset, which would probably need to be adapted for other use cases.

The task is to investigate suitable use cases and how they could be achieved. One example is a reviewer appreciation certificate (see the topic list). Others include a range of educational use cases where OpenBadges 3.0 is applicable. An additional interesting concept is that the subject of the credential does not necessarily have to be a person - it could be a repository, a company, a group, or similar.

Note (Mihály): We need to define a bit more, investigate Moodle/Canvas/etc. integration modes, or integration with IdP dashboards.

Convergence of Password/passkey Managers and Wallets

under development

Mihály Héder

 

From the point of view of the user experience of an ordinary web user, the landscape is getting quite confusing. Thanks to user education and frightening stories about stolen passwords and breaches, an increasing number of users rely on complicated password variations or generated passwords and, because of this, on saving passwords. This can be done in browsers, where, depending on browser accounts (like Google accounts signed in to Chrome), the passwords get stored centrally. Others learn about end-to-end encrypted, hosted, dedicated password managers, such as Bitwarden, ProtonPass, etc. Yet another route is to rely on OS-level solutions, such as some Android and Windows ones. With the rollout of Passkeys by big providers such as Google, users have to use some sort of manager software to store those. In this diverse set of identity tools most users will have to use, the wallet ecosystem provides new ways of getting confused. Strictly based on theoretical models of user acceptance (and not other considerations such as security, sovereignty, etc.) we can hypothesize that users will prefer those solutions that integrate everything, such as a potential Google wallet version in the future, and won't prefer a dedicated wallet app such as Paradym, wwWallet, Lissi, Sphereon, etc. The follow-up question is then how to provide an open source alternative (such as KeePass{XC}) or at least a European alternative (Proton) integrated with wallet functionality for those users who are interested in this.

 

Scalable, interoperable revocation (in EUDI  wallets)

ready for consideration

Stefan Liström (SUNET)

Marina Adomeit (SUNET)

Revocation is not only a mandatory privacy-enhancing feature for end-users, it is also a core security feature. Both use cases for revocation need to be implemented in a future EUDI wallet ecosystem. However, there is currently no clear solution for interoperable, scalable revocation in the EUDI. This activity investigates and describes the possible approaches for scalable, interoperable ways to handle revocation. The activity should try to test at least two of the approaches with respect to the requirements on scalability and interoperability as may be needed for the EUDI.

Partially covered by cycle 11.

Possible outcomes: report, training materials, proof-of-concept solutions, proposal for the relevant decision makers in EUDI.

Note (Mihály): revocation is so basic that it is suspicious if no one else works on this right now

Passkey registration to User Profile Page (Shibboleth)

ready for consideration

Janne Lauros (CSC)

Timo Tunturi (Aalto Uni)

Mihály Héder (SZTAKI)

This proposal is a continuation of earlier incubator work where a User Profile Page for Shibboleth was implemented as a means for the user to view the available user data and the tokens issued on behalf of the user (https://github.com/GEANT/shib-idp-profile).

The Shibboleth project is working on a WebAuthn authentication flow and has defined the scope for Passkey management as: "The inbuilt flow represents the minimum viable product for implementing such a feature. In the future other plugins may provide this functionality"

We propose the following tasks for the next Incubator Cycle to provide additional features for Passkey management:

  • Add Passkey registration to UserProfile. Work should be done in cooperation with Shibboleth team to guarantee best integration to interfaces provided by Shibboleth project. 
  • The user must be able to register and manage multiple Passkey credentials. 
  • An optional API providing organization tools to list and remove Passkeys of users. 
  • An optional administrative function to allow an administrator to define requirements for authenticators (via Attestation).

Possible outcomes: prototypes, documentation, open source code for the relevant FOSS projects.

Reviewer Appreciation Certificates

under development

Mihály Héder (HUN-REN)

Branko Marović (UoB/AMRES)

There is a widely acknowledged crisis in research assessment, which by now prevents the realisation of its most important norms that ensured progress in the past. CoARA, a consortium of 700 research institutions and the most recent effort addressing this problem, describes the issue as follows:

"Assessment processes relying predominantly on journal- and publication based metrics can be a hurdle to the recognition of diverse contributions and may negatively affect the quality and impact of research. They also contribute to an unhealthy research culture and an unaffordable publication system." (CoARA mission statement, March 2024, https://coara.eu/app/uploads/2024/03/CoARA_Presentation_-5min_.pdf)

Part of the problem lies in managerial approaches, best addressed through CoARA’s advocacy.

However, an overlooked element is tooling (or rather the lack of it) that streamlines the creation and propagation of publication records (via the now near-universal DOI system), while other contribution types remain neglected. As a result, researchers’ records are automatically enhanced for publications but not for other forms of achievement.

From a T&I perspective this is troubling. Even the few existing forms of recognition (typically reviewer certificates in PDF format) are tied to email addresses as primary identifiers, combined with surnames and initials, with all the associated problems. For other contribution types, such as peer review, experiment reproduction, software as a research outcome, or PhD committee work, no universal mechanism exists, despite the general recognition that certificates or credentials should be issued at the point of activity. ORCID’s academic activity records and Clarivate’s Publons address this only partially, and in ways tied to specific platforms.

With the emergence of Verifiable Credentials and the GÉANT community’s experience in building global collaborations, there may be scope to contribute to reform efforts. Specifically, this topic should explore how eduPerson, SCHAC, and other schemas familiar to the T&I community could be integrated into a reviewer appreciation data model at Crossref, and the possible forms in which such data could be expressed. One such form is Verifiable Credentials, building on recent work in this area. In this case, the certificate would have a public mode (i.e. not only issued to a wallet but also published on a website), following the approach developed in WP9 for certifying software projects - a technologically similar project.

Possible outcomes:

Proof-of-Concept, reports, educational materials, research assessment community engagement

Note: this could be a use case for WP9's public certificate issuance platform.

OIDFed of groups and people

under development

Mihály Héder (HUN-REN)

 

Academics are expected to have a public persona, complete with a public, unique identifier tied to their real name (ORCID), public affiliations, etc. This is necessary to fulfill one of the most important ethos of science, sharing knowledge, which in practice also creates a need to promote publications, collaborations, research agendas, etc. This sets academics apart from citizens in general, who are interested in maximal achievable online privacy. 

This special feature of academic life means that academics could be interested in not only a public profile page such as ORCID, Academia.edu, ResearchGate, etc. but even in public endpoints representing them. With an OIDFed leaf endpoint, together with a trust mark ecosystem, academics could build trust chains to each other. This is crucial as they often have to collaborate with peers they don't know beforehand and have to resort to the public academic track record (see the other topic "Automatic collection of Verifiable Academic Efforts") and guesswork. The main use cases would be partner finding, verifying new hires and publishing. In the latter domain, editors should establish that the person submitting is real in the first place (email and ORCID can be self-generated) and that the affiliation is real. Memberships, such as IEEE or others, could also be interesting.
The idea can be extended to research groups, projects and companies that all have an interest in a public profile in good standing.

Possible outcomes

report or publication

PoC solutions

SAML Legacy

Under development

Mihály Héder

 

While much of the current focus of our T&I community is aimed at OpenID Federation, which could be the future of Research and Education Federations, it is inevitable that several NRENs will stick with the old SAML technology for a long period of time. This raises the question: what novelties could the T&I Incubator work on to ease the life of these federations? With the OASIS working group behind SAML discontinued, the update of cryptographic primitives might be a challenge to be tackled. Another issue could be ensuring the expression of new kinds of data in SAML, as well as ensuring that there are well-working and well-documented SAML-OIDFed proxy solutions.

 

Metadata Event Streams

Under development

Pete Birkinshaw (Mimoto)

 

Mimoto has a simple proof-of-concept for notifying services of changes to remote data status, immediately, using persistent streams of JSON over web sockets. This activity would be to implement other clients and servers, decide on a data format for messages, and to test viability. 

Data types include federation information, metadata aggregates, MDQ entity records, and so on. It's not specific to SAML but may help to make older SAML services more responsive.

Clients open web sockets to an event server and receive lightweight notifications of changes in real time. The simplest response to such messages is to reset a cached copy of the specified record and reload the record when requested. This technique appears to be faster and simpler than existing approaches: a client that redownloads an aggregate on remote changes should be possible with only a small shell script. The disadvantage is the need for an event service capable of supporting many concurrent connections, which may not be feasible in some languages and application frameworks.

 

Fticks-like functionality for OIDFED

Under development

Mihály Héder, 

Niels van Dijk, Davide Vaghetti, Andrijana Todosijevic

As the case of eduroam shows, good, comprehensive usage statistics can help management, decision-making and popularization of a service. For this, the functionality should be part of the default configuration, anonymous and batch-like, to ensure complete anonymity and the operators' peace of mind that they sufficiently protect their users. We propose that, provided there is a sufficient level of k-anonymity (it is guaranteed that each individual cannot be distinguished from another k (say, 100 or 1000) individuals in a dataset) and no significant performance sacrifice, such usage statistics would be acceptable and favorable on the OP side, to be reported to the NREN and to eduGAIN.
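One way the batch reporting with a k-anonymity threshold described above could work, as an added example that is not part of the proposal or of any existing F-Ticks or OIDFed tooling. The event tuple layout, the "other" roll-up bucket and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample batch: (user_pseudonym, op, rp, day). Not real data.
SAMPLE_EVENTS = [
    ("u1", "op.example.edu", "rpA", "2026-01-10"),
    ("u1", "op.example.edu", "rpA", "2026-01-10"),
    ("u2", "op.example.edu", "rpA", "2026-01-10"),
    ("u3", "op.example.edu", "rpA", "2026-01-10"),
    ("u1", "op.example.edu", "rpB", "2026-01-10"),
    ("u2", "op.example.edu", "rpB", "2026-01-10"),
    ("u3", "op.example.edu", "rpC", "2026-01-10"),
    ("u4", "op.example.edu", "rpC", "2026-01-10"),
    ("u9", "op2.example.org", "rpA", "2026-01-10"),
]


def k_anonymous_report(events, k):
    """Aggregate one batch of login events into per-(op, rp, day) login counts.

    A bucket is released only if at least k distinct users contributed to it,
    so no released figure describes a group smaller than k. Buckets below the
    threshold are rolled up into an (op, "other", day) bucket, which is itself
    released only if it covers at least k distinct users; otherwise it is
    dropped. The report never contains user identifiers.
    """
    users = defaultdict(set)
    logins = defaultdict(int)
    for user, op, rp, day in events:
        users[(op, rp, day)].add(user)
        logins[(op, rp, day)] += 1

    report = {}
    residual_users = defaultdict(set)
    residual_logins = defaultdict(int)
    for key, members in users.items():
        if len(members) >= k:
            report[key] = logins[key]
        else:
            op, _rp, day = key
            residual_users[(op, day)] |= members
            residual_logins[(op, day)] += logins[key]

    # Edge case: the roll-up of small buckets can still be a small group.
    for (op, day), members in residual_users.items():
        if len(members) >= k:
            report[(op, "other", day)] = residual_logins[(op, day)]
    return report


if __name__ == "__main__":
    # k=3 only so the small constructed batch shows all three outcomes.
    for bucket, count in sorted(k_anonymous_report(SAMPLE_EVENTS, 3).items()):
        print(bucket, count)
```

With k=3, rpA is reported directly, rpB and rpC are merged into "other", and the single login at op2.example.org is not reported at all.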

 

Proposals:

Topic submission deadline

The Call for Ideas for the next cycle starting in XX is still open.

The submission deadline for the next cycle is XX 2025.

Title | Status | Proposer | Supporter (+1) | Description | Task leaders' notes

Implement OID4VCI/VP in SimpleSAMLphp and Shibboleth IdP dashboard

ready for consideration

Mihály Héder (HUN-REN)

(mentioned in Scott Cantor's 2024 TechEx shibboleth report as a reasonable candidate for future development)

The primary motivation of this topic is to create Verifiable Credential issuer tools for our community so that it can participate in the wallet ecosystem. The best place to start appears to be the IdP software, as here we can leverage the sophisticated data handling, retrieval and transformation of both Shib and SSP, which are already deployed on top of university student information systems, research organization user databases, and institutional LDAP or SQL deployments; exactly where the relevant data resides. In addition, in terms of user interface we can leverage the T&I Incubator's earlier outcome, the IdP Dashboard, which was developed for both Shib and SSP.

Possible outcomes: prototypes, documentation, open source code for the relevant FOSS projects.

SeamlessAccess with OIDFed Support

under development

Zacharias Törnblom

Mihály Héder (HUN-REN)

Primary goal: show OIDC OPs the same way as SAML IdPs - in synergy with the eduGAIN OIDFed PoC project. 

Secondary goal: use credentials to persist the choice of home organization. 

Possible outcomes:

report, educational material, prototype to be picked up by the SeamlessAccess project

Automatic collection of Verifiable Academic Efforts

under development

Mihály Héder (HUN-REN)

 

Academic Track Record is the primary source for establishing trust between collaborators that don't know each other.
Because science is universal, global and involves mobility, these encounters occur very often.

In such events, the researchers are left to check to past affiliations of each other, look for collaborators they shared, see what impactful conference or journal paper the other appeared in, see if the other supervised or reviewed PhDs, postgrads in relevant topics. Hence, a semi-formalized trust chain in established.

In order to establish more trust in a researcher account in an academic collaborations, there are several automated actions an AAI platform can take. Commercial (Academia.edu, researchergate, google scholar) and community-owned (ORCID) initiatives already perform very basic collection of information (scraping crossref metadata (DOI)-s and the web). These methods could be much enhanced with more assured information that we have in the Research and Education space and could enrich an institutional or a  MyAccessID account, for example.

Several parts of this concept have been proven and demonstrated by the various science social networks, like Academia.edu and ResearchGate, who, as soon as a publication appears with a DOI. This is done by regularly scraping the related database, and the same happens for citations. This very often happens by matching name strings, for lack of better curated attributes in the Crossref metadata, and results in mis-attributed data. However, other, equally important elements of the record - peer reviews and efforts in service of science, like PhD defense committee membership, and altmetrics (contribution to research software, instruments; confirmed reader counts) - are overlooked and the technology for that is only an idea at this moment.

A) arXiv API+ORCID: in possession of a verified ORCID, the arXiv API can be queried for articles written by an author:

https://arxiv.org/search/advanced?terms-0-operator=AND&terms-0-term=&terms-0-field=title&terms-1-operator=AND&terms-1-term=0000-0002-9979-9101&terms-1-field=orcid&classification-physics_archives=all&classification-include_cross_list=include&date-filter_by=all_dates&date-year=&date-from_date=&date-to_date=&date-date_type=submitted_date&abstracts=show&size=50&order=-announced_date_first

Trust: high

arXiv was originally created for physics and is still dominant in that field.

Output DOI+publishing place

B) Crossref API+ORCID

In the Crossref JSON metadata, the ORCID is present if it was known:

{"ORCID":"http:\/\/orcid.org\/0000-0002-9979-9101","authenticated-orcid":false,"given":"Mih\u00e1ly","family":"H\u00e9der","sequence":"additional","affiliation":[]}]

C) DBLP+ORCID

On DBLP it is possible to search by ORCID.

D) email based matching

E) name based matching

trust: low

F) Consuming Verifiable Credentials
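
The matching methods above differ mainly in how much evidence ties a record to an account. As an added example (not code from the proposal), this sketch grades Crossref author entries against an account holding a verified ORCID. The category labels, function names and the second and third sample entries are assumptions made for illustration.

```python
import json
import re
import unicodedata

ORCID_RE = re.compile(r"(\d{4}-\d{4}-\d{4}-\d{3}[\dX])$")

def normalize_orcid(value):
    """Return the bare iD if its ISO 7064 MOD 11-2 check digit holds, else None."""
    m = ORCID_RE.search((value or "").strip().upper())
    if not m:
        return None
    chars = m.group(1).replace("-", "")
    total = 0
    for ch in chars[:15]:
        total = (total + int(ch)) * 2
    check = (12 - total % 11) % 11
    expected = "X" if check == 10 else str(check)
    return m.group(1) if chars[15] == expected else None

def fold(name):
    """Accent- and case-insensitive form, used only for the weak name comparison."""
    decomposed = unicodedata.normalize("NFKD", name or "")
    return "".join(c for c in decomposed if not unicodedata.combining(c)).casefold().strip()

def match_evidence(author, verified_orcid, given, family):
    """Grade one Crossref author entry (labels are hypothetical, not a standard)."""
    claimed = normalize_orcid(author.get("ORCID"))
    if claimed is not None:
        if claimed != normalize_orcid(verified_orcid):
            return "orcid-mismatch"  # another person, even if the name is identical
        # authenticated-orcid is the depositor's statement about the iD, so an
        # iD with the flag set to false is a claim, not proof.
        return "orcid-authenticated" if author.get("authenticated-orcid") is True else "orcid-asserted"
    if fold(author.get("given")) == fold(given) and fold(author.get("family")) == fold(family):
        return "name-only"  # method E, which the page rates as low trust
    return "no-match"

# First entry is the one shown on the page; the other two are constructed.
SAMPLE_AUTHORS = json.loads(r'''[
 {"ORCID":"http:\/\/orcid.org\/0000-0002-9979-9101","authenticated-orcid":false,
  "given":"Mih\u00e1ly","family":"H\u00e9der","sequence":"additional","affiliation":[]},
 {"given":"Mihaly","family":"Heder","sequence":"first","affiliation":[]},
 {"ORCID":"https://orcid.org/0000-0000-0000-0001","authenticated-orcid":true,
  "given":"Mih\u00e1ly","family":"H\u00e9der","sequence":"additional","affiliation":[]}
]''')

def grade_all(authors=SAMPLE_AUTHORS):
    return [match_evidence(a, "0000-0002-9979-9101", "Mihály", "Héder") for a in authors]

if __name__ == "__main__":
    print(grade_all())
```

The third entry shows why an identifier mismatch has to override a name match: the names agree exactly, yet the record belongs to a different iD.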

Possible outcomes: 

report, prototypes

HumbleScholar

under development

Mihály Héder (HUN-REN)

 

There is a widely acknowledged crisis in science assessment. By now, this prevents the realization of its most important norms that ensured its progress in the past. CoARA, a consortium of 700 research institutions and the most recent effort countering the problem, offers this description:

"Assessment processes relying predominantly on journal- and publication based metrics can be a hurdle to the recognition of diverse contributions and may negatively affect the quality and impact of research. They also contribute to an unhealthy research culture and an unaffordable publication system." (CoARA mission statement, March 2024, https://coara.eu/app/uploads/2024/03/CoARA_Presentation_-5min_.pdf)

One part of the problem is in the managerial approach, hence best addressed by CoARA's advocacy. An overlooked element, however, is the tooling - and the lack thereof that streamlines the creation and propagation of publication records (through the now near-universal DOI system), while the rest of the contribution types are overlooked. This way the accounts of researchers are automatically enhanced for publications but not for other achievements (see also my other topic proposal titled "Automatic collection of Verifiable Academic Efforts"). Alarmingly from a T&I point of view, even these are usually tied to an email address as a primary identifier, a surname and the initials of the given names, with all the associated problems. For the rest of the contribution types (reviews, reproduction of experiments, software-as-research-outcome, PhD committee work) there is no such universal mechanism, but it is recognized that some sort of certificates or credentials should be issued at the point where such activity happens. ORCID academic activity record type and Clarivate corp.'s Publons partially address this problem, but in a way that is tied to one given platform. With the emergence of Verifiable Credentials and the GÉANT community's experience in creating truly global collaborations we might be able to help the reform efforts.

Possible outcomes:

Proof-of-Concept, reports, educational materials, research assessment community engagement

OIDFed National Federations PoC

under development

Mihály Héder (HUN-REN)

 

Leveraging the fact that many T&I team members have experience in running SAML federations, we are well placed to create simulations of how a migration to / expanding with OIDFed would work for them. In order for OIDFed to be successful, small and large, proxy-based and mesh federations all should be able to implement it with ease. By running some hypothetical, simulated migration projects, we would have a comprehensive gap analysis on OIDFed, both in terms of training materials, non-covered use cases and tooling for all kinds of federations.

Possible outcomes

Gap analysis, training materials

OIDFed of groups and people

under development

Mihály Héder (HUN-REN)

 

Academics are expected to have a public persona, complete with a public, unique identifier tied to their real name (ORCID), public affiliations, etc. This is necessary to fulfill one of the most important ethos of science, sharing knowledge, which in practice also creates a need to promote publications, collaborations, research agendas, etc. This sets academics apart from citizens in general, who are interested in maximal achievable online privacy. 

This special feature of academic life means that academics could be interested in not only a public profile page such as ORCID, Academia.edu, ResearchGate, etc. but even in public endpoints representing them. With an OIDFed leaf endpoint, together with a trust mark ecosystem, academics could build trust chains to each other. This is crucial as often they have to collaborate with peers they don't know beforehand and they have to resort to the public academic track record (see the other topic "Automatic collection of Verifiable Academic Efforts") and guesswork. A main use case would be partner finding, verifying new hires and publishing. In the latter domain editors should establish that the person submitting is real in the first place (email, ORCID can be self-generated) and that the affiliation is real. Memberships, such as IEEE or others, could also be interesting.
The idea can be extended to research groups, projects and companies that all have an interest in a public profile in good standing.

Possible outcomes

report or publication

PoC solutions