Introduction
The research and education sector has over the past decades developed a global identity federation ecosystem which has simplified access to content, services and resources for their community. The eduGAIN interfederation comprises over 80 national federations connecting more than 8,000 Identity and Service Providers. On a national level even more services and institutions are connected. The sector has been able to achive this by creating a highly interoperable ecosystem, where both a high level of technical, as well as policy and trust interoperability has been accomplished, through the joined implementation of various speficications. The joined journey of establishing this ecosystem has enabled the emergance of a global research and education trust and identity comunity with strong bonds and decades of experience in deploying and operating identity federation at scale.
REFEDs, the Research and Education FEDerations group, has been instrumental in providing an open meeting place for articulating the mutual needs of research and education identity federations worldwide. Over the years, REFEDS has addressed issues and topics based on the interests and requirements of its participants. This includes mostly policy, but also some technical and outreach topics in areas such as interfederation, privacy, assurance, relationships with partner communities, marketing, and support of emerging federations.
While REFEDs as such has no bias towards a specific technical implementation, the fact that the SAML 2.0 specification is currently the dominant protocol in identity federation in R&E has had some impact on various specifications created by REFEDs. This ranges for protocol specific sections, to assumption on how a specification would be implemented operationally. The rise of protocols like OpenID Connect, OpenID Federation and the emergence of decentralized, wallet based ecosystems requires a revisit of the specifications. Not only should it be investigated in what way the specifications may be implemented in these protocols, in addition we must assume a multi-protocol ecosystem will emerge and exist for several years to come. This means the specifications may also need to take into account how to go between protocols as it meay be required to translate between not just technical credentials, but also policy and trust frames.
This document provides a first assesment on how the current REFEDs specifications (Nov 2023) may be leveraged in an OpenID Federation (Draft 31) based federation and in a wallet ecosystem based on OpenID Federation and the OpenID4VC specifications.
REFEDs specifications
source: https://refeds.org/specifications (Nov 2023)
Specification types
REFEDs identify 4 types of specifications:
- Entity Category, defined in RFC8409, are metadata 'labels' applied to either identity providers or services which may be used under certain conditions, as described in the Entity Category specification, to indicate a grouping of entities. Entity Categories may be used to signal commonly used attribute requirements, or commitment to a certain set of behavioural rules.
- Entity Attribute are metadata labels applied to either identity providers or services to signal assurance certifications.
- Profiles, which define a standard to signal certain behaviour in a federated authentication transaction, and how to respond to such a request.
- Metadata Extension, provide an extention to existing metadata profiles.
- Frameworks, are currenlty basically assurance frameworks, which provide a structured means of describing or defining the main sources of assurance provided within the federation by the member entities of the federation itself.
Overview of findings
specification name | type | Applies to entity | Asserted by | Attribute profile | Entity behavioural rules | Attribute requirements | In scope for OpenIDFed | In scope for wallets | SAML Specific Protocol requirements |
---|---|---|---|---|---|---|---|---|---|
Research and Scholarship (R&S) v1.3 | Entity Category | SP | Registrar |
|
|
| |||
Research and Scholarship (R&S) v1.3 | Entity Category | IdP | IdP |
|
| ^^^ | |||
Hide From Discovery v.1 | Entity Category | IdP | IdP |
| |||||
Anonymous Access v.2 | Entity Category | SP | Registrar |
|
|
| |||
Anonymous Access v.2 | Entity Category | IdP | IdP |
|
| ^^^ | |||
Pseudonymous Access v.2 | Entity Category | SP | Registrar |
| |||||
Pseudonymous Access v.2 | Entity Category | IdP | IdP |
| |||||
Personalized Access v.2 | Entity Category | SP | Registrar | ||||||
Code of Conduct v.2 | Entity Category and Best Practice | ||||||||
Sirtfi v1 & v2 | Entity Attribute | SP | SP |
Legenda for relevance column: Under investigation Not relevent Relevant Updates to wording and/or implementation required