Introduction

The research and education sector has over the past decades developed a global identity federation ecosystem which has simplified access to content, services and resources for their community. The eduGAIN interfederation comprises over 80 national federations connecting more than 8,000 Identity and Service Providers. On a national level even more services and institutions are connected. The sector has been able to achive this by creating a highly interoperable ecosystem, where both a high level of technical, as well as policy and trust interoperability has been accomplished, through the joined implementation of various specifications. The joined journey of establishing this ecosystem has enabled the emergance of a global research and education trust and identity comunity with strong bonds and decades of experience in deploying and operating identity federation at scale.

REFEDs, the Research and Education FEDerations group, has been instrumental in providing an open meeting place for articulating the mutual needs of research and education identity federations worldwide. Over the years, REFEDS has addressed issues and topics based on the interests and requirements of its participants. This includes mostly policy, but also some technical and outreach topics in areas such as interfederation, privacy, assurance, relationships with partner communities, marketing, and support of emerging federations.

While REFEDs as such has no bias towards a specific technical implementation, the fact that the SAML 2.0 specification is currently the dominant protocol in identity federation in R&E has had some impact on various specifications created by REFEDs. This ranges for protocol specific sections, to assumption on how a specification would be implemented operationally. The rise of protocols like OpenID Connect, OpenID Federation and the emergence of decentralized, wallet based ecosystems requires a revisit of the specifications. Not only should it be investigated in what way the specifications may be implemented in these protocols, in addition we must assume a multi-protocol ecosystem will emerge and exist for several years to come. This means the specifications may also need to take into account how to go between protocols as it meay be required to translate between not just technical credentials, but also policy and trust frames.

This document provides a first assesment on how the current REFEDs specifications (Nov 2023) may be leveraged in an OpenID Federation (Draft 31) based federation and in a wallet ecosystem based on OpenID Federation and the OpenID4VC specifications. For the latter it should be noted that as this ecosystem and its standards are still being developed, the statments and assumptions on how REFEDs specification may be relevant should be considered speculative. 

REFEDs specifications

source: https://refeds.org/specifications (Nov 2023) 

specification nametypeURIdoisupporting material
Research and Scholarship (R&S) v1.3Entity Categoryhttp://refeds.org/category/research-and-scholarship  
DOI
https://wiki.refeds.org/display/ENT/Research+and+Scholarship
Hide From Discovery v.1Entity Categoryhttp://refeds.org/category/hide-from-discovery
DOI

https://wiki.refeds.org/display/ENT/Hide+From+Discovery
Anonymous Access v.2Entity Categoryhttps://refeds.org/category/anonymous
DOI 
https://wiki.refeds.org/x/aQA2B
Pseudonymous Access v.2Entity Categoryhttps://refeds.org/category/pseudonymous
DOI
https://wiki.refeds.org/x/aQA2B
Personalized Access v.2Entity Categoryhttps://refeds.org/category/personalized
DOI 
https://wiki.refeds.org/x/aQA2B
Code of Conduct v.2Entity Category and Best Practicehttps://refeds.org/category/code-of-conduct/v2
DOI
https://refeds.org/category/code-of-conduct/
Sirtfi v1 & v2Assurance Certification

https://refeds.org/sirtfi

https://refeds.org/sirtfi2

DOI
https://wiki.refeds.org/display/SIRTFI/SIRTFI+Home





MFA Profile v.1Profilehttps://refeds.org/profile/mfa
DOI
https://wiki.refeds.org/display/PRO/MFA
SFA Profile v.1Profilehttps://refeds/org/profile/sfa
DOI
https://wiki.refeds.org/display/PRO/SFA
Error Handling v.1Profilehttps://refeds.org/specifications/errorurl-v1
DOI
https://wiki.refeds.org/display/PRO/Error+Handling+URL+Profile





Security ContactMetadata Extensionhttp://refeds.org/metadata/contactType/security
DOI
https://wiki.refeds.org/display/SIRTFI/SIRTFI+Home





Baseline Expectations v.1Frameworkhttps://refeds.org/baseline-expectations
DOI
https://wiki.refeds.org/display/BASE
Assurance v.1Frameworkhttps://refeds.org/assurance
DOI
https://wiki.refeds.org/display/ASS/Assurance+Home


Specification types

REFEDs identify 5 types of specifications:

Generally speaking, the information from the specifications is distributed in two ways:

When a specification defines specific metadata elements to be be present, if is often required to have a protocol specific section in the specification. Not only is the technical format different (XML vs JSON), but there is also a difference in the way certain capabilities are expressed, e.g. Entity Categories vs Trustmarks, see later). When the specification only deals with 'on the wire' information, which is transmitted as part of the transaction, like e.g. attribute assurance, it if often much easier to adopt the specification to use in OIDC and OpenID federation, as often it suffices to just use the equivelent OIDC claim to transport the same values that were defined in tha SAML based specification.

OpenID Federation implementation of specification types

OpenID Federation shares many concepts with the existing SAML based federations as currently deployed in R&E. The basic entities (OP, RP and trusted third parties like TA or IA) and the interactions between these can all be represented in OpenID Federation  in a similar fashion as these exist in a SAML R&E federation.

Table 1 provides an overview of the specifications that were evaluated, and identifies the areas in the specification that would need modification to adopt OIDC and OpenID federation. Because of the commonalities in the structure of the Personalized Access, the Anonymous Access and the Pseudonymous Access Entity Category, only the first one was extensivly evaluated, see Chapter 6. It was assumed similar modificatiosn will be required for the Anonymous Access and Pseudonymous Access specification.

Overview of findings

specification nametypeApplies
to entity		Asserted
by		Level of Modification needed?

In scope for OpenIDFed

In scope for wallets

Attribute
profile		SAML Specific
Protocol  requirements
Personalized Access v.2Entity CategoryIdP/OPRegistrar(warning)(warning)(warning)(tick) (T)(tick)(tick)
  • Use of SAML specific terms like IdP and SP
  • Section 4, RC3
  • Section 5 (extention already possible)
  • Section 7; SAML specific example. should probably move under 5.1.1
  • Section 8; SAML specific example. should probably move under 5.1.1
Personalized Access v.2Entity CategorySP/RPRegistrar(warning)(warning)(warning)(tick) (T)(tick)(tick)

^^^

Anonymous Access v.2Entity CategorySP/RPRegistrar(warning)(warning)(warning)(tick) (T)(tick)(tick)
  • Use of SAML specific terms like IdP and SP
  • Section 4, RC1.1
  • Section 5 (extention already possible)
  • Section 7; SAML specific example. should probably move under 5.1.1
  • Section 8; SAML specific example. should probably move under 5.1.1
Anonymous Access v.2Entity CategoryIdP/OPIdP/OP(warning)(warning)(warning)(tick) (T)(tick)(tick)^^^
Pseudonymous Access v.2Entity CategorySP/RPRegistrar(warning)(warning)(warning)(tick) (T)(tick)(tick)
  • Use of SAML specific terms like IdP and SP
  • Section 4, RC3
  • Section 5 (extention already possible)
  • Section 7; SAML specific example. should probably move under 5.1.1
  • Section 8; SAML specific example. should probably move under 5.1.1
Pseudonymous Access v.2Entity CategoryIdP/OPIdP/OP(warning)(warning)(warning)(tick) (T)(tick)(tick)

^^^

Research and Scholarship (R&S) v1.3Entity CategorySP/RPRegistrar(warning)(warning)(warning)(tick) (T)(tick)(tick)
  • RFC8409
  • Section 4.3.1
  • Section 4.3.3
  • Section 5 (moving mention of <md:RequestedAttribute> mechanism to SAML 2.0 specific part of section 5 would already suffice)
  • Section 6 (SAML specific example and identifier handling)
  • Section 7 (SAML example)
Research and Scholarship (R&S) v1.3Entity CategoryIdP/OPIdP/OP(warning)(warning)(warning)(tick) (T)(tick)(tick)^^^
Hide From Discovery v.1Entity CategoryIdP/OPIdP/OP
(question)(question)
  • Use of SAML specific terms like IdP and SP
  • Section 5: SAML specific example
Assurance v.1FrameworkIdP/OPIdP/OP(smile)(tick)(tick)(tick)
  • Section 7 already discusses the use of the "eduperson_assurance" claim as the mechanism to provide assurance information in OIDC
MFA Profile v.1Profile

(smile)(tick)(question)(tick)
  • No changes needed, however has dependency on Security Contact Metadata Extension
  • For use with wallets more context is needed
SFA Profile v.1Profile

(smile)(tick)(question)(tick)
  • No changes needed, however has dependency on Security Contact Metadata Extension
  • For use with wallets more context is needed
Sirtfi v1 & v2Assurance CertificationSP/RPRegistrar(warning)(warning)(warning) (tick) (T)(tick)

Sirtfi v1 & v2Assurance CertificationIdP/OPIdP/OP(warning)(warning)(warning) (tick) (T)(tick)

Security ContactMetadata ExtensionIdP/OP, SP/RPIdP/OP, SP/RP(warning)(warning)(tick)(tick)
  • No OIDC or OpenID Federation specification present.
  • Requires extention of OIDC Metadata model

Legenda for relevance column: (question) Under investigation; (error) Not relevent; (tick) Relevant; (T) Trustmark required
Indication of required changed: (smile) No changes required; (warning) Minor updates to wording required; (warning)(warning) Significant updates to wording required; (warning)(warning)(warning) Significant updates to wording and/or implementation required

Detailed discussion

Personalized Access v.2