Un-Affiliated IdP Self-Assessment Form: http://bit.ly/iolrForm
Working Group Logistics
The World Clock Meeting Planner - Details
|Location||Local time||Time zone||UTC offset|
|San Francisco (USA - California)||9:00 AM||PDT||UTC-7|
|Madison (USA - Wisconsin)||11:00 AM||CDT||UTC-5|
|London (United Kingdom - England)||16:00 PM||GMT||UTC|
Agenda, Live Scribing and Meeting Notes: http://bit.ly/iolrNotes
Current Work Items
- List Research SPs that might be in need of Un-Affiliated IdPs
- See email thread, "Re: Other SPs for unaffiliated IdPs"
- Review sustainability strategies
- See email thread, "Re: Funding an unaffiliated IdPs
- Consider addressing the orphaned user problem by leveraging ORCID iDs
- Update Self-assessment form for self-declaring Un-Affiliated IdPs
firstname.lastname@example.org (currently 47 subscribers)
To subscribe, visit https://lists.refeds.org/sympa/subscribe/iolr
Older Work Items
- Internationalize the Requirements for R&S Un-Affiliated IdPs
Start from the InCommon IdP of Last Resort WG requirements
- Define Acceptable Bases of Trust
Self-assertion? Reputation-based? Tagging by fed. operator?
- Mitigate “Single (IdP) Point of Failure” for Users
- The most difficult challenge: "What if my un-affiliated IdP of choice goes out of business? What happens to all my existing access paths?"
This is the wiki space for the IdPs of Last Resort (IoLR) Working Group. To participate in this group, please subscribe to the mailing list.
Service Providers (SPs) often find that the population they want to serve includes individuals who are not represented by campus-based or other institutional Identity Providers (IdPs). In other cases, the individual's organizational IdP can not (or will not) release attributes necessary for the operation of the SP. The two most commonly encountered accommodations for users in this situation both suffer from serious inadequacies. First, SPs can opt to issue credentials and run an authentication service for those users lacking an adequate federated solution. The drawback is that this forces the SP owners to take on the unwelcome role of issuers and managers of user credentials. It is not their core mission and it can easily become a substantial support burden. The second fallback is to accept external IdPs such as Google. This gets the SP owners out of the credential management business, but brings other issues. To take Google as an example, Google’s IdP-like service comes with several caveats: Their business model is premised on monetizing user and usage data; As a non-SAML solution, they don’t support the Enhanced Client or Proxy (ECP) Profile, a critical requirements for some key research services; They also reserve the right to throttle usage if it gets above what they consider an acceptable level of use.
A different approach is clearly needed. Ideally, individuals lacking a suitable IdP could be invited to register with a participating IdP that offered no-cost, easy self-registration processes. This REFEDS Working Group is charged with specifying how such a service should be structured and establishing processes for reviewing and approving IdPs that seek to be designated as "Un-Affiliated IdPs", or informally, "IdPs of Last Resort" that meet the Service Providers' requirements. For some additional background, see the 2015 Final Report of the InCommon Technical Advisory Working Group, IdPoLR.
The following terms apply to all REFEDS Working Groups:
- When a working group is agreed, REFEDS Participants will be asked if they wish to participate. Working Groups tend to be small, so consensus can be achieved quickly between participants.
- A chair for the group is chosen from the REFEDS Participants.
- TERENA provides facilities for the working group, including meeting support, wiki space, mailing lists and, where appropriate, funding.
- An appropriate output from the group is produced. Currently, this is typically a draft white paper or a wiki page.
- When the Working Group is in agreement, the chair shares the outputs with the wider REFEDS community with an open period for discussion and comment. This is typically a period of 4 weeks, but may be longer if appropriate.
- After this period of time, the REFEDS Steering Committee signs off on the work item. Work is either written up as a formal white paper, left on the wiki but promoted as finished work or occasionally submitted as an Internet Draft.
Pete Birkinshaw, Digital Identity Ltd | http://www.digitalidentity.ltd.uk
- Un-Affiliated IdP Working Group Draft Annual Report, 2017
- 2015 Final Report of the InCommon Technical Advisory Working Group, IdPoLR