Please use this page to record ideas that you would like to include in the 2020 REFEDS workplan.  Copy and paste the table below.  Ideas don't need to be fully formed but the more scope we can get the easier it will be to assess whether idea should be taken forward.   We look forward to all your ideas! 

Want to know what was proposed in 2019?  Have a look here.


Title<title of your proposal here>
Description<description text here>
Proposer<your name here>
Resource requirements<money? effort? coordination? unicorns?>
+1's<for others to voice their support - add your name here>


TitleeduGAIN Baseline

Input into a baseline expectations for eduGAIN.

(Question: is this the same WG of this name that has started meeting and it's listed here just as a formality, or a new WG?)

Resource requirements

Scott Koranda; Tom Barton

TitleRevise Cloud Services Cookbook
DescriptionThe Cloud Services Cookbook,, was posted to the Refeds wiki with a few updates made from it's original version created by the Big Ten Academic Alliance. It hasn't been updated since 2016, however. It would be very useful to devote some resources to updating SAML-specific recipes as well as add OIDC and protocol-agnostic recipes.
ProposerKeith Wessel
Resource requirements

People resources, brain power, and possibly a Festivus miracle. 

  • WRT people resources, has anyone considered collaboration with IDPRO ( for more info, see, or nudge Heather Flanagan )
+1'sAlbert Wu, Janemarie Duh, Corey Scholefield
TitleExtensions to MDQ
DescriptionThe RA21 and SeamlessAccess projects have defined two extensions to the MDQ protocol, one to enable a search capability and one to enable a "webfinger" query to determine "what the server knows". Leif Johansson has provided an example implementation with pyFF. This proposal is to have REFEDs help formalize these extensions, perhaps by working with Ian Young to evolve the MDQ specification. 
ProposerScott Koranda and Leif Johansson
People resources for help with planning and organization and to help shepherd the update. 
+1'sAlex Stuart
TitleDynamic errorURL

After login at a service the service (SP) may be missing some information or requirements of the login, for example

  • To few attributes sent from the IdP
  • Required attribute valued is not sent from the IdP
  • The service requires REFEDS MFA capability of the IdP but not supported by IdP (according to IdP Metadata)
  • The IdP doesn't seem to support the forceAuthn SAML flag (either a SAML error from the errorURL or the AuthenticationInstant is not refreshed

There currently is no best-practice for how a service should inform users of non-technical shortcomings of logins. It would be convenient if IdP:s could supply URL:s to different support pages that services could referer to depending on pre-defined problems with logins. Many login problems are not detected until after login.

ACAMP at TechEx had a session regarding this. Notes and Post-ACAMP work are available at

ProposerPål Axelsson
Resource requirementsA short term working-group to write up an errorURL profile with recommendations
+1'sAlbert Wu, Fredrik Domeij, Tom Barton
TitleMake Microsoft ADFS handle REFEDS MFA Profile

REFEDS MFA Profile uses the authnContextClassRef in the SAMLRequest to signal that MFA should be used for authentication. Microsoft ADFS cannot handle this authnContextClassRef and returns a FatalProfileException during authentication.

Diskussion notes from TechEx ACAMP session regarding REFEDS MFA in ADFS:

ProposerFredrik Domeij <>
Resource requirementsA working-group to help Microsoft add support for REFEDS MFA in ADFS, or to find a work-around to make ADFS usable in REFEDS MFA authentcation
+1'sTommy Larsson <>, Johan Peterson <>, Pål Axelsson
  • No labels