Comment: Removed ORCID WG, updated WG chair for IoLR

...

WORK ITEMS | DESCRIPTION | ASSIGNED TO | START DATE | END DATE | STATUS
REF18-2A

FOG: Federation Operators Group

Peter Schober with support from Nicole Harris | 01/2018 | 12/2018
REF18-2B

OIDC(re): OpenID Connect for Research and Education

Niels van Dijk with support from Heather Flanagan | 01/2018 | 12/2018

Proposed addition to the charter: OIDCre federations are moving into pilot phases and discussions on how to run hybrid SAML/OIDC federations are happening now. Rather than having to go back and try and normalize the policies for OIDCre federations, let's take a look at what we think the policy space should look like and create the necessary templates.

REF18-2C

SIRTFI

Tom Barton with support from Nicole Harris | 01/2018 | 12/2018

 SIRTFI

Activity to investigate and report on the various ways Identity Federations have implemented incident response handling internally.

The result should provide national federations with insight on what to expect when contacting a peer, and an opportunity for alignment and improvement. In addition, it could support Sirtfi and eduGAIN e-Science support activities within AARC GEANT projects.

Template for federation operators.

Scoping tools to automate Sirtfi response testing and compliance.

REF18-2D

ORCID

Laura Paglione with support from Heather Flanagan

REF18-2E

IdPs of Last Resort

Keith Hazleton Pete Birkinshaw with support from Heather Flanagan | 01/2018 | 12/2018

Un-Affiliated IdP Working Group Draft Annual Report, 2017.  Need to consider how to use this in conjunction with Academia to differentiate IdPs.

Continue on work to define ways of tagging IdPs of Last Resort and defining a specification for minimum requirements of such an IdP within federation environment.


REF18-2F2E

Assurance

Mikael Linden with support from Heather Flanagan | 01/2018 | 12/2018

Work progressing well, second round of consultation planned.  MFA profile in place, work on single factor / good entropy expected.

Various work has been put into better defining the baseline requirements for activity in federations - including via InCommon and the REFEDS assurance group.  This work will look to operationalise this work in the context of existing federations and eduGAIN.

Work is underway on baseline expectations for IdPs and an Assurance Wireframe.  The assurance working group will continue in 2017. The intention is to expose the assurance profile to a community consultation until end of March and then update the assurance profile and publish it as an AARC deliverable. After that, in AARC2, we probably need to have a small pilot before it can be rolled out. 

REF18-2G2F

Entity Category Support

Nicole Harris | 01/2018 | 12/2018

Conduct a post-mortem for entity categories in general.

Work for REFEDS R&S next steps: R&S2, affiliation, academia

Abstract attributes

 - define approaches to abstract attributes to allow groups of attributes to be used.

 - feed into proposals to produce guidelines on attribute release for eduGAIN.

 - create registry of attributes if appropriate.

Exchanging entity attributes outside of those with global definitions (e.g. R&S, Sirtfi etc.) creates a potential for mounting conflict; part of handling this is orchestration and handling. There may also be tags that are defined within a federation, but not cross-federation. This creates a vocabulary control challenge. Who handles the responsibilities among the fed ops to consider this, and does this need managing? This work area will initially focus on discussion here (best practice), clarifying use cases and creating a matrix to inform the discussion. Recommendations on future steps to support this (including potential registries, rules for stripping using MDQ etc.) will be made.

The existing identifier complexity is maddening. Possibly push for adoption of the Subject-ID spec everywhere an identifier is needed, to reduce complexity for all involved going forward. Replaces eduPersonTargetedID, SAML 2.0 persistent NameID, eduPersonUniqueID and (partially) eduPersonPrincipalName. Might help align with private/public identifiers in OIDC.

REF18-2H2G

Federation Trust 2.0

Design, resource, and deploy a global metadata distribution infrastructure for both per-entity and aggregate metadata serving needs, for all federations to use, at global scale.

Per-entity metadata and dynamic federation ideas force a rethinking of how Federation Operators signify their validation or endorsement of certain metadata statements, and consequently a rethinking of much of the process of operating a federation. Deliverables:

  1. Define workflows that endow trust in dynamic federation metadata, i.e., work out operational aspects of Roland's paper.
  2. Define an architecture or design in which it is easy for each recipient to validate dynamic metadata.
  3. List ramifications for standard federation operating procedures in a dynamic metadata environment.
TBA | TBA | TBA

...