Nick Roy, Tom Barton, Mark Scheible

1. Metadata aggregates grow quickly. Per-entity metadata is close to reality. The SP will no longer be able to provide a JSON feed unless it is configured to serve only a limited set of IdPs. This suggests a paradigm shift for discovery to start using AJAX searches on a reliable back-end that has the full list of IdPs. Is there a role for an eduGAIN discovery service?
2. Discovery for OpenID Connect Federation: How to achieve a consistent user experience for SAML as well as for federated OIDC?
3. Discovery in mobile apps: What to recommend to developers regarding a consistent user experience?
4. Update the REFEDS Discovery Guide with the findings

Per-entity metadata and dynamic federation ideas force a rethinking of how Federations Operators signify their validation or endorsement of certain metadata statements, and consequently a rethinking of much of the process of operating a federation. Deliverables:

1. Define workflows that endow trust in dynamic federation metadata, ie, work out operational aspects of Roland's paper.
2. Define an architecture or design in which it is easy for each recipient to validate dynamic metadata.
3. List ramifications for standard federation operating procedures in a dynamic metadata environment.

This activity investigates and reports on the various ways Identity Federations have implemented incident response handling internally.

The result should provide national federations with insite on what to expect when contacting a peer, and oppertunity for alignment and improvement. In addition it could support Sirtifi and eduGAIN e-Science support activities within AARC GEANT projects.

Federated Auth sucks when it comes to de-provisioning, as it is very hard for services to determine if and why a user is no longer logging in. As a result account (and other) data may remain at the SP long after the user was using the service. This is an issue from data protection and security perspective. Various efforts have been proposed and attempted in past years, none actually involving the authoritative source for the identity: The Idp

This activity investigates the possibility to create a IdP(protocol?) extension that would allow services to query an IdP if a user is still active in a scalable, secure and privacy preserving way.

Consent is used often within identity federations. While on a national level it may be clear what asking and giving consent entails, unfortunately consent does not mean the same thing in various countries as the legal grounds for consent vary. Also there are many ways to implement consent. What makes a good consent page and what does not? When is it (not)   user friendly, what should be shown to make it legally usable? What are the best practices around consent globally?

This activity investigates what it means to ask and give consent in various countries. In addition it describes recommendations for 'good' and 'bad' consent pages similar to the Refeds Discovery Guide.

R&E federations are and will be confronted more and more with external identities, i.e. identities not created at institutions. These include identity providers of last resort, social identities but also identities from collaborative organisations, eGoverment or banks.

Work on external identities is going in national federations, REFEDs, AARC and GEANT.  This working group will investigate and bring together work in these activities, and discuss and report on these various aspects and findings to the broader REFEDs community. In addition the role and impact of external identities in relation to eduGAIN will be investigated.