Research and Education
Working Group
https://openid.net/wg/rande/
Nick Roy - Internet2
Nathan Dors - University of Washington
Davide Vaghetti - Consortium GARR
Roland Hedberg - Catalogix
OIDF Workshop
VMware, October 22, 2018
What’s Up With Research and Education?
We have been doing multilateral federation since the mid-2000s using SAML
Roughly 60 national-level R&E federations, mostly run by national research and
education networks (NRENs)
~5,000 organizational identity providers
~11,400 service providers
Some Big Participants
LIGO (Nobel Prize in Physics, 2017 - Gravitational Wave Observation)
CERN (Nobel Prize in Physics, 2013 - Higgs Boson)
Square Kilometer Array
Murchison Widefield Array
NIH - National Institutes for Allergy and Infectious Disease
Research journal publishers/libraries (STM, ACM, NISO, etc.)
(many others)
“LIGO uses tools created by many other scientists and technologists to help make discoveries. This
collaboration includes 1000 scientists from over 80 different universities and research institutes around the
world. It is a significant challenge to keep track of LIGO participants, their roles, and what shared
resources they have access to. Furthermore, LIGO is collaborating with astronomers all over the globe
who are looking at the sky at the same time, but with different types of instruments, and needs ways to
share discoveries securely. LIGO has employed many tools created by Internet2 to help with these
daunting tasks, including Shibboleth, Grouper and COManage. Likewise, InCommon services such as the
InCommon Certificate service and the InCommon Federation services have become integral parts of
LIGO's daily operations.”
- Warren Anderson, LIGO Scientist and IAM Manager
Schemas/Standards/Profiles
OASIS SSTC SAML 2 (SSO, Metadata IOP)
eduPerson
Schac (Schema for Academia)
isMemberOf
inetOrgPerson
REFEDS Research and Scholarship, SIRTFI, MFA profiles
Discovery
Trust Is Key To Participation
Federation registrar acts sort of like an EV certificate authority for IdPs and SPs
Signed metadata and signed SAML responses
Federations enforce legal/policy/business process requirements and international
standards
Agree to exchange metadata according to community standards
Supplement with profiles to enable:
- Attribute exchange
- Incident handling
- Assurance
- etc.
How Do We Adopt OpenID Connect?
Need a root of trust (Roland’s / Andreas’ OIDC Federation work)
Need an operational model that comes out of our experience running federations,
combined with Roland and Andreas’ work
Need to map attributes / schemas / entity attributes into:
- Claims
- Metadata statements
- Scopes
- Some way to represent group membership/entitlements
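One concrete piece of the attribute-to-claim mapping the slide calls for, as an added example that is not code from the working group or from any of the listed implementations: a SAML attribute statement in eduPerson/SCHAC vocabulary is turned into an OIDC claim set, released only as far as the granted scopes allow, with the REFEDS MFA authentication context carried into `acr`. The scope names and the `groups`/`entitlements` claim names are assumptions chosen for illustration, not a published profile.

```python
# Added example, not code from the slides: map a SAML attribute statement in
# eduPerson / SCHAC vocabulary to OIDC claims, releasing only what the granted
# scopes allow, and carry the REFEDS MFA authentication context into "acr".
# The scope names and the "groups"/"entitlements" claim names are assumptions.

REFEDS_MFA = "https://refeds.org/profile/mfa"

# SAML friendly name -> (OIDC claim name, scope that releases it, multi-valued?)
ATTRIBUTE_MAP = {
    "eduPersonPrincipalName": ("eduperson_principal_name", "eduperson", False),
    "eduPersonScopedAffiliation": ("eduperson_scoped_affiliation", "eduperson", True),
    "schacHomeOrganization": ("schac_home_organization", "eduperson", False),
    "mail": ("email", "email", False),
    "displayName": ("name", "profile", False),
    "isMemberOf": ("groups", "groups", True),
    "eduPersonEntitlement": ("entitlements", "entitlements", True),
}

def to_claims(sub, attributes, scopes, authn_contexts=()):
    """Build the claim set for an ID token or UserInfo response.
    attributes: {saml_friendly_name: [values]} as carried in a SAML assertion.
    scopes: scopes granted to the relying party (the release policy).
    authn_contexts: AuthnContextClassRef values asserted by the IdP.
    Attributes with no mapping or without a granted scope are not released."""
    claims = {"sub": sub}
    for name, values in attributes.items():
        spec = ATTRIBUTE_MAP.get(name)
        if spec is None or not values:
            continue
        claim, scope, multi = spec
        if scope in scopes:
            claims[claim] = list(values) if multi else values[0]
    # Only assert MFA in acr when the IdP actually asserted the REFEDS MFA context.
    if REFEDS_MFA in authn_contexts:
        claims["acr"] = REFEDS_MFA
    return claims

# Constructed sample assertion content (not a real user).
SAMPLE_ATTRIBUTES = {
    "eduPersonPrincipalName": ["jdoe@example.edu"],
    "mail": ["jdoe@example.edu"],
    "isMemberOf": ["cn=ligo-members,ou=groups,dc=example,dc=edu"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
    "employeeNumber": ["12345"],  # no mapping: never released
}

if __name__ == "__main__":
    print(to_claims("pairwise-subject-id", SAMPLE_ATTRIBUTES,
                    {"openid", "eduperson", "groups"}, [REFEDS_MFA]))
```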
The Path To Get There
OIDCRE Working Group in the OIDF
REFEDS OIDC Working Groups
InCommon OIDC Deployment Working Group
What Is Needed
Use cases
- API access
- Non-web stuff to support research computing (command-line access to
supercomputing resources, etc.)
- Mobile applications at colleges and universities
Implementations
- Identity Python
- Shibboleth OIDC
- CAS
- (We still need to develop the federation tooling)
Challenges and Benefits
Support for multilateral SAML has always been a challenge in software not
developed by the R&E community, mainly due to the lack of test suites and
uneven support for SAML metadata
Need to develop test profiles
Many of our challenges are shared (see also: FastFed (discovery), iGov
(metadata/assurance), EAP/token binding (acr=phr))

OpenID Foundation Research & Education Working Group Update - October 22, 2018