Trust and Internet Identity Meeting Europe
17.-20. Feb 2020: Workshops and Unconference

Baseline expectations

(Thomas Barton)

One of the common problems facing Federation is the process of change management. Things change. Who is maintaining it and how this change will be faced and brought forward optimized is an issue in its own?

#1 IdPs and SP operators who don’t pay attention and FO who aren’t effective at managing that:

  1. Federation operators are the ones who will own the relationship with their members – these members will change in the future and this might very easily fall off radar.
  2. Decreasing skills in house at Higher Eds
  3. “Cloud first” approach to campus IT is common

Federations need to keep up with the constant changes. We should care about these problems because it connects with trust in the federation infrastructure. Its value slowly declines without attention to these completely non-technical issues. Trust and willingness to rely on them goes down increasingly. Trust more generally is replaced with risk and liability and how we manage it. If I will outsource operations, I need to have some assurance on how they will manage the liability that I still face. How do I share that with this third party that is providing this part of my operation? If these companies were being certified the relying party can then decide and help them face their worries about possible liabilities. This is how it works in the business concept – it does not apply to the education environment. We are not a transaction carrier, we’re all working together. We are although supported by our organizations, we are not part of the transaction.

There are three parties in the inCommon, to which the baseline expectations apply to: Federation operators, Identity Providers and Service Providers.

InCommon Baseline Expectations for Federation Operators

Focus on trustworthiness of their federation as a primary objective and be transparent about such efforts Generally accepted security practices are applied to the federation’s operational systems Good practices are followed to ensure accuracy and authenticity. We want the metadata to enable secure and trustworthy federated transactions. Frameworks that improve trustworthy use of Federation, such as categorizing, are implemented and adoption by members is promoted Work with relevant Federation Operators to promote realization of baseline expectations

InCommon Baseline Expectations for Identity Providers:

The IdP is operated with organizational-level authority The IdP is trusted enough to be used to access the organization’s own systems Generally-accepted security practices are applied to the IdP Federation metadata is accurate, complete and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL

InCommon Baseline Expectations for Service Providers:

Controls are in place to reasonably secure information and maintain user privacy Information received from IdPs is not shared with third parties without permission and is stored only when necessary for SPs purpose Generally accepted security practices are applied to the SP Federation metadata is accurate, complete and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL Unless governed by an applicable contract, attributes required to obtain service are appropriate and made known publicly

Why is this a problem in the first place? Change is a problem. Federations need to face this and have a process in place on how and when to address it.

How the Baseline Expectations program works:

Automated health check: Gives specific, actionable info to the right people at the right time Community Dispute Resolution: Formal, transparent resolution of concerns about federation entities Community consensus Amend Participation Agreement All manner of outreach

From February 2018, a health check was in place, focusing on how all three actors were responding to the baseline expectations. The metadata health kept going up until January this year. The parameters being measured were %IDP Meets BE, %SP Meets BE, % Organizations Meets BE. There is a vast amount of resources thrown into checking this alone. There was a big campaign to establish connections with all members and receive proper feedback.

There are 24 IdPs not in full aligning with Baseline as of this moment – they mostly have responded that they are working on it and only a small amount has not responded. A big part of them are test IdPs as well.

Is there a way to estimate how many inCommon participants required a call for example to get their attention? Why is this an issue?

IdPs are considered to be more enterprise adjusted rather than research and education related.

Research is the most relevant part when it comes to education organizations.

The Baseline roadmap is in development. The following are a first draft of suggestions on how to go about this roadmap, which will be surely changed and transformed along the way.

1st quarter 2018 – 1st quarter 2019: Create BE processes, redo contracts, work on metadata quality 1st quarter 2019 – 4th quarter 2019: errorURL. REFEDS. MFA for academic IdPs shib v3.3+. 3d quarter 2019 – 4th quarter 2020: R&S for academic Open Source IdPs. SIRTFI all entities 1st quarter 2020 – 4th quarter 2021: Academic IdPs must use “collaboration ready” software (R&S, MFA, SIRTFI)

Discovery should be added to the roadmap.

There are many very good candidates for the next generation Baseline. It will be extended in the future- the current roadmap is also connected to the ability of the member organizations to approach change.

Discovery should be a burden added to SPs. In theory the process generally needs enough SP representation and at this moment there is not enough of it.