FIM4R reloaded: addressing challenges in Federated Identity Management

The Federated Identity Management 4 Research (FIM4R) group met in Montreal on 16-18 September 2017, kick-starting a new cycle for the group and a new relationship with the AARC (Authentication and Authorisation for Research and Collaboration) project.

AARC has committed to using FIM4R as its Community Engagement Forum to present results of the AARC pilots and other project developments. This will ensure that research collaborations participating in AARC can report on their experience, gather input on the work done and, hopefully, help other research collaborations with similar use cases. The first results will be presented at the next FIM4R meeting in 2018.

The FIM4R group was created in 2011 and brought together photon & neutron facilities, social science & humanities, high energy physics, climate science, life sciences, fusion energy and many ESFRI projects. Its goal was to identify the obstacles that prevented international research collaborations from using federated access. As a result, in 2012 a paper was published that documented common requirements and recommendations to research communities, identity federations and funding bodies to make federated access more pervasive. The paper, in combination with the AAAI study led by TERENA (now GÉANT), paved the way to the EC-funded AARC project and provided requirements for work addressed in eduGAIN and REFEDS.

The Montreal meeting ‘reloaded’ FIM4R; one of the group’s goals is to highlight progress since 2012 and to address the prevailing challenges for FIM technologies in international research collaborations.

What has changed since 2012?

Certainly there is much better awareness of FIM technologies. eduGAIN is now fully in production, and its benefits (and its limitations) are much better understood. Compared to 2012, federated access has become more pervasive and many more research collaborations leverage federated authentication (at least for those users that have institutional credentials) to enable access to their services. The use of social IDs and ORCID in particular has become much more common; these are now accepted identity providers (at least for those research collaborations where lower identity assurance is not an issue) to support users that cannot rely on a national federation.

Research collaborations have also made an effort to connect their services (and their local IdPs) to a national federation via which they become available in eduGAIN.

Whilst in past years the lack of attributes released by the IdPs was a major frustration, this aspect was hardly mentioned at the last FIM4R meeting. This does not mean the problem is solved. The main difference is that many research collaborations have found a workaround for the lack of attributes by operating proxies, in line with the AARC blueprint architecture. This approach allows a research collaboration to accept users that log in via their national federation/eduGAIN, social providers, ORCID or guest identity providers, and users that authenticate with technologies other than SAML. It also allows research collaborations to add a persistent identifier for users and to complement the missing attributes. The proxy is connected to a national federation as a service provider and exposed to eduGAIN. Architectural patterns, policy and security aspects for the proxy are specified in different documents produced by the AARC project.

Identity federations keep fighting the ‘attribute’ battle. REFEDS is championing the Entity Category as the scalable approach to ensure that service providers can automatically receive the attributes specified in that category. The REFEDS Research and Scholarship Entity Category (R&S EC) enables all services that operate within the research and education remit to receive a guaranteed set of attributes, ensuring that attributes are released in a safe and legally compliant manner. The uptake of entity categories among the Identity Providers is growing, but not as fast as had been hoped. See the latest REFEDS blog on this topic.
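As an added illustration of the proxy pattern and of the R&S attribute bundle discussed in the two paragraphs above (example code written for this page, not code from the AARC project or any FIM4R member): a minimal attribute-augmentation step that a proxy runs on the assertion it receives from a user's home IdP. It mints a stable, opaque, scoped identifier, fills in a display name from its parts where R&S allows that, complements attributes the IdP withheld from the collaboration's own enrolment data, and reports what is still missing. The R&S category URI and the eduPerson attribute names are the real REFEDS/eduPerson ones; the proxy scope, secret, sample IdP, assertion and registry entry are constructed.

```python
import hashlib
import hmac

# REFEDS R&S entity category URI (real value); the bundle below follows the
# R&S specification: a non-reassignable identifier, mail, and a display name
# (displayName, or givenName + sn).
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
RS_BUNDLE = ("eduPersonPrincipalName", "mail", "displayName")

# Constructed deployment values (assumptions, not from the post).
PROXY_SCOPE = "proxy.example.org"
PROXY_SECRET = b"replace-with-a-per-deployment-secret"


def persistent_id(idp_entity_id: str, subject: str, secret: bytes = PROXY_SECRET) -> str:
    """Mint a stable, opaque, scoped identifier for (home IdP, upstream subject).

    A keyed HMAC rather than a plain hash: the same user always gets the same
    value, nobody without the proxy's secret can link it back to the upstream
    identifier, and including the IdP entity ID stops two IdPs colliding on the
    same local subject string.
    """
    msg = f"{idp_entity_id}!{subject}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]
    return f"{tag}@{PROXY_SCOPE}"


def missing_from_bundle(attrs: dict) -> list:
    """Return the R&S bundle attributes that the given attribute set lacks."""
    missing = []
    for name in RS_BUNDLE:
        if name == "displayName" and attrs.get("givenName") and attrs.get("sn"):
            continue  # R&S accepts givenName + sn in place of displayName
        if not attrs.get(name):
            missing.append(name)
    return missing


def augment(idp_entity_id: str, idp_categories: set, assertion: dict, registry: dict) -> dict:
    """Build the attribute set the proxy releases to the collaboration's services."""
    subject = assertion.get("eduPersonPrincipalName") or assertion.get("eduPersonTargetedID")
    if not subject:
        # Without any persistent upstream identifier the proxy cannot mint a stable one.
        raise ValueError("assertion carries no usable identifier")
    released = dict(assertion)
    released["eduPersonUniqueId"] = persistent_id(idp_entity_id, subject)
    if not released.get("displayName") and released.get("givenName") and released.get("sn"):
        released["displayName"] = f"{released['givenName']} {released['sn']}"
    # Complement what the IdP withheld from data the collaboration holds itself
    # (e.g. an address verified at enrolment), keyed by the minted identifier.
    local = registry.get(released["eduPersonUniqueId"], {})
    for name in missing_from_bundle(assertion):
        if name in local:
            released[name] = local[name]
    return {
        "attributes": released,
        "idp_supports_rs": RS_CATEGORY in idp_categories,
        "still_missing": missing_from_bundle(released),
    }


# Constructed sample: an IdP that released only a scoped identifier and name parts.
SAMPLE_IDP = "https://idp.example.edu/idp/shibboleth"
SAMPLE_ASSERTION = {"eduPersonPrincipalName": "jdoe@example.edu", "givenName": "Jane", "sn": "Doe"}


def demo() -> dict:
    uid = persistent_id(SAMPLE_IDP, "jdoe@example.edu")
    registry = {uid: {"mail": "jane.doe@example.edu"}}  # collected at enrolment
    return augment(SAMPLE_IDP, set(), SAMPLE_ASSERTION, registry)


if __name__ == "__main__":
    print(demo())
```

The `still_missing` list is what a proxy operator would log per IdP: an IdP that carries the R&S category but still leaves that list non-empty is not honouring the category, which is exactly the uptake problem the paragraph above describes.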

Progress has been made to enable federated access for non-web resources, which was another requirement identified by the FIM4R paper. Although there is no one solution that fits all purposes, there are at least a few consolidated options:

  • There are many services that still require the use of digital certificates; production token translation services, such as CILogon and RCAUTH, generate a digital certificate on the fly when users log in via their national federation.
  • Enabling federated access for HTTP APIs that are accessible via the command line can be achieved either by using SAML ECP, when the IdPs support it, or by using OpenID Connect. Adoption of SAML ECP by the IdPs is on the rise since Shibboleth started supporting it by default. OIDC, on the other hand, seems to be the future for accessing this kind of service. The AARC Architecture provides a blueprint for utilising OIDC with the existing SAML-based federations, while there is ongoing work to support OIDC as a native protocol in the Identity Federations.
  • For SSH access, users can resort to either certificate-based access or a two-stage approach, in which a user accesses a web-based portal using her federated account and then generates/uploads SSH key(s).
  • Moonshot is another solution for enabling federated access to non-web resources, but it does require support on the IdP side, which is not widely available.
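As an added example of the two-stage SSH approach in the list above (written for this page; not code from the AARC guidelines or any FIM4R member), this is the portal-side check a defender would want before a federated user's uploaded public key is written to an `authorized_keys` file: the key line is parsed down to its wire-format blob, the declared type must match the encoded type, weak RSA moduli are refused, and the entry is rebuilt from validated parts with the federated identity as the comment, so that nothing the user typed (including a second line) reaches the file verbatim. Accepted key types, the RSA minimum and the sample key material are constructed assumptions.

```python
import base64
import re
import struct

# Policy choices for this example (assumptions): accepted key types and the
# minimum RSA modulus size.
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
MIN_RSA_BITS = 2048


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode one SSH wire-format string at offset, refusing truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def parse_public_key(uploaded: str):
    """Validate an uploaded OpenSSH public key line; return (type, base64 blob).

    Only the first two whitespace-separated fields are used, so extra text,
    including further lines, is discarded rather than copied into the file.
    """
    parts = uploaded.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    if ktype not in ALLOWED_KEY_TYPES:
        raise ValueError(f"key type {ktype} not accepted")
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    inner, off = _read_string(blob, 0)
    if inner != ktype.encode():
        raise ValueError("key type prefix does not match the encoded blob")
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)       # public exponent (mpint)
        n, _off = _read_string(blob, off)       # modulus (mpint)
        if int.from_bytes(n, "big").bit_length() < MIN_RSA_BITS:
            raise ValueError("RSA modulus too small")
    return ktype, b64


def authorized_keys_line(federated_id: str, uploaded: str) -> str:
    """Rebuild the authorized_keys entry from validated parts only."""
    ktype, b64 = parse_public_key(uploaded)
    # The user-supplied comment is replaced by the federated identity so the key
    # is attributable; the restricted alphabet keeps newlines and spaces out.
    tag = re.sub(r"[^A-Za-z0-9@._-]", "_", federated_id)
    return f"{ktype} {b64} {tag}"


def rejects(uploaded: str) -> bool:
    """True if the portal would refuse this upload."""
    try:
        parse_public_key(uploaded)
    except ValueError:
        return True
    return False


def make_key_line(ktype: str, *fields: bytes) -> str:
    """Build a well-formed key line from raw fields (constructed material, not real keys)."""
    blob = _ssh_string(ktype.encode()) + b"".join(_ssh_string(f) for f in fields)
    return f"{ktype} {base64.b64encode(blob).decode()} user@laptop"


SAMPLE_ED25519 = make_key_line("ssh-ed25519", bytes(range(32)))
SAMPLE_RSA_1024 = make_key_line("ssh-rsa", b"\x01\x00\x01", b"\x80" + bytes(127))
SAMPLE_RSA_2048 = make_key_line("ssh-rsa", b"\x01\x00\x01", b"\x80" + bytes(255))


if __name__ == "__main__":
    print(authorized_keys_line("abc123@proxy.example.org", SAMPLE_ED25519))
    print("1024-bit RSA rejected:", rejects(SAMPLE_RSA_1024))
```

Binding the entry's comment to the identifier the proxy minted for the user (rather than to the upstream ePPN) keeps the SSH side consistent with the persistent identifier the collaboration already uses elsewhere, and makes a later key revocation a simple lookup.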

More information about enabling federated access to non-web resources can be found in the “Guidelines on non-browser access” that has been published by AARC.

There has been a great deal of work to support differentiated levels of assurance. The AARC project has produced a Minimal LoA recommendation for low-risk research use cases (2015) and Differentiated LoA recommendations applicable to research use cases (2017). In 2016 REFEDS created an Assurance Working Group to take the AARC recommendations as input and extend them into a specification. This work is currently ongoing and progressing very well under the lead of Mikael Linden (CSC).

Another challenge highlighted in the FIM4R paper was the lack of a framework to handle security incidents in identity federations. This led to the creation of Sirtfi, the Security Incident Response Trust Framework for Federated Identity. The specifications are managed via the Sirtfi REFEDS Working Group, led by Hannah Short (CERN); AARC sponsors the effort of some of the participants.

There is still more work to do, but it is nice to see that some progress has been made. The FIM4R group will provide a much more inclusive and detailed analysis of all requirements; this was just my personal pick.

What’s new on the requirements side?

A preliminary list of requirements was compiled during the meeting. New requirements concern the use of proxies in research infrastructures and how to connect the proxies to national federations; delegation and step-up authentication are now more clearly identified as requirements; tools to enable testing and compliance with protocols, with eduGAIN, Sirtfi and so on were also identified. Attribute release is still there, but the requirements are now more narrowly scoped, asking federations to release eduPersonUniqueID.

The full list is being collected in a Google Doc.

What’s next?

A first draft of the list of updated requirements is expected in December, whilst a revised version of the FIM4R document is expected in March 2018.

It will be interesting to see the impact of FIM4R v2.0; in the meanwhile it’s great to see the group being very active again.