Internet2 is investigating a security incident involving a compromise to a confluence server that affected https://spaces.at.internet2.edu on April 10, 2019, which was successfully mitigated on April 12, 2019. If you did not receive an email from us, it’s unlikely that any of the content you submitted to the Internet2 Spaces Wiki needs to be re-entered. We apologize for any inconvenience this may have caused. Should you have any questions or require further assistance, please email collaboration-support@internet2.edu.
Page tree
Skip to end of metadata
Go to start of metadata

Problem Statement

Operating a broadly compatible SAML-based service or identity provider can be challenging. The standards and profiles that are currently available leave a lot of room for interpretation and customization. While this allows for flexibility, it also results in issues that make interoperating in a federation significantly more complex than necessary.

There is interest in developing an updated version of the SAML2int profile which will define clearer standards for interoperability; however, that effort has not actually begun. This would help in general, but the Higher Education and Research community has more specific needs than the general SAML community. Ten plus years of experience with Federation in the higher-ed space has led to rough consensus around a set of practices that go well beyond the current saml2int profile. To work toward better interoperability in higher-ed, extensions are needed to the SAML2int profile specific to the Higher Education and Research environment.

This working group will identify additional areas where SAML2int is not specific enough for higher-ed and propose applicable extensions. Many of these extensions, though intended to address the needs of higher-ed, may benefit a broader community and thus maybe presented as candidates for adoption into SAML2int.

Notes

  1. The Profile developed by this effort will likely follow a path to international review and acceptance once this Working Group finishes its work.

  2. The discussions may identify Practices that Federation Operators should follow. The effort should develop a list of these, which would serve as input to a different effort.

Membership

Membership in the Working Group is open to all interested parties. In particular, the group should encourage international participation. Members join the Working Group by subscribing to the mailing list, participating in the phone calls, and otherwise actively engaging in the work of the group.

Stakeholders

The challenges in this area are somewhat different for IDP operators and SP operators. To propose a comprehensive profile extension, this working group will need to represent the current hurdles faced by both of these groups. Proposed solutions for IDPs will be specific to InCommon, layered on top of the federation-ignostic SAML2int profile. Proposed solutions for SPs will be broader and not specific to InCommon.

Work Products

Work Products

  1. October 2016
    Produce a list of needed extensions to SAML2int for IdPs and SPs

  2. December 2016
    Clarify and standardize terminology of all extensions

  3. February 2017
    Categorize extensions for SAML2int, R&E deployment profile, or out of scope
    Present SAML2int candidate extensions to Kantara federation interoperability WG

  4. June 2017
    Determine profile requirements around areas of challenge (i.e. XML encryption, identifiers)

  5. August 2017
    Complete Writing extensions as normative requirements

  6. September 2017
    Present Deployment Profile and R&E deployment profile to TAC

 

Related Resources

  1. InCommon FedInterop WG (Round 1) Wiki
  2. InCommon FedInterop WG (Round 2) Final Report
  3. FedInterop WG Interop Issues List
  4. SAML V2.0 Implementation Profile for Federation Interoperability - Kantara Draft
  5. The saml2int Deployment Profile.
  6. A list of proposed Changes to saml2int.
  7. A Draft IdP Deployment Checklist.
  8. Net+ Guidance for Services
  9. CIC Cloud Services Cookbook
  10. Good Federation Citizenship - IAM Online
  11. The Federation Lab SAML Test Suite (git)
  • No labels