Introduction 

The Federation Readiness Check Working Group is concerned with bringing a “good practice” approach to research and education (R&E) identity federation.  In short, how can an InCommon participant tell that their IdP or SP works properly?

A significant roadblock for new R&E community members is validating their identity provider (IdP) or service provider (SP) deployment.  Current good federation practice involves an overwhelming variety of expectations, standards, entity categories, frameworks, and profiles.  No single, comprehensive resource exists for operational guidance and integration testing.  The documentation and test resources that do exist are difficult to find even for experienced IAM professionals, are typically restricted to federation members, and focus almost exclusively on IdPs.  While the decentralized nature of R&E federation allows it to scale far beyond current commercial offerings, that same decentralization makes meaningful change to IdP, SP, or federation operations seem impossible to enact.  A scorecard would be a powerful tool for change.

Challenges

What does "works properly" mean?  Who decides?  People have different ideas about what "testing" means.

What's measurable?  What can be checked by computer?

What's out of scope (for now)?

Charter

The Federation Readiness Check Working Group will: 

  • Survey existing testing audiences and their testing needs.
  • Explore current good federation practice beyond the minimums set by Baseline Expectations.
  • Draft ratings guides for SPs and IdPs (in that order) with an emphasis on remote, automatic assessment.
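The challenge "what can be checked by computer?" and the charter's emphasis on remote, automatic assessment can be made concrete.  The Python below is an added example written for this page; it is not tooling of the Working Group, of InCommon, or of any federation listed under References.  It runs a handful of checks that a ratings guide could state and that a machine can verify from nothing but an entity's published SAML metadata, each taken from a profile in the References section: errorURL on the IdP role, TLS on every endpoint, a signing key, Research and Scholarship support, a Sirtfi assurance assertion, the Subject Identifier request attribute for SPs, and an mdui DisplayName.  The metadata it parses is constructed; the entity ID, hostname, certificate placeholder, and the function names check_entity and score are assumptions of the example, and the sample deliberately omits errorURL and exposes an http endpoint so that two checks fail.

```python
# Added example for this page, not Working Group or federation tooling.
# Remote, automatic readiness checks that need nothing but an entity's published
# SAML 2.0 metadata. Check names follow the profiles listed under References.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
# Entity-attribute names and values defined by the referenced profiles.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ENTITY_CATEGORY_SUPPORT = "http://macedir.org/entity-category-support"
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SUBJECT_ID_REQ = "urn:oasis:names:tc:SAML:profiles:subject-id:req"
RS_CATEGORY = "http://refeds.org/category/research-and-scholarship"
SIRTFI = "https://refeds.org/sirtfi"


def entity_attributes(root):
    """Collect {Name: [values]} from md:Extensions/mdattr:EntityAttributes."""
    attrs = {}
    for attr in root.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def endpoints_use_tls(role):
    """True if the role has endpoints and every Location is https (interop profile)."""
    locations = [e.get("Location") for e in role if e.get("Location")]
    return bool(locations) and all(urlparse(u).scheme == "https" for u in locations)


def check_entity(metadata_xml):
    """Return {check_name: passed}. Role checks run only for the roles present."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    attrs = entity_attributes(root)
    results = {
        "has_mdui_displayname": root.find(".//md:Extensions/mdui:UIInfo/mdui:DisplayName", NS) is not None,
        "sirtfi_asserted": SIRTFI in attrs.get(ASSURANCE_CERT, []),
    }
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is not None:
        results["idp_errorurl_present"] = bool(idp.get("errorURL"))  # errorURL deployment profile
        results["idp_endpoints_tls"] = endpoints_use_tls(idp)
        results["idp_has_signing_key"] = any(
            k.get("use") in (None, "signing") for k in idp.findall("md:KeyDescriptor", NS))
        results["idp_supports_rs"] = RS_CATEGORY in attrs.get(ENTITY_CATEGORY_SUPPORT, [])
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is not None:
        results["sp_endpoints_tls"] = endpoints_use_tls(sp)
        results["sp_declares_subject_id_req"] = any(  # Subject Identifier Attributes profile
            v in ("any", "subject-id", "pairwise-id", "none") for v in attrs.get(SUBJECT_ID_REQ, []))
        results["sp_in_rs"] = RS_CATEGORY in attrs.get(ENTITY_CATEGORY, [])
    return results


def score(results):
    """Fraction of checks passed: the sort of number a ratings guide could publish."""
    return sum(results.values()) / len(results)


# Constructed IdP metadata (entity ID, host and certificate are placeholders).
# It deliberately lacks errorURL and exposes an http endpoint so two checks fail.
SAMPLE_IDP = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
  xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://idp.example.edu/idp/shibboleth">
  <md:Extensions><mdattr:EntityAttributes>
    <saml:Attribute Name="http://macedir.org/entity-category-support">
      <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
    </saml:Attribute>
  </mdattr:EntityAttributes></md:Extensions>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:Extensions><mdui:UIInfo>
      <mdui:DisplayName xml:lang="en">Example University</mdui:DisplayName>
    </mdui:UIInfo></md:Extensions>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="http://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    results = check_entity(SAMPLE_IDP)
    for name, passed in results.items():
        print("PASS" if passed else "FAIL", name)
    print("score: %.2f" % score(results))
```

In practice the metadata would be fetched per entity from the federation's Metadata Query Protocol endpoint and its signature verified before parsing; that signature check is deliberately outside this example.  Everything here is answerable from static metadata, which is exactly the class of check that is cheap to automate.  Checks that need a live protocol exchange (whether an IdP honours the REFEDS MFA context, what attributes are actually released) are what tools such as SAMLtest and the eduGAIN Attribute Release Check cover, and cannot be scored from metadata alone.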

Membership

Membership in the Federation Readiness Check Working Group is open to all interested parties.  Solicitation will take place on lists such as the InCommon Participants list and the REFEDS list, explicitly seeking international participation.  Some stakeholders may be explicitly solicited by the Co-Chairs or other Working Group members for participation, e.g., providers who do not ordinarily participate on the above lists.  Members join the Working Group by subscribing to the mailing list and Slack channel, participating on the calls, and otherwise actively engaging in the work of the group.

Work Products

  1. A qualitative audience survey
  2. A summary report of the Working Group proceedings, including any notable findings not included in the recommendations.

References

The nice thing about standards is that you have so many to choose from.  Recognizing this, the following references are necessarily incomplete.

Standards and Practices

Baseline Expectations for Trust in Federation Version 2

EDUCAUSE Information Security Guide: Effective Practices and Solutions for Higher Education

IGTF Scalable Negotiator for a Community Trust Framework in Federated Infrastructures

Metadata Query Protocol

REFEDS Assurance Framework

REFEDS Multi Factor Authentication Profile

REFEDS Research and Scholarship Entity Category

REFEDS Security Incident Response Framework

REFEDS Single Factor Authentication Profile

SAML V2.0 Metadata Deployment Profile for errorURL

SAML V2.0 Deployment Profile for Federation Interoperability Version 2.0

SAML V2.0 Subject Identifier Attributes Profile

SeamlessAccess

SSL Server Rating Guide

Extant Tooling

SSL Server Test by Qualys

SAMLtest by Signet

eduGAIN Connectivity Check Service (ECCS), source code

eduGAIN Attribute Release Check (EARC)

AAF Validator

SWAMID’s release check

Security Compliance Check Tool

Test Your Identity Provider

SAML-tracer

Fiddler by Telerik

SAML Tools

Federation as a Service (FaaS)

Higher Education Community Vendor Assessment Tool (HECVAT)

Test Federations

These federations run test federations of their own and may be willing to share their tooling and experience with InCommon:

  • Australian Access Federation (AAF)
  • Canadian Access Federation (CAF)
  • Swedish Academic Identity Federation (SWAMID)

Public Endpoint Entities Registry (PEER) is not really a test federation but rather a source of potentially useful tooling.  REFEDS’ REEP-PEER Service publishes a metadata aggregate, but the website appears to be unmaintained.  See also REEP Policy in the REFEDS wiki.
