Versions Compared

Old Version 3

changes.mady.by.user Nathan Dors (washington.edu)

Saved on

compared with

New Version 4

changes.mady.by.user Nathan Dors (washington.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.


Info
titlePage status - informational

March 12, 2019 – This document includes the working group charter for the period ending in 2018. In 2019, the working group refocused on more specific deliverables.

Summary

A recent survey confirmed that there is already substantial use of the OIDC/OAuth2 protocols by campuses. However, using these protocols is substantially “less mature” in the higher education environment than the SAML protocols that have been used for the last fifteen years. This working group will bring together current users to develop and propose standard deployment practices in order to improve the likelihood of interoperation “just working”.

Problem Statement

The last several years have seen broad adoption of two different cross-domain authentication frameworks and their associated identity spaces. Higher education worldwide, a growing number of business systems (especially cloud-based), and groups particularly concerned with security have adopted the SAML protocol and profiles and associated infrastructure (e.g., metadata describing participants). More recently, personal web use and a growing number of apps that are of interest to the higher ed community are using the OIDC/OAuth2 protocol and frameworks. Today, using these protocols requires two different identity spaces (identifiers, credentials). The growing use of OAuth2 to protect API endpoints by higher ed has increased the interest in bridging these spaces, and providing a single software package supporting multiple protocols. This is expected to provide better security, improved usability, and better interoperability in a multi-protocol world.

...

The previous group recommended a number of next steps. This Charter is derived from their recommendations. This Charter specifies a number of Work Products. They are related (they all have to do with OIDC/OAuth2), but in most cases they are not dependent on each other. It is hoped, therefore, that work can progress in parallel on several of these items, rather than addressing the items in a sequential manner within the “working Group as a whole”.

Charter

  1. Review recommendations from the previous WG and determine what is In Scope (and out of scope) for this WG. This should pay particular attention to what was determined to be campus-specific (TIER/CACTI WG?) vs. Federation-specific.

  2. Create channels for sharing information within and from the existing Higher Ed OIDC/OAuth2 deployers and interested parties. The international Higher Ed community should be asked to participate. This could include email lists, wiki pages, and regular webinars.

  3. Track and document the lessons learned; develop recommended practices for deployment, configuration, and use. Document the software architectures campuses are currently using to provide OIDC/OAuth2 services.

  4. Report on the ways campuses are using OIDC and OAuth2. This includes identifying those aspects of the protocol definitions that campuses are not using.

  5. Work with the organizations that are currently implementing these use cases to identify areas where organizations would be helped by increased standardization (e.g., use of OIDC claims, development of deployment profiles, etc.).

  6. Work within existing efforts or create new efforts to develop the required standards. New efforts might be created within existing standards bodies (e.g., I2 T&I, REFEDS, Kantara, http://openid.net/ , etc.)

    1. Develop or adopt a higher education deployment profile for OIDC/Oauth (e.g., profile similar in concept to the one for healthcare: http://openid.net/wg/heart/)

    2. Ensure the development of a Higher Ed attribute schema for OAuth2 claims (i.e., map eduPerson schema to OIDC/OAuth compatible format, likely in JSON Web Token forms), possibly by participating in the current European effort: Mapping SAML Attributes to OIDC Claims.

    3. Track (and possibly participate in) the GEANT OpenID Connect Federation task chaired by Maarten Kremers. This effort includes Roland Hedberg's efforts to develop an OAuth federation framework.

  7. Develop and share information about best practices with native mobile application authentication using SAML and OIDC/OAuth2.

  8. Identify use cases that require multilateral federation support, and bring them forward to the TAC and Internet2 T&I.

Work Products

  1. Document above Charter items on Working Group Wiki in an organized manner:

    1. Define the scope of this effort.

    2. Channels for sharing information (e.g. email lists, wiki pages, and regular webinars)

    3. Track and document use cases and lessons learned; Develop and share best practices. Describe how campuses are using these protocols (and which ways of using them that campuses are not using).

    4. List areas where organizations would be helped by increased standardization

    5. Identify areas requiring more standardization, and facilitate the development of those standards, as required (Work within existing efforts or create new efforts to develop the required standards)

    6. Identify use cases that require multilateral federation support

  2. Work within existing efforts or create new efforts to develop the required standards.

  3. The group should submit a draft status report to the TAC by TechX 2017 (Oct. 15, 2017). This DRAFT should include an initial list of issues and concerns that Higher Ed Federations will have to address in order to provide their members with a manageable framework for using Federated OIDC/OAuth2.