...

Service Providers (SPs) often find that the population they want to serve includes individuals who are not represented by campus-based or other institutional Identity Providers (IdPs). In other cases, the individual's organizational IdP cannot (or will not) release the attributes necessary for the operation of the SP. The two most commonly encountered accommodations for users in this situation both suffer from serious inadequacies. First, SPs can opt to issue credentials and run an authentication service for those users lacking an adequate federated solution. The drawback is that this forces the SP owners to take on the unwelcome role of issuers and managers of user credentials. It is not their core mission, and it can easily become a substantial support burden. The second fallback is to accept external IdPs such as Google. This gets the SP owners out of the credential management business, but brings other issues. To take Google as an example, Google's IdP-like service comes with several caveats: their business model is premised on monetizing user and usage data; as a non-SAML solution, they do not support the Enhanced Client or Proxy (ECP) Profile, a critical requirement for some key research services; and they reserve the right to throttle usage if it rises above what they consider an acceptable level of use. A different approach is clearly needed. Ideally, individuals lacking a suitable IdP could be invited to register with a participating IdP that offered no-cost, easy self-registration processes.

This working group was chartered to determine the characteristics of a fully adequate solution to this challenge and to make recommendations on the steps that would be involved in implementing that solution. The envisioned answer is an "IdP of last resort" that serves users otherwise unable to access specific services. Historically, ProtectNetwork played this role, but their business model shifted over the years to the point that the cost of ProtectNetwork's services has become financially prohibitive for many SPs. Past usage of ProtectNetwork did, however, clearly demonstrate the appeal of an IdP of last resort: a few years ago, something on the order of 40% of logins to the Internet2 wiki were accomplished with ProtectNetwork credentials.

While the problem potentially applies to any federated service, the working group was explicitly directed to focus on identifying and responding to the needs of service providers in the research and scholarship (R&S) space, including but not restricted to cases that leverage the international R&S entity category. The present working group report spells out the requirements that an IdP service needs to meet to qualify as a full solution to the R&S challenge. The report closes by recommending concrete courses of action that InCommon could take to foster the emergence of a service meeting all the documented requirements.

In addition to the present report, the working group also drafted individual evaluations of a small number of candidates for an IdP of last resort service. These evaluations will be shared with InCommon after it is determined if there is interest in moving forward.

Scope and Limits of the Proposed Service

...