Document Title: Final Report of the InCommon Deployment Profile Working Group
Repository ID: TI.119.1
Persistent URL: http://doi.org/10.26869/TI.119.1
Keith Wessel (editor/chair) - The University of Illinois https://orcid.org/0000-0002-8047-3187
Scott Cantor - The Ohio State University
Alan Buxey - MyUniDays, LTD. https://orcid.org/0000-0001-8217-8379
Judith Bush - OCLC https://orcid.org/0000-0001-6240-4121
Andrew Morgan - Oregon State University https://orcid.org/0000-0003-0677-6988
Eric Goodman - University of California, Office of The President https://orcid.org/0000-0002-5118-3009
Alex Stuart - JISC https://orcid.org/0000-0003-4034-3748
Nicholas Roy - InCommon https://orcid.org/0000-0001-6515-4316
David Bantz - University of Alaska http://orcid.org/0000-0003-0028-9548
Christopher Phillips - CANARIE https://orcid.org/0000-0001-5567-4916
Publication Date: February 14, 2019
Sponsor: InCommon TAC
© 2019 Internet2
This work is licensed under a Creative Commons Attribution 4.0 International License.
The InCommon Deployment Profile working group was chartered by the InCommon Technical Advisory Committee (TAC) in the fall of 2016. The group was charged with creating a deployment profile that could be layered on top of the SAML 2.0 Deployment Profile, SAML2int, which was planned to receive a much-needed update. The working group would make the needs of the research and education (R&E) community known so that some could be incorporated into SAML2int; the remaining requirements would go into an R&E-specific deployment profile.
This work was a follow-on initiative recommended by the Federation Interoperability working group which created a profile for SAML software developers. The Federation Interoperability recommended a second profile for deployers of SAML-based services and identity providers.
The motivation for this second profile can be found in the Deployment Profile's charter:
Operating a broadly compatible SAML-based service or identity provider can be challenging. The standards and profiles that are currently available leave a lot of room for interpretation and customization. While this allows for flexibility, it also results in issues that make interoperating in a federation a lot harder than it should be. While deployment standards exist today, they fall short of solving the whole problem.
The charter formed the basis for the working group's initial conversations about how to address a standard for deployment. Updating the existing SAML2int profile was the obvious choice for the focus of our work
The working group began by evaluating the issues list from the Federation Interoperability working group; many of the requirements for developers imply configuration on the part of deployers. In addition, many of the issues from the previous working group's list were considered out of scope for their work but relevant for deployers. The group categorized and clarified the issues and added others from personal experience and community input. The result was a list of recommendations for SAML2int, R&E specific issues, federation operator issues, and those not belonging in a profile at all.
The group then tackled a number of tough issues for which requirements were needed but unclear: federated logout, identifiers, XML encryption, and logos. After several lengthy discussions, the group reached and documented consensus on these areas and formed them into requirements. At this point, the group produced a second profile specifically dealing with identifiers. The OASIS SAML V2.0 Subject Identifier Attributes Profile reflects the work done in this area. It attempts to clear up confusion and issues with the numerous federated identifiers available to deployers today.
As the work progressed, the working group realized that, if SAML2int was going to be updated in a timely fashion, they would need to be the ones to do it. The group was depending on SAML2int updates to be completed before an R&E specific profile could be created. Thus, the group produced an updated version of SAML2int for community review and adoption.
The R&E community provided feedback during a consultation period in May of 2018. All of the changes and questions submitted by the community were taken into consideration by the working group during the summer of 2018, and many resulted in changes to the updated version of SAML2int. The following September, the group held two community review calls to discuss responses to the feedback. A small number of additional revisions were made as a result of the community review calls and sessions at the 2018 Internet2 Technology Exchange conference. The completed work is being presented to Kantara to supersede the current SAML2int after approval by the InCommon TAC.
The working group produced the following items during the course of its work:
The group calls out the following items that were accomplished in the course of its work:
Several items in the profile will require some coordinated effort by federations for broad adoption, similar to work done to aid large changes in the past such as the move to Shibboleth IdP version 3. InCommon's governance may wish to make some of these requirements part of Baseline Expectations in the future. Items of interest include:
The working group identified a couple of areas where the implementation profile and deployment profile don't completely align. These are worth bringing attention to, but in the opinion of the group, are acceptable differences.
Several items were identified that would create excellent profile requirements but are inappropriate for one reason or another for SAML2int. Some of these are specific to the needs of the R&E community and belong in an R&E deployment profile layered on top of SAML2int. Others are related to development of federated applications rather than the SAML layer. A small number of items were also identified that would fit well into a profile for federation operator best practices. These items are documented here for consideration by future InCommon efforts.
Federated applications profile:
Federation operator profile:
The group originally added an item to the revised SAML2int that they later felt was advice, not a profile requirement. The item stated that a service provider that requests forced reauthentication should verify that forced reauthentication was performed. While this is a very wise thing to do, it's not firm enough to be required by a profile. Further, it suggests other items that SPs should do. Other items include: verify requested authentication context was satisfied, synchronize server clocks using NTP, and check for attributes in a SAML response rather than granting access based solely on the presence of a successful response. There are certainly others, and these lend themselves to an advanced topics write-up for SP on-boarding. The group recommends that InCommon explore other topics to be addressed in such a write-up and add it to the work of the SP on-boarding working group.
First and most obvious, the working group recommends that the TAC support the revised SAML2int being presented to Kantara's Federation Interoperability Working Group (WG-FI) for review and ratification. Once ratified, we recommend that REFEDS works to integrate the requirements of the revised profile into federation-specific requirements. Even though this group considers our InCommon work complete, most working group members will attend the Kantara working group to represent the work and respond to any community feedback.
As noted above, there are requirements that were left out of this profile that don't apply globally but benefit an R&E specific application. The working group recommends that the TAC charter an effort to create an R&E-specific profile to be layered on top of SAML2int using the above requirements as a starting point.
Many of the requirements in the revised profile need to be widely adopted to be useful. The working group recommends that such items be considered for addition to the InCommon Baseline Expectations. Such candidates might include adoption of new identifiers, upgrading to new encryption algorithms, timely metadata consumption, proper error handling, and compliant logout processes.
The working group recommends that InCommon establish automated tests for requirements where possible. Obviously, many of the requirements can't be tested, but there's benefit to testing and notifying contacts for lack of compliance with those requirements that can be tested.
The SAML 2.0 standard has had a number of errata filed since its creation along with a number of suggestions placed in the SSTC-Jira backlog. The working group recommends that InCommon directs the OASIS SSTC to compile these changes and additions into the creation of SAML 2.1.
The now-final OASIS Subject Identifiers specification creates new identifier Attributes analagous to OIDC's "sub" claim that replace eduPersonPrincipalName and eduPersonTargetedID and all uses of SAML Name Identifiers. As both of these legacy attributes are part of the Research and Scholarship attribute bundle, the working group recommends study of how to evolve the successful R&S entity category towards a future state that encourages adoption of best practices.
Finally, the working group recommends some well-planned marketing and incentives to help InCommon participants achieve compliance. This could involve adding items to Baseline Expectations as noted above, but it also could include a badge or signaling in metadata. As with SIRTFI, metadata signaling could be self-asserted. InCommon might also want to consider a Baseline+ certification; participants who don't meet the extra requirements won't be removed from the federation, but those who do will receive additional benefits. Adherence to many items in this profile might fall into that category.