One of the primary barriers that providers of Research Services encounter is that the Identity Providers available to many of their users do not, and in many cases will not, release the minimal set of attributes that they need for many of their use cases. It is precisely in those cases that an IdP of Last Resort becomes a possible solution, but only if the IdP of Last Resort DOES release that minimal set of attributes. An IdP marked with the R&S (Research and Scholarship) entity category has agreed to release a standard set of attributes to any service provider that also carries the R&S tag. The R&S tag is assigned to an SP by the InCommon (and other) federations only if the service it provides fits the Research and Scholarship definition.
Basically, this requirement guarantees that a research SP can rely on an IdPoLR to provide the attributes it needs without ANY prior bilateral arrangement between them.
Service providers need a single, consistent primary identifier under which to key all information about a person. If this key changes, or the same key is subsequently assigned to a different user, then the original person's settings, history, and related data are lost to them. Requirements R2 and R3, taken together, guarantee that a suitable identifier will be available to the SP.
a. This is a requirement for InCommon Bronze Identity Assurance profile, as well as the related Silver Profile and multi-factor authentication, if supported.
To support a higher level of assurance of identity for higher risk or higher value services, an SP needs a way to signal to the IdP that it needs a particular level of authentication. The Security Assertion Markup Language (SAML) protocol defines a way to signal the need for a specific authentication context. Requirement R4 obliges the IdP of Last Resort to support this part of the SAML protocol. When the US Government begins requiring Assurance profile support for credentials, the Identity Provider will be able to provide them.
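The two SP-side checks described above (a stable, IdP-qualified subject key per R2/R3, and an asserted authentication context that is at least as strong as the one requested per R4) can be illustrated with a small assertion validator. This is an added example, not code from the document or from any federation software; the ordering of context classes, the IdP entity IDs and the assertion itself are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
# Assumed ordering of authentication context classes, weakest first.
# The bronze/silver URIs are the InCommon assurance profile identifiers.
CONTEXT_RANK = [PASSWORD_PT,
                "http://id.incommon.org/assurance/bronze",
                "http://id.incommon.org/assurance/silver"]

def context_satisfies(asserted, required):
    """True if the asserted class is at least as strong as the requested one."""
    if asserted not in CONTEXT_RANK or required not in CONTEXT_RANK:
        return False          # unknown classes never satisfy a request
    return CONTEXT_RANK.index(asserted) >= CONTEXT_RANK.index(required)

def subject_key(assertion):
    """Stable key for the SP's user record: (issuing IdP, persistent NameID).
    A transient or missing NameID cannot key long-lived data, so return None."""
    nid = assertion.find("saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != PERSISTENT:
        return None
    return (nid.get("NameQualifier"), nid.text)

def check_assertion(xml_text, required_context):
    """Return the subject key and whether the asserted context meets the request."""
    root = ET.fromstring(xml_text)
    ctx = root.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        namespaces=NS)
    return {"key": subject_key(root), "context": ctx,
            "context_ok": context_satisfies(ctx, required_context)}

# Constructed sample assertion (signature and conditions omitted for brevity).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      NameQualifier="https://idp.example.org/idp">a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>http://id.incommon.org/assurance/bronze</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE, "http://id.incommon.org/assurance/bronze"))
```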
Without support for the Enhanced Client or Proxy (ECP) profile of the SAML specification, IdPs are only capable of supporting browser-based applications. However, many research applications and services are only accessible via command line tools. The ECP profile defines a way that SAML can be used in such scenarios, thus meeting a common requirement in research environments.
Research SP operators have noticed that in many cases, when a new user first visits the SP, and is sent off to register at an IdP, the user experiences an unexplained failure, and may simply be left waiting for a response that never comes. If the IdP of Last Resort can at least signal back to the SP that, for example, the user has to perform other steps before their registration is complete, then the SP can at least provide the new user with a meaningful explanation of what has happened.
This is basic WebSSO good behavior. If the IdP session times out while a user is at one SP, and the user then invokes a second application, they will be forced to re-authenticate with the same IdP, thus violating the user's expectation of how single sign-on should work.
One of the more difficult challenges facing users of an IdP of Last Resort service is sustainability over time. By including requirement R8, this issue is put in the foreground at the very beginning of the process so that both the SPs and the IdPs have an understanding of the importance of sustainability.
If the IdP of Last Resort meets requirements R9 and R10, it will go a long way toward achieving out-of-the-box interoperability with well-configured SPs. Setup can be much more painful and time-consuming if there are interoperability issues.
We know that support for higher levels of assurance will be required for certain research SPs. By requiring support for Bronze, the lowest category of assurance, the IdP of Last Resort will at least be well positioned to support higher levels of assurance when the need arises.
A researcher should not have to accept the monetization of their personal data by any party as a condition of getting access to needed research services.
The research community is global by its very nature, so the IdP of Last Resort should be an option for SPs regardless of their location. Otherwise, we will not solve the original problem.
If there are charges associated with a researcher's use of the IdP of Last Resort, some percentage of them will simply refuse to use it, thus thwarting the SP's goal of making their service available to all its potential users. Further, many projects funded by national agencies such as the National Science Foundation cannot operate in a mode where users must pay a fee to access the project's resources.
Requirement R15 speaks to the need for the IdP of Last Resort to provide reliable and trustworthy service.
Some people have expressed concern that the existence of an IdP of Last Resort will be seen by some campuses as an alternative to a campus-provided IdP that serves the institution's research mission. D1 would provide information that could be used to identify the level of demand for a campus-level solution.
Now that there are SAML implementations that support user consent to attribute release, this will become a best practice. D2 is meant to encourage the deployment of user consent functionality.
There are research services and resources that will only be accessible to users who can provide a higher level of identity assurance. Users can only do that through IdPs that are capable of selectively guaranteeing the required level of assurance.
Research organizations' budgets for support services are never overly generous, so it is desirable for infrastructure costs, like identity and access management, to be kept to a minimum.
ASCII-only is not a good choice if the goal is to welcome and support a global research community.
Multi-factor authentication can be an important component in raising the SP's assurance that its users are who they claim to be. As high-value resources are put online, the need for higher assurance will increase.