Introduction
The birth of national identity federations in the research and education sector
- The first identity federations were built by NRENs primarily to organise access to shared resources: in most cases access by university affiliates to national library resources, in other cases access to e-learning resources shared between collaborating universities within national boundaries. This happened in the first decade of our present millennium.
- It was clear from the outset that these identity federations would soon need to be interconnected:
  - The federation operators were trying to settle on common standards, or to establish such standards where needed.
  - Well-established structures were used, and extended, to host this coordination work: TERENA (the predecessor organisation of GÉANT) and friends.
The industry response
- The de-facto standards for linking commercial products to IAM services were directory protocols, of which LDAP was the dominant one. This works reasonably well within a single organisation, but not when crossing organisational borders, let alone crossing federations.
- The emerging OASIS standard SAML had not yet been widely adopted, but looked very promising for solving the federation and interfederation problem. The international NREN community became the biggest early adopter of SAML and a driver of the standard's subsequent development.
- Market adoption of SAML grew because it supported "extranet use cases", where companies started to link with partner companies on a bilateral basis. SAML became an additional option in many commercial products for linking with IAM systems.
- But the usage scenario of the global research and education sector remained unique.
- The community was therefore left alone with the effort of pushing the development of the interfederation tooling required to support its usage scenario, with Shibboleth and SimpleSAMLphp being the most important workhorses. Not that we wanted to, but we had to.
The establishment of interfederation services and governance structures
The lack of industry uptake required the NREN community to take several aspects of common services and governance into its own hands:
- driving the further development of the underlying protocols: engaging in the relevant industry standards bodies
- driving the further development of the tooling: setting up consortia, e.g. the Shibboleth Consortium, and fundraising options for Shibboleth as well as SimpleSAMLphp
- standardisation and profiling work for the data being exchanged
- setting up metadata exchange clearing houses
- transparency and quality assurance frameworks
What is changing now and what is the impact?
The eIDAS v2 regulatory framework and associated services might develop into a game changer in several aspects:
- eIDs: they are already available in some member states, but will become available in all member states and also much more accessible, including in cross-border scenarios
  - This makes onboarding processes in our community much easier
  - but the overall impact is rather limited
- The eID ecosystem: consisting of wallets, credentials and attestations, and a supporting trust framework that service providers can link into
- The promises of the eID ecosystem cover a fair part of what our identity interfederations already deliver to us, but some promises go beyond that:
  - fewer dependencies on intermediaries, better data protection, improved self-sovereignty, and most importantly: cross-sectorial use
  - the cross-sectorial use may become a real game changer: we are well prepared and organised to take governance decisions as a community for the community, but that will no longer be possible in the same way. Change is ahead.
Opportunities
- Cost and efficiency:
- Cross-sectorial scope: