The Future of Digital Identity and RA21
Federated identity services have been around for close to twenty years. The research and academic space served as a development and proving ground for standards like SAML and technologies like Shibboleth and CAS, and the commercial space ran with those ideas with standards like OAuth and OpenID Connect (OIDC). The success of companies like Google, Facebook, Twitter, and more helped move this whole idea of federated, digital identity deep into the fabric of the Internet. With the positive characteristic of limiting the number of accounts and passwords that a user has to track comes the negative possibilities around potentially invading an individual’s privacy by tracking their actions across a variety of services.
With commercial services such as Google and Facebook, the user is generally the product, and all information is considered ‘fair game’. When information about the user is the product, then privacy is essentially a lost cause. When the purpose is purely to support authorization to a service or set of materials, however, privacy has a far better chance of being preserved.
In the scholarly research and education community, however, the story is somewhat more positive. For federated identity to work in this environment, there must be a fabric of trust, based on agreed upon policies and procedures between the institution offering identity services, and the organization consuming that information. Service providers may have bilateral contracts with identity provider institutions, but one of the reasons federations exist is that bilateral contracts do not scale. To join a federation, service providers generally must agree to a set of practices that includes things like having publicly available privacy policies and an understanding of appropriate use of user information.
For example, from the US-based InCommon federation’s proposed Baseline Expectations:
Baseline Expectations of Service Providers
1. Controls are in place to reasonably secure information and maintain user privacy
2. Information received from IdPs is not shared with third parties without permission and is stored only when necessary for SP’s purpose
3. Generally-accepted security practices are applied to the SP
4. Federation metadata is accurate, complete, and includes site technical, admin, and security contacts, MDUI information, and privacy policy URL
5. Unless governed by an applicable contract, attributes required to obtain service are appropriate and made known publicly
In addition to defined operating practices, the federation community has a variety of other ways to help encourage trust within and across their federations. For example, there are internationally vetted entity categories that may decorate the metadata of both identity providers and service providers. Research & Scholarship (R&S), as one example, is aimed at tagging Service Providers “that are operated for the purpose of supporting research and scholarship interaction, collaboration or management, at least in part”. Identity providers can restrict attribute release to only those service providers that have qualified for R&S. There are several others, and determining what entities are tagged with that information is publicly available information via the Metadata Explorer Tool supported by GÉANT, the consortium of national research and education networks and federations in Europe (though with information for all known federations around the world).
All this points to a healthy and growing trust fabric in R&E identity federations. But there are still significant challenges, and given the scale involved, those problems are hard to tackle. According to the Metadata Explorer Tool, there are currently 4584 identity providers across the 61 known R&E federations around the world, and 10551 service providers. The challenges range from establishing user consent (assuming consent is the correct mechanism to support information sharing) given different legal and cultural requirements, differentiating and supporting the requirements of the research collaboration community from more commercial interests, and for RA21, presenting a sensible list of identity providers—given the possibility of over 4500 identity providers in the world—to the user while still respecting users’ privacy, the service providers subscription contracts, and the identity providers obligations.
The user, whether they are a student, corporate researcher, or faculty member, is at the center of RA21. The ultimate goal of the project is to produce a set of best practices regarding identity discovery so that the user can access content they have rights to access, regardless of their location. The technology that is being tested in the various pilots is being used to provide different testing grounds for the most privacy preserving and looking at different options for the mechanics of offering a simpler, targeted list of possible identity providers that might be relevant to the user.
When it comes to identity discovery, issues around consent are actually very limited. The user should be able to consent to sharing personal information such as their name or email address – those items are useful for personalization, but not fundamentally necessary to the authorization transaction. The user handles the authentication, but it is up to the institution to validate the assertion that the user is affiliated with that institution. The user cannot “own” that aspect of the data – that belongs to the institution.
Publishers, as the primary content providers in this picture, will have to do most of the heavy lifting when it comes to improving discovery. They will need to be able to send users to a discovery service, and be able to handle authorization decisions based on whatever attributes are appropriate to their service rather than just by checking IP address. As many people have noted, IP addresses work extremely well when a user is on campus, but as soon as the user has shifted to a local coffee shop, their home, or an airport, then they have to jump through multiple clicks for authentication OR stop and get a VPN or proxy set up on their system.
Federated identity services in the R&E context allow the user more freedom to access licensed content and services from anywhere in the world. RA21 focuses on improving the identity discovery experience for the user, and looks forward to consent improvement efforts such as Consent-informed Attribute Release project, federation-wide security response efforts such as SIRTFI, and many other efforts around the world that bite off their own piece of this elephant to improve federated identity.