Federations: next challenges

Last week’s REFEDs and VAMP meetings in Utrecht invited identity federations to move on to the next series of technical and policy challenges. Current federations within research and education were mostly designed to provide access to large commercial publishers and other services procured by universities and colleges for their individual members. Services and arrangements are often structured nationally, whether because of procurements, licensing or simply language. In these cases the home university or college both authenticates the user and grants them permission to use the service (so contributes to both authentication and authorisation). Each home organisation will have a relatively small number of agreements with service providers, each agreement benefitting a large number of users and lasting for a number of years. For both the service provider and the home organisation it is worth spending time and effort on technical, social and legal issues to get this large-scale, long-term relationship right. Federations have therefore tended to form around organisations and service providers in national groupings.

The VAMP meeting highlighted another use case where identity federation could be very useful: international research collaborations. These vary from large global experimental collaborations – such as CERN or LIGO – to informal groups or researchers wishing to continue discussions after a conference. Neither of these actually want to do their own identity management: LIGO’s excellent analysis of risks and benefits points out that doing less system administration means they can do more and better science. However research collaborations differ from publishers in a number of significant ways:

  • The use of a particular service is likely to be initiated by individual users, rather than their home organisations. Users may wish to collaborate in “strong groups” – which have their own funds, legal status, etc. – or “weak groups” that are much more informal;
  • Authentication and attributes may not originate from home organisations. Some members of the group may not have a Home Organisation so will need to authenticate either at a “home for the homeless” or through a social network provider; some authorisation decisions may rely on attributes that home organisations cannot provide, for example identifying which “Andrew Cormack” (yes, there are several of us in Internet-land!) is to be accepted as a member of the group. Systems and organisations that provide only authentication or only attributes need to be incorporated into the federation infrastructures;
  • Collaborations are more likely to be international, so have to work across the existing framework of national federations. Some will have stronger requirements than existing federations provide (e.g. on authentication credentials, or process audits): others may not need so much, or be unable to satisfy the requirements for membership;
  • There are likely to be far more collaborations than publishers and their members are likely to be sparsely distributed across organisations. Enabling access to each particular collaboration will therefore benefit only a minority of the organisation’s members, so it needs to be much simpler. Standards for “types” of collaboration service may make configuration easier: Internet2 are already working to define a “research and scholarship” category, but there may be others.

These differences raise the question of how much of the existing federations’ technical and social/legal infrastructure can be re-used. Two extremes would either be to require every collaboration service to join every national federation where it may have members (as commercial publishers sometimes do) or to create a new federation per collaboration and require organisations to join all those in which their members want to participate. Neither of these seems ideal, though for the first few participants either might appear simpler than approaches that will scale better in the medium and long terms. Participants will need to accept that although one quick-fix may make their lives easier, ten different quick-fixes will be a lot more painful than adopting a general approach in the first place.

For scalability we need to re-use existing components, either by providing gateways to translate between them (in both technical and legal terms, as appropriate) or by accepting that other people’s approaches are “close enough” (a well-established European legal approach called “harmonisation”), and only invent new mechanisms where there are genuinely new requirements. The challenge for federations and collaborators will be to identify the sweet spots where a system or agreement can offer enough commonality to be useful, but not demand so much that it excludes some people or organisations who need to participate. For this reason I was nervous to hear a desire that federation should work “like a social network” – anything that comprehensive seems bound to exclude some people (who may be in other equally good, and equally exclusive, social networks of their own).

With large federations already having tens or hundreds of members, and millions of users, it seems highly unlikely that we will all be able to switch to a new approach in a big bang. Instead we need to accept that a hybrid approach will be needed for some time, while identifying the small steps that will move us closer to a global federated identity system that can support research collaborations of all types and scales. Such a system must be international: groups such as REFEDs and VAMP will be important to share national ideas, requirements and experiences and develop them into an increasingly internationalised framework.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *