Background
Fifteen to twenty years ago, the research and education (R&E) community was one of the first to avail itself of federated identity, where services provided by one institution utilize other institutions’ identity providers to support collaboration and shared services among universities and their partners. The Security Assertion Markup Language (SAML) was chosen as the protocol for R&E federations because of its ability to support R&E’s use cases well.
Since that time, the OpenID Connect (OIDC) protocol, and more recently, Verifiable Credentials (VCs), have emerged as alternatives to SAML. Across the entire Internet community, OIDC is now often the preferred choice for utilizing federated identity, and use of VCs is expected to achieve similar popularity in the future.
In this paper, I will discuss a potential high-level architecture for a multi-platform R&E federation that shares a common policy-framework infrastructure to foster trust (i.e., the willingness of identity providers and service providers to exchange identity information) across all of its component platforms. In this context, I define a platform as a deployment of a protocol such as SAML or OIDC. Interoperation and common policy within a platform are assumed. Interoperation and common policy between platforms, however, are not assumed, even when they are based on the same protocol. For example, a service provider that expects an OIDC token from Google’s platform will not trust an OIDC token from Facebook’s platform, and agreeing to Google’s policy terms means nothing to Facebook.
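The Google/Facebook example above comes down to a concrete check a relying party performs on every ID token: the token's issuer (`iss`) must be one the service has a trust relationship with, and only that issuer's key may verify the signature. The following validator is an added illustration written for this page, not code from the paper or from any federation software. To run offline it uses HS256 with constructed shared secrets in place of the RS256/JWKS key discovery real OIDC platforms use; the registry contents (the key bytes, the audience value, the single trusted issuer) are constructed for the example, so a token from any other platform is rejected before its signature is even examined.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust registry: issuer -> (key, expected audience). This is the
# per-platform trust the text describes; in a real deployment the keys would be
# fetched from each platform's JWKS endpoint rather than embedded as secrets.
TRUST_REGISTRY = {
    "https://accounts.google.com": {
        "key": b"constructed-google-secret",       # placeholder, not a real key
        "aud": "constructed-rnd-service-client-id",  # our client id at that platform
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, key: bytes, claims: dict) -> str:
    """Build a compact HS256 JWT; used only to construct sample tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, **claims}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token: str, registry=TRUST_REGISTRY, now=None):
    """Return (True, subject) for an acceptable token, else (False, reason).

    Order matters: the issuer lookup happens first, so a token from a platform
    we have no relationship with is refused regardless of how it is signed.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # covers bad base64 and bad JSON
        return (False, "malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return (False, "malformed token")
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return (False, "unexpected alg")
    issuer = payload.get("iss")
    entry = registry.get(issuer)
    if entry is None:
        return (False, f"untrusted issuer: {issuer}")
    expected = hmac.new(entry["key"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return (False, "bad signature")
    if payload.get("aud") != entry["aud"]:
        return (False, "audience mismatch")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        return (False, "expired")
    return (True, payload.get("sub"))


if __name__ == "__main__":
    now = 1_700_000_000  # fixed clock so the sample tokens stay valid
    google = "https://accounts.google.com"
    good = mint_token(google, TRUST_REGISTRY[google]["key"],
                      {"sub": "alice", "aud": TRUST_REGISTRY[google]["aud"], "exp": now + 300})
    other = mint_token("https://www.facebook.com", b"constructed-facebook-secret",
                       {"sub": "alice", "aud": TRUST_REGISTRY[google]["aud"], "exp": now + 300})
    print(validate_token(good, now=now))   # accepted: issuer in registry, signature verifies
    print(validate_token(other, now=now))  # refused: issuer has no entry in the registry
```

Extending the registry with a second issuer is exactly the "interoperation between platforms" the paper says cannot be assumed: each new entry encodes a bilateral trust decision (which key, which audience, under which policy), and a shared policy framework across platforms would be what lets those entries be populated from one agreement instead of negotiated pairwise.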