
Deployment Profile Changes Aim at Better Interoperability - We Need Your Help!

Apr 24, 2018, by Keith Wessel
Tags: Frontpage News, InCommon, InCommon Federation, Recent Posts, SAML-Based Authentication, Trust & Identity, Working Group

The InCommon Deployment Profile working group needs your help. We've created a major revision to the SAML 2.0 deployment profile, commonly referred to as SAML2int. Between now and May 7th, we're collecting community feedback and comments on our revisions at https://spaces.internet2.edu/x/WIPmBQ.

So why does this matter to you? Operating a broadly compatible SAML-based service or identity provider can be challenging. The standards and profiles that are currently available leave a lot of room for interpretation and customization. While this allows for flexibility, it also results in issues that make interoperating in a federation a lot harder than it should be. While deployment standards exist today, they fall short of solving the whole problem.

In the fall of 2016, InCommon chartered the Deployment Profile working group to address this challenge. As the work progressed, the working group decided that the first step was a major update to the existing SAML 2.0 Deployment Profile. The existing SAML2int didn't touch on a number of tough issues facing federation today. Other issues were addressed but in a way that contradicted today's recommended practices.

Most higher ed institutions and research and education services have had to deal with these issues on a regular basis. For example, the profile addresses the issue of unique user identifiers. The set of federated attributes available today offers several options for unique identifiers, each with its own set of distinct characteristics: opaqueness, non-reassignability, human readability, global uniqueness, etc. Because of a variety of issues with how these identifiers are implemented and the confusion that results, it's very common to deal with identifier challenges for federated services. The working group took a step back and solved the problem by creating two new user identifiers which supersede existing attributes. The new identifiers simplify the attribute set and solve many of the problems surrounding identifiers today. Compliance with the revised profile requires adoption of these new identifier attributes.
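As an added illustration of the identifier characteristics listed above (this is example code, not part of the post or the working group's profile), here is an SP-side check of a scoped identifier attribute: it enforces the single-valued, scoped form that gives global uniqueness and verifies that the asserting IdP is actually entitled to the scope it claims. The attribute names are an assumption: the post does not name the two new identifiers, so the example borrows the names from the OASIS SAML V2.0 Subject Identifier Attributes Profile (subject-id and pairwise-id); the permitted-scope table stands in for what an SP would read from federation metadata and is constructed here.

```python
"""Added example: SP-side validation of a scoped federated identifier.

Assumptions (not from the post):
  - attribute names follow the OASIS SAML V2.0 Subject Identifier
    Attributes Profile (subject-id / pairwise-id);
  - the scopes each IdP may assert come from federation metadata;
    here PERMITTED_SCOPES is a constructed stand-in.
"""
import re

SUBJECT_ID = "urn:oasis:names:tc:SAML:attribute:subject-id"
PAIRWISE_ID = "urn:oasis:names:tc:SAML:attribute:pairwise-id"

# Constructed sample: entityID -> scopes registered for it in metadata.
PERMITTED_SCOPES = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu"},
}

# Assumed syntax: an opaque local part from a small lower-case alphabet,
# then '@', then a DNS-style scope. Syntax alone cannot prove a value is
# opaque or non-reassignable; it only rejects obviously malformed values.
_LOCAL_RE = re.compile(r"^[a-z0-9=-]{1,127}$")
_SCOPE_RE = re.compile(r"^[a-z0-9.-]{1,127}$")


class IdentifierError(ValueError):
    """Raised when an identifier value must not be trusted."""


def validate_identifier(value, issuer):
    """Return (local, scope) for a well-formed value the issuer may assert.

    Global uniqueness of a scoped identifier depends on the scope being
    owned by the IdP that asserted it, so the scope is checked against the
    issuer's registered scopes, not merely for shape.
    """
    if value.count("@") != 1:
        raise IdentifierError("identifier must be scoped as local@scope")
    local, scope = value.split("@")
    if not _LOCAL_RE.match(local):
        raise IdentifierError("local part is malformed")
    if not _SCOPE_RE.match(scope):
        raise IdentifierError("scope is malformed")
    if scope not in PERMITTED_SCOPES.get(issuer, set()):
        raise IdentifierError(f"issuer {issuer} may not assert scope {scope}")
    return local, scope


def select_identifier(attributes, issuer, preference=(SUBJECT_ID, PAIRWISE_ID)):
    """Pick the first preferred identifier attribute present and validate it.

    `attributes` maps attribute name -> list of string values as released
    by the IdP. An identifier attribute must carry exactly one value.
    Returns (attribute_name, local, scope).
    """
    for name in preference:
        values = attributes.get(name)
        if values is None:
            continue
        if len(values) != 1:
            raise IdentifierError(f"{name} must be single-valued")
        local, scope = validate_identifier(values[0], issuer)
        return name, local, scope
    raise IdentifierError("no supported identifier attribute released")


if __name__ == "__main__":
    idp = "https://idp.example.edu/idp/shibboleth"
    print(select_identifier({SUBJECT_ID: ["a1b2c3@example.edu"]}, idp))
```

The scope-ownership check is the part most often missing in ad hoc SP code: a value can be perfectly well-formed and still collide across institutions if any IdP is allowed to assert any scope.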

What we need now is a broad community review of our work. We believe that the requirements we've written address the community's needs and are reasonably future-proof as far as SAML goes. To have a profile that serves the community and lowers federated barriers, though, we need to hear from the community.

You can help. Circulate this link to those who work with federated services. Ask them to review the revised SAML2int and provide their feedback before the consultation period closes on May 7th. Help us make federation easier for everyone!