Agenda and presentations
- Quick follow up from the meeting in Bergen: how do we continue from that? Marina, Hildegunn, Licia
- EOSC EU NODE AAI: what does this mean for the IdPs? Anything we can do? - Christos
- Shib consortium updates and some thoughts on the next steps for the SwamID federation - Pal
- Upcoming events:
- TechEx24
- TIIME workshop in MAR 31 - APR 3, 2025 | Reading, UK - for info
- TNC25 Call for papers
Main highllights and Actions
Follow up from Bergen
There were a few topics discussed in Bergen where we could benefit from a closer collaboration:
• Assurance has been identified as a feature that all Nordic federations value - Zacharias noted that assurance for example might be something we can work on even at a distance before meeting in January, if people agree. Bo noted that
• how to use NORDUnet could represent the Nordic T&I interests in international activities
• Wallets are another area of interest, and I understand we could start with this in 2025 when things are more mature
• eduGAIN baseline: work is currently ongoing to define the baseline based on the edUGAIN Futures WG recommendations - it would be good to share information on the progresses
It was noted that the meeting in Bergen offered a good opportunity to get to know each other. And it was agreed to follow up with another f2F meeting, better spread over 2 half days. Licia to send a doodle with dates.
EOSC EU NODE updates
Licia summarises that work on going in the EU node:
- it's a managed service delivery to provide some minimum set of services (which have been pre-paid via the procurement) for all users in EU to do collaborative work. The services are deployed in the EU NODE environemnt. The EU Node was launched on the 22nd of October.
- The EOSC EU Node is owned by the EC, so they are also the data controller
- NORDUnet is in Lot 2+3 (compute + sync ‘n share + jupyter notebooks + data transfer + web-based file transfer), GEANT in Lot 1 where they deliver the EOSC AAI. The same AAI is used to connect Lot2/Lot3 services. The EOSC AAI builds on GEANT Core AAI platform that provides the building blocks to deploy AARC-BPA complaint AAIs.
- Only EU users affiliated with an academic organisation (staff/employ/faculty) can login and create a project; non-EU users can be invited to join an existing project.
- any user coming from EU27 countries and Horizon Europe countries and is affiliated with institution as staff member or employee will get by default (just logging in) 100 credits, which can be spent on number of services they have access to
- To spin a VM users need to receive the attribute faculty from their IdPs - many IdPs do NOT release this.
- The EU NODE makes for interesting use-case as it makes heavy use of affiliation released via the identity providers, but also challenging, as up to recently not had strong use case for faculty affiliation
- Lot of profs coming back and wondering why not recognised as faculty but rather as staff
- Large portion of fed IdPs actually started supporting releasing faculty, which is fastest rollout Christos ever saw happening
Related to the EOSC EU and worth noting:
Hildegunn noted that Feide releases faculty as that is one of the mandatory attributes. She noted that as all institutions need to open up for services in the customer portal it is often difficult to find the right services via eduGAIN. At the time of the meeting, the EU NODE may not be visible for users in Norway as they were not able to find it. Christos noted that in this case they would not be able to find the EU NODE in the list because it is connected the a proxy AAI. The service to release attributes to is MyAccessID.
Christos also noted that the legal bases for MyAccessID is controller-to-controller. Work is in the pipeline to make MyAccessID more transparent to provide more information on what users will have access via MyAccessID. It is important to dissociate contractual aspects from the identity management flows; however it is important to talk about these things so everybody understand how things work.
Shib consortium updates and some thoughts on the next steps for the SwamID federation
SUNET and CSC use Shibboleth as the ID Federation software. Pål noted that Shib SP software will change. Currently based on old language, will not stay as it is. Shib consortium need to handle libraries by itself and this is not viable by itself. The new software will be based on profile of identity providers and of course it will need to support OIDC. Pål added that:
- henry and other guys did OIDC plugin for Shib. Next part is OIDC federation, so Shib will become OIDC federation-aware. That’s next part that will change things
- Swamid is looking to create OIDC-over-Swamid
- will do within IDEM, will also do it within EduGAIN
- also need to do academic identity wallet
- EC wallet will not be enough - need to reach out to services AND users in other countries outside EU
Pål noted that SAML has a limited life ahead, will not change anymore, will be as it is, and that all federation operators need to look at alternatives sooner rather than later. OASIS does not have any active work in SAML anymore. We all need to move along. Hildegunn said that still more than 40% of the traffic is SAML traffic. Christos said that all the new SPs are not using SAML anymore, it's all OIDC and OAuth2.
What will the future bring? Pål feels that indeed we should move on and there are some interesting things happening right now:
- wallets, coming, not only in Europe but all over world
- next big thing is passkeys, or security keys
- going very fast, both in FIDO2 alliance
- NIST
- See also how IOS is using sync passkey
- new passkey spec on its way out will support syncable passkeys
- Nico-Paul Bester said that in Norway there is a pilot to implement passkeys; a good use case is small children, e.g. face recognition, fingerprints and where more people use the same device.
Marina added that:
- openID federation - pilot - tooling to run pilot ongoing in GN5 project: they would like to run a workshop to explain the whole thing to the federation operators - whole concept how OpenID federation is imagined for eduGAIN and to invite to pilot
- There was an infoshare on wallets - 100 people and only geant community targeted.
- Next project phase (2025), led by Stefan Listrøm SUNET, there is a task on wallet. People can participate in that work
- There was a survey on national wallet activities - noone of the Nordics responded - it would be great to have some nordics to respond
Zacharias encouraged people to look at https://refeds.org/a/2984 - "Is There a Future for REFEDS and R&E Federations?"- One interesting sentence:
"What is clear is that we need to have a conversation about this—sooner rather than later. The landscape of identity is changing rapidly, and if we don’t adapt, we risk being left behind."
And features that are highly requested by federations is to start using SeamlessAccess:
The service showcase of the updates:
https://use.thiss.io/
- Accessibility (WCAG 2.1 & EU directive)
- Filtering (choosing a subset of the metadata in discovery service, the rest being communicated to the user it won't give access so don't start the login flow)
- Storage access API (remember IdP choice across service providers, even with browsers changing their policy on third party cookies/storage)
- Warning about returnurl not being set
Upcoming events