Updates from the Internet Identity Workshop and OpenID Foundation Meeting
By Nicole Roy - InCommon Director of Technology and Strategy
Editor’s Note: The Internet Identity Workshop was held Nov. 15–17 at the Computer History Museum in Mountain View, Calif. Nicole Roy (center) is pictured here with colleagues Paul Caskey (right) and Debbie Bucci (left).
The Identity and Access Management landscape is rapidly evolving with the adoption of OpenID Connect Federation by the Italian government, investments in self-sovereign identity technologies like digital wallets, zero-knowledge proofs, and verifiable credentials being used to back applications like the new International Organization for Standardization (ISO) mobile driver’s license – now available for use in some states within the Apple Wallet on your phone.
Federated single-sign-on is a major driver for the continued deployment of SAML (security assertion markup language)-based federations in the research and education sector. This well-proven technology stack enables researchers and academics to interoperate across a global platform, which offers access to critical applications. These applications rely on SAML assertions to enable login across institutional boundaries.
In the OpenID space, emerging standards, such as OpenID Connect Federation, Global Assured Identity Network (GAIN), Self-Issued OpenID Connect Provider (SIOP), Internet Engineering Task Force Security Event (IETF secevent), are not strictly an OpenID-based standard but supports parallel information security use cases. OpenID Connect for Verifiable Credentials and Verifiable Presentations are rapidly becoming targets for an increasingly diverse set of proxy, wallet, identity provider, and relying party implementations.
As the adoption of technologies like Fast IDentity Online (FIDO) (aka “webauthn” or “passkeys”) authentication increases, we will need to deploy solutions that can bridge the gap between the existing trust fabrics and these new technologies. Meanwhile, upcoming changes to web browsers threaten to break standards, including front-channel logout and persistence mechanisms within SAML discovery services. Research and education community engagement with the browser vendors on efforts such as “Federated Credential Management” (FedCM) is required.
The horizon for a renewed engagement with other sectors of the identity and access management ecosystem starts today and will last an indeterminate amount of time. We, as a community, must be prepared to develop profiles and standards which meet the unique needs of our user communities. We must continue to provide services that enable single sign-on, provisioning, access management, and registration in a privacy-preserving manner. Jurisdictions such as the European Union have adopted strict requirements, which will require increased attention to privacy within our trust fabrics.
Beyond the current horizon, new requirements for agility in the cryptographic algorithm space will drive the need to support algorithm rollover (e.g., the conversion from use of RSA keys to elliptic curves or emerging quantum-cryptanalysis-resistant algorithms). These changes will also require modifications to deployed identity and access management (IAM) infrastructures within research and education federations and software: The Shibboleth identity provider, SimpleSAMLphp, and others. Proxies that can offer token, protocol, and cryptographic algorithm translation will likely play an increasingly important role in the emerging landscape.
InCommon Advisory Groups, such as the InCommon Technical Advisory Committee, Community Trust and Assurance Board, eduroam Advisory Committee, and the Community Architecture Committee for Trust and Identity, will need to foster discussions with other groups, which are the homes for these emerging standards and profiles. Our community must demonstrate its unique use cases, work on interoperability, and document requirements, which will drive the needed changes in our software and infrastructures.