Final Report on Identity Provider as a Service Open for Consultation

December 4, 2020

The InCommon Identity Provider as a Service Working Group has submitted its final report, which is now open for comment as part of the consultation process. You can visit the consultation wiki page to review and comment on the report through January 24, 2021.

The InCommon Technical Advisory Committee chartered the working group to recommend ways to make federation participation more accessible through the use of cloud-based Identity Provider as a Service (IdPaaS) solutions.

The working group surveyed the community to understand organizations’ needs for such a service. Analyzing the responses led to the conclusion that most organizations fit one of four categories, based on how extensively they would rely on a cloud solution. Progressing from the simplest to the most complex, these integration models are:

  • A service providing a bridge between the campus single sign-on (SSO) infrastructure and the federation (Federation Adapter model)
  • A service that would provide a solution for both intracampus and federated SSO, but would connect to an existing credential store (Full SAML SSO model)
  • A solution that would provide both SSO and a hosted credential store (Identity Provider plus Credential Store model)
  • A complete cloud-based IAM solution (IAM as a Service model), which the working group determined to be out of scope

The group developed three key recommendations for InCommon to pursue in supporting the three in-scope models:

  • Develop a “Federation-Ready Identity Provider” program that would recognize services that support all requirements and standards needed for customers to fully participate in the federation.
  • Determine ways to (1) help potential IdPaaS customers understand the four integration models and which best aligns with their goals, and (2) identify and compare relevant federation-ready products.
  • Place particular focus on promoting the “Federation Adapter” integration model, which allows institutions to keep their existing single sign-on (SSO) products and add a lightweight product that bridges between campus SSO and the federation.

The working group report provides additional specific recommendations, outlines suggested technical requirements for an IdPaaS service, and includes user stories for each of the four integration models.

“Many individuals contributed to this working group, and we are particularly indebted to the co-chairs, Mary McKee of Duke University, and E.J. Monte of Duquesne University,” said Janemarie Duh (Lafayette College), chair of the InCommon Technical Advisory Committee. “This work will have significant benefits for organizations interested in an efficient and resource-friendly way to benefit from federation participation.”