Estimated reading time: 11 minutes
By Amber Rasche
Recent Microsoft Announcement Signals a Win for Multilateral Federation in the Research and Education Community
Ask Mary McKee, senior director of engineering at Cirrus Identity, about the role of vendor-neutral standards and solutions for identity and access management (IAM) in research and education (R&E), and her response might surprise you.
“Maybe it’s not as much about vendor-neutrality as it is about acknowledging ‘here’s what it takes for us all to work together, regardless of the unique paths our institutions follow to arrive at common standards and best practices.’ There are multiple right ways to do that and multiple wrong ways to do that.”
Mary has been with Cirrus Identity – a valued InCommon Catalyst known as a “Swiss army knife of identity management for education” – for just under a year, but her experience in the R&E IAM community goes way back. Her 21 years with Duke University took Mary from a computer science undergraduate to her first career role as a software developer to IAM lead to deputy chief information security officer. On that journey, she became deeply involved in the InCommon community. She served as a member of the InCommon Technical Advisory Committee (TAC) from 2019-2021 and actively contributed to events like InCommon Base CAMP and Advance CAMP.
More on Microsoft and Multilateral Federation
Join us for IAM Online in January 2024!
Mary McKee will moderate a community discussion on “Multilateral Federation Guidance from Microsoft and Its Potential Impact on the R&E Community” at 1 p.m. ET Jan. 17.
Because of those experiences, Mary recognized the critical role of multilateral federation through InCommon and eduGAIN in cultivating an inclusive R&E community and breaking down barriers to trusted collaboration. She and peers across the community advocated for industry leaders to do the same.
When Microsoft published documentation and guidance on multilateral federation for Azure AD (now Microsoft Entra ID) campuses this spring, she saw it as a win. In this Q&A, we asked Mary to share more about the significance of this milestone, how the community worked together to make it happen, and the possibility it will pave the way for more progress among industry identity solutions.
Take us back to 2019 and the ah-ha moment you had while presenting on IAM strategies and solutions at the Internet2 Technology Exchange. How did that open your eyes to the challenges smaller and under-resourced institutions face in an already complex and challenging IAM space?
Mary McKee: Yeah! TechEX 2019 was pivotal for me. I was with Duke University at the time, which was in a great place with its IAM program following a significant paring down of infrastructure. My colleague, Shilen Patel, and I co-presented two CAMP sessions that year about how open-source technologies made it possible to offer more robust services with less overhead than we had been able to with a vendor-provided solution.
Our goal for those sessions was to empower people, so I was struck by how many follow-up questions suggested that we’d missed that target. Several attendees asked: How many people are on your IAM team to do all of this? Oof.
“From my perspective, those discussions underscored how the common framing of IAM strategy as centering on a choice between either self-managing infrastructure or outsourcing to a large commercial solution presents a false dichotomy.”
At a time when many of our peers were looking to reduce overhead through outsourcing, Shilen and I wanted to show how Duke gained significant efficiencies in the opposite direction. In retrospect, I realize that perspective is of questionable relevance when the table stakes for either approach are too high for so many teams – and for so many reasons.
So what’s the alternative?
I wouldn’t argue for a specific formula, but I’d start with the most generalizable truths of IAM strategy. Nobody wants to run more infrastructure than they need. Economies of scale are emerging as major infrastructure providers, like Microsoft, start bundling IAM functionality with existing campus agreements. Iterative improvement is less disruptive and allows for better long-term business alignment than big-bang cutovers that you can only hope work as designed.
This was a big motivator for my move to the Cirrus Identity team. Cirrus Identity’s solutions and approach are very similar to what we landed on at Duke, but at a price point that makes that kind of strategic realignment accessible regardless of how much a campus chooses to run versus outsource – or how that balance changes over time.
This spring, Microsoft published documentation and guidance on multilateral federation for Azure AD / Entra ID campuses – including information about solutions like Shibboleth and the Cirrus Bridge. Tell us more about what Microsoft did and why it’s a big deal.
Mary McKee: Microsoft’s recent guidance is very transparent about the fact that Azure AD / Entra ID does not natively support multilateral federation, advising three ways for their customers to integrate with InCommon and other eduGAIN resources. To summarize, customers can enable multilateral federation by adding the Cirrus Bridge app to their Entra ID deployment, or by running Shibboleth in parallel – either as a SAML proxy or Microsoft ADFS integration.
Microsoft publishing this guidance was a huge deal for our community for two reasons.
The first reason is that it addresses the elephant in the room. Organizations already working with Microsoft to implement their cloud strategy are understandably evaluating the benefits of leveraging Azure AD / Entra ID to consolidate and replace existing campus login solutions. The potential for efficiency here is an enticing proposition, but research and education organizations should understand the impact of losing access to federated resources and how they can avoid that.
This is a solvable problem once we can establish it as a problem, but that is often difficult when terms like “federation” are so overloaded and mean different things in different contexts. When Microsoft acknowledged that Azure AD / Entra ID doesn’t have all the necessary features to fully integrate with multilateral R&E federations, they made it easier for our community to shortcut discussions about protocols and practices and instead focus on impact and finding the right bridging solutions.
The other significance of this guidance is that Microsoft is recognizing and affirming that multilateral federation is important. Many of us have contributed over the years to open-source workarounds, and we’ve all had to account for the risk that product changes could abruptly break our solutions. I find it particularly reassuring that in this guidance, Microsoft has acknowledged the significant role that ADFS plays in how our community enables access to resources. Validating this use case in official documentation gives me much more confidence that our community can address potentially disruptive product changes proactively and effectively.
It sounds like a long and winding road to get to this point – with an outcome worth celebrating! What were some of the initial motivators for the community to address the importance of multilateral federation with industry identity providers? Who was involved?
Mary McKee: I think it’s important to note that a lot of us have been worried about this problem for a long time, so my view on milestones is just one slice of it.
Concerns about federation readiness of popular hosted identity providers was a big topic when I was on the InCommon TAC, leading to our chartering of an Identity Provider as a Service Working Group that I volunteered to co-chair alongside E.J. Monti from Duquesne University. I remember it being hard to find a time for the group to convene because interest spanned so many time zones around the world – clearly, this was on many folks’ radar. Over the next year or two, we synthesized community feedback and identified four core design patterns to characterize community needs.
The 2020 final report of the Identity Provider as a Service Working Group urged InCommon to pay special attention to the most straightforward of the patterns, which we referred to as a “federation adapter” solution. This pattern describes a lightweight add-on to an identity provider that doesn’t support multilateral federation so that it can interoperate with SAML federations like InCommon without exposure to passwords or other sensitive data.
While we were finalizing this report, Cirrus Identity was working with Microsoft to illustrate community needs from another angle. Over 30 R&E institutions had already deployed the Cirrus Bridge as a federation adapter, a majority of which were Microsoft customers. Conversations started to dovetail between community advisory processes and market demand evident in the uptick of Bridge deployments, which have nearly tripled in the time since.
How do Cirrus Identity’s contributions to this effort speak to the power of InCommon Catalysts to advocate for industry changes to meet the needs of the R&E community?
Mary McKee: According to Cirrus CEO Dedra Chamberlin, conversations between Cirrus Identity, Microsoft, and InCommon around federation adapters date back as far as 2015. As those conversations progressed, the Cirrus team frequently helped develop resources to demystify common questions from the community, like why Azure AD could not be directly registered with InCommon.
Most recently, Microsoft published the Introduction to Multilateral Federation article after many conversations with Cirrus and other community contributors. Being an InCommon Catalyst really helped position us as a credible resource for multilateral federation, but we couldn’t have gotten to the solution part of this discussion without the efforts of countless community members who have been working for years to put these concerns on the radar with their industry partners.
Through those community efforts, what challenges and wins did you encounter along the way and what lessons did you learn?
Mary McKee: Let me start with my experience as a former university employee, identity provider service operator, and InCommon TAC member. In those roles, I was very concerned about how our community could get traction on this problem before it became existential.
“Our federation is only as strong as its participant base, and that base is threatened when we entrust our infrastructure to providers who don’t understand the unique needs of the research and education community.”
We all know that IT leaders are facing hard choices about where to allocate limited resources. As technologists, I worry that we often bury the lede by discussing protocols and federation patterns rather than emphasizing the stakes when support for multilateral federation is on the chopping block. The impact to mission when an R&E organization loses access to scores of community resources that can only be accessed through multilateral federation by design is so significant, and so often lost when we focus on the technology involved rather than the work it makes possible.
I’ve found it much easier to work with Microsoft from the perspective of another solution provider rather than a single customer deployment. We share a common interest in keeping solutions generalizable. Probably the biggest challenge here is maintaining that, for our community’s needs, efforts to make bilateral federation less onerous cannot make multilateral federation less necessary.
Finally, Cirrus recognizes that opportunities to speak to the needs of the community imply a responsibility to foster inclusive conclusions, particularly with respect to institutions that do want to run their own SAML identity providers. It’s funny to be in conversations with Microsoft about how to advise people on alternatives to buying our product, but our business thrives when our community does, so we have to look at that bigger picture.
What are your predictions for what happens next with multilateral federation among industry identity providers in the IAM space? Will Microsoft’s move pave the way for more progress?
Mary McKee: I expect that the drivers behind organizations looking to outsource IAM infrastructure to cloud providers will continue, but trends in providers will shift.
As organizations seek to identify sustainable approaches to IAM, many are finding that the overhead of IAM platforms (whether open source or commercial) is disproportionately tied to the complexities of integration with organizational infrastructure. It makes sense that we’re seeing a lot of IAM solution investment by vendors who offer infrastructure as a service, as they have a distinct advantage here.
In a strange but welcome coincidence, I think the biggest threat to IAM plays by companies like Microsoft is the same false dichotomy I mentioned earlier as affecting our community. If organizations are limited to a choice between self-managing IAM services or accepting the limitations of a single provider, providers offering much more than IAM will have to compete with companies that do IAM exclusively on the basis of features. Microsoft’s transparency about a limitation of their product and options already available to bridge the gap hint at an approach to IAM that is more measured and flexible than what we’ve typically seen over the past few years.
“I’m most hopeful about this path because it brings our community the most agency. While it’s nice to have options for how to handle IAM needs that aren’t unique to our community, it’s even better if those options don’t require us to give up the driver’s seat on those needs that are uniquely R&E.”
More on Microsoft and Multilateral Federation
Join us for IAM Online in January 2024! Cirrus Identity’s Mary McKee will moderate a community discussion, “Multilateral Federation Guidance from Microsoft and Its Potential Impact on the R&E Community,” at 1 p.m. ET Wednesday, Jan. 17, 2024, as part of the IAM Online monthly webinar series. She will be joined by Corey Lee of Microsoft, David Warden and Jack Truckenmiller of SUNY Geneseo, and Stephen L. Tycer and Selena Hriz from the University of Arkansas.
New to IAM Online? Register now.