This interview is part of a series highlighting the objectives, roles and mission of GÉANT Community Programme’s special interest groups and task forces.
We interview Heather Flanagan, the Principal and Owner of Spherical Cow Consulting and a member of REFEDS, the Research and Education FEDerations group. As a forward-thinker, Heather’s passions and areas of expertise lie within Digital Identity, Identity Standards Development and Multi-Stakeholder Collaborations. A leader in her industry, Heather has driven multiple organisations to new heights, including the Internet Engineering Task Force as the Principal Editor and the Internet Research Task Force as the RFC Series Editor. Heather maintains that the Internet is led by people, powered by words, and inspired by technology, leading her to make the online world approachable.
Heather, you are a long-standing member of REFEDS and also lead your own consultancy firm, Spherical Cow Consulting. How did you get into the world of Identity Federations and Digital Identity? What’s your story?
You know, I was supposed to be a librarian when I grew up! My undergraduate degree saw me majoring in history, and my master’s degree is in library science. But as soon as I graduated, I started working in tech. I’ve been involved in the Research & Education (R&E) community for over twenty years, working at two large universities and then becoming a freelancer that has kept ties to R&E strong.
I don’t think you can work in tech and not have some responsibility that involves digital identity. Even if you aren’t directly administering systems, you’re still logging into them, managing your accounts, or possibly even the permissions associated with other accounts. The most basic security task is ensuring only the correct people can access a system or service. Of course, working in R&E, identifying the “correct people” is hard! R&E lives by collaboration and interdisciplinary research. Research groups bring together individuals from many institutions, and no one knows better whether those researchers are still affiliated with those institutions than the institutions themselves. This is why identity federations exist and why working in this field is so rewarding. I may not be a Nobel-prize-winning scientist, but I know that some of the work I’ve been a part of in the REFEDS community has made it so those scientists succeed.
REFEDS is a platform for Identity Federations in the research and education community across the world to gather and talk about best practices and common challenges. How does your role in REFEDS influence the rest of your projects?
All my projects feed off a question I ask myself every day: Given my skills and expertise, how can I make the Internet better? I’m certainly not going to be writing code to do that. I’m not going to design a new standard or technology. But what I can do is build and bridge communities. While working with REFEDS, I listen to the challenges federation operators and NRENs have, such as a persistent lack of funding and insufficient adoption of best practices. I also listen to what they strive for, like easier interoperability and a better user experience for everyone. I do my best to represent those challenges and goals in other communities as well. I’m the chair of the W3C’s Federated Identity Community Group, which brings browser developers, standards architects, and service providers worldwide to improve browser privacy models while still allowing for federated authentication. I make sure that the R&E use case is strongly present at that table. I’ve also been on Internet2’s InCommon Technology Advisory Committee (TAC) for the last five years, three of which as Vice-Chair. I ensure that InCommon TAC keeps the activity happening beyond their local efforts in mind. What any one federation does has implications for other federations: that’s part of the nature of following a federated model. Making the borders of these communities much more fluid so that challenges and solutions are shared is probably the most important thing I do.
REFEDS is slightly different than the other Special Interest Groups and Task Forces of the GÉANT Community Programme. Can you tell us a bit more about how it works?
REFEDS started in 2005 and has always had a globally oriented mission, funded entirely by our sponsors and led by our community. We are enormously grateful to GÉANT for hosting REFEDS, but we are not funded by EU project money.
“Our mission is to provide an open collaboration hub for stakeholders in the Research and Education identity federation ecosystem to learn, educate, and build standards and best common practices for federations internationally.”
When we say community-led, we really mean that. Every year, our work items come from the community via a work planning process. Anyone who participates in REFEDS can suggest a work item; if others support the topic, we do our best to make it happen. Work items tend to touch on topics that can be addressed in a short- to medium-time frame and result in knowledge or best practice guidance. We avoid anything that will result in long-term operational support, as we’re not funded to handle mission-critical services.
In 2022 we developed a strategic plan to help guide us into the future. It’s worth a look if you’re interested in understanding REFEDS’ mission and goals for the future: https://refeds.org/strategic-plan
What are the main topics and trends that the specialised working groups have been focusing on?
Our working groups have tended towards building communities of practice and best practice guidance on topics that make supporting and using federated identity easier. This work has included things like creating “The Value Proposition for Identity Federations” white paper (written in 2017 but still relevant today), focusing on identity assurance to help organizations trust the information received from others, establishing a standardized mechanism for finding appropriate security contacts at other institutions in a federation in case of a data breach, and establishing a common baseline for how federations and their members are expected to operate.
We are kicking off the work planning cycle for 2023 right now; I suspect we may start to see new groups that focus on some of the work coming out of things like the Trust and Identity Incubator work within GÉANT. Some of the questions I’ve encouraged the community to consider are:
- Are there areas where new policy or best practice guidance would help federations?
- Are there special interest groups that could form to help answer technical questions?
- What new technologies should federations be preparing for? What will that preparation look like?
What are some of the concrete results that have been achieved by REFEDS and that have been useful for the R&E Community?
There have been several, and while I know you said concrete results, I want to highlight the most important thing REFEDS has done, which is to build a community for people in the esoteric field of federation operation. One of our community members has often said, “trust is local.” All the technology in the world does not go as far as knowing that person at the other end of the wire and knowing you can reach out and say, “I need help. Can you explain this?” This type of engagement is exemplified in our Federation Operators Group, which requires two people to vouch for the fact that a person is a part of a federation and can be trusted with the sometimes-sensitive issues that operators come across during the course of their duties before they are added to the list.
As for more tangible things, though, REFEDS has published several entity categories to simplify things like attribute release and identity provider discovery services. (An Entity Category groups federation entities that share common criteria, like a desire for a specific set of attributes.) We’ve also published various profiles, allowing an entity to signal a pre-defined set of behaviour, like how they handle multi-factor authentication or service errors.
And last but not least, REFEDS manages several attribute schemas which are used by academic institutions around the world. These include eduPerson, the Schema for Academia (SCHAC), and voPerson.
A list of all the formal outputs that have been reviewed and approved by a consultation with the REFEDS community and the REFEDS Steering Committee is available on our website: https://refeds.org/specifications.
Not all NRENs and Institutions have the same level of maturity when it comes to identity management. How is REFEDS including less mature federations in the conversation?
The community consists of federations at all levels, and we must always take that into account! Participating in REFEDS does not cost anyone anything; individuals do not pay dues, and physical attendance at our semi-annual REFEDS meetings is not required. All the materials we create, from the specifications and best practice guidance to the notes from each working group call, are freely available on our website and wiki. We even have regular informal community chats online that encourage discussion for any topics of interest; these are recorded so that everyone can view and learn from others, even when they are so many time zones away.
And speaking of time zones, most of our more active participants live between UTC -8 and UTC +2 (or, the US West Coast all the way to South Africa). We have a strong relationship with the Asia-Pacific Advanced Network’s Task Force for Identity and Access Management (TF-IAM) for those in federations on the other side of the planet. We periodically have meetings in that region and encourage federation operators from the Asia-Pacific to participate on our Slack channel and mailing lists.
There is always more to do to encourage the diversity we know is important. Every year, we publish a REFEDS survey to make sure people can see the big picture of what’s happening in the world of federation. It reminds everyone that federation is global; there is more to it than what’s happening in any one region. It’s also another way that federation operators for any federation in the world can indicate where they need the most help.
Stay updated on REFEDS activities, achievements and future meetings on the REFEDS website.
More on the GÉANT Community Programme, its mission and tasks can be found here.