Expanding the CILogon IdP List
Post date: Aug 29, 2016 6:15:13 PM
One of the goals of the CILogon 2.0 project is to improve CILogon's support for international research collaborations by supporting international IdPs. Following a TAGPMA policy review in July, CILogon is now ready to begin accepting international IdPs that support the REFEDS Research and Scholarship (R&S) category and the REFEDS Security Incident Response Trust Framework for Federated Identity (Sirtfi). The R&S and Sirtfi prerequisites are in place to satisfy IGTF traceability and uniqueness requirements. Initially this will enable CILogon to support the CERN, Nikhef, and Uppsala Universitet IdPs, which are early adopters of Sirtfi, with more to follow soon. InCommon is also beginning a Sirtfi Proof of Concept effort.
These InCommon IdPs have declared support for the Research and Scholarship category and/or have used the "Add Your IdP" button at https://cilogon.org/testidp/. This represents a subset of the over 400 IdPs operated by InCommon participants. We originally restricted CILogon's IdP list to this subset in an effort to avoid errors such as missing user attributes (i.e., the user's name and email address). However, restricting the IdP list failed to eliminate the errors for a variety of reasons, including differing attribute management policies/procedures across different user categories (faculty, staff, students, alumni, affiliates, etc.). It also made it more difficult for users from other IdPs to log on to CILogon, since they wouldn't find their IdP on the list and would be unsure about using the "Add Your IdP" button.
Therefore, acting on advice from InCommon and REFEDS participants, we've decided to begin listing all InCommon IdPs at cilogon.org, to make it easier for users to attempt to log on with their home IdP. In case of missing user attributes or other problems, we've updated the CILogon error page to provide a link for users to report the problem directly to their IdP operators:
In many cases, the IdP operators can resolve the problem working directly with the user without requiring CILogon operators in the middle. However, firstname.lastname@example.org is also copied on each message, and we're always glad to help. For CILogon to scale up to hundreds of IdPs, it's important for us to enable self-service troubleshooting by users and IdP operators. The https://cilogon.org/testidp/ page provides additional troubleshooting information.
Any comments or questions? Please contact us at email@example.com.