[Note: Conferences are supposed to make you think and change your mind, so I may well have decided by Friday that this is all wrong. Your comments, either on the blog or face-to-face, may well make a difference…]
When we designed the original UK Federation Policy, one of my guiding principles was for the federation agreement to do just enough to be useful but not so much that organisations would find it hard to join. So, unlike some other federations, we didn’t mandate particular attributes or approaches. In the case of attributes we suggested a very small minimum set that we thought most Identity Providers would be able to support and that would meet the needs of most Service Providers. Those SPs who needed more were welcome to discuss this individually with IdPs or, if there was a common requirement we hadn’t spotted, with the federation (surprisingly, as far as I know, no one has ever taken the federation operator up on that offer!). Although there is a certain amount of variation among different NREN federations, most seem to have pitched their agreements at about the same level. However, in the past couple of days I’ve heard presentations both suggesting that federations are too hard to join (i.e. the standard agreement demands too much) *and* that they don’t provide enough standardisation (i.e. the standard doesn’t demand enough). They can’t both be right, or can they?
I’m now starting to wonder whether the answer depends on the application you have in mind. If it’s a relatively long-term, large-scale system, then it’d be nice to sign a single federation agreement and have everything “just work” because that agreement both contains and requires everything that SPs and IdPs need to inter-work with each other; there would be no need for individual agreements between them (at large scale a single heavy-weight agreement with a federation is more efficient than a mesh of light-weight ones between every SP and IdP). If, on the other hand, you’re looking for a quick, small-scale collaboration involving a few users spread across different IdPs and federations, then it may be that a light-weight federation agreement, sufficient for ad hoc use, is best.
Whatever agreement is needed on exchange of information about users, there seems to be a common requirement for the federated Identity and Service Provider computers to be able to reliably identify one another and establish trusted communications. That’s done by registration and exchange of metadata, so we do seem to need a common standard for that technical process. But maybe on top of that we need a range of different agreements covering behaviour, from detailed compulsory agreements for large-scale applications (eResearch seems to fall into this category) to much lighter recommendations for small-scale applications (such as collaboration services, perhaps)? This does mean that identity providers, at least, will probably have to sign up to multiple agreements suitable for the types of applications their users need to access, in addition to the agreement for the underlying metadata exchange. But since it’ll be to the benefit of their users to do so, I hope that wouldn’t be a problem. I would hope it would be possible to find groups of applications with similar requirements, so the number of such agreements wouldn’t be too large. But I’m starting to suspect it does need to be more than just one.