Federated Identity and the Browser

A federated identity is one that is “located” in one organization (the “home organization”), but can also be used by many other organizations that offer various online services to the “home organization.” The home organization has the closest relationship with the user that the identity describes, so it knows whether the user is still affiliated with it (and so should still have access to services) or not. Federated identity is often used in an academic environment to support access to services like scholarly e-journals, research data, and more. As it turns out, however, federated identity looks a lot—from a purely technical perspective—like cross-domain advertising services: the user’s browser is sent between sites, and cookies set by one site must survive a return trip from another.

NISO’s webinar on how browser changes affect federated identity, held on May 26, 2020, featured George Fletcher, Identity Standards Architect for Verizon Media and OpenID Foundation board member, in a discussion of how in trying to protect against ad-tracking services, the web browser industry is setting up to break some of the functionality of federated identity. The webinar focused on the technical details of changes in SameSite policies, implications for version 2 of Intelligent Tracking Protection, embedded browser VPN technology, and more. These topics are of particular interest to the SeamlessAccess service, and the webinar was structured to inform both members of the SeamlessAccess Technical Steering Committee and members of the broader community who wanted to hear more about the direction browser vendors are going, and how that will impact federated identity services.
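As an added illustration (not code from the NISO webinar, SeamlessAccess, or any browser vendor), the following Python model of the SameSite cookie rules shows one way a browser privacy change breaks a federated login: a cookie the service provider set before sending the user to the identity provider is not attached to the identity provider's cross-site POST back once the browser treats unset cookies as `Lax`. The rule table is a simplified assumption of current browser behaviour and leaves out vendor-specific grace periods.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    same_site: Optional[str]   # "Strict", "Lax", "None", or None (attribute unset)
    secure: bool = True

@dataclass
class Request:
    cross_site: bool   # requesting site differs from the cookie's site
    method: str        # HTTP method of the request
    top_level: bool    # top-level navigation (True) or iframe/subresource (False)
    https: bool = True

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

def cookie_sent(cookie: Cookie, req: Request, lax_by_default: bool = True) -> bool:
    """Simplified model of whether a browser attaches `cookie` to `req`."""
    if not req.cross_site:
        return True                          # same-site: SameSite never blocks
    mode = cookie.same_site
    if mode is None:
        if not lax_by_default:
            return True                      # legacy behaviour: unset means always sent
        mode = "Lax"                         # newer browsers: unset is treated as Lax
    if mode == "None":
        # SameSite=None is only honoured for Secure cookies on HTTPS requests.
        return cookie.secure and req.https
    if mode == "Strict":
        return False                         # never on any cross-site request
    if mode == "Lax":
        return req.top_level and req.method in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {mode}")

# Constructed federation scenario (HTTP-POST style return): the SP set a cookie
# before redirecting the user to the IdP; the IdP now auto-submits a cross-site,
# top-level POST carrying the login response back to the SP.
IDP_POST_BACK = Request(cross_site=True, method="POST", top_level=True)
# Constructed embedded case: an IdP or discovery page loaded in an iframe on the SP.
EMBEDDED_IFRAME = Request(cross_site=True, method="GET", top_level=False)

def federation_return_survives(same_site: Optional[str], lax_by_default: bool = True) -> bool:
    """Does the SP's pre-login cookie arrive with the IdP's POST back?"""
    return cookie_sent(Cookie("sp_pre_login", same_site), IDP_POST_BACK, lax_by_default)

def report() -> dict:
    """Outcome per SameSite setting under the new 'Lax by default' rule."""
    return {str(m): federation_return_survives(m) for m in (None, "Lax", "Strict", "None")}

if __name__ == "__main__":
    print(report())   # only the explicit SameSite=None; Secure cookie survives
```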

The browser vendors—Apple, Mozilla, and Google being at the forefront of the discussion—have a very legitimate desire to protect the privacy of users on the web. The changes they are testing focus on that goal, sometimes to the exclusion of an acceptable user experience or legitimate needs such as supporting the appropriate use of identity to authenticate to a set of services on the web. That said, Google and Apple are both testing different proposals on how to support federated identity with proposals such as “isloggedin” from Apple (see https://github.com/WebKit/webkit/blob/master/Source/WebCore/page/NavigatorIsLoggedIn.cpp) and “webid” from Google (see https://github.com/samuelgoto/WebID). 

There is no one place where discussions on this topic are taking place. Some discussions around the privacy components are happening within the W3C Privacy Community Interest Group, while discussions around identity are happening within the OpenID Foundation. This is still a very experimental space that is worth watching, though perhaps the most useful place to watch right now is the GitHub repositories where the browser vendors are posting their code.