TIIME Unconference 2026 – Summary
Peter Gietz, DAASI International – with a little help from AI (English only)
Where the Community Meets: Setting the Stage for IAM in Research and Education
The TIIME Unconference again brought together IAM experts from national research and education networks (NRENs), federations, universities, and infrastructure providers to discuss the current state and strategic direction of federated identity in the research and education (R&E) sector.
As usual, the first two days were reserved for side meetings. On Monday there were two whole-day meetings of FIM4R (Federated Identity Management for Research) and of European eduID providers.
The FIM4R workshop discussed current issues, in particular that no new research infrastructures are bringing forward their specific requirements and that the group has no answers yet for smaller research collaborations such as European University alliances. It was decided to address the latter communities in future work. The workshop also had updates on EOSC AAI, CILogon, NFDI (the German National Initiative on Research Data), and FIM4L (Federated Identity Management for Libraries). The main part was then spent working on input for a next (v3) version of new requirements, where small research collaborations were again addressed.
The concept of eduID, a permanent ID that does not change when changing affiliations, and thus also provides for lifelong learning, is becoming increasingly important in a number of European countries and elsewhere. In a workshop format, the progress of several such initiatives was reported, with representatives of the Netherlands, Germany, Sweden, Switzerland, and others. I myself represented BonafID, an eduID system made for African countries. An eduID community is thus on its way.
On Tuesday we had the all-day AARC TREE Symposium, where the results of the just-completed EU project were reported and discussed. A highly impactful result is a new version of the AARC Blueprint Architecture that now also facilitates an identity-first approach (moving away from organisation-first).
What the Unconference Sessions Revealed
The actual unconference took place on days 3 and 4, starting with a very inspiring keynote on “European Digital Identity Wallets – what to expect?” from Esther Makaay, a thought leader and expert in Digital Identity. She gave a broad update on the current status and also addressed current issues, like different standards and slow adoption of the EUDI wallets.
Across eight unconference sessions with multiple parallel breakouts, participants addressed some of the most pressing challenges in federated IAM – from persistent user identities and verifiable credentials to post-quantum cryptography and the long-term sustainability of trust frameworks.
A central theme running through many sessions was the so-called “travelling scientist” problem: when a researcher moves from one institution to another, their digital identity, access rights, and affiliated records do not follow. Multiple national federations are independently developing “eduID for life” schemes to anchor identity to a person rather than an institution. Solutions like MyAccessID address this through a central proxy with cross-country account linking and passport-level verification for high-assurance environments such as EuroHPC. However, the deeper tension is between the desire for a globally persistent identifier and GDPR’s privacy-by-design requirements. Participants broadly agreed that what is actually needed is not a single global identifier but long-term stable, domain-specific identifiers combined with robust account linking and recovery mechanisms — problems that remain technically and operationally unsolved.
The emerging wallet ecosystem and verifiable credentials (VCs) were discussed extensively. SURF presented detailed design principles for educational identity VCs: credentials must follow minimal disclosure by design, must not contain persistent identifiers in their claim values (as this eliminates privacy protections entirely), and must support selective disclosure via mechanisms like the Digital Credential Query Language (DCQL). A key operational challenge is that wallets cannot update credentials autonomously — any change requires re-issuance from the original issuer — making claim lifetime management critical, especially for frequently changing entitlements. The session on Zero Knowledge Proofs examined the two main candidate approaches: BBS ZKP, which is efficient but not yet post-quantum safe and lacks a deployable holder binding solution, and Google’s Longfellow (ZK-SNARKs over ISO mdoc), which uses existing ECDSA cryptography but is large and slow. Neither approach is ready for broad production deployment, and the pragmatic consensus was to accept that whatever is built now will need to be redesigned within a few years.
Identity assurance and trust frameworks received significant attention. The REFEDS Research and Education Assurance Framework (RAF) is gaining traction — all 41 NIH-funded controlled-access data repositories now require RAF-compliant assurance, affecting approximately 3,800 institutions globally. However, only around 20% of eduGAIN-connected IdPs are certified against any REFEDS baseline, highlighting a persistent gap between the standards the community produces and their actual adoption. The session on REFEDS’ future discussed the need for dedicated resources, a more formal standards process, and better maintenance of existing specifications. A parallel discussion on the EOSC AAI architecture showed a faster-moving part of the same community: nine of thirteen first-wave EOSC nodes have implemented the required OpenID Connect-based AAI stack, with full federation production readiness targeted for late 2026. MyAccessID currently serves as the central trust hub, with OpenID Federation planned as the eventual replacement.
Several sessions addressed structural challenges in federation adoption. The business case session identified a persistent gap between the people who benefit from federation (researchers, librarians) and the decision-makers who fund it, exacerbated by poor documentation and a near-total absence of marketing. The comparison with Microsoft was instructive: Microsoft’s success in academic environments is not due to technical superiority but to sample code, training materials, YouTube tutorials, and active community engagement — resources the R&E IAM community largely lacks. A dedicated session on whether NRENs should invest in Microsoft integration (particularly Entra ID) exposed the geopolitical dimension of this question: the once-theoretical risk of US cloud service disruption is now taken seriously enough to shift political support toward digital sovereignty initiatives in several European countries.
The proposed FIM4E (Federated Identity Management for Education) initiative — modelled on the successful FIM4R programme for research — addressed the growing need to extend AARC’s Blueprint Architecture to student mobility and university alliance use cases. Key differences from research IAM include dramatically larger user populations (thousands of students versus small research groups), reliance on learning management systems not designed for federated identity, administrative processes managed by institutional staff who are not IAM experts, and a fundamentally different vocabulary that creates barriers between the technical IAM community and education administrators. The session argued that a FIM4E working group must first embed itself in university alliances and EU education bodies to understand their requirements before proposing technical solutions.
On the cryptographic horizon, the post-quantum transition was discussed in practical terms. With 2030 deadlines set by both US and Dutch authorities, the community must plan migrations now. New algorithms like ML-DSA are available but significantly slower than RSA and introduce open questions around side-channel vulnerabilities. SAML’s reliance on XML DSig is a particular problem: extending an end-of-life standard to support post-quantum algorithms is a significant investment for diminishing returns, making migration to OIDC — which already has better post-quantum support — the more strategic path. Passkeys and FIDO2 authenticator key rollover for post-quantum scenarios have not yet been addressed by standards bodies.
Across all sessions, the conference painted a picture of a community managing a complex, multi-dimensional transition. The technical infrastructure — federation protocols, trust frameworks, attribute profiles, and identity assurance schemes — is broadly sound but needs modernisation. The harder challenges are organisational: building awareness among decision-makers, sustaining the volunteer-driven standards work of bodies like REFEDS, extending federation to new communities in education and government, and investing in the documentation and tooling that turns good specifications into widely deployed infrastructure. The consistent note struck was one of pragmatic realism: the technologies of the future (wallets, OpenID Federation, post-quantum cryptography) are coming into view, but the work of reliably connecting researchers and students to the resources they need through trustworthy federated identity continues to depend on unglamorous but essential work in governance, operations, and community-building.
A Glimpse into the Future: OpenID Federation Takes the Stage
Finally, on Friday, we had an OpenID Federation workshop. The timing was very good: the final draft had been published, so the OpenID Federation RFC, published soon afterwards, could be announced. After a thorough introduction to the spec, there were presentations on adoption in software (such as in Shibboleth and SimpleSAMLphp), and early pilots, especially the eduGAIN OpenID Federation Pilot, were reported on and discussed. Other presentations dealt with OIDFed discovery, OIDFed and wallets, cross-domain trust among AARC proxies, and libraries to support Relying Parties (service providers) in Golang, PHP, Python, etc. One slot was devoted to policy implications of OIDFed.
In summary, it can be said that the TIIME week in Amsterdam was very worthwhile, since all current aspects of identity and trust were addressed and discussed by the experts in the field. I assume everyone could learn a lot. I, for one, was very inspired and travelled back home with the feeling that everyone interested in the topic who didn’t attend really missed something. The OIDFed workshop had a sort of historical value, since it was the start of modelling a new trust federation for the community based on a just-finalized standard, which will influence the next decade of research federations.


