REV 1.0
Microsoft has published a new Azure AD document outlining the challenges, baseline design and solutions for multilateral federation that highlights the Cirrus Identity SAML Bridge as the first solution. Multilateral federation facilitates collaboration across multiple organizations around the world and it is a critical component to Identity and Access Management architecture in higher education and research. When an institution joins an eduGAIN national federation, they gain access to over 5,000 applications. Azure AD does not support multilateral federation, but there are solutions available to fill the gap.
Situation
Many service providers (SPs) rely on externalized, attribute based access control (ABAC) to manage what end users can do. In research and academia, it is very common for an individual to have multiple relationships with an institution at the same time – any combination of student, employee, and alumni. A common way to reflect this for access control is to use the eduPerson ( https://refeds.org/eduperson) attribute called eduPersonScopedAffiliation.