| Table of Contents |
|---|
Description
- Develop user-centric identity federation: user-managed access.
- Engage with federations on the principle of user-managed access, not only technically, but also reflecting the principle that the user is the resource owner and should therefore be in control of their own “data”.
- Develop pilots based on eduKEEP- and eduID-like approaches, currently at TRL 6–8 in various national developments, to enhance to scale for international interoperability.
Status
Deliverables and Milestones
Official:
Information
https://www.geant.org/Innovation/Research_programmes/Pages/eduKEEP.aspx
Deliverables
Best GREY Deliverable D9.3: Best Practice for User Centric Federated Identity, Due M18 - 31 October 2017
GREY Milestone M9.8: User Centric Federated Identity Business Case, Due M30 - 31 October 2018
Internal:
Internal deliverables for period M1 to M18 (Deliverable D9.3):
...
Make an overview of all user-centric identities and/or national long-term academic identities. Compare their use cases and solutions concepts.
Brief list of consideration on the overview:
- how we find the countries that do have user-centric identities initiatives?
- REFEDS could be a place where to ask
- what should be reported for the use-cases and the solutions?
- questions about "how" the related issues are going to be faced
- how important is the "why" there are user-centric identities initiatives?
- distinguish among:
- R&E Federation identity centralization initiatives (like the Swiss one);
- Account linking towards eGOV identity
- one of the way we can read the user-centric identies approach:
- from Identity providers to Attribute providers
- important issues: the quality (of assurance) of the attributes
- from Identity providers to Attribute providers
Document: User-Centric identities overview (Google-Doc)
Survey: User-Centric Identity Management Survey (Google-Doc)
...
| View file | ||||
|---|---|---|---|---|
|
Summary
The current practice for identity federation in research and education is to manage identity with an organisation-centric approach, where users are assigned an identity as part of their enrolment process in organisations. This identity attached to the organisation can then be used to access services in a federation or inter-federation. This deliverable looks at identity in a wider context and outlines how to combine user-managed or user-centric identities with organisational identity. In this scenario organisations are no longer the sole providers of identity in a research and education context, but the advantages of classic identity federation are preserved, especially in terms of vetting, trusted sources of attributes, and privacy.
This change in architectural approach aims to address challenges for lifelong R&E identity and stemming from an increased mobility of users between institutions that have been observed over more than 10 years of R&E identity federation operations in production. Focusing on those use cases where a user-managed rather than organisation-managed R&E identity is an improvement over current practices, assessments are provided of the demand for this sort of approach and the readiness level of federations to adopt it, and example architectures and best practices outlined for delivering user-managed, lifelong R&E federated identity and the related policy and governance.
A user-managed R&E identity model can especially improve the current user experience and user management practices over the organisation-centric approach for use cases related to mobility between institutions, multiple affiliation and lifelong learning. Account linking enables the user to have access to all relevant affiliations at a given time, and the existence of an educational identity independent of individual organisations enables lifelong learning, while providing a closer trust relationship with the sector than fully commercial or social identity providers.
Currently two NRENs, SWITCH (Switzerland) and SUNET (Sweden), are taking the lead and already implementing this new approach, although based on different architectures. GARR (Italy) is planning to roll out its own version of this model, incorporating national eGOV-ID identities. These three architectures are compared and analysed in the document.
Finally, a set of practices are identified to guide potential adopters who are considering moving from an organisation-centric approach to user-centric R&E identity management. Policy, governance, data protection, technology, security and interoperability principles are covered.
The work presented in this deliverable, including practical examples of NRENs that are adopting this approach and the additional knowledge gathered, aims to encourage more federations to consider the shift from purely organisational identities to lifelong individual R&E identities which enable users to manage their relevant affiliations more flexibly.
People
Meeting Notes
Documents
- EduKEEP Documents on Google Drive (Access on request)
- EduKEEP Presentation at Internet2 TechExchange 2015 (abstract, presentation)
- EduKEEP Summary of work (pdf)
Reference Materials
Swiss edu-ID
- High level architecture, June 2014: full paper (30 pg), summary (2 pg.)
- General presentation 2015
- General presentation 2014
- Report of the Swiss edu-ID working group “Governance Model”
- Report of the Swiss edu-ID working group “Business Model
Attachments
| Attachments |
|---|