...

  • Enables trustworthy exchange of identity information between federations without many bilateral agreements
  • Reduces the costs of developing and operating services
  • Improves the security and end-user experience of services
  • Enables service providers to greatly expand their user base
  • Enables identity providers to increase the number of services available to their users



Limitations

eduGAIN is a world-wide infrastructure that has been operational since 2011. As such it also has a few issues that you should be aware of:

  • Please note that eduGAIN currently provides only web-based authentication on a large scale, but not non-web authentication. This means that for federated login via eduGAIN, almost always a web browser is involved during the login of a user.
  • Despite the large number of participating countries and organisations, there are still some countries and organisations missing because they don’t offer federated login for their users or because they only offer federated login in their national federation but not (yet) in eduGAIN.
  • With so many involved countries and organisations, coordination and setting standards for all participants is challenging, partly because countries typically have different data protection laws and other regulations. This, as well as deployment issues in some countries, sometimes results in insufficient release of user attributes from participating Identity Providers.

...

  • Since 2018 there are the REFEDS Single-Factor profile and REFEDS Multi-Factor profile standardising authentication security, and the REFEDS Assurance Framework covering identity vetting aspects. All these profiles help in trusting the security and identity information received from Identity Providers. However, these profiles are not yet widely deployed, therefore only a few federations and organisations support them. Still, even if an organisation does not support a particular profile, relying on its data is sufficient for most non-sensitive applications, because national federations and organisations in general make use of the same user data that is used for enabling access via eduGAIN. So, it is also in their self-interest to keep user data up-to-date and properly verified. Think of a university that certainly is interested in properly identifying its staff members and students before they join the university and get a user account. The same university is also interested in disabling an account if a staff member leaves or a student finishes their studies after some years.

Joining eduGAIN

For a Service Provider, publication in eduGAIN allows reaching a large audience of higher education users (students, researchers, staff of higher education institutions) without the technical and administrative difficulties of maintaining and protecting repositories of user credentials. This is because authentication is always handled directly at and by the user’s home Identity Provider, while the Service Provider only has to deal with user authorization. In Identity and Access Management, authentication is the process of confirming a user’s identity, usually by verifying knowledge of a set of credentials (username, password). Authorization is the process of determining the access rights an authenticated user is eligible for. In eduGAIN terms, this means that a user accesses the Service Provider with an assertion of their identity, and the Service Provider trusts that assertion because it comes from a trusted Identity Provider, but it is always the Service Provider that decides to which parts of the service this authenticated user should have access.
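The following is an added illustration, not code from this page or from the eduGAIN project, of the Service Provider-side authorization step described above, together with two of the limitations listed earlier: an Identity Provider that releases too few attributes, and a service that requires the REFEDS MFA profile. It assumes the SAML assertion has already been signature-checked and validated against federation metadata by the SP software (for example Shibboleth SP), so only the decision logic is shown; the attribute OIDs are the standard eduPerson ones, the MFA context URI is the published REFEDS value, and the issuer, entitlement value and assertions themselves are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard eduPerson attribute names as released in eduGAIN federations
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"         # eduPersonPrincipalName
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement

REFEDS_MFA = "https://refeds.org/profile/mfa"     # REFEDS Multi-Factor profile
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed entitlement value for this hypothetical service
READER = "urn:mace:example.org:service:reader"


@dataclass
class Decision:
    allowed: bool
    reason: str
    attributes: dict = field(default_factory=dict)


def make_assertion(attributes: dict, authn_context: str) -> str:
    """Build a minimal, constructed (unsigned) SAML 2.0 assertion for the demo."""
    attr_xml = "".join(
        f'<saml2:Attribute Name="{name}">'
        + "".join(f"<saml2:AttributeValue>{v}</saml2:AttributeValue>" for v in values)
        + "</saml2:Attribute>"
        for name, values in attributes.items()
    )
    return (
        '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">'
        "<saml2:Issuer>https://idp.example.edu/idp/shibboleth</saml2:Issuer>"
        "<saml2:AuthnStatement><saml2:AuthnContext>"
        f"<saml2:AuthnContextClassRef>{authn_context}</saml2:AuthnContextClassRef>"
        "</saml2:AuthnContext></saml2:AuthnStatement>"
        f"<saml2:AttributeStatement>{attr_xml}</saml2:AttributeStatement>"
        "</saml2:Assertion>"
    )


def extract(assertion_xml: str):
    """Pull released attributes and the authentication context out of an assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    ctx = root.find(".//saml2:AuthnStatement/saml2:AuthnContext/saml2:AuthnContextClassRef", NS)
    authn_ctx = ctx.text.strip() if ctx is not None and ctx.text else None
    return attrs, authn_ctx


def authorize(assertion_xml: str, required_attrs, required_entitlement, require_mfa=False) -> Decision:
    """The SP's own decision: the IdP authenticated the user, the SP decides access."""
    attrs, authn_ctx = extract(assertion_xml)
    # Limitation from the page: some IdPs release too few attributes. Fail closed.
    missing = [a for a in required_attrs if not attrs.get(a)]
    if missing:
        return Decision(False, f"IdP did not release required attributes: {missing}", attrs)
    # Only trust the MFA claim if the IdP asserted the REFEDS MFA context.
    if require_mfa and authn_ctx != REFEDS_MFA:
        return Decision(False, f"authentication context {authn_ctx!r} is not REFEDS MFA", attrs)
    # Authenticated is not authorized: check the service-specific entitlement.
    if required_entitlement not in attrs.get(ENTITLEMENT, []):
        return Decision(False, "authenticated but not entitled to this service", attrs)
    return Decision(True, "ok", attrs)


# Constructed sample assertions
FULL_MFA = make_assertion(
    {EPPN: ["jdoe@example.edu"], AFFILIATION: ["staff"], ENTITLEMENT: [READER]}, REFEDS_MFA)
PASSWORD_ONLY = make_assertion(
    {EPPN: ["jdoe@example.edu"], AFFILIATION: ["staff"], ENTITLEMENT: [READER]}, PASSWORD)
SPARSE = make_assertion({EPPN: ["jdoe@example.edu"]}, PASSWORD)  # affiliation not released

if __name__ == "__main__":
    for label, a in [("full+mfa", FULL_MFA), ("password", PASSWORD_ONLY), ("sparse", SPARSE)]:
        d = authorize(a, [EPPN, AFFILIATION], READER, require_mfa=True)
        print(f"{label:10} allowed={d.allowed} reason={d.reason}")
```

The missing-attribute branch is the one that matters operationally: an SP that treats an absent affiliation as "no restriction" turns the attribute-release problem described above into an authorization bypass, so the check fails closed and reports which attributes the IdP withheld.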

...