eduGAIN is a world-wide infrastructure that has been operational since 2011. As such it also has a few issues that you should be aware of:
- Please note that eduGAIN currently provides only web-based authentication on a large scale, not non-web authentication. This means that for federated login via eduGAIN, a web browser is almost always involved when a user logs in. SAML and eduGAIN also allow non-web authentication in the form of the SAML ECP profile. This profile is, however, not widely supported by Identity Providers and has some other limitations that make it less usable.
- Despite the large number of participating countries and organisations, some countries and organisations are still missing, either because they don't offer federated login for their users at all or because they offer it only within their national federation but not (yet) in eduGAIN.
- With so many countries and organisations involved, coordination and setting standards for all participants is challenging, for example because countries typically have different data protection laws and other regulations. This, together with deployment issues in some countries, sometimes results in participating Identity Providers releasing insufficient user attributes.
- Since 2018 there are the REFEDS Single-Factor profile and REFEDS Multi-Factor profile, standardising authentication security, and the REFEDS Assurance Framework, covering identity vetting aspects. All these profiles help in trusting the security and identity information received from Identity Providers. However, they are not yet widely deployed, so only a few federations and organisations support them. Still, even if an organisation does not support a particular profile, relying on its data is sufficient for most non-sensitive applications, because national federations and organisations generally use the same user data for their own purposes that they use for enabling access via eduGAIN. So it is also in their self-interest to keep user data up to date and properly verified. Think of a university, which certainly is interested in properly identifying its staff members and students before they join and get a user account. The same university is also interested in disabling an account when a staff member leaves or a student finishes their studies after some years.
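The last two points describe what a Service Provider actually has to cope with: an Identity Provider may release fewer attributes than the service needs, and may or may not assert one of the REFEDS profiles. The following is an added example, not code from the eduGAIN page or any eduGAIN software, of an SP-side policy check over a received SAML 2.0 assertion. It reads the `AuthnContextClassRef` (where the REFEDS SFA/MFA profile identifiers are carried) and the released attributes, and rejects the login if the local policy is not met instead of silently degrading. It assumes the SAML library has already validated the assertion's signature, conditions and audience; the OID attribute names and REFEDS URIs are the standard ones, while the sample assertions, the issuer `https://idp.example.edu/idp/shibboleth` and the user names are constructed for illustration.

```python
# Added example (not from the eduGAIN page): Service Provider-side policy check
# on a SAML 2.0 assertion. Assumes signature, conditions and audience were
# already validated by the SAML library before this code runs.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# REFEDS profile identifiers carried in AuthnContextClassRef
REFEDS_SFA = "https://refeds.org/profile/sfa"
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Standard OID-named attributes commonly released in eduGAIN
ATTR_EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"        # eduPersonPrincipalName
ATTR_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"       # mail
ATTR_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"  # eduPersonAssurance


def parse_assertion(xml_text):
    """Return (authn_context_class_ref or None, {attribute_name: [values]})."""
    root = ET.fromstring(xml_text)
    ref = root.find(
        ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    authn_context = ref.text.strip() if ref is not None and ref.text else None
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    return authn_context, attrs


def evaluate_login(xml_text, required_attrs, require_mfa=False,
                   required_assurance=None):
    """Apply the SP's local policy; returns a dict with 'accepted' and 'problems'.

    Every unmet requirement is recorded; the login is accepted only if the
    problem list is empty, so an IdP that releases too few attributes or no
    REFEDS MFA context cannot slip through."""
    authn_context, attrs = parse_assertion(xml_text)
    problems = []
    missing = [a for a in required_attrs if not attrs.get(a)]
    if missing:
        problems.append("IdP did not release required attributes: " + ", ".join(missing))
    if require_mfa and authn_context != REFEDS_MFA:
        problems.append(f"REFEDS MFA required, got AuthnContextClassRef {authn_context!r}")
    if required_assurance and required_assurance not in attrs.get(ATTR_ASSURANCE, []):
        problems.append(f"eduPersonAssurance lacks {required_assurance}")
    return {"accepted": not problems, "authn_context": authn_context,
            "attributes": attrs, "problems": problems}


# Constructed sample assertions (not captured from a real IdP). The first models
# an IdP asserting REFEDS MFA and the REFEDS IAP/medium assurance level; the
# second asserts only SFA and releases a single attribute.
def _assertion(authn_ref, attributes):
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        + "</saml:Attribute>"
        for name, vals in attributes.items())
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        "<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>"
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>'
        f"<saml:AuthnContextClassRef>{authn_ref}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        "</saml:Assertion>")


SAMPLE_GOOD = _assertion(REFEDS_MFA, {
    ATTR_EPPN: ["alice@example.edu"],
    ATTR_MAIL: ["alice@example.edu"],
    ATTR_ASSURANCE: ["https://refeds.org/assurance",
                     "https://refeds.org/assurance/IAP/medium"],
})
SAMPLE_SPARSE = _assertion(REFEDS_SFA, {ATTR_EPPN: ["bob@example.org"]})

if __name__ == "__main__":
    policy = dict(required_attrs=[ATTR_EPPN, ATTR_MAIL], require_mfa=True,
                  required_assurance="https://refeds.org/assurance/IAP/medium")
    for name, xml in [("good", SAMPLE_GOOD), ("sparse", SAMPLE_SPARSE)]:
        result = evaluate_login(xml, **policy)
        print(name, "accepted" if result["accepted"] else "rejected", result["problems"])
```

For a non-sensitive application, the same `evaluate_login` call with only `required_attrs=[ATTR_EPPN]` and no MFA or assurance requirement accepts the sparse assertion too, which matches the text's point that for most such services the attributes an IdP releases are good enough; the per-service policy, not the code, decides how strict to be.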