At TNC17 on 31 May, we heard challenging words from SURFnet CTO Erik Huizer, who took us on a roller-coaster ride from eduGAIN’s careful early steps, through a potentially dystopian future to emerge once again into the sunlight, stronger and better than ever.
The points in Erik’s lightning talk reflect the growing pains of developing and scaling a successful service. eduGAIN entered production in April 2011, several years after production identity federations were well established on a national level. It is perhaps not surprising therefore, that in the early days a number of compromises needed to be made to get early engagement by federations without a prohibitively high barrier to entry.
As eduGAIN was finding its feet, research communities began to understand the potential use and impact of federated identity, but identified requirements and needs for which eduGAIN had not originally been designed. However, with the publication of the FIM4R paper in 2012, GÉANT and federations took this challenge to heart and began to work on pilots with research communities, first in 2013 in GN3plus and later in AARC and now in the second AARC project. The culmination of this work to date includes SIRTFI (Security Incident Response Trust Framework for Federated Identity) and the AARC architecture, which orchestrates the different components needed for end-to-end AAI, of which eduGAIN is a fundamental component.
There is still work to do. As a result of spectacular growth since the early, cautious days, there are now more than 1,500 services and 2,400 IdPs available. The way in which these can be identified and understood varies between countries depending on how the national federation redistributes metadata and manages its federation. For many kinds of service and users, this does not pose a difficulty. However, for one crucial set of users – global research communities – and increasingly for federations themselves, the lack of eduGAIN-related information and of detailed diagnostic and statistical tools began to become an issue.
Today, if you visit the eduGAIN technical website, the first batch of tools to improve the transparency of eduGAIN are available, supported by a major redesign of the back-end databases. Some highlights include:
- isFederatedCheck – find out if an organisation is federated
- eduGAIN Connectivity Check Service – check the quality of IdP configurations
- eduGAIN Entities Database – check adoption of SIRTFI, CoCo and R&S
- eduGAIN Access Check – allows an SP to create test accounts in multiple federations to test integration
The newest member of the tools family is eduGAIN Attribute Release Check, currently in trial, which evaluates an IdP’s attribute release policies; an enhanced support pilot is also underway. The first steps towards making eduGAIN a mature platform for global federated authentication have been completed, and we’re well on the way to dashboards and bells and whistles for those who need them, enhancing but also preserving the federation’s role as the direct contact for IdPs and SPs.
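To make concrete what a check such as the Entities Database's SIRTFI/CoCo/R&S adoption report has to look at, here is an added example that is not eduGAIN's own code. It assumes the standard SAML metadata encoding of these flags: SIRTFI is asserted as an `urn:oasis:names:tc:SAML:attribute:assurance-certification` entity attribute with the value `https://refeds.org/sirtfi`, while R&S and the v1 Data Protection Code of Conduct are `http://macedir.org/entity-category` values. The metadata aggregate and the entityIDs in it are constructed for the example.

```python
"""Report SIRTFI, R&S and CoCo adoption per entity in a SAML metadata aggregate.

Added example; not eduGAIN's tooling. The sample metadata below is constructed
and its entityIDs are hypothetical.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Well-known attribute names and values used by REFEDS/GEANT.
ENTITY_CATEGORY = "http://macedir.org/entity-category"
ASSURANCE_CERT = "urn:oasis:names:tc:SAML:attribute:assurance-certification"
SIRTFI = "https://refeds.org/sirtfi"
RS = "http://refeds.org/category/research-and-scholarship"
COCO_V1 = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# Constructed aggregate: two IdPs and one SP with differing flags.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://idp.example-a.test/idp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ASSURANCE_CERT}"><saml:AttributeValue>{SIRTFI}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="{ENTITY_CATEGORY}"><saml:AttributeValue>{RS}</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example-b.test/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example-c.test/shibboleth">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="{ENTITY_CATEGORY}">
        <saml:AttributeValue>{RS}</saml:AttributeValue>
        <saml:AttributeValue>{COCO_V1}</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="{ASSURANCE_CERT}"><saml:AttributeValue>{SIRTFI}</saml:AttributeValue></saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def entity_attributes(entity):
    """Collect EntityAttributes as {attribute name: set of values}."""
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        values = {(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)}
        attrs.setdefault(attr.get("Name"), set()).update(values)
    return attrs


def classify(entity):
    """Return the entity's role and which of the three flags it asserts."""
    attrs = entity_attributes(entity)
    if entity.find("md:IDPSSODescriptor", NS) is not None:
        role = "IdP"
    elif entity.find("md:SPSSODescriptor", NS) is not None:
        role = "SP"
    else:
        role = "other"
    return {
        "entityID": entity.get("entityID"),
        "role": role,
        "sirtfi": SIRTFI in attrs.get(ASSURANCE_CERT, set()),
        "rs": RS in attrs.get(ENTITY_CATEGORY, set()),
        "coco": COCO_V1 in attrs.get(ENTITY_CATEGORY, set()),
    }


def adoption_report(metadata_xml):
    """Per-entity flags plus adoption counts per role for an aggregate or single entity."""
    root = ET.fromstring(metadata_xml)
    md_entity = "{%s}EntityDescriptor" % NS["md"]
    # A file may carry a bare EntityDescriptor rather than an EntitiesDescriptor.
    entities = [root] if root.tag == md_entity else root.findall(".//md:EntityDescriptor", NS)
    rows = [classify(e) for e in entities]
    summary = {}
    for row in rows:
        s = summary.setdefault(row["role"], {"total": 0, "sirtfi": 0, "rs": 0, "coco": 0})
        s["total"] += 1
        for flag in ("sirtfi", "rs", "coco"):
            s[flag] += int(row[flag])
    return {"entities": rows, "summary": summary}


if __name__ == "__main__":
    report = adoption_report(SAMPLE_METADATA)
    for row in report["entities"]:
        print(row["role"], row["entityID"], "SIRTFI" if row["sirtfi"] else "-",
              "R&S" if row["rs"] else "-", "CoCo" if row["coco"] else "-")
    print(report["summary"])
```

Pointing `adoption_report` at a real federation's signed aggregate would give the same per-role counts the Entities Database publishes; in production the aggregate's XML signature must be verified before trusting any of these flags, since an unsigned or tampered aggregate could claim SIRTFI compliance for an entity that never made the commitment.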
As eduGAIN grows, the burden of participation on NRENs becomes more pronounced. As the annual REFEDS survey highlights, strategic investment by NRENs in identity management remains low compared to the scope and reach of the services delivered. While some NRENs invest significantly and give identity services a strategic emphasis similar to their network service portfolio, others have barely adequate resourcing and experience difficulties in finding well-qualified staff. It will be necessary for us as federations to work together and support each other, but it will also be necessary for NREN management to see the strategic importance of federated identity services and invest in the long term.
Without this investment, we will be poorly placed to support our campuses when they need to adapt to new developments, whether this is research service requirements, new technologies such as OIDC or the impending change in data protection legislation, the GDPR. The burden of implementation falls most strongly on the campus, and without our support, the conservative tendency not to share attributes will only be exacerbated. Erik’s worst-case scenario could become a reality.
The potential is there, too, for his bright future, and this is the future we’re working to bring about. InAcademia leans on eduGAIN for attributes, but eduGAIN may also lean on a successful InAcademia for sustainability and to ease the workload on federations in supporting use cases that do not require the same level of trust as full eduGAIN participation. User-centric identity and the evolution of eIDAS national deployments both offer opportunities for campuses to step aside from some of the costly management of personal data and focus on attributes that are within their control. The goodwill and commitment of the identity federations, and their expert contributions to REFEDS and GÉANT, mean we are well placed indeed to raise a toast to eduGAIN in 2027.
Long live eduGAIN!