
Building Trust for Research and Education: Four years of Trust & Identity Services in GN4-3

Participants at the GN4-3 T&I all hands meeting

In addition to reliable and fast network connectivity, students and researchers expect to have access to a variety of additional user-friendly (yet privacy-protecting) services that are needed for their day-to-day work. They also expect to be able to access them using the same credentials provided to them by their own university, or Home Organisation, in a federated manner. 

The Trust and Identity (T&I) Work Package in the GÉANT Project, led by Licia Florio (GÉANT), Marina Adomeit (Sunet) and Maarten Kremers (SURF), is responsible for delivering and enhancing services and the underlying infrastructures to enable federated access to resources in the Research and Education community in Europe and beyond. 

As the current four-year project (GN4-3) ends in December, the T&I work package held its final (and only face-to-face) all-hands meeting at SURF in Utrecht. During this meeting, 45 trust and identity professionals celebrated the success of the past four years, discussed challenges and looked ahead to the GN5-1 project.

eduGAIN

The eduGAIN interfederation service connects identity federations around the world, simplifying access to content, services and resources for the global research and education community. The service includes the delivery of the core global infrastructure (Metadata Aggregator) and a set of supporting services.

During the last four years eduGAIN, led by Davide Vaghetti (GARR), grew from 59 to 81 federations worldwide, connecting over 5100 Identity Providers and 3600 Service Providers – an increase of over 50% in participating entities. 

The eduGAIN team focused on reinforcing the operational aspects of eduGAIN by organising a new signing key for the eduGAIN feed (one of the core trust components of the service), creating a dedicated eduGAIN helpdesk, formalising the eduGAIN secretariat and establishing a security team, which started operating in 2020.

With the aim of streamlining eduGAIN tools, a new reporting tool for federation operators was deployed as well as a tool for statistics.  

eduroam

eduroam provides a secure, worldwide roaming access service for the international Research and Education community. It includes delivery of core eduroam infrastructure and a set of supporting services.

Over the four years, eduroam continued to grow its install base. eduroam is now available in over 106 countries at over 9500 institutions (15% growth) and over 36300 service locations (25% growth).

Obviously there was a steep drop in the number of authentications during the pandemic and the respective lockdowns, but in 2022 we see a recovery to the numbers seen before the pandemic.

Besides offering a stable service, the eduroam team, led by Miroslav Milinovic (CARNET/SRCE) ✝ and Paul Dekkers (SURF), delivered, among other things, the launch of the managed Identity Provider for eduroam, a pilot for a managed service provider, and new versions of the eduroam configuration tool for easy end-user installation of eduroam. An important development was the geteduroam project, enabling easy and secure onboarding for eduroam on various platforms while integrating with the Configuration Assistant Tool (CAT) and eduGAIN.

Via this blog, the T&I team would like to remember our dear friend Miroslav Milinovic, who over the years was one of the eduroam pillars. A big thank-you goes to Paul Dekkers, who in a difficult moment stepped in and took up the leadership of the service in addition to continuing to lead the operations.

InAcademia

InAcademia gives commercial and retail services a quick, reliable, secure and privacy-friendly way to verify academic affiliation, so they can determine in real time whether a user is eligible for discounts or academic-only offers, provided the user is registered with a participating eduGAIN Identity Provider. The service can also be used by academic services that need only a simple validation of academic status, without the need to operate a service provider in eduGAIN.

A pilot service at the start of 2019 (the start of GN4-3), InAcademia grew into maturity and became a production service in February 2020.

InAcademia, led by Michelle Williams (GÉANT), has the capability to provide affiliation verification for up to 13 million students in 11 countries across Europe, with uptake and adoption continuing to grow, and provides a service to two of the largest international student discount platforms. 

eduTEAMS

eduTEAMS enables members of the research and education community to create and manage virtual teams and securely access and share common resources and services using federated identities from eduGAIN and trusted Identity Providers. eduTEAMS is the GÉANT implementation of the AARC Blueprint architecture.

Since 2019 eduTEAMS has evolved into a versatile platform to deliver AAI services based on the AARC Blueprint Architecture. Initially focusing on research collaborations, eduTEAMS was adopted by 12 Research Infrastructures (RIs) including 3 out of 5 EOSC clusters, representing tens of RIs. Today, eduTEAMS is being used in the context of the European Open Science Cloud and European Research Infrastructures, National Infrastructures, NRENs, High Performance Computing and the Erasmus Student Mobility programme.

Notable implementations are MyAcademicID for supporting the digitisation of student mobility processes within the Erasmus+ area; EOSC-Life AAI to support the EOSC Life community; Fenix AAI to support the users of the six major European HPC centres that are part of Fenix Infrastructure; Puhuri AAI to support access to the LUMI EuroHPC system and MyAccessID. eduTEAMS is also working with SURF to deliver SRAM, a service to manage access to research resources, intended for research collaborations led by Dutch organisations.

eduTEAMS is led by Christos Kanellopoulos (GÉANT) and in the GN5-1 project it will become the GÉANT Core AAI Platform.

And further

Besides operating and developing the T&I service, the work package contributed to wider development of Trust & Identity by means of the T&I Incubator and the Enabling Communities task.


The T&I Incubator, led by Niels van Dijk (SURF), develops, fosters and matures new ideas in the Trust and Identity space in Research and Education, working in cycles. The incubator started as a trial to enable more agile innovation within the framework of a European funded project; the team worked to define a process and to solicit ideas from the NREN community. The incubator will continue in the GN5-1 project.

During the course of the project, the incubator collected numerous proposals from the community for new topics. Out of these, 30 topics were selected and further investigated. This included pilots and proofs of concept with new concepts like Self Sovereign Identity, Pixy Dusting and novel ways to distribute metadata. Other activities included contributions to projects like Shibboleth, SimpleSAMLphp and SATOSA. The incubator also created additions to the existing service portfolio, and one of these, eduGAIN Reporting, is currently being moved into production within the eduGAIN team. Finally, a variety of reports and best practices were delivered. In many cases the incubator has worked closely with the community and with NRENs directly.

One of the areas where collaboration with the NRENs has been especially evident is the Trust and Identity Mentorship (TIM) programme, which was started in the incubator in the first year of the project. The TIM programme, a collaboration between the Incubator and GÉANT Learning And Development (GLAD), enabled seven students, with the support of an NREN mentor, to work in the incubator on innovative topics for their thesis projects.

The results of this work, including the work of the TIM students, can be found at the Incubator Dashboard.

The Enabling Communities task, led by Maarten Kremers (SURF), engages with the research communities, identity federations and other relevant communities for the T&I Work Package as a whole. The aim of this task is to provide a bidirectional channel with key stakeholders to understand their requirements and use them to drive the evolution of the T&I services and validate new features.

Enabling Communities coordinated the T&I business development within the T&I service. The T&I business development work acts as a linking pin between the services and the outreach and engagement done in other work packages within the GN4-3 project.

The Enabling Communities task further enables research communities and collaboration communities via harmonisation of AAI and trust and identity mechanisms, in particular through multilateral forums (like WISE, REFEDS, IGTF, FIM4R) where NRENs, research communities and service providers jointly set baseline expectations and agree on interoperability, thereby building trust. During the four years of the current project the task supported many trust-building activities, like refining and updating work from the AARC projects, supporting the assurance work and the SIRTFI work in REFEDS, securing Attribute Authorities via the IGTF and working on refining the AARC Policy Development Kit and the guiding SCI framework in WISE.

The Enabling Communities task also facilitated the AEGIS group, bringing together representatives from research and e-infrastructures, operators of AAI services.

In conclusion

Last but not least, we would like to thank all people involved for their contributions, which made this result possible! 

About the author

Maarten Kremers

Maarten joined SURF in 2007. In his current role he is responsible, as a project manager and technical product manager, for the innovation and development of SURF Trust and Identity services. His current focus is on user-centric identity management (EduID) and International T&I Engagement (European Student Identifier, European Universities).

He has led T&I tasks within the last 4 consecutive European GÉANT projects, lastly as the leader of the next generation T&I Technology task, responsible for, amongst others, the development of OIDC technology for R&E, user-centric identity management and work around identity and authentication assurance, the latter in collaboration with the AARC projects.

Within the GN4-3 project, Maarten is currently leading the T&I Enabling Communities task, for outreach towards communities and business development of the T&I services, as well as being the acting T&I Work Package leader.

Maarten has been a member of the steering committee of REFEDS, the community of R&E identity federations, since 2016 and is currently serving his third term. He holds an MSc degree in Information Management from Tilburg University.
