By Klaas Wierenga, Christos Kanellopoulos and Cathrin Stöver, GÉANT
It is repeatedly stated in meetings within the European Open Science Cloud (EOSC) environment, that one of the main elements is the identity management infrastructure. The GÉANT community has been significantly contributing already based on over 20 years of experience in building the trust and identity structures required by scientists and researchers to carry out collaborative, international, cross-border and cross-disciplinary work.
What the achievements in our community over the last 20 years show is that all developments and advances in identity management take place in the “field of tension” (German “Spannungsfeld”, Dutch “spanningsveld”) of the scalability of trust. How can trust be extended from one institution to the next, to the international level, across disciplines, allowing access to remote and shared instrumentation? How much of this must be managed by trusted entities, and how close must these entities be to the collaborator? Where can trusted decision making take place? Who authorises access to valuable resources? Is there a standard model for all? Or will there by necessity always be tailor-made solutions?
The development of Federated Identity Management (FIM) in the European and global research and education community is a fascinating study of consecutive growth and complexity, followed by a necessary step of simplification – “let’s introduce a layer of abstraction”.
We see here the GÉANT community at its finest: Engineering solutions to allow for one of our most basic human needs: Trust.
Early 2000s – national federations
The federated trust model established by the European and global NREN community has existed since the early 2000s and it consists of trust and identity federations based generally on national identity federations.
An identity federation (or just federation) is a collection of organisations that agree to interoperate under a certain rule set. This rule set typically consists of legal frameworks, policies, and technical profiles and standards. It provides the necessary trust and security to exchange identity information to access services within the federation. As of today, most EU countries operate one or more identity federations for their higher education and research community. Most academic identity federations are operated within the borders of one single country. Their members are mostly education (e.g. universities) and research organisations (research facilities) within that country, the services they operate, as well as national and global service providers. Most of them were established by the local NREN.
Such federations are called national federations and they enable trusted national collaboration. But what about international scientific collaboration?
From national federations to interfederation: eduGAIN
The eduGAIN interfederation (a federation of federations) initiative started as a research activity in the GN2 project (2004-2009). The eduGAIN service activity commenced in the successor GN3 project (2009-2013). Both GN2 and GN3 received generous support from the EU. On 1 April 2011, eduGAIN became an operational service.
As an interfederation service, eduGAIN interconnects identity federations around the world, simplifying access to content, services and resources for the global research and education community – thus exporting the trust model from the national to the international level and allowing for seamless and trusted collaboration across borders.
- comprises over 80 participant federations connecting more than 8,000 Identity and Service Providers.
- helps nearly 27,000,000 students, researchers and educators access online services while minimising the number of accounts users have to manage – reducing costs, complexity and security risks.
- allows greater access at reduced cost – with eduGAIN participants from over 4,500 identity providers, service managers can simplify their account management and control processes.
- enables institutions to easily and scalably support access to services globally – allowing control over user management.
eduGAIN enables international scientific collaboration within the eduGAIN community of NRENs around the world. But what about very specific scientific collaborations, where identity management is required to enable – for example – access to distributed instruments or databases? And how can we deal with scientific collaborators from outside the eduGAIN interfederation?
The AARC Blueprint Architecture and FIM4R
The Authentication and Authorisation for Research and Collaboration (AARC) initiative was funded by the EC and first launched in May 2015 to address the increased need for federated access and for authentication and authorisation mechanisms by research and e-infrastructures. The AARC Blueprint Architecture (BPA) defines a set of architectural building blocks that can be used to implement federated access management solutions for international research collaborations. The Blueprint Architecture allows software architects and technical decision makers to mix and match tried and tested components and build customised solutions for their requirements.
- AARC builds on top of eduGAIN and provides a layer that is fully adaptable to the requirements of research and educational collaboration and allows for scaling trust across borders, across scientific disciplines and sectors.
- The increasingly complex identity management needs of such large research communities seem like a perfect minefield. AARC has therefore taken a modular approach and developed extensive guidelines.
- And it has become clear that identity management expertise is consistently needed.
- The legacy of AARC work continues in the AARC Engagement Group for Infrastructures (AEGIS). AEGIS brings together representatives from research and e-infrastructures, operators of AAI services and the AARC team to bridge communication gaps and explore synergies.
- Federated Identity Management for Research (FIM4R) is a collection of research communities and infrastructures with a shared interest in enabling Federated Identity Management for their research infrastructures.
- AARC has revolutionised the approach to identity management and today all activities are based on the AARC Blueprint Architecture.
- With the AARC Blueprint Architecture in place, we return, as so often before, to the question of scalability: Federated Identity Management is only as scalable as the simplicity it offers on top of the underlying complexity. A step is needed that brings the user back into the driver’s seat: how do we simplify the management of virtual teams?
eduTEAMS was developed by GÉANT to enable members of the research and education community to create and manage their own virtual teams and to securely access and share common resources and services using federated identities from eduGAIN and trusted Identity Providers. With that, eduTEAMS gives the power back to the users: it allows for self-management of virtual teams, and the decision about who gets to be in the team, and with what level of access, is left entirely to the self-defining team.
eduTEAMS is already used to deliver the AAIs for large scale infrastructures, such as the FENIX AAI, PUHURI, LifeSciences AAI, UmbrellaID AAI and MyAccessID in the scientific space, and InAcademia and MyAcademicID in the educational space.
But unfortunately it is not always easy. Already AEGIS has identified the ongoing need to help user groups. It is a simple fact that a typical scientific user group does not automatically have a specialist on trust and identity in their fold. At GÉANT and the NRENs, we have realised that we need to support the set-up of almost each individual group – which is not scalable.
At the same time, we observe that the solutions implemented for the different ‘verticals’ have a lot in common.
This is the moment when the need for another layer appears. At the end of GN4-3, GÉANT introduced a new layer in the FIM model: GÉANT Core AAI.
GÉANT Core AAI – a new layer to improve scalability
Today, the GÉANT Core AAI platform makes it possible to deal with those user group requirements that are shared among all ‘verticals’: group management, third-party IDs, and protocol translation. It brings back a level of scalability necessary to operate a growing service such as FIM.
In 2023, the GÉANT community and NRENs across the globe look back on a history of success and learning about Federated Identity Management over the last 20 years. The absolute beauty here is that we have worked in the environment of (human) trust infrastructure for over 20 years. This is the time it took to build it but, more importantly, we have proven that we can extend it and maintain it.
Trust is here. Trust is GÉANT. Trust is federations and NRENs.
Trust has never been broken and we have the expertise to ensure it stays fully intact. There are still those around who do not believe that Trust will scale, but we believe we have understood the scalability of Trust, and the simple fact that the trust-based FIM infrastructure serves millions of users with BILLIONS of requests each month speaks for itself.
Moreover, the trust environment we make available is integrated with (educational and research) business processes. It is capable of responding to emerging new requirements – as we have shown over the past 20 years with consistent and consecutive adaptations and improvements.
In short: GÉANT’s Core AAI platform allows for seamless integration across domains, scaling where scalability is needed – while at the same time preserving the autonomy of communities to select their own (AARC BPA compliant) AAI, ensuring that their specific needs are met and that trust-based decision-making stays within the community.
Trust and scalability. We got you.