
eduGAIN is currently built on SAML, a technology that has served the research and education community well for many years. Now, SAML is considered a legacy technology, and development has ceased. At the same time, OpenID Connect 1.0 and OAuth 2.0 are the current industry standards, but they lack a scalable way to establish trust.
The OpenID Federation specification defines an architecture for establishing trust at Internet scale for OpenID Connect 1.0, OAuth 2.0, and ideally for any web-based authentication and authorisation protocol. It is used for the national eID in Italy and has been tested for the EUDI wallet.
As part of the GN5-2 project, the eduGAIN service is currently running a pilot to test how OpenID Federation can be used as the future trust technology for eduGAIN, alongside the existing SAML infrastructure. The pilot started in July 2025 and will run for 12 months.
Six principles will guide the work
The pilot has established a set of principles for OpenID Federation in eduGAIN:
- The eduGAIN federation has one defined mechanism to establish trust among all the participants.
- eduGAIN is a federation of federations, and organisations cannot join eduGAIN directly.
- eduGAIN is a federation of federations, and it builds on the layer of local trust already provided by the federation.
- Federations may admit Intermediate Authorities as subordinates and let them register their own entities provided that they can support the federation requirements.
- All the eduGAIN entities must be discoverable and their trust resolvable to the eduGAIN Trust Anchor.
- End entities that have eduGAIN as Trust Anchor must be validated against the eduGAIN OpenID Federation Profile. Additional validation is required to support other profiles, specifications and trust frameworks.
Based on these principles, the pilot will, through DevOps work and use cases, aim to test all important aspects of OpenID Federation.
Federations are welcome to join the pilot
Federations that want to join the pilot should have an overall comprehension of the OpenID Federation specification. Furthermore, they need to have a working knowledge of OpenID Connect Providers and Relying Parties, as well as a working knowledge of the current eduGAIN SAML technological profile.
Current participants in the pilot are:
- AAF, Australia
- UK Federation, UK
- Swamid, Sweden
- RCTSaai, Portugal
- CAF, Canada
- ArnesAAI, Slovenia
- DFN-AAI, Germany
- HAKA, Finland
- hu, Hungary
- IDEM, Italy
Alongside the pilot, the eduGAIN service is also initiating the Technical Profiles Working Group, which will have the following goals:
- To review the existing eduGAIN SAML Profile and describe the goal behind each statement in terms of trust and technical compliance.
- To map these intentions to an OIDC Profile.
- To define a new technical profile or profiles for eduGAIN, with either a master with branches per technology or individual profiles per technology.
After the pilot concludes, the results will be analysed. Decisions on creating a production eduGAIN OpenID Federation will then be made based on the findings from the pilot and the eduGAIN Technical Profiles Working Group.
Both the pilot and the Working Group are open to all eduGAIN members. Interested parties should contact support@edugain.org. If you have questions, please contact Davide Vaghetti at davide.vaghetti@garr.it.
- For more information on eduGAIN: eduGAIN – enabling worldwide access
- For more information on the pilot, see the eduGAIN wiki: eduGAIN – Open ID Federation Pilot
- For more information on the Working Group, see the eduGAIN wiki: eduGAIN Technical Profile Working Group
A trusted foundation for the EUDI Wallet in research and education: Why eduGAIN and OpenID Federation matter
In 2021, the European Commission launched the European Digital Identity (EUDI) Wallet initiative to provide a secure and standardised digital identity framework for EU citizens to use while having full control of their personal data. But how can we ensure trust remains a core value across borders and institutions within the research and education sector?
In a recent paper published within the framework of the DC4EU Project, Paul den Hertog (SURF), Niels van Dijk (SURF), and Klaas Wierenga (GÉANT) propose a possible solution: using OpenID Federation to connect the EUDI Wallet with existing academic infrastructures, particularly eduGAIN.
Read the full paper at: https://edu.nl/jvbwu








