
edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.



Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?


  • From: Davide Vaghetti <davide.vaghetti AT garr.it>
  • To: Lukas Hämmerle <lukas.haemmerle AT switch.ch>, edugain-discuss AT lists.geant.org
  • Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
  • Date: Mon, 16 May 2022 09:11:49 +0200

Hello Lukas,

It's nice to hear you and (unsurprisingly) with an interesting use case. I think you are right saying that eduGAIN does not have any specific policy requirement about open IdPs and self-asserted identities.

More generally speaking, we lack two things: on the one hand a common assurance framework adopted and recognized by all the eduGAIN participants, on the other a policy decision about the minimum (or baseline which is fancier) requirements for eduGAIN enabled identities.

A common assurance framework exists, it's the REFEDS Assurance Framework [1], and with RAF I think it would be possible to clearly define self-asserted identities for this specific use case. Nonetheless, AFAIK RAF is far from being adopted by all the eduGAIN participants.

Please note that an assurance requirement for eduGAIN is also currently being discussed in the eduGAIN Futures Working Group [2].

That said, I think in principle SWITCH could create a RAF profile to signal that the eduID private identities (no university affiliation) are self-asserted.

Bests,
Davide

[1] https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0
[2] https://wiki.geant.org/display/eduGAIN/eduGAIN+Futures+Working+Group+Charter

On 16/05/22 08:48, Lukas Hämmerle wrote:
Hello all

What is eduGAIN's current official policy and best-practice in terms of guest and open Identity Providers where just anyone can create an account?

As far as I see, there is nothing directly mentioned in the constitution and declaration regarding this point. One relevant document in this matter is the registration practice statement that each federation writes (and changes) on its own.

The "Registration practice statement" of a federation declares which types of organisations are accepted in a federation. Assuming that a university or a federation operator itself would operate a guest IdP that allows just any user with a valid e-mail address to register an account, would this be ok? Or are there any limits on which attributes and values this IdP should/should not release?

I know that there exists at least one guest IdP in eduGAIN (that releases just a limited set of attributes) and that probably more exist. Still, I'm interested in some current official response and view on this topic.

The background of this question has to do with SWITCH edu-ID, where we currently publish the university IdPs in eduGAIN but don't allow private identities (without university affiliation) to access eduGAIN services. There are library use cases where people (without university affiliation) need access to publisher resources (accessible via eduGAIN). Therefore, we are exploring the options for how to allow access to these users.


Best Regards
Lukas



--
Davide Vaghetti
Consortium GARR
Tel: +390502213158
Mobile: +393357779542
Skype: daserzw
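Added illustration (not part of the thread, not SWITCH's or GARR's code): how a service provider could consume REFEDS Assurance Framework values carried in the multi-valued eduPersonAssurance attribute to tell a self-asserted guest identity from a vetted university identity, which is the signalling Davide suggests above. The RAF URIs follow RAF v1.0 as referenced in [1]; the reading of IAP/low as "self-asserted" is an assumption of this example, and the three sample attribute sets, the policy thresholds and the function names are constructed for illustration only.

```python
"""Example SP-side authorization on RAF values in eduPersonAssurance.

Added for illustration; not code from the thread or from any federation.
RAF URIs per REFEDS Assurance Framework v1.0; treating IAP/low as the
self-asserted level is an assumption of this example.
"""

RAF = "https://refeds.org/assurance"          # compliance claim (required to trust the rest)
ID_UNIQUE = f"{RAF}/ID/unique"
CAPPUCCINO = f"{RAF}/profile/cappuccino"      # RAF profile commonly used by research SPs
IAP_RANK = {f"{RAF}/IAP/low": 1, f"{RAF}/IAP/medium": 2, f"{RAF}/IAP/high": 3}

# Constructed sample assertions: attribute name -> list of values (SAML attributes are multi-valued)
UNIVERSITY_USER = {
    "eduPersonPrincipalName": ["alice@example.edu"],
    "eduPersonAffiliation": ["member", "student"],
    "eduPersonAssurance": [RAF, ID_UNIQUE, f"{RAF}/ID/eppn-unique-no-reassign",
                           f"{RAF}/IAP/medium", f"{RAF}/ATP/ePA-1m", CAPPUCCINO],
}
GUEST_USER = {  # self-registered with only an e-mail address, as in Lukas's scenario
    "eduPersonPrincipalName": ["bob@guest.example.org"],
    "eduPersonAssurance": [RAF, ID_UNIQUE, f"{RAF}/IAP/low"],
}
LEGACY_USER = {  # IdP that has not adopted RAF at all: no assurance values released
    "eduPersonPrincipalName": ["carol@old.example.net"],
    "eduPersonAffiliation": ["member"],
}


def iap_level(attrs):
    """Highest identity-proofing level asserted; 0 when RAF compliance is not claimed.

    Without the bare compliance URI the component values are not trustworthy, so they
    are ignored rather than partially honoured.
    """
    values = set(attrs.get("eduPersonAssurance", []))
    if RAF not in values:
        return 0
    return max((IAP_RANK.get(v, 0) for v in values), default=0)


def is_self_asserted(attrs):
    """True when the IdP signals RAF compliance but only the lowest proofing level."""
    return iap_level(attrs) == 1


def authorize(attrs, min_iap=1, require_unique_id=True, allowed_profiles=()):
    """Return (allowed, reason) for one login under a hypothetical SP policy.

    min_iap=1 admits self-asserted identities; min_iap=2 excludes them. A non-empty
    allowed_profiles demands that at least one listed RAF profile is asserted.
    """
    values = set(attrs.get("eduPersonAssurance", []))
    if RAF not in values:
        return False, "IdP does not claim RAF compliance; assurance unknown"
    if require_unique_id and ID_UNIQUE not in values:
        return False, "identifier not asserted as unique"
    if allowed_profiles and not values.intersection(allowed_profiles):
        return False, "required RAF profile not asserted"
    level = iap_level(attrs)
    if level < min_iap:
        return False, f"IAP level {level} below required {min_iap}"
    tag = "self-asserted" if level == 1 else "vetted"
    return True, f"access granted ({tag} identity, IAP level {level})"


if __name__ == "__main__":
    # Two hypothetical SP policies: a publisher that insists on cappuccino, and a
    # library "walk-in" policy that accepts any RAF-compliant identity but can still
    # see that the guest is self-asserted and scope its access accordingly.
    policies = {
        "publisher (cappuccino)": dict(min_iap=2, allowed_profiles=(CAPPUCCINO,)),
        "library walk-in": dict(min_iap=1),
    }
    for name, policy in policies.items():
        for user in (UNIVERSITY_USER, GUEST_USER, LEGACY_USER):
            eppn = user["eduPersonPrincipalName"][0]
            print(f"{name:24} {eppn:26} -> {authorize(user, **policy)}")
```

The point a practitioner would take from this: absence of eduPersonAssurance (the LEGACY_USER case) is not the same as a self-asserted identity. An SP can only make the distinction Davide proposes if the IdP actually releases RAF values, which is why a federation-wide baseline matters.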


