
edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

RE: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?


  • From: Pål Axelsson <pax AT sunet.se>
  • To: Maarten Kremers <maarten.kremers AT surf.nl>, Lukas Hämmerle <lukas.haemmerle AT switch.ch>
  • Cc: edugain-discuss AT lists.geant.org
  • Subject: RE: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
  • Date: Mon, 16 May 2022 11:31:50 +0200

Hi,

RAF does not have any notion about self-asserted identity. It has only the
level of identity proofing, uniqueness of identifier and update speed of
affiliation.

With that said, a non-organisational identity provider should not release
any home organisation and affiliation values for the users. This is how
the Swedish non-organisational IdP eduID.se does it today. eduID.se will
start to release RAF values before the summer.

Pål


-----Original Message-----
From: edugain-discuss-request AT lists.geant.org
<edugain-discuss-request AT lists.geant.org> On Behalf Of Maarten Kremers
Sent: Monday, May 16, 2022 9:19 AM
To: Lukas Hämmerle <lukas.haemmerle AT switch.ch>
Cc: edugain-discuss AT lists.geant.org
Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?

Hi Lukas,

My 2 cents: I don't think there is any official policy (albeit some
implicit assumptions).
The REFEDS Assurance framework would be of help in my view by signalling
that an account is self-asserted. This of course requires further uptake
of RAF.
Nevertheless it would be good to also have a more explicit view on what we
as eduGAIN expect; this could be one of the actions of the eduGAIN futures
work.

Best regards,
Maarten

> On 16 May 2022, at 08:48, Lukas Hämmerle <lukas.haemmerle AT switch.ch>
> wrote:
>
> Hello all
>
> What is eduGAIN's current official policy and best-practice in terms of
> guest and open Identity Providers where just anyone can create an account?
>
> As far as I see, there is nothing directly mentioned in the
> constitution and declaration regarding this point. One relevant document
> in this matter is the registration practice statement that each federation
> writes (and changes) on its own.
>
> The "Registration practice statement" of a federation declares which
> types of organisations are accepted in a federation. Assuming that a
> university or a federation operator itself would operate a guest IdP that
> allows just any user with a valid e-mail address to register an account,
> would this be ok? Or are there any limits on which attributes and values
> this IdP should/should not release?
>
> I know that there exists at least one guest IdP in eduGAIN (that releases
> just a limited set of attributes) and that probably more exist. Still, I'm
> interested in some current official response and view on this topic.
>
> The background of this question has to do with SWITCH edu-ID where we
> currently publish the university IdPs in eduGAIN but don't allow private
> identities (without university affiliation) to access eduGAIN services.
> There are library use cases where people (without university affiliation)
> need access to publisher resources (accessible via eduGAIN). Therefore, we
> are exploring the options for how to allow access to these users.
>
>
> Best Regards
> Lukas
>
> --
> SWITCH
> Lukas Hämmerle, Trust & Identity
> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> +41 44 268 15 64 lukas.haemmerle AT switch.ch http://www.switch.ch


Maarten Kremers
Technical Product Manager Trust & Identity
GÉANT Project Task Leader Trust & Identity Enabling Communities

SURF | E maarten.kremers AT surf.nl | T +31 30 88 787 3000 | Available: Mon -
Tue - Wed - Fri
SURF is the collaborative organisation for ICT in Dutch education and
research
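The thread turns on two signals a service provider can act on: whether the IdP releases home-organisation and affiliation values at all, and which REFEDS Assurance Framework (RAF) values it asserts (identity proofing, identifier uniqueness, affiliation freshness). The following Python is an added example, not code from the thread, eduGAIN, eduID.se or SWITCH: it classifies an already-parsed SAML attribute set as organisational, guest or inconsistent, then applies an assumed SP-side access rule for publisher resources. The RAF URIs are the published RAF v1.0 values and the attribute names are standard eduPerson/SCHAC names; the ORG_AFFILIATIONS set, the access rule and the sample attribute sets are constructed for illustration.

```python
"""SP-side classification of federated accounts from affiliation and REFEDS
Assurance Framework (RAF) values.

Added example for the eduGAIN guest-IdP discussion; the policy rules and the
sample attribute sets below are assumptions, not eduGAIN policy.
"""
from dataclasses import dataclass

RAF = "https://refeds.org/assurance"   # IdP claims conformance with RAF
ID_UNIQUE = f"{RAF}/ID/unique"         # identifier maps to one person
IAP_LOW = f"{RAF}/IAP/low"             # identity assurance (proofing) levels
IAP_MEDIUM = f"{RAF}/IAP/medium"
IAP_HIGH = f"{RAF}/IAP/high"
ATP_1M = f"{RAF}/ATP/ePA-1m"           # affiliation refreshed within 1 month
ATP_1D = f"{RAF}/ATP/ePA-1d"           # affiliation refreshed within 1 day

# eduPersonAffiliation values that imply a real organisational relationship
# (assumed SP policy; a guest IdP should release none of these)
ORG_AFFILIATIONS = {"member", "student", "faculty", "staff", "employee", "affiliate"}


@dataclass
class Decision:
    kind: str                 # "organisational", "guest" or "reject"
    reasons: list[str]
    assurance: frozenset[str]  # eduPersonAssurance values seen


def classify(attrs: dict[str, list[str]]) -> Decision:
    """Decide what kind of account a SAML attribute set describes.

    Assumed rules, following the thread's advice that a non-organisational
    IdP releases no home organisation or affiliation:
      * organisational: an organisational affiliation is present, a home
        organisation is present, and the affiliation scope matches it
      * guest: no organisational affiliation released; RAF values, if any,
        are the only signal about the account
      * reject: affiliation without home organisation, a scope that does not
        match the home organisation, or RAF component values asserted
        without the RAF conformance value (they are undefined on their own)
    """
    reasons: list[str] = []
    assurance = frozenset(attrs.get("eduPersonAssurance", []))
    home_orgs = set(attrs.get("schacHomeOrganization", []))
    scoped = attrs.get("eduPersonScopedAffiliation", [])

    components = {v for v in assurance if v.startswith(RAF + "/")}
    if components and RAF not in assurance:
        reasons.append("RAF component values asserted without RAF conformance value")
        return Decision("reject", reasons, assurance)

    affiliations = {v.split("@", 1)[0] for v in scoped}
    scopes = {v.split("@", 1)[1] for v in scoped if "@" in v}

    if affiliations & ORG_AFFILIATIONS:
        if not home_orgs:
            reasons.append("organisational affiliation without schacHomeOrganization")
            return Decision("reject", reasons, assurance)
        if not scopes <= home_orgs:
            reasons.append(f"affiliation scope {sorted(scopes)} not in home org {sorted(home_orgs)}")
            return Decision("reject", reasons, assurance)
        reasons.append("affiliation and home organisation are consistent")
        return Decision("organisational", reasons, assurance)

    # No organisational affiliation: a self-registered account. RAF tells us
    # whether the identity was proofed, but it stays a guest for access purposes.
    proofed = bool(assurance & {IAP_MEDIUM, IAP_HIGH})
    reasons.append("no affiliation released; "
                   + ("identity-proofed" if proofed else "self-asserted") + " guest account")
    return Decision("guest", reasons, assurance)


def allow_publisher_access(decision: Decision, allow_guests: bool) -> bool:
    """Assumed access rule for a licensed publisher resource: organisational
    accounts pass; guests pass only if the SP opts in and the IdP asserts a
    unique identifier, so the licence can be tied to one person."""
    if decision.kind == "organisational":
        return True
    if decision.kind == "guest" and allow_guests:
        return ID_UNIQUE in decision.assurance
    return False


# Constructed sample attribute sets (not real IdP output).
SAMPLE_ATTRS: dict[str, dict[str, list[str]]] = {
    "university-idp": {
        "eduPersonScopedAffiliation": ["student@example-uni.ch"],
        "schacHomeOrganization": ["example-uni.ch"],
        "eduPersonAssurance": [RAF, ID_UNIQUE, IAP_MEDIUM, ATP_1M],
    },
    # Guest IdP in the style the thread recommends: no affiliation, no home
    # org, RAF values signal a self-asserted but uniquely identified account.
    "guest-idp": {"eduPersonAssurance": [RAF, ID_UNIQUE, IAP_LOW]},
    # Affiliation released without any home organisation: inconsistent.
    "broken-idp": {"eduPersonScopedAffiliation": ["member@example-uni.ch"]},
}


def evaluate_all(allow_guests: bool = False) -> dict[str, tuple[str, bool]]:
    """Run every sample through classify() and the access rule."""
    out = {}
    for name, attrs in SAMPLE_ATTRS.items():
        d = classify(attrs)
        out[name] = (d.kind, allow_publisher_access(d, allow_guests))
    return out


if __name__ == "__main__":
    for name, (kind, ok) in evaluate_all(allow_guests=True).items():
        print(f"{name:15s} {kind:15s} access={ok}")
```

The consistency check between the affiliation scope and `schacHomeOrganization` is the part a practitioner most often omits: it is what stops an open IdP from asserting an affiliation at an organisation it does not represent, independent of whatever the registration practice statement says.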
