edugain-discuss - Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?

edugain-discuss AT lists.geant.org

Subject: An open discussion list for topics related to the eduGAIN interfederation service.

Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?


  • From: Maarten Kremers <maarten.kremers AT surf.nl>
  • To: Pål Axelsson <pax AT sunet.se>, Lukas Hämmerle <lukas.haemmerle AT switch.ch>
  • Cc: "edugain-discuss AT lists.geant.org" <edugain-discuss AT lists.geant.org>
  • Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
  • Date: Mon, 16 May 2022 13:29:12 +0000
  • Accept-language: nl-NL, en-US

Hi Pål, all,

On 16 May 2022, at 11:31, Pål Axelsson <pax AT sunet.se> wrote:
>
> Hi,
>
> RAF does not have any notion about self-asserted identity. It has only the
> level of identity proofing, uniqueness of identifier and update speed of
> affiliation.

I don’t agree: paragraph 2.2 of RAF (Identity Proofing) signalling ‘low’ is
self-asserted (as also mentioned in the example), whereas medium (or high)
is a vetted identity. IMHO that makes the difference in the identity proofing
signal.

Cheers,
Maarten

>
> With that said, a non-organisational identity provider should not release
> any home organisation and affiliation values for the users. This is how
> the Swedish non-organisational IdP eduID.se does it today. eduID.se will
> start to release RAF values before the summer.

I do agree with that: a vetted identity as such doesn’t say anything about
any possible affiliations. However, having said that, for eduID.nl (not in
eduGAIN) we do release eduid.nl as schacHomeOrg.

On a side note, we do use the AuthnContextClassRef in our eduid.nl at the
moment for step-up on assurance levels (to indicate whether an eduID has been
stepped up by means of linking your eduid.nl account to a Dutch institutional
account, hence getting a higher level of proofing on the identity):
(https://wiki.surfnet.nl/pages/viewpage.action?pageId=35783850#:~:text=in%20eduID%20Profile-,https%3A//eduid.nl/trust/linked%2Dinstitution,-Require%20the%20user)


Additional information can be retrieved by querying an API
(https://wiki.surfnet.nl/display/surfconextdev/eduID+API#:~:text=https%3A//login.eduid.nl/myconext/api/eduid/links)

Cheers,
Maarten

>
> Pål
>
>
> -----Original Message-----
> From: edugain-discuss-request AT lists.geant.org
> <edugain-discuss-request AT lists.geant.org> On Behalf Of Maarten Kremers
> Sent: Monday, May 16, 2022 9:19 AM
> To: Lukas Hämmerle <lukas.haemmerle AT switch.ch>
> Cc: edugain-discuss AT lists.geant.org
> Subject: Re: [eduGAIN-discuss] Guest and open IdPs in eduGAIN?
>
> Hi Lukas,
>
> My 2 cents: I don’t think there is any official policy (albeit some
> implicit assumptions).
> The REFEDS Assurance framework would be of help in my view by signalling
> that an account is self asserted. This of course requires further uptake
> of RAF.
> Nevertheless it would be good to also have a more explicit view on what we
> as eduGAIN expect, this could be one of the actions of the eduGAIN futures
> work.
>
> Best regards,
> Maarten
>
>> On 16 May 2022, at 08:48, Lukas Hämmerle <lukas.haemmerle AT switch.ch>
> wrote:
>>
>> Hello all
>>
>> What is eduGAIN's current official policy and best-practice in terms of
> guest and open Identity Providers where just anyone can create an account?
>>
>> As far as I see, there is nothing directly mentioned in the
> constitution and declaration regarding this point. One relevant document
> in this matter is the registration practice statement that each federation
> writes (and changes) on its own.
>>
>> The "Registration practice statement" of a federation declares which
> types of organisations are accepted in a federation. Assuming that a
> university or a federation operator itself would operate a guest IdP that
> allows just any user with a valid e-mail address to register an account,
> would this be ok? Or are there any limits on which attributes and values
> this IdP should/should not release?
>>
>> I know that there exists at least one guest IdP in eduGAIN (that releases
> just a limited set of attributes) and that probably more exist. Still, I'm
> interested in some current official response and view on this topic.
>>
>> The background of this question has to do with SWITCH edu-ID where we
> currently publish the university IdPs in eduGAIN but don't allow private
> identities (without university affiliation) to access eduGAIN services.
> There are library use cases where people (without university affiliation)
> need access to publisher resources (accessible via eduGAIN). Therefore, we
> are exploring the options for how to allow access to these users.
>>
>>
>> Best Regards
>> Lukas
>>
>> --
>> SWITCH
>> Lukas Hämmerle, Trust & Identity
>> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
>> +41 44 268 15 64 lukas.haemmerle AT switch.ch http://www.switch.ch
>
>
> Maarten Kremers
> Technical Product Manager Trust & Identity
> GÉANT Project Task Leader Trust & Identity Enabling Communities
>
> SURF | E maarten.kremers AT surf.nl | T +31 30 88 787 3000 | Available: Mon - Tue - Wed - Fri
> SURF is the collaborative organisation for ICT in Dutch education and
> research


Maarten Kremers
Technical Product Manager Trust & Identity
GÉANT Project Task Leader Trust & Identity Enabling Communities

SURF | E maarten.kremers AT surf.nl | T +31 30 88 787 3000 | Available: Mon - Tue - Wed - Fri
SURF is the collaborative organisation for ICT in Dutch education and research
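As an added example (not code from the list, eduID.nl or any federation) of how a service provider could act on the signals discussed in this thread: it reduces eduPersonAssurance values to the three RAF components Pål names, treats IAP/low or absent proofing as self-asserted per section 2.2, and declines to act on affiliation values from such accounts. The AuthnContextClassRef URI is the eduid.nl step-up value from the thread; the attribute names, the helper names and the sample values are assumptions.

```python
"""Classify a SAML login by its REFEDS Assurance Framework (RAF) signals.

Assumes an SP that has already validated the SAML response and extracted the
eduPersonAssurance values plus the AuthnContextClassRef (hypothetical helpers).
"""
from dataclasses import dataclass
from typing import Optional

RAF = "https://refeds.org/assurance"
IAP_ORDER = {"low": 1, "medium": 2, "high": 3}  # RAF section 2.2 proofing levels
# Step-up context used by eduid.nl (from the thread); an IdP-specific value
EDUID_LINKED_INSTITUTION = "https://eduid.nl/trust/linked-institution"


@dataclass
class AssuranceView:
    iap: Optional[str]       # highest identity proofing level signalled, or None
    self_asserted: bool      # IAP/low or no IAP signal: identity was not vetted
    unique_id: bool          # RAF ID/unique present
    affiliation_fresh: bool  # an ATP (affiliation update speed) value present
    stepped_up: bool         # IdP-specific step-up seen in AuthnContextClassRef


def parse_assurance(values, authn_context_class_ref=None):
    """Reduce eduPersonAssurance values to the three RAF components."""
    iap = None
    for v in values:
        if v.startswith(RAF + "/IAP/"):
            level = v.rsplit("/", 1)[1]
            if level in IAP_ORDER and (iap is None or IAP_ORDER[level] > IAP_ORDER[iap]):
                iap = level
    return AssuranceView(
        iap=iap,
        self_asserted=iap is None or iap == "low",
        unique_id=RAF + "/ID/unique" in values,
        affiliation_fresh=any(v.startswith(RAF + "/ATP/ePA-") for v in values),
        stepped_up=authn_context_class_ref == EDUID_LINKED_INSTITUTION,
    )


def meets_iap(view, minimum):
    """True when the signalled proofing level is at least `minimum`."""
    return view.iap is not None and IAP_ORDER[view.iap] >= IAP_ORDER[minimum]


def affiliation_to_act_on(view, attributes):
    """Affiliation values the SP may rely on: none for a self-asserted identity,
    since an open IdP has no vetted knowledge of the user's affiliations."""
    if view.self_asserted:
        return []
    return list(attributes.get("eduPersonScopedAffiliation", []))
```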



