Networks·Services·Peoplewww.geant.org

MaartenKremers

Internet2TechEx 2017,SanFrancisco,CA

GN4-2Project- NextGenerationTrust&IdentityTechnologyDevelopmentTrust&Identity:What’snext?!

16th October2017

TaskLeaderTrust&IdentityTechnologyDevelopment,GN4Project

TechnicalProductManager&ProjectmanagerT&I,SURFnet

Networks·Services·Peoplewww.geant.org

Trust&IdentityOperations• eduGAIN• eduPKI• eduroam

Trust&IdentityDevelopment• eduGAINDevelopment– FederationandCampus• eduGAINDevelopment– e-ResearchandServiceProviders• Trust&IdentityTechnologyDevelopment• eduroamServiceDevelopment

2

TheGN4-2ProjectandT&I

Networks·Services·Peoplewww.geant.org 3

GN4-2- Trust&IdentityTechnologyDevelopment

OpenIDConnectFederations

REFEDSAuthenticationprofiles&Step-UpService

eduKEEP – TowardsaUserDrivenIdentityFederation

eIDAS &eduGAIN

Networks·Services·Peoplewww.geant.org 4

OpenIDConnectFederations

Networks·Services·Peoplewww.geant.org 5

eduKEEP – TheChallenge

Overcometheorganisation-centricidentitymodelshortcomings

Identitiesaretightlycoupledwithroleandaffiliation

Poorsupportfordynamicandlooserelationships

Identitiesbootstrapping

Multipleconcurrentaffiliations

Networks·Services·Peoplewww.geant.org 6

eduKEEP – TheApproach

User-driven,persistent,privacypreserving,institutionalbackedidentity(UPPII)

Theuseridentityiscreatedoutside theorganisation

Theorganisationvalidates theuseridentity

Theorganisationlink theuseridentitytoroleandaffiliation

Theorganisationbootstrap alocaluseraccountleveragingtheexternalidentity

and/or

Networks·Services·Peoplewww.geant.org 7

eduKEEP – ThePossibilities

Registration/Alumni/lifelonglearners

Researchers

Teachers

ThirdPartiesServices

OneidentitytorulethemallToregister,joinanotheruniversity,becomeanalumni

Oneidentityinconcurrentprojectswithmultipleaffiliationsandforallpublicationwork

(withhelpofORCIDandfriends)

Oneidentityforinteractingwiththeirlearnersacrossmultipleuniversities

Supportslonger-termclient-relationship.Offeringsandconditionscanbebased

onrolesavailableatgiventime

Networks·Services·Peoplewww.geant.org 8

eduKEEP – CurrenteduID initiatives

SWITCHEduID(Switserland)

SUNETEduID(Sweden)

GARReGOV IDs,IdP/Proxy&

Aas (Italy)

Centraluser-centricIdPtobootstrapidentitiesatHomeOrganisations

ConsideringtouseanIdp/SPProxytolinkeGOV IDstoHomeOrganisationsAttributeAuthorities

Centraluser-centricIdP,enrichingidentitieswithattributesfromHomeOrganisations

Networks·Services·Peoplewww.geant.org 9

eduKEEP – Comparison

Feature SWITCHedu-ID SUNETeduIDGARRIdP/SP

Proxy

A- TargetaudienceR&ECommunity R&ECommunity R&ECommunity

B- Anewidentifierisprovided YES YES YES

B1- IdentitysuitableforAuthN YES YES NO

B2- Long-termidentity YES YES YES*

B3- Persistentidentifier YES YES YES*

B4- GloballyUniqueIdentifier YES** YES** YES*

C- IdPactingonbehalfofHomeOrganisationIdPs YES NO YES

*externaldependency**confirmedidentities

Networks·Services·Peoplewww.geant.org 10

eduKEEP – Comparison

Feature SWITCHedu-ID SUNETeduIDGARRIdP/SP

Proxy

D- AccountLinking YES YES YES

D1- LinkedAccountAuthN NO NO YES

E- Self-assertedIdentity YES YES YES*

E1- IdentityAssuranceElevation YES YES YES

E2- VO-basedvetting NO NO YES

F- AttributeAggregationatIdP YES NO YES

G- AttributeReleasePolicy- DelegateManagementtoHomeOrganisations

YES NO YES*

*externaldependency**confirmedidentities

Networks·Services·Peoplewww.geant.org

BestPractices•TheincrementalapproachofSWITCHeduID•TheAssuranceLevelelevationmodelofSUNETeduID•Solidpolicyandsecurity

LongLivedIdentitiesandeduIDs areonthewayforward•BYOID•1stclasscitizenship•Thepathtobefurtherdetermined

11

eduKEEP – Observations

Networks·Services·Peoplewww.geant.org 12

EduKEEP – TowardsaUserDrivenIdentityFederation

eduID SWITCHeduID SUNET

GARR

ArchitecturePolicy

Features

October2017:BestCurrentPractices

Document

2018:BestCurrentPractices

Pilot

Networks·Services·Peoplewww.geant.org

DevelopprofilesforAuthenticationsupportinREFEDS

DevelopStep-upservice

13

REFEDSAuthenticationprofiles&Step-UpService

Networks·Services·Peoplewww.geant.org

REFEDSAssuranceFramework(RAF)

Authenticationvector•BaseLevelAuthenticationProfile

•SingleFactor(Good-Entropy)Profile

•MFAProfile

14

REFEDSProfilesforAuthentication

Networks·Services·Peoplewww.geant.org

BaseLevelAuthenticationProfile

• Baseprofile• Noexplicitauthenticationrequirements

• draftdone,REFEDSconsultationpending

SingleFactor(Good-Entropy)Profile

• Requirementsforsinglefactors

• BCPforpasswordscenarios

• Inprogress

MFAProfile

• RequirementsforMFA

• Done

15

REFEDSProfilesforAuthentication

Networks·Services·Peoplewww.geant.org

Primaryaudience:ResearchCollaborations

BothIdentityandAuthenticationStep-UPCollaborationwithAARC•Usecases•User/communityrequirements•Architecture

Potentialpilots(Autumns2018)

Inprogress:•Analyzingdifferentapproaches

NextSteps•Timeline• Testingscalability

16

Step-UpService

DeliverStep-UpService

Networks·Services·Peoplewww.geant.org

electronicIDentification,AuthenticationandtrustServices

(UpcomingEUregulation)

LeveragetheuseofeGOV IDsforhigherLoA intheR&Efederations

Technicalinteroperabilitywithbuildproxy,technicalpilotsdone

Interoperabilitycomparisonbetweentheframeworks

17

eIDAS

Networks·Services·Peoplewww.geant.org

ScenariosNationalgatewayper

nationalR&Efederationandthenationalnode

ServicewithaglobalscopethatactsasagatewaytheeduGAINinter-federationand

eduGAIN

eduGAIN SGadoptedthe

’global’approach

Thisapproachwillbetakenasbaselinein

conversationswiththeeIDAS representatives

18

eIDAS &eduGAIN

Networks·Services·Peoplewww.geant.org 19

Moreinformation

https://wiki.geant.org/display/gn42jra3/Task+3%3A+Next+Generation+Trust+and+Identity+Technology+

Development+-+TrustTech

Networks·Services·Peoplewww.geant.org

Thankyou

Networks·Services·Peoplewww.geant.org

20

maarten.kremers@surfnet.nl