EUNIS Journal of Higher Education IT – EJHEIT
This 2015/2 Issue of EUNIS Journal of Higher Education IT is the third and last of the special issues that publishes full papers from the EUNIS congress. This issue focuses on papers from the track Security and Software Development.
Six full papers, three in each track, are available. Both tracks have been long absent from the congress programme however their timely return is evidenced by the success of the tracks and the quality of the published papers.
Security
GÉANT-TRUSTBROKER: SIMPLIFYING IDENTITY & ACCESS MANAGEMENT FOR INTERNATIONAL RESEARCH PROJECTS AND HIGHER EDUCATION COMMUNITIES
Daniela Pöhn, Stefan Metzger and Wolfgang Hommel
Most national research and education networks (NRENs) have set up authentication and authorization infrastructures (AAIs), also known as federations, to ensure that ICT services can be used across higher education institutions’ (HEIs’) borders. For example, the German federation DFN-AAI allows students from various universities to enroll in eLearning courses provided by other German universities (Hommel, 2009). Most European federations are technically based on the SAML standard and implemented using open source software like Shibboleth or simpleSAMLphp. However, users can only access third party services whose service providers (SPs) are members of the same federation as their home organization, which is also referred to as their identity provider (IDP). Therefore, given national federations, international groups of users, e.g., researchers in a multi-national EC-funded project, cannot access each other’s ICT services, such as a project-wide Wiki collaboration web server, without additional effort, simply because crossing federation borders is not technically possible.
In the past, many HEI members with a demand for international identity & access management (I&AM) have often worked around this problem in one of two less elegant ways: they either created local user accounts for their external project partners at each service, which does not scale well, or they created community-specific new federations, which were defined not by geography but by some other arbitrary criterion, such as membership in a scientific community or project. However, neither of these solutions is user- and administration-friendly; instead they increase the overall management complexity and are considered burdensome overhead. To overcome the limits imposed by national federations, the pan-European research and education network Géant meanwhile initiated eduGAIN (see (Géant, 2014)), an umbrella inter-federation (i.e., a federation-of-federations) that enables inter-AAI user authentication and authorization (AuthNZ). More than 20 federations world-wide have already joined eduGAIN, making it one of the most important eScience-enabling software infrastructures as of today.
eduGAIN, however, comes at the price of increased contractual complexity and, on the technical side, has only standardized the common denominator of its member federations regarding which information about users IDPs make available to SPs. In practice, this means there is no guarantee that users from an IDP in federation A can successfully use a service provided by an SP in federation B, even if both are in eduGAIN, in the same way as if the IDP and the SP were in the same (national) federation. Thus, while eduGAIN is certainly a success and enables the use of many services across federations’ borders, its adoption has proceeded more slowly than initially hoped for, and the resulting inter-federation by itself is not sufficient for more complex services that need more detailed user information from IDPs.
Géant has therefore initiated a project complementary to eduGAIN: Géant-TrustBroker (GNTB) will enable the on-demand creation of virtual federations and put the end users in control of connecting arbitrary SPs to their own IDP even when they are not in the same federation or eduGAIN. GNTB optionally supports the fully automated setup of technical SP-IDP relationships so that users can immediately start using new services provided by federation-external SPs instead of having to wait until the SP and IDP administrators have set up the AAI software configuration manually. Manual intervention is only necessary when organizational trust-building measures, such as signing a formal contract between SP and IDP, are necessary, e.g., for commercial services that require high liability.
In this article, we present the concepts of GNTB from the perspective of an HEI that operates an IDP for its users, assuming that the IDP is already a member of at least one federation, typically the national NREN’s AAI. We first discuss the motivation for GNTB from both the end users’ and the HEIs’ perspectives and show how GNTB can be used stand-alone or in conjunction with eduGAIN. We then give an overview of the functionality and technical workflows that GNTB implements, again with a focus on the IDP side. GNTB is currently being developed in Géant’s GN3plus project and will be available for pilot use in 2015; we therefore conclude this article with a summary of what has been achieved so far and an outlook on our ongoing work.
IMPROVING HIGHER EDUCATION NETWORK SECURITY BY AUTOMATING SCAN RESULT EVALUATION WITH DR. PORTSCAN
Felix Von Eye, Wolfgang Hommel, Stefan Metzger and Daniela Pöhn
DISTRIBUTED USER MANAGED ACCESS TO INTERNET RESOURCES
Roland Hedberg
Information that once was thought just fun to publish might a couple of years down the line have a negative impact on the future of a person.
Therefore individuals must be able to control who (other persons as well as other services) can do what with what, and to do this in a standardized way that many, if not all, services can support.
To that end a working group was created a number of years ago by the Kantara Initiative (http://kantarainitiative.org) to try to:
“develop a set of draft specifications that enable an individual to control the authorization of data sharing and service access made between online services on the individual’s behalf, and to facilitate the development of interoperable implementation of these specifications by others.”
The name of the working group is User-Managed Access (UMA).
Software development
WE PUBLISH, YOU SUBSCRIBE – HUBBUB AS A NATURAL HABITAT FOR STUDENTS AND ACADEMIC TEACHERS
Janina Mincer-Daszkiewicz
Mobile applications are becoming a popular tool for accessing information stored in student management information systems (SMIS). There is no question of whether to allow such access; the question is how to deliver information in real time (instantly), in a user-friendly manner, without exposing university servers to crashes in peak hours. The solution is a publish-subscribe protocol, in which information is not pulled by a subscriber (information consumer) but is pushed by a publisher (information provider) to all subscribers (with the help of a hub). Data confidentiality is ensured by the OAuth protocol. The subject of this paper is the new methods of the public API for USOS, which implement the publish-subscribe paradigm, and a notification daemon which plays the role of the hub. USOS stands for University Study-Oriented System, a product of the MUCI consortium, which is deployed in 40 HEIs in Poland.
OPEN API’S IN INFORMATION SYSTEMS FOR HIGHER EDUCATION
Ricardo Barata, Sergio Silva, Luis Cruz and Luis Guerra E Silva
THE IMPLEMENTATION OF A NATIONAL STUDENT EXCLUSION REGISTER IN NORWAY
Asbjørn Reglund Thorsen, Geir Magne Vangen and Agnethe Sidselrud
This paper aims to present the technical solution for the Exclusion Register as well as the challenges in the implementation process due to complex legal and regulatory requirements.