EduKEEP: Towards a User-Centric Identity Management Model
Time: 10/07/15 01:30PM-01:55PM
Room: Room 26-A
eduGAIN interconnects identity federations around the world, simplifying access to content, services and resources for the global research and education community. eduGAIN enables the trustworthy exchange of information related to identity, authentication and authorisation (AAI) by coordinating elements of the federations’ technical infrastructure and providing a policy framework that controls this information exchange.
The requirements towards identity federations interconnected in eduGAIN are kept to an absolute minimum. The inner workings of those identity federations are for this reason kept outside of the scope of the eduGAIN policy framework as much as possible.
However, those inner workings strongly influence the goal of eduGAIN: to simplify access to content, services and resources for the global research and education community. Most, if not all, identity federations participating in eduGAIN manage users in an organization-centric fashion, which has several implications. Users who change organizations are issued new identities, even though these identities all belong to the very same person. Another case is that when no suitable primary affiliation exists (students leaving university, or research collaboration with industry partners), there is no straightforward way to be issued a valid identity at all.
In both cases, access to resources is lost, regardless of whether access rights were based on affiliation or on an individual basis.
Moving from an organization-centric identity management model to a user-centric model would solve this, based on a long-lived identity provider that the user controls. Existing identity providers would become attribute providers, serving information about their relationship with the individual. The long-lived identity provider releases basic information, combined with the additional attributes from the attribute providers.
In this approach, when users change organisations they keep their identity, and the changed attributes signal the move. Losing the primary affiliation results in losing attributes, but not the identity itself. In both cases it is up to the service's attribute check whether access rights should still be granted, and the service receives all the attributes it needs to make an informed decision.
The trust and identity joint research activity of the European GÉANT Project (GN4-1) is designing an architecture model for this approach, as well as an overview of needed deployment actions and proposed next steps.
Speaker: Maarten Kremers, SURFnet BV
Primary track: Trust and Identity
Secondary tracks: CAMP 201