2017 Technology Exchange


Next Generation Trust & Identity: What’s next?!

Time 10/16/17 02:30PM-03:20PM

Room Bayview B

Session Abstract

Part of the eduGAIN roadmap is integrating developments that go beyond and/or significantly disrupt the current models, technologies or approaches to trust and identity that are in operation in the eduGAIN platform.

Identified developments in this field are amongst others OpenID Connect Identity Federations, User Driven Identity Federations, new possibilities for building step-up services and leveraging other identity federations like government eID initiatives.

The Next-Generation Trust & Identity Technology task (JRA3-T3) of the European GN4-2 project, which runs from May 2016 until December 2018, is realizing these next-generation developments.

In this presentation, we will give an overview of the results, use cases and outcomes with focus on:

A) OpenID Connect Identity Federations

OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol, which acts, much like SAML2, as a protocol for identification and authentication. Current identity federations in the academic area are, with almost no exception, SAML2 based. There is however a strong and rising interest in using OpenID Connect as a protocol for identification and authentication. OpenID Connect has been adopted by the large players in the industry and, furthermore, the REFEDS Survey 2016 showed great interest from federations in supporting OpenID Connect.

There is, however, no support in the basic OpenID Connect standards for building federations of the kind we currently know in the academic area. Roland Hedberg et al. have written a specification for creating an identity federation using OpenID Connect, taking into account some lessons learned from the identity federations as we know them now.

This task is taking the next step by further implementing and developing the specification, with the goal of creating running implementations, the tools needed to operate them as a federation, and a technology profile for eduGAIN.

B) User Driven Identity Federations - eduKEEP

With the increase in mobility of students, teachers and researchers comes an increase in complexity. The rise in distributed and cloud services means that users expect easy, seamless access to all their services, but the current identity structures don’t recognize or support this new paradigm of work, research and education.

Identities are still created and managed in institutional silos which weren’t developed with the concepts of mobility or parallelism in mind, which creates cost and complexity for both users and organizations.

We don’t change our name or tax ID when we change jobs – tax systems manage to cope with multiple careers (and sometimes even manage multiple simultaneous careers), so why do we have to change our identity just because we have moved university?

The aim of the task is to develop strategies and architectures to support the more flexible world of Research and Education in which we live. Just as federated identity broke down the barriers caused by silos of information, systems and data, the User Driven Federation (eduKEEP) wants to create systems that break down silos of identity, allowing personal mobility throughout R&E.

Speaker Maarten Kremers Surfnet BV

Speaker Henri Mikkonen NORDUnet (Nordic Infrastructure for Research and Education)

Presentation Media

GEANT 4-2 JRA3 T3 "TrustTech": OpenID Connect Identity Federations (presented by Henri Mikkonen, NORDUnet)

Primary track Trust and Identity
