2018 Technology Exchange

Identity and Authentication Assurance in the International Academic Arena

Time 10/16/18 11:20AM-12:10PM

Room Pacifica Ballroom 4/5

Session Abstract

Many research services have real risk due to their need to handle sensitive research data or protect costly and delicate research equipment. When federation is used to access such resources, it is critical to know with sufficient confidence that the presented login credential actually represents the authorized user. Assurance information provided by an Identity Provider, which describes the reliability of identity and authentication associated with each federated login, is used for this purpose. There are various assurance frameworks in place, such as ITU-T X.1254, NIST SP 800-63-3, Kantara IAF SAC, eIDAS LoA, and IGTF. Several research and education federations also have their own assurance frameworks, InCommon Bronze and Silver [1] being the most well-known ones.

However, so far no widely used cross-national assurance framework has emerged. In 2016, REFEDS established an assurance working group [2], which is soon to release a second draft of a lightweight Assurance Framework together with an associated Single Factor Authentication Profile for public consultation.

The REFEDS Assurance Framework (RAF) [3] leverages elements of some of the existing frameworks while taking into account specific circumstances and needs of the Research & Education sector based on direct feedback from several research communities as reported in an AARC Deliverable [4]. The framework splits assurance into three independent components: identifier uniqueness, identity proofing, and an attribute-related component. These three components are further mapped to two assurance profiles: the Cappuccino profile for low-risk services and the Espresso profile for high-risk ones. A home organisation self-asserts that a user fulfils a specific set of the components using the eduPersonAssurance attribute.

Under the RAF, authentication is handled using one of two authentication profiles, the REFEDS Single Factor Authentication Profile (REFEDS-SFA) [5] and the REFEDS Multi Factor Authentication Profile (REFEDS-MFA) [6]. REFEDS-SFA defines a security baseline for multiple types of authentication factors, as well as criteria for the replacement of a lost authentication factor. REFEDS-MFA in turn defines how to signal that the authentication has been done using at least two of the four different authentication factor types.
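As an added illustration of how a relying Service Provider would consume the signals described above (this is example code, not part of the abstract or of any REFEDS or pilot implementation), the following reads the eduPersonAssurance values and the AuthnContextClassRef from a SAML 2.0 assertion and decides whether the login meets the service's required RAF profile and authentication profile. The value URIs (https://refeds.org/assurance/..., https://refeds.org/profile/sfa, https://refeds.org/profile/mfa) are taken from the published REFEDS specifications as I recall them, not from the page, which describes draft versions; the attribute OID is the eduPerson one for eduPersonAssurance; the assertion is a constructed sample; and the mapping of each profile to its component values is my reading of the RAF and is an assumption. The check is written fail-closed: no RAF compliance value, or no acceptable authentication context, means deny.

```python
"""Service-side evaluation of RAF assurance and REFEDS authentication profile
signals carried in a SAML 2.0 assertion (example code, not a REFEDS artifact).

Run this only on an assertion whose signature, issuer, audience and validity
window have already been verified; it checks assurance, not authenticity.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# eduPerson attribute OID for eduPersonAssurance (from the eduPerson schema).
EDUPERSON_ASSURANCE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"

# Assumed value URIs from the published RAF and REFEDS authentication profiles;
# the abstract describes draft versions, so treat these strings as assumptions.
RAF = "https://refeds.org/assurance"               # "IdP complies with RAF" marker
CAPPUCCINO = RAF + "/profile/cappuccino"           # low-risk services
ESPRESSO = RAF + "/profile/espresso"               # high-risk services
PROFILE_COMPONENTS = {                             # assumed component sets per profile
    CAPPUCCINO: {RAF + "/ID/unique", RAF + "/IAP/low", RAF + "/ATP/ePA-1m"},
    ESPRESSO: {RAF + "/ID/unique", RAF + "/IAP/high", RAF + "/ATP/ePA-1m"},
}
REFEDS_SFA = "https://refeds.org/profile/sfa"
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Constructed sample assertion: Cappuccino-level identity, MFA authentication.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2018-10-16T11:20:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2018-10-16T11:19:55Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>https://refeds.org/profile/mfa</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11">
      <saml:AttributeValue>https://refeds.org/assurance</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/assurance/ID/unique</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/assurance/IAP/low</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/assurance/ATP/ePA-1m</saml:AttributeValue>
      <saml:AttributeValue>https://refeds.org/assurance/profile/cappuccino</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_assurance(assertion_xml):
    """Return (set of eduPersonAssurance values, AuthnContextClassRef or None)."""
    root = ET.fromstring(assertion_xml)
    values = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EDUPERSON_ASSURANCE:
            for v in attr.iterfind("saml:AttributeValue", NS):
                if v.text and v.text.strip():
                    values.add(v.text.strip())
    accr = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    context = accr.text.strip() if accr is not None and accr.text else None
    return values, context


def meets_profile(values, profile):
    """True if the IdP asserted RAF compliance and either the profile value
    itself or every component the profile is assumed to require."""
    if RAF not in values:
        return False  # no RAF compliance claim: the other values are meaningless
    if profile in values:
        return True
    return PROFILE_COMPONENTS[profile] <= values


def authorize(assertion_xml, required_profile, accepted_contexts):
    """Decide access for one federated login. accepted_contexts is the set of
    AuthnContextClassRef URIs the service treats as sufficient."""
    values, context = extract_assurance(assertion_xml)
    if not meets_profile(values, required_profile):
        return False, "identity assurance below required profile"
    if context not in accepted_contexts:
        return False, "authentication context not accepted"
    return True, "ok"


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION, CAPPUCCINO, {REFEDS_SFA, REFEDS_MFA}))
    print(authorize(SAMPLE_ASSERTION, ESPRESSO, {REFEDS_MFA}))
```

A low-risk service would call `authorize(..., CAPPUCCINO, {REFEDS_SFA, REFEDS_MFA})` and a high-risk one `authorize(..., ESPRESSO, {REFEDS_MFA})`; with the sample assertion the first succeeds and the second is refused because the IdP only asserted IAP/low. Whether a service counts an MFA context as satisfying an SFA requirement is left to the caller's `accepted_contexts` rather than hard-coded, since the abstract presents the two profiles as independently usable.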

To gain practical experience with these specifications, a pilot including various SAML Identity Providers and Service Providers exposed to eduGAIN has been deployed.

This presentation will cover the REFEDS Assurance Framework and the associated, independently usable authentication profiles REFEDS Single Factor Authentication Profile and REFEDS Multi Factor Authentication Profile. We will also discuss the results of the first pilot implementations in the US and EU and engage attendees on any barriers they see to their own adoption of this key enabler for federated access to sensitive research resources.

[1] InCommon Assurance Program:
[2] REFEDS Assurance Working Group:
[3] REFEDS Assurance Framework (DRAFT):
[4] AARC Deliverable DNA3.1: Differentiated LoA recommendations for policy and practices of identity and attribute providers, applicable to research use cases:
[5] REFEDS Single Factor Authentication Profile (DRAFT):
[6] REFEDS Multi Factor Authentication Profile:


Speaker Pål Axelsson SUNET (Swedish University Computer Network)

Speaker Thomas Barton University of Chicago

Speaker Jule Ziegler GEANT/NTUA

Primary track Trust & Identity
