Interfederation and eduGAIN
Today, many countries have established a national authentication and authorization infrastructure (AAI) like Switch edu-ID. They are mostly SAML-based, which makes them technically interoperable with each other. Interfederation takes place when a user from one federation accesses a service registered in another federation. The interfederation service eduGAIN allows Switch edu-ID users to access services operated by universities and research organisations all over the world. Vice versa, services in Switch edu-ID can also be configured to accept federated users from other federations. Interfederation enables research and education activities to scale their services worldwide. Currently, eduGAIN is the only global interfederation service that Switch edu-ID supports, as it is by far the largest and nowadays almost the only interfederation service relevant for the worldwide academic community.
Goal of Interfederation
The main goal of interfederation is to extend the community of AAI users to similar user groups beyond the Switch edu-ID federation. AAI users from other countries can more easily access services registered in the Switch edu-ID federation, provided the access control rules allow it. Vice versa, interfederation allows Swiss users to access services operated in other federations. The interfederation service eduGAIN provides the common ground, such as technical standards and policies, on which federations deploy interfederation for their users and services.
How can one benefit from Interfederation?
Opting in for interfederation support as an organisation allows its users to access more services. Users can then access not only services operated in the Switch edu-ID federation but also services worldwide. University staff members, researchers and students will be able to participate in research projects that use eduGAIN for authenticated access to their collaboration tools.
Opting in for interfederation as a service expands the range of users who can potentially access the service to a worldwide target group. Of course, a service can still define access control rules that admit only well-defined users, e.g. from particular countries or universities, or even hand-picked individuals.
The above explanations are also summarised in this video:
What is eduGAIN?
Interfederation is the general term for interconnecting services with federated login across the boundaries of an identity federation like Switch edu-ID. eduGAIN is an interfederation service developed and operated by the European GÉANT project. It is governed by its currently more than 80 member federations worldwide. It was one of the first and is currently the largest interfederation service in operation. Its purpose is to provide a common set of technical standards, harmonisations, rules and policies that allow services and organisations from many countries to exchange trustworthy and standardised identity information about academic users accessing federated services.
Although GÉANT is a European research project, eduGAIN accepts federations world-wide. More than 80 federations have joined eduGAIN so far.
Who is participating in eduGAIN?
The eduGAIN interfederation service started in May 2011, and Switch was involved in its creation even before its launch via the GÉANT project. Since then, many national identity federations like the Switch edu-ID federation have joined eduGAIN and are ready to interconnect interested services and organisations with eduGAIN. When a federation joins eduGAIN, typically not all of its organisations and services join as well. Each organisation and service of that federation can then decide for itself whether it wants to opt in to interfederation support or not.
How can users of my organisation access Interfederation services?
Every organisation can individually opt in to participate in interfederation via eduGAIN. When a Switch edu-ID Home Organisation wants to enable interfederation support, it should first contact the Switch edu-ID team to discuss the details. Next, the configuration of the Identity Provider needs to be slightly adapted, which is very easy if an organisation has already fully adopted Switch edu-ID. The procedure is described on the Identity Provider Interfederation page.
So far, about 90% of all organisations and their users in the Switch edu-ID federation are interfederation-enabled.
From a data protection point of view, an organisation should ensure that its Identity Provider is configured according to the legal recommendations described on the page Legal Templates for Switch edu-ID. In particular, it is recommended to deploy a user attribute consent module, so that users see and approve which attributes are released to a service before they are sent.
How can a service be interfederation-enabled in eduGAIN?
Every service can individually enable interfederation and thus become part of eduGAIN, provided the organisation responsible for its operation has already enabled interfederation support for its users. Currently, only SAML services can opt in to eduGAIN. To enable a SAML service for interfederation, and thus allow certain international users to use it, the configuration of the Service Provider needs to be adapted. The whole procedure is described on the Service Provider Interfederation page.
To start this process, contact eduid@switch.ch and the Switch edu-ID team will support you in getting ready for Interfederation!
Note: Interfederation for a Switch edu-ID Federation Partner Basic is available as a paid option to cover the additional support effort required. Details are available on request.
Which institutions are already interfederation enabled?
Organisations shown with a green dot on the map of all organisations are interfederation-enabled. Their users can access eduGAIN services.
Can users of an organisation that has enabled interfederation support access all eduGAIN services?
When interfederation support is enabled for an Identity Provider, the IdP also loads metadata for all Service Providers published in the central eduGAIN metadata file. The Identity Provider should not load the eduGAIN metadata directly but instead use the copy provided by Switch, which is available on the Switch metadata page. The next section lists which entities are filtered out of the eduGAIN metadata file provided by Switch, so not every eduGAIN service is necessarily reachable.
Switch edu-ID filtering policy for eduGAIN metadata
The interfederation metadata files served via the Switch metadata page by default contain all entities (Service and Identity Providers) available via eduGAIN. However, the following entities are filtered out by Switch:
- A. Entities already registered in the Switch edu-ID federation
When a service enables interfederation support, it typically loads two metadata files: one for the entities in the Switch edu-ID federation and one containing the interfederation entities. Some services would appear in both files. Filtering all Switch edu-ID entities out of the interfederation file prevents problems with duplicate entity descriptions being loaded.
- B. Entities endangering the stable operation of the federation
Switch reserves the right to filter out entities from the eduGAIN metadata that contain invalid or malformed data. Such malformed data could affect the stability and stable operation of services in the federation.
- C. Entities posing a security or privacy risk to end users and services
Compromised entities that misuse user data can be filtered out without notice. This may also include entities that have not (yet) been filtered out by the eduGAIN security team.
- D. Entities not in line with Switch edu-ID federation registration practices
The policies according to which eduGAIN member federations register entities vary from federation to federation. Entities registered by other federations are sometimes not compliant with Switch edu-ID federation policy or not welcome. In these cases it is unlikely that these entities could be registered directly in the Switch edu-ID federation as a Federation Partner. Switch and its university communities have decided to filter the following entities out of the eduGAIN interfederation metadata file provided by Switch for participants in the Switch edu-ID federation:
- Commercial student validation services: affected services will be removed from the Switch edu-ID interfederation metadata file after prior notification a few months ahead. Not affected are non-commercial services and the InAcademia service, which is operated by GÉANT and whose revenue helps sustain the operation of eduGAIN.
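The following is an added example (Python, not Switch's own tooling) of how filters A to C above can be applied to an eduGAIN-style metadata aggregate before an IdP or SP loads it, and of the duplicate-entity problem an SP would hit if it loaded an unfiltered eduGAIN file beside the Switch edu-ID file. The registrar URLs, entityIDs, endpoints and block list are assumptions made up for the example; filter D is a policy decision and is not modelled. The example also refuses an aggregate whose validUntil has passed. A real consumer verifies the aggregate's XML signature before doing any of this, which the example omits.

```python
"""Filter an eduGAIN metadata aggregate before a local IdP or SP loads it.
Added example, not Switch code: it models filters A (entities already registered
locally, recognised by mdrpi:RegistrationInfo), B (malformed entries) and C (a
block list); filter D is a policy judgement and is not modelled. All URLs,
entityIDs and the block list are constructed; a real deployment also verifies
the aggregate's XML signature before filtering."""
from datetime import datetime, timezone
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi"}
LOCAL_REGISTRAR = "https://registrar.local-federation.example/"   # assumed value
OTHER_REGISTRAR = "https://registrar.other-federation.example/"   # assumed value
ENDPOINT_TAGS = ("AssertionConsumerService", "SingleSignOnService")

def _entity(entity_id, registrar, acs_location=None):
    """One SP EntityDescriptor for the sample; acs_location=None omits the role
    descriptor entirely, which is one kind of malformed entry."""
    role = "" if acs_location is None else f"""
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="{acs_location}" index="1"/>
    </md:SPSSODescriptor>"""
    return f"""
  <md:EntityDescriptor entityID="{entity_id}">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="{registrar}"/></md:Extensions>{role}
  </md:EntityDescriptor>"""

def _aggregate(entities, valid_until="2099-01-01T00:00:00Z"):
    head = f'<md:EntitiesDescriptor xmlns:md="{NS["md"]}" xmlns:mdrpi="{NS["mdrpi"]}" validUntil="{valid_until}">'
    return (head + "".join(entities) + "\n</md:EntitiesDescriptor>").encode()

# Constructed sample of what a federation operator receives from eduGAIN.
SAMPLE_EDUGAIN = _aggregate([
    _entity("https://sp.local-university.example/shibboleth", LOCAL_REGISTRAR,
            "https://sp.local-university.example/Shibboleth.sso/SAML2/POST"),  # filter A
    _entity("https://sp.partner-abroad.example/shibboleth", OTHER_REGISTRAR,
            "https://sp.partner-abroad.example/Shibboleth.sso/SAML2/POST"),    # kept
    _entity("https://norole.example/sp", OTHER_REGISTRAR),                     # filter B
    _entity("https://badendpoint.example/sp", OTHER_REGISTRAR, "not-a-url"),   # filter B
    _entity("https://compromised.example/sp", OTHER_REGISTRAR,
            "https://compromised.example/acs"),                                # filter C
])
# Constructed local-federation file an SP loads next to the interfederation file.
SAMPLE_LOCAL = _aggregate([
    _entity("https://sp.local-university.example/shibboleth", LOCAL_REGISTRAR,
            "https://sp.local-university.example/Shibboleth.sso/SAML2/POST"),
])
SAMPLE_EXPIRED = _aggregate([], valid_until="2000-01-01T00:00:00Z")
BLOCKED = frozenset({"https://compromised.example/sp"})   # constructed block list

def registrar_of(entity):
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return None if info is None else info.get("registrationAuthority")

def is_malformed(entity):
    """Filter B: no entityID, no role descriptor, or an endpoint that is not an absolute URL."""
    if not entity.get("entityID"):
        return True
    if entity.find("md:SPSSODescriptor", NS) is None and entity.find("md:IDPSSODescriptor", NS) is None:
        return True
    for tag in ENDPOINT_TAGS:
        for endpoint in entity.iter(f"{{{NS['md']}}}{tag}"):
            parts = urlsplit(endpoint.get("Location", ""))
            if not (parts.scheme and parts.netloc):
                return True
    return False

def is_expired(xml_bytes, now=None):
    """A validUntil in the past means the aggregate must neither be served nor loaded."""
    valid_until = ET.fromstring(xml_bytes).get("validUntil")
    now = now or datetime.now(timezone.utc)
    return bool(valid_until) and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now

def filter_aggregate(xml_bytes, local_registrar=LOCAL_REGISTRAR, blocked=frozenset(), now=None):
    """Return (kept entityIDs, {dropped entityID: reason}); refuse an expired aggregate."""
    if is_expired(xml_bytes, now):
        raise ValueError("aggregate expired; refuse to serve stale metadata")
    kept, dropped = [], {}
    for entity in ET.fromstring(xml_bytes).findall("md:EntityDescriptor", NS):
        eid = entity.get("entityID", "")
        if registrar_of(entity) == local_registrar:
            dropped[eid] = "A: already registered in the local federation"
        elif is_malformed(entity):
            dropped[eid] = "B: malformed entity description"
        elif eid in blocked:
            dropped[eid] = "C: security or privacy risk"
        else:
            kept.append(eid)
    return kept, dropped

def duplicate_entity_ids(local_xml, interfederation_xml):
    """Entities an SP would load twice if filter A were not applied."""
    def ids(xml):
        return {e.get("entityID") for e in ET.fromstring(xml).findall("md:EntityDescriptor", NS)}
    return ids(local_xml) & ids(interfederation_xml)

if __name__ == "__main__":
    print(filter_aggregate(SAMPLE_EDUGAIN, blocked=BLOCKED))
    print("duplicates without filter A:", duplicate_entity_ids(SAMPLE_LOCAL, SAMPLE_EDUGAIN))
```

Run stand-alone, the script keeps only the foreign SP, reports the local SP, the two malformed entries and the blocked entity with their filter letter, and shows that the local SP would otherwise appear in both files. In production the same decisions are made by the metadata filters of the IdP or SP software, and the registrationAuthority check relies on the aggregate being signed by the interfederation operator, since an unsigned aggregate could claim any registrar.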