Tangui Coulouarn, DeiC/GÉANT
In this talk, we will show how the InAcademia Service – a production service managed by GÉANT in collaboration with different NRENs – contributes to making interfederation easier in the field of T&I in research and higher education.
Federated identity and single sign-on greatly simplify identity management in the R&E sector. In the last ten years, interfederation through eduGAIN has turned what used to be isolated national ecosystems into a global ensemble with over 70 federations and 8000 identity providers and service providers. However, eduGAIN is also a complex environment: federation policies differ, so some services accepted by certain federations are not accepted by others because they do not fit with the goals of the federation, and attribute release is sometimes unreliable. Various efforts have been made in the past to overcome this complexity, most notably the introduction of entity categories, which were intended to simplify and harmonise attribute release.
How does InAcademia come into the picture? InAcademia is a Service Provider proxy available in eduGAIN. It is a lightweight alternative to full federated identity access for merchants, with minimal and pseudonymised attribute release that helps preserve user privacy. InAcademia was designed to protect the privacy of users who are asked to prove their academic affiliation when signing up for discounts on retail products and services. It has been in production since 2020 and is used by commercial retail services outside the normal scope of national federations. Downstream services include Spotify, BackMarket, Autodesk, YouTube and myUNiDAYS. Its benefits to the academic federated identity community are that it blocks retailers’ access to the multiple attributes that are usually available when using federated identity, and it provides an opportunity for federation operators to learn more about how their community of IdPs operates, based on operational data from real-life usage.