Interfederation and eduGAIN
Today, many countries have established a national authentication and authorization infrastructure (AAI) like SWITCHaai. They are mostly SAML-based, which makes them technically interoperable with each other. Interfederation takes place when a user from one federation accesses a service that is registered in another federation. Interfederation services like eduGAIN allow SWITCHaai users to access services operated by universities and research organizations all over the world. Vice versa, services in SWITCHaai can now also be configured to allow AAI users from other countries. Interfederation enables research and education activities to scale their services world-wide.
Goal of Interfederation
The main goal of interfederation is to extend the user community of AAI users to similar user groups beyond the SWITCHaai federation. Provided access control rules allow it, AAI users from other countries can more easily access AAI services registered in SWITCHaai. Vice versa, this will allow Swiss users to access AAI services registered in federations from other countries. Interfederation services like eduGAIN provide a common ground for the federations, such as technical standards and policies, to deploy interfederation for their users and services.
How can I benefit from Interfederation?
Opting-in for interfederation support (and thus also for eduGAIN) will allow the users of an organization to access more services. They can not only access services registered in SWITCHaai but also services operated worldwide. In particular, university staff members, researchers and students will be able to participate in research projects that use interfederation (eduGAIN) for authenticated access to their collaboration tools.
Opting-in a SWITCHaai service to eduGAIN allows creating access control rules not only for Swiss higher education users but also for interfederation users from all over the world.
The above explanations are also nicely illustrated and summarized in the short movie below.
What is eduGAIN?
Interfederation is the general term describing the interconnection of AAI services across the boundaries of an identity federation like SWITCHaai. eduGAIN is an interfederation service that is developed and operated by the European GÉANT project. It is one of the first and currently the largest interfederation service in operation. Its purpose is to provide a common set of technical standards, rules and policies that allow services and organizations from many countries to provide and use AAI-enabled services.
Although GÉANT is a European research project, eduGAIN accepts federations world-wide. Many non-European federations have already joined eduGAIN.
Who is participating in eduGAIN?
The eduGAIN interfederation service started in May 2011. Since then many national AAIs like SWITCHaai have already joined eduGAIN and are ready to interconnect interested services and organizations to eduGAIN. If a federation joins eduGAIN, this does not imply that all of its organizations and services also join eduGAIN. Each and every organization and service of that federation can then decide whether it wants to opt-in to support interfederation or not.
How can users of my organization access Interfederation services?
Every organization can individually opt-in to participate in interfederation via eduGAIN. When a SWITCHaai Home Organization wants to enable interfederation support, it first needs to contact the SWITCHaai team to discuss the details. Next, the configuration of the Identity Provider needs to be adapted. The procedure is described on the Identity Provider Interfederation page.
BTW: The formerly required signing of the 'SWITCHaai Interfederation Access Declaration' is no longer necessary since SWITCHaai, including the interfederation option, is covered by the SWITCH edu-ID Service Description, effective since spring 2018.
From a data protection point of view, a Home Organization should ensure that the Identity Provider is configured following the legal recommendations as described on the page Legal Templates for SWITCHaai. In particular, it is recommended to deploy a user attribute consent module.
Start this process now, by contacting firstname.lastname@example.org and the AAI team will support you in getting ready for Interfederation!
How can my AAI service become part of Interfederation?
Every AAI service can individually opt-in to participate in interfederation via eduGAIN, provided the Home Organization has already decided to make use of the interfederation option. To enable a SWITCHaai service for interfederation and thus allow international users to use the service, the configuration of the Service Provider needs some adaptations. The whole procedure is described on the Service Provider Interfederation page.
To start this process, contact email@example.com and the AAI team will support you in getting ready for Interfederation!
Note: Interfederation for a SWITCHaai Federation Partner Basic is available as a paid option to cover the additional support effort required. Details are available on request.