Digital Identities, SWITCHaai and OpenID

Several people asked how SWITCHaai relates to OpenID and what role OpenID could play together with SWITCHaai. This motivated us to write down our ideas. We take a somewhat broader view in first looking at digital identities and its characteristics before going into more details.

Table of contents

  1. Management Summary
  2. Terminology
  3. Characteristics of Digital Identities
  4. Introduction to SWITCHaai and OpenID
  5. Identities in SWITCHaai
  6. Identities in OpenID
  7. A role for OpenID in SWITCHaai?
  8. How one could issue OpenID Identities in SWITCHaai?
  9. Other protocols and technologies beyond SAML and OpenID?
  10. Conclusions
  11. References

0. Management Summary

To be written.

1. Terminology

Let's first look at some terms and how they relate to each other.

Individual
An individual is a single human being, therefore unique.
Identity, Digital Identity
Every individual can have and usually has its identity asserted by a variety of authorities. Which identity assertion to use when is generally set by the context. Identities can also be asserted digitally, as digital identities, beyond the physical representations.
Examples: Official identity card or passport, a company card, a students card, a membership card of a sports club, digital identity asserted by an AAI Identity Provider.
Role
A role is function in which an individual acts in a particular context. In a job, one can have one or more roles. In private life, one assumes multiple roles.
Example: A woman could be mother, work as a teacher, study literature in further education, play tennis in a club and be chairman of a local interest group.
Privilege, Access Right
A privilege, in the digital world mostly referred to as access right, is granted to one or more individuals. Mostly, privileges are granted to a group of people defined by their roles or by the institutions asserting their identities.
Examples: By showing a valid passport, the holder can enter another country. The membership card of the tennis club provides access to the tennis centre. A student with an AAI enabled account gets access to an e-learning course.

2. Characteristics of Digital Identities

2.1 Professional vs. Private Identities

You have one or more professional roles and multiple private roles. Therefore, you generally have multiple digital identities.

You might prefer to distinguish between your professional life and your personal life. So you have to decide which digital identity fits a given context.

For a Wiki used for your job you want to use a different digital identity than for access to your favourite game platform.

Likewise, most users in higher education already use at least two e-mail addresses: one from the institution, one or more private ones. With mail forwarding in place, all mails might still end up in a single mailbox.

2.2 Assurance of a Digital Identity

Digital identities get issued after a registration process. The assurance a digital identity can provide, varies depending on the details verified during the registration.

The verification of an official photo ID card proves the real identity of an individual much more reliably than a simple e-mail delivery verification.

2.3 Acceptance of a Digital Identity Issuer

Anybody can issue digital identities. What counts is which identity providers get accepted by what services. Each service decides from which third party to accept identity assertions. The service has to trust the issuer. This trust is based on the assurance an issuer can provide.

2.4 Attributes linked to Digital Identities

Depending on the origin of a digital identity, different sets of attributes can describe the individual using this identity.

A digital identity from a university can result in an assertion for an individual to being a student or staff member of that institution.

2.5 Reputation of a Digital Identity

The reputation of a digital identity is closely linked to the reputation of the issuer. Attributes are much more valuable if asserted by a reputed issuer. eBay is one of the systems in which a person can improve its originally very low digital identity reputation based on well rated transactions.

2.6 Duration of Existence

A digital identity may end. Either because the issuer stops its identity service, the user didn't pay the fee or a professional identity is likely to cease on job termination.

Especially if an individual relies on a digital identity for access to multiple services, the identity should last as long as the access to these services is needed.

Assume a user identified to a dozen services using his professional digital identity, which ends together with his job. Some of these services are independent of his job and he wants to continue to use them.

Before his job ends, for each of these services the user has to associate a new digital identity to his existing profile! Only that will allow him to continue to use this service without loosing his settings and track record! However, few services offer this capability today.

2.7 Data Track of a Digital Identity

Using a single digital identity for multiple purposes in a variety of contexts is possible and often convenient. However, it should be carefully decided what to mix, to prevent leaving behind unwanted data tracks. Tracking a users activities across multiple services is made easy if he uses a single identity. That is prevented only by using service specific the digital identities derived from a single identity.

3. Introduction to SWITCHaai and OpenID

3.1 SWITCHaai

SWITCHaai is the Swiss Authentication and Authorization Infrastructure for higher education and research. It started with the pilot service in 2004 and production service in autumn 2005. Today, the federation covers more than 95% of Swiss higher education users and provides them access to more than 250 service providers. The original use case were the e-learning platforms, now a wide variety of services are integrated into the SWITCHaai federation. [1]

The SWITCHaai federation is a legal, trust and interoperability framework. It is deployed using the open source Shibboleth [2] software.

Currently, the SWITCHaai federation is based on Shibboleth 1.3. Migration to the backwards compatible version 2.x just started. Shibboleth 2.x implements the open standard SAML 2.0 [3] from OASIS, while Shibboleth 1.3 is based on the earlier SAML 1.1 specification.

3.2 OpenID

OpenID [4] is like SAML a technical standard. It offers a framework for dealing with user-centric digital identities. OpenID has evolved from its first specification to OpenID 2.0, released in December 2007.

OpenID is still in its adoption phase. What is deployed today is mostly based on OpenID 1.

A white paper compares OpenID and SAML in great detail, also from a security stand point [5]. Its content is not repeated here.

4. Identities in SWITCHaai

In SWITCHaai, students and staff members of the participating Home Organizations use their professional identity issued by their university to authenticate for access to services. The services used are closely related to the subject of study or work.

The assurance of the identity is linked to the study enrolment or to staff employment. During that registration process the identity of the individual gets verified.

The university can reliably assert attributes like affiliation or study branch since it is the authority for this information.

One generally looses the identity after finishing the studies or when moving on to another university or employer.

Service providers in SWITCHaai expect to be able to trust in assertions issued by an identity provider of a federation member. This trust is based on the federation framework.

Mostly, service providers expect a simple assertion whether a person is member of any or of a particular institution in Swiss higher education. Far less, a more specific assertion is required like 'the person studies medicine'.

OpenID

5. Identities in OpenID

With OpenID as deployed today, a user generally gets an identity by self-registration based on e-mail delivery verification. Therefore, an identity provider can authoritatively assert only: 'This individual successfully received an e-mail at the given address at the time the identity was established'. All further information the issuer can assert is unverified and as stated by the user.

OpenID providers could manually verify additional facts on registration, but that is a costly process. Most OpenID identities in use today get issued for free.

Service providers using OpenID today generally do not expect better assurance than one time e-mail delivery verification. That is good enough for the typical services protected by OpenID authentication. These are blogs, wikis, portals or forum applications. They are primarily used for personal interest, not directly linked to the job.

The primary benefit of using OpenID is to recognize a user returning to a service in order to provide him his personalized environment. The user has the advantage of having less user credentials to take care of. The service provider benefits from not having to manage user credentials himself.

The relationship between the service provider and the identity provider is very loose and informal:

  • In case a user causes problems at a service provider, there are no reliable means to follow-up on this with the identity provider. The identity provider has no obligations towards the service provider.
  • The identity provider has no assurance on well behaving of the service providers. This is mainly relevant concerning data protection. What does the service provider with the information it receives from the identity provider? There is no legal or trust framework to rely on when required.

6. A role for OpenID in SWITCHaai?

Derived from the SWITCHaai identity, it would be possible to supply users with an OpenID identity. Since it depends on the user account at the users Home Organization, the OpenID identity exists only as long as the user is affiliated with that Home Organization. That limits its usefulness to services directly linked with the study or job in Swiss higher education.

One could see OpenID 2.0 as a low-end addition to SWITCHaai, a somewhat simpler to deploy solution for blogs, wikis, portals with low needs. On the other hand, a Shibboleth Service Provider is not that difficult to deploy anymore. Often, the most difficult part seems to be to outfit the web server with a server certificate. That stays the same whether you use Shibboleth or OpenID.

SWITCHaai is currently focused on Shibboleth 1.3 and will migrate to SAML 2.0 with the deployment of Shibboleth 2.x. With OpenID, SWITCHaai would become a multi-protocol federation. That would add new complexity and likely confusion.

7. How one could issue OpenID Identities in SWITCHaai?

Shibboleth 2.x is a multi-protocol open source platform [6]. So anyone interested could write an extension for the IdP to support OpenID as an additional protocol. That way, each Home Organization installing that extension on their IdP could issue OpenID identities.

On the other hand, a gateway consisting of an OpenID identity provider with access controlled by SWITCHaai could issue OpenID identities for SWITCHaai users. For demo purposes and for SWITCH employees only, SWITCH deployed such an issuer based on simpleSAMLphp [7].

Without a life-long digital identity to build on, both options are of limited use as discussed above.

8. Other protocols and technologies beyond SAML and OpenID?

Sure! It is a rather new field and many more flowers may sprout over time. One of them is OAuth [8]. On the web page, OAuth is described as: "An open protocol to allow secure API authentication in a simple and standard method from desktop and web applications." OAuth does not require a specific authentication method.

OAuth is very new, the core specification v1.0 was released in December 2007. OAuth claims to have taken the best out of the proprietary protocols like Google AuthSub, AOL OpenAuth, Yahoo BBAuth, Upcoming api, Flickr api, Amazon Web Services api, etc.

Another candidate is CardSpace [9] from Microsoft. Wikipedia [10] describes it as follows: "Windows CardSpace (codenamed InfoCard), is Microsoft's client software for the Identity Metasystem. CardSpace is an instance of a class of identity client software called an Identity Selector.

CardSpace stores references to users' digital identities for them, presenting them to users as visual Information Cards. CardSpace provides a consistent UI that enables people to easily use these identities in applications and web sites where they are accepted."

9. Conclusions

With SWITCHaai, we have a production infrastructure in place for higher education supporting today's primary authentication and authorization needs. Access to study or research related web browser based applications can be easily protected and managed. A service deciding to use SWITCHaai for authentication and controlling access can rely on the authoritative information managed by the institution where the user is registered. Part of that assurance is also that the digital identity ceases to exist once the user leaves the institution.

So for now, SWITCHaai sees no need to extend its service beyond the currently supported SAML technology to OpenID. The relevance of OpenID and other technologies is regularly reviewed and reconsidered in order to keep SWITCHaai aligned to changing user community needs and an evolving technology environment.

10. References

[1] http://www.switch.ch/aai/
[2] http://shibboleth.internet2.edu/
[3] http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#samlv20
[4] http://openid.net/
[5] http://identitymeme.org/doc/draft-hodges-saml-openid-compare.html
[6] https://wiki.shibboleth.net/confluence/display/DEV/Supported+Protocols
[7] http://rnd.feide.no/simplesamlphp
[8] http://oauth.net/
[9] http://msdn.microsoft.com/CardSpace
[10] http://en.wikipedia.org/wiki/Windows_CardSpace

Feedback?

Feedback on this document or on SWITCHaai in general is very welcome.
Please write to aai@switch.ch.

Date of Last Revision

31. Octobre 2008