The AARC and GEANT GN4 projects are studying the requirements on Level of Assurance (LoA) of Service Provider (SP) communities (such as research infrastructures/communities, e-infrastructures and research centres). The survey results will serve the future development of federated authentication and authorization in the set-up where an end user's Home Organisation (e.g. the university or research institute employing the researcher) issues him/her the authentication credentials and authenticates him/her. The survey results will be published.
...
- Identity vetting: how an end user demonstrates his/her identity at the time when s/he receives the authentication credential from his/her Home Organisation (e.g. by presenting a government photo-id face-to-face at a registration desk, or by self-registration on-line)
- Authentication: how an end user proves his/her identity to his/her Home Organisation's Identity Provider (IdP) server when s/he logs in (e.g. a password, or multi-factor authentication with a certificate or token)
...
- researchers with a Home Organisation (that operates or potentially operates an IdP)?
- citizen scientists?
- students with a Home Organisation (that operates or potentially operates an IdP)?
- else/what?
If you are a research community
- is affiliation of a researcher (user) with your community typically longer lived than any organizational affiliation or employment, or does community membership stem primarily from organizational affiliation?
- do you consider yourself also as a source of (identity) assurance for your community members?
3. Questions on Identity and Authentication
...
- all user identities (accounts in the Home Organisation) belong to an individual person (i.e. there are no shared accounts like "libraryuser1", and any robot/automated agent is traceable to a named person)?
- and all users are traceable (i.e. the Home Organisation knows who they are and can reach them)?
- and the Home Organisation is willing to collaborate with you if you think their user misbehaves in your service?
- that you (as an SP) can block him/her from your service?
...
- Is password-based authentication good enough for you?
- Should passwords have some kind of quality floor? (What kind of quality floor?)
- Do you need two-factor authentication? (What kind?) Are you willing to share its costs?
3.4. Step-up authentication as a service
...
In larger universities the IdP/IdM gathers users' attributes from several registries (payroll system, CRIS (current research information system), student registry) with varying data quality. Some attributes may even be self-asserted by the user him/herself.
...
- Is it enough for you that a Home Organisation self-asserts that it complies with a certain LoA level?
- Should some external body have enforcement rights (e.g. the Home identity federation can remove the "compliant" tag from a Home Organisation if there are doubts that the Home Organisation fails its LoA level)?
- Are internal periodic self-assessments needed? Should these be reviewed (or open to review) by e.g. the Home identity federation or federation peers?
- Are internal audits needed where the auditors are from an independent organization unit?
- Are external audits needed? Are you willing to share their costs?
...