Completed activities
Ongoing activities
Pending ideas
Student projects
Active members
Iterations
The GN4-3 WP5 T2 Trust and Identity Incubator (“T&I Incubator”) aims to develop, foster and mature new ideas in the Trust and Identity space in Research and Education. The incubator will investigate new technologies that currently have no place (yet) in the services ecosystem of the GÉANT project. This may include to test and experiment with potential new features for existing GÉANT services. In addition also business case development for potential new services and developments that would improve data protection and privacy aspects in services or software are in scope.
The T&I incubator runs four to eight incubator activities per project year in parallel. These incubators typically take about 6 months and employ an agile methodology to enable rapid development of ideas. Preferably at least two subject matter experts work together with support from the project team. Subject matter experts are recruited from within the team or, preferred, sponsored by their NRENs. In addition, the project team facilitates the incubator track by providing a scrum master and dedicated developers.
Main Incubator Board (MIB) aims to represent a broad view on Trust and Identity related developments in R&E. MIB members are senior subject matter experts from the European NREN trust and identity community. They evaluate new ideas and provide advice to the work package lead. They are also responsible for reviewing activities at the end of each incubator cycle and providing recommendations on how to proceed. The incubator team presents their results regularly to the the MIB's and the wider community. In the middle and at the end of a cycle there are two events public events, so called sprint demos.
Community Tagging
Research communities have a need to express and potentially share certain trust marks on IdPs and SPs. These trust marks may differ from existing trust marks issued by identity federations. This is why this activity implemented a proof of concept based on a given set of community requirements and investigated in potential scenarios and impacts.
Activity page-
Results & Deliverables
The following results were created and delivered:
- Community Tagging GAP analysis
- Proof of concept using Access Check Tool in conjunction with Jagger
- Video: create a federation and new entity catergory
- Video: Access Check
- Video: Jagger after Access Check
-
Ownership & Utilisation
The work has been concluded. Documentation on the prototype is available.
Community-Based Trust
This activity examined how identity vetting and token registration can be scaled for second-factor authentication scenarios where participants are distributed over EU and beyond. As part of this activity a specific flow - based on a community-based approach - was investigated. It takes into account the concept of the Web of Trust. While this mechanism typically does not work well in broad user groups, it is very well suited to distribute trust between small groups where a pre-existing trust fabric is already in place, as we typically have in research communities. What was missing is a means to make this trust network auditable and transparent. In order to make the trust network transparent, this activity identified and developed tools to support this flow.
Activity page-
Results & Deliverables
The following results were created and delivered:
-
Ownership & Utilisation
The outcome is intended to be used in the scope of research communities. In collaboration with the eduTEAMS task the results can be used to provision and improve the Stepup solution of the GÉANT service.
Cryptech HSM
In many of the T&I services in the R&E sector, there is a need to securely store sensitive data like key material. Currently, this is rarely done using Hardware Security Modules (HSM) as they are associated with high costs. The goal of this activity was to evaluate the capability and applicability of affordable devices from the Cryptech project for use cases within the GÉANT project and to set up devices for testing purposes.
Activity page-
Results & Deliverables
The following results were created and delivered:
- Evaluated usage of Diamond Key appliances and capabilities
- Detailed community use-cases for HSM
-
Ownership & Utilisation
The work could not be concluded as Diamondkey seased operations during the evaluation period.
Discovery Pilot
Discovery is used in Federated Identity Management to locate the users home organization. This activity evaluated the pilot discovery service ran in the previous GÉANT project and investigated if/how the implementation technology Seamless Access developed within the RA1 project can be used for an implementation in eduGAIN.
Activity page-
Results & Deliverables
The following results were created and delivered:
- DSX Dsicovery Service Feedback Report
- Preparation of handover to eduGAIN service activity
-
Ownership & Utilisation
The work has been concluded in the Incubator and was handed over to the eduGAIN service task for the purpose of making a production service.
SFA - Distributed Vetting
Several research communities, especially in the life sciences domain, have a need to use second factor authentication to improve the quality of their authentication. One of the challenges identified was how to securely vet the second factor tokens of the participants of a collaboration in a case where the members of the collaboration are very distributed, as is the case in most pan-EU research collaborations. This activity investigated, together with research communities, how the token registration can be scaled for scenarios where participants are distributed over the EU and beyond. The aim of this task was to identify ways this vetting can be done.
Activity page-
Results & Deliverables
The following results were created and delivered:
-
Ownership & Utilisation
A final report was delivered. The activity will continue for another Incubator cycle.
eduLNK
eduLNK aims to provide software and potentially a servcie for a secure, persistent and privacy
preserving link shortener for research and education.
Link shorteners reduce a lengthy URL on the internet to something short and snappy, and
sometimes easy to remember. As such it is a very well used and liked functionality within our
community. Many ‘free’ link shorteners exist, however, their free nature comes with a number
of challenges, including serving advertisements and data mining the users behaviour and
interests. Next to privacy concerns, many free link shorteners have a limited lifetime for the
links they present. This is especially challenging in cases where the link shortener was used
in, or to reference scientific articles, where the intent is to long term preserve the
relation between the article and the references. Finally due to its proxy like nature, it is
impossible to known where a link will actually lead. This makes link shorteners very
‘interesting’ tools to lure people into selecting links that lead to e.g. malware. eduLNK
aspires to deliver a product from and for the communtiy which can be trusted and used securely
in a privacy preseving way.
-
Results & Deliverables
This activity is work in progress at the time of writing.
-
Ownership & Utilisation
This activity is work in progress at the time of writing.
Instant User Provisioning
Some systems, like non-web services, cannot be federated easily because they need user accounts to be provisioned before they can login. A prototype of an instant deployment tool called FEUDAL was developed by KIT. It facilitates provisioning of user accounts using virtual organisations (VO). Feudal is based on OIDC: It is an OIDC client, and it simply transports the information of the /userinfo endpiont along. Feudal is based on the concept of VOs (or authorisation Groups), i.e. the end services provide the information which VOs it supports. Feudal web fronted will only display services for provisioning to a given user based on his VO membership.
Activity page-
Results & Deliverables
The following results were created and delivered:
-
Ownership & Utilisation
The aim of this project was to create an easy to use, adoptable software solution to provision server users and provide this tool to the community. The solution is ready to be picked up and further developed and used by KIT. They plan to use this software in two "Helmholtz" projects HDF and HIFIS in Germany for the foreseeable future. Besides this, the solution was adjusted to the needs of eduTEAMS. The solution was provided to the eduTEAMS service task to be integrated into the GÉANT service.
Identity Validation Broker
Both research communities as well as institutions have a need for proper proof of the identity
of their users. This ranges from cases where e.g. new students living abroad need to be
identified as part of the boarding into an institution, to scenarios where access to (medical)
data puts regelatory demands on the research community. Identity proofing is however expensive
and scales very poorly, especially in cases where the users are (very) distributed. Multiple
vendors offer digital, web based identity proofing services already, but these service are not
very cheap, procurement of such a service is a lengthy and potentially expensive effort and in
addition, each vendor offers its own, proprietary API. These factors hinder uptake and
deployment of identity proofing within our community and also impedes switching between
vendors.
This activity investigates, based on requirements collected from multiple stakeholders, if and
in which way this situation may be improved.
-
Results & Deliverables
This activity is work in progress at the time of writing.
-
Ownership & Utilisation
This activity is work in progress at the time of writing.
IdP as a Service
The former GN4-2 project developed a solution to offer an IdP as a Service solution (IdPaaS) for hosted IdPs. This activity aimed at investigating the business case of this solution and to create a reference design and implementation for an easy to use software solution to enable NRENS to provide an IdPaaS offering.
Activity page-
Results & Deliverables
The following results were created and delivered:
-
Ownership & Utilisation
The work has been concluded within the Incubator. samlidp.io is available as an open source software for the community and may be used by commercial vendors as well.
Metadata push MDQ
Metadata is at the heart of the trust fabric of current R&E Identity Federations. For the trust to properly propagate, this metadata is first collected from and then distributed by the federation towards the federation members. This activity had investigated a new proposal called "push MDQ", which introduces a new, potentially highly scalable way of distributing metadata.
Activity page-
Results & Deliverables
The following results were created and delivered:
-
Ownership & Utilisation
All changes made to the pyFF software were uploaded to the official software project to be maintained by the IdentityPython group. Furthermore, all results of the push MDQ analysis and the POC were transferred to the eduGAIN service task for further improvement of the GÉANT service.
ORCID as IdP of last resort
Many research collaborations as well as campus services need a solution to deal with guest identity, as in many cases not all users are members of the academic Identity Federations. As a result, several federation operators as well as research collaborations operate IdPs or proxies to allow users to authenticate through external identity providers like social ones. This has led to serious reinventing of the wheel. This pilot aimed to bring the widely used ORCID service into the GÉANT IDhub as Identity Provider of last resort. Furthermore organisational and legal aspects as well as technical improvements were investigated.
Activity page-
Results & Deliverables
The following results were created and delivered:
-
Ownership & Utilisation
The work has been concluded with the results handed over to be further developed in the IDhub to improve the GÉANT service.
pyFF Optimizations
pyFF is an open source and widely used product which is used to provide Discovery and Metadata
Query services for identity federation. This topic investigates optimizations in pyFF
operations, including but not limited to, performance and memory consumption. When processing
the eduGAIN metadata, pyFF memory usage balloons to the gigabytes, hereby inflicting some
extra cost when running on procured VM's like AWS. The startup/restart process speed, and
service behavior while being started/restarted may also be improved. In particular, the
service should never throw 5xx errors while in a normal startup/shutdown process.
The goal of this project is to optimize pyFF memory consumption and (re-)start behavior.
-
Results & Deliverables
This activity is work in progress at the time of writing.
-
Ownership & Utilisation
This activity is work in progress at the time of writing.
Service Status Reporting
The T&I activities of the GEANT project run a multitude of services ranging for eduroam and eduGAIN to InAcademia, eduTEAMS and various smaller helper services for eduGAIN without a single overview of the state of all these services. The highly distributed nature limits our ability to present in a consistent way the status of these services and it hinders us in explaining issues when something is wrong. This is relevant both for members of the GEANT community as well as other other stakeholders like service owners and funding agencies. This activity wanted to create a comprehensive, high level and user friendly publicly facing service dashboard for T&I services. Since many freely or commercially available services for measuring availability already exist this activity investigated and compared them to choose a suitable solution for the GÉANT project.
Activity page-
Results & Deliverables
The following results were created and delivered:
-
Ownership & Utilisation
The result of the market analysis was provided to the T&I service task.
Shibboleth OIDC Extension
Up to now, R&E federations are predominantly relying on the SAML2 protocol. With upcoming needs from industry and commercial service providers the OpenID Connect (OIDC) protocol is increasingly moving into focus. This activitiy supported the development of an Shibboleth OIDC Extension to the Shibboleth IdP and was paving the way to make the extension a fully sustained product.
Activity page-
Results & Deliverables
The following results were created and delivered:
-
Ownership & Utilisation
The work has been concluded and the results were handed over to the Shibboleth consortium. The Extension is certified by the OIDC Foundation.
Status Reporting & Notification
To make the global eduGAIN interfederation scalable and interoperable, it is paramount
participants adhere to agreed upon standards and community best practices. There are currently
already several tools that examine the quality of federation metadata, the connection status
of their IdPs and the attribute release status of their IdPs. The results of these checks are
public but only few federation operators seem to regularly consult the results. To improve
this, a tool will be created which allows all federation operators to receive a periodic
aggragated information on the state of their federation and its entities.
This activity is about creating such a tool by aggragating information from
various sources and preseting this in an attractive, easy to understand way to put this
information readily into the hands of the federation operators.
-
Results & Deliverables
This activity is work in progress at the time of writing.
-
Ownership & Utilisation
This activity is work in progress at the time of writing.
WebauthN
WebAuthn (Web Authentication), part of the FIDO2 Project, is a web standard published by the W3C that enables strong authentication with public-key cryptography, passwordless authentication, and secure two-factor authentication. The standard defines a JavaScript API which allows token registration and subsequent authentication. This activity implemented this API for the open source software SimpleSAMLphp and SATOSA, which enables them to provide 2FA function to the benefit of the R&E community.
Activity page-
Results & Deliverables
The following results were created and delivered:
-
Ownership & Utilisation
The developed modules were submitted to the upstream repositories to be officially maintained by the simplesamlphp groups and CESNET. The software was provided to the eduTEAMS service task to include it into the GÉANT service.
(De)provisioning connector for Windows
Identity provisioning and deprovisioning are a necessity for building modern authentication and authorization infrastructures. They are straightforward yet technically complicated part of identity and access management. The basic idea is to deliver identity and authorization information to the managed services, which is complicated by a lack of applicable standards in this area. Therefore, most of the Identity and access management solutions rely on a custom solution for provisioning. To overcome this obstacle, this project extends existing IAM capabilities by implementing a connector to easily provision data to services hosted on Windows OS based on SSH.
Activity page-
Results & Deliverables
The following results were created and delivered:
-
Ownership & Utilisation
The aim of this project was to create an easy to use, adoptable software solution to provision server users and provide this tool to the community As part of a case study the solution was implemented for a Czech University (Faculty of informatics MU) which will continue to use the solution afterwards. CESNET will continue to use and maintain the software for the foreseeable future. Besides this, the solution shall be adjusted to the needs of eduTEAMS. The solution will be provided to the eduTEAMS service task to be integrated into the GÉANT service.