The Introduction of eduGAIN and CARSI

The Introduction of eduGAIN and CARSI

Today online services are crucial to research and education. Students, teachers, researchers and institution staff rely on them for collaboration through webmail, e-learning, teaching and conferencing, analyzing and sharing data and for accessing journals and libraries. But how do users access all the services they need? How do universities, museums, schools, research centers other research education institutions benefit from their users coming together with more services? And how do the services reach local or global customers? The answer is eduGAIN inter-federation. This passage will tell you what it is and how it works.

 

  1. What is eduGAIN?

The eduGAIN inter-federation service connects identity federations around the world, simplifying access to content, services and resources for the global research and education community. The eduGAIN comprises over 60 participant federations connecting more than 5,000 identity and service providers.

 

With just one trusted identity provided by user’s institution as part of an identity federation participating in eduGAIN, users can access services from other participating federations. Even better, it works with single sign-on (SSO), so that user needs to login only one time during a browser session.

  1. How does eduGAIN work?

Usually, every online service requires a separate account. Service providers have to manage huge numbers of accounts and details. And users have to juggle multiple username and passwords, which also weakens security.

pic1

But many research and education institution provide their users with a single online identity. This gives access to all the services that are available locally within the institution.

 

To bring together a wider pool of users and services, research and education identity federations were created to build trust between the identity-providing institutions and service providers.

pic2

By participating in a federation, an institution can rapidly and cheaply expand the range of services it offers to its users, making it a more attractive place to work or study. Users need only the one trusted identity from their institution to access participating services. They can instantly start to work and collaborate.

pic3

Participating services also get a larger audience of users. And with the identity providers handling the users’ accounts, there is reduced overhead for accounts and user support, so the cost per user is lowered. All these benefits are taken to an international level when identity federations interlink through the eduGAIN service.

pic4

With inter-federation, institutions can further expand their range of services to include those from other federations. Institutions can also choose only trusted services and control which user data to release to preserve user privacy. With inter-federation, services can access an international audience. And these are users who are trusted by their identity-providing institutions. Service providers need sign up with only one federation, instead of with them all separately. This saves more time, effort and money, and is the most efficient way to reach global users. To help inter-federation happen securely, agreements protect the international transfer of data. This international collaboration between federations allows users and services from around the world to interconnect. And this is made possible through eduGAIN.

pic5

3. How to use eduGAIN?

For Identity Federations

Identity federations can join eduGAIN service as a member. If an identity federation meets the requirements for joining eduGAIN, it can initiate the joining process of the eduGAIN Constitution.

The process to join eduGAIN is as follows:

1To apply for membership, the applicant federation signs the eduGAIN Policy Declaration and presents it to the eduGAIN Operations Team (OT).

2The OT confirms that the applicant federation fulfils the requirements of the eduGAIN Constitution.

3Unless the eduGAIN Steering Group (eSG) has decided that the applicant federation does not need further approvals, the OT prepares and presents a proposal to the eSG to approve or reject the application.

4When an applicant is approved, the OT takes the necessary technical steps to register the federation to eduGAIN.

Besides the points mentioned in that section, a more technical description of what information has to be sent to the eduGAIN operations team in order to join eduGAIN is listed on the eduGAIN Technical website and best practices are described on the eduGAIN wiki.

For Service Providers

Joining eduGAIN means joining an eduGAIN member federation. But which one to join? There is no strict rule, but one reasonable option should be to contact the national federation of the country where your organization is located or where the service is geographically operated.

  • How to offer a service in eduGAINprovides a general overview about the aspects relevant for adding a service to eduGAIN. This is a good preparation for the following guide, which goes more into more detail.
  • How to join eduGAIN as Service Providerincludes more concrete step-by-step instructions on what has to be done to legally and technically add a service to eduGAIN.

If you are interested to see which services are already eduGAIN-enabled, have a look at the eduGAIN Services page.

For Identity Providers

Joining eduGAIN means joining an eduGAIN member federation. You should contact the national federation of the country where your organization is located and check the rules and procedures for joining.

How to set up an Identity Provider for eduGAIN provides guides about various aspects relevant for adding an identity provider to eduGAIN.

Different supporting tools for identity and service providers are available at the eduGAIN technical site under the Tools section.

For Users

For users, eduGAIN couldn’t be simpler. When you want to log into a service, you should click on ‘login’ and then select your institution from the list from all the institutions that have been granted access to the service. Sometimes, services will label this as a “Federated Login”. Once you have selected your institution, you’ll be shown the standard login page from your organization. This means that your username and password are not being shared with the service provider.

You might also be asked by your institution to approve the sharing of your details with the service provider. This page would list the attributes being shared (usually name and email address) so that you can be certain what information about you is being requested.

After this, you’ll be logged in to the service provider.

4.Members Federations

Federations in eduGAIN can access in the following website: https://edugain.org/participants/federations-in-edugain/

pic6

5. About CARSI

Initiated by Peking University in Dec 2008, CARSI (CERNET Authentication and Resource Sharing Infrastructure), is an inter-institutional authentication and resource sharing service aiming at Chinese universities, colleges, schools and research institutes. The corner stone for this cross-domain authentication and authorization infrastructure is the campus-wide identity management systems which are daily online services in most Chinese universities.

Based on US Internet2 Shibboleth which is widely adopted by NRENs (National Research and Education Networks), technically there is no barrier for CARSI to connect SPs (Service Providers) or applications deployed on other NRENs, for example, resources provided by EBSCO, Emerald, etc.

On May 24th, 2019, CARSI passed the voting process smoothly of GEANT inter-federation organization eduGAIN and become a full member. After joining, it will be more convenient for CARSI to share resources with other NRENs on standards. A basic platform is built to help Chinese resources to the world. And the management and operation of CARSI will be more standardized.

pic7

References

[1] Chang, Naicheng, Limei Chen, and Alan Hopkinson. "Planning the Taiwan Access Management Federation Based on Shibboleth." Libri 61.2 (2011): 154-64. Web.

[2] Michael, Schmidt, and Ziegler Jule Anna. "An Identity Provider as a Service Platform for the EduGAIN Research and Education Community." 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM) (2019): 739-40. Web.

        [3] "EduGAIN." Wikipedia, The Free Encyclopedia (English). Web.

[4] The GÉANT Tv. "How to Benefit from Interfederating through EduGAIN." (2013). Web.

        [5] "CARSI." https://www.carsi.edu.cn/about_zh.htm.

        [6] "eduGAIN." https://edugain.org/about-edugain/what-is-edugain/.