Improving Identity and Authentication Assurance in Research & Education Federations

  • Jule Anna Ziegler
  • Michael Schmidt
  • Mikael Linden
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11738)


In this paper we present a lightweight identity and authentication assurance framework tailored to the needs of the research & education (R&E) sector. A comprehensive requirements analysis has been carried out, and its findings have been compared with existing assurance frameworks such as NIST 800-63-3, IGTF and Kantara. Due to the special requirements of a federated environment that spans multiple countries, none of the existing frameworks seems to scale in this environment. In this context, conditions such as the independence of organizations and their different organizational cultures and technical capabilities prevent the definition of strict security requirements of the kind most policies demand. The REFEDS assurance suite presented here defines a set of identity and authentication assurance criteria, including two assurance profiles that differentiate between low-risk and high-risk research use cases. The presented approach still incorporates relevant criteria from existing frameworks and has been evaluated by means of a public consultation and a technical pilot. The evaluation has shown successful configuration and testing with Shibboleth and SimpleSAMLphp software, as well as positive feedback from R&E community members.


Federated Identity Management; Trust framework; Identity and authentication assurance



The research leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 731122 (GN4-2) and 730941 (AARC2). The authors wish to thank the project members of GÉANT, AARC2 as well as the REFEDS community for helpful discussions and feedback to continuously improve the work presented in this paper.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Leibniz Supercomputing Centre, Garching near Munich, Germany
  2. CSC - IT Center for Science Ltd., Espoo, Finland
