At the request of the Research Councils UK e-Infrastructure group, Janet established a working group from 2013-2016 to support those providing and using e-infrastructure services in achieving an approach that both protects services from threats and is usable by practitioners. More detail about the group can be found in the Terms of Reference.

The Working Group published the following papers:

E-infrastructures: Access and Security (summary paper) (Jan 16)
Federated Authentication for e-Infrastructures (Sep 14)
Technical Security for e-Infrastructures (Nov 14)
Authorisation/Group Management for e-Infrastructures (May 15)
Policies for e-Infrastructures (Jan 16)
Accounting and e-Infrastructures (Nov 16)

Information about the Working Group's activities, as well as discussion documents, links and recommendations, is linked under the following categories. Unless marked otherwise, all items are works-in-progress and we very much welcome your comments and contributions.

Meetings
Presentations
Case Studies
Discussions
Technologies
References

Andrew Cormack (WG Chair)

Federated Authentication Policies

28 February 2014 at 9:02am

In discussions with e-Infrastructures we’ve spoken quite a bit about federated authentication, so I thought it was worth a quick summary of the federated authentication schemes already available on Janet. And, in particular, what the policies of those federations already offer to Service Providers by way of guarantees. Two federated authentication policies are in full operation: eduroam for network access and the UK Access Management Federation for Education and Research (hereafter 'UK Federation') for web-based services.

Both federations rely on individuals’ home university or college authenticating them using their existing login credentials. In most cases those will be traditional usernames and passwords. Neither federation makes precise demands on things like password strength or expiry – it is presumed that whatever the home organisation considers good enough for its own local purposes is good enough for the remote service too. The UK Federation’s rule 6.3 requires that users are advised on safe password practice, while the eduroam policy requires them to be educated about best security practices.

Both federations require that home organisations may only declare a user to be authenticated if they are a current member of the organisation. UK Federation rule 6.4.1 requires that users who are no longer members must be revoked promptly, or at least that no attributes may be asserted for them. The eduroam policy requires home organisations to promptly disable accounts of users who no longer have a primary association with the organisation.

Both federations also require home organisations to enforce both the federation's own policies and those of the services their users obtain access to. If a home organisation receives a complaint about one of the users it authenticated, it is required to investigate the complaint and, if a breach of policy is identified, to deal appropriately with the responsible user. This approach recognises that the home organisation, where the user either works or studies, is likely to be best placed to impose effective and dissuasive sanctions on them.

Finally both federation policies require that systems handling authentication credentials and tokens must be managed according to best practice; any security breaches that may have affected authentication information must be reported to Janet, as federation operator.

Both federations have been successful in providing usable access to services while providing an appropriate level of security. More than two hundred Janet customer organisations participate in eduroam with more than two hundred thousand successful authentications a month; more than nine hundred organisations are members of the UK Federation, enabling several million federated authentications each month.

Janet is currently piloting a third federation technology, Moonshot, which aims to build on the success of eduroam and the UK Federation to provide similar benefits across an even wider range of services. Moonshot will allow groups of services and identity providers, if they wish, to establish their own authentication and authorisation policies; however, we anticipate that most will be based on a similar approach to that of eduroam and the UK Federation.