Federated Authentication for E-infrastructures
A growing challenge for on-line e-infrastructures is to manage an increasing number of user accounts, ensuring that accounts are only used by their intended users, that users can be held accountable for any misuse, and that accounts are disabled when users are no longer entitled to use them. Users face a similar challenge in managing multiple authentication credentials for different on-line services. One option, which may provide more efficient authentication for e-infrastructures and a better experience for users, is to build on the account management systems and processes already provided by users’ home universities or colleges. Federating authentication in this way is already commonly used to gain access to networks (eduroam) and electronic publications (UK Access Management Federation). E-infrastructures based on X.509 proxy certificates can implement federated login to certificate stores or issuers, for example, using the Short Lived X.509 Credential Services (SLCS) or Identifier-Only Trust Assurance (IOTA) profiles. Jisc is currently piloting technologies and processes that make federated authentication suitable for a wider range of e-infrastructure services. This paper therefore identifies the authentication services likely to become available to e-infrastructures through federation and considers the benefits they may bring.