The Future of Digital
Student Data Portability Simple Affiliation Validation for Academia

May 18, 2016
11:40 a.m.-11:55 a.m.


Niels van Dijk
Technical Product Manager


Identity Federations in Research and Education currently support the delivery of attributes using SAML authentication interfaces of their federations. Although Service Providers that only need validation can join a federation and use the attributes provided by an Identity provider to do their own assessment, there are downsides to that approach. One is that a federation Service Provider needs to live up to a rather heavyweight federation policy, put in place amongst others to protect user privacy: but if the Service Provider would not receive that privacy sensitive information in the first place, then maybe a much lighter policy can be used. Another is the SAML protocol itself, which is considered by many to be rather cumbersome to implement and maintain; especially if the only functionality that is needed is a simple assurance that a provided claim by someone is correct; functionality that SAML does not even provide since it was designed with authentication and providing attributes in mind (not validating them). In recent years new protocols such as OpenID Connect have emerged which are equally suitable for secure attribute transportation, but come with significantly lower technical impact. These downsides can mostly be addressed by creating a single transnational validation service. This can be a service provider in the national federations (via eduGAIN) with the accompanying policy. Towards the services that only need validation, it can provide the validation service. This means an attribute release profile with anonymous attributes combined with user-consent can be used, possibly also allowing a much lighter policy.

Follow this link to download the presentation slides