PIONIER.Id Federated Identity Management
Many IT services need to recognize their users for various reasons. In the simplest case this lets the service remember a user's settings and apply them whenever the service is used. Entitlement to use a service may also depend on additional elements, such as having purchased a licence or belonging to a certain group (researchers, students, etc.). In some cases it is necessary to issue a digital certificate to confirm the user's identity.
Examples of such services include web conferences, access to academic portals, using WIKI-like systems, teamwork systems, or even commercial providers that give student discounts.
Users from institutions belonging to the PIONIER.Id federation may use many services in a remarkably simple way. After they have found their parent institution on the service website, they log in using their usual ID and password, and they may use the service. If they wish to use another service, they do not even have to log in again, because their institution remembers that they have already done so.
Logging in to each service with a separate ID and password has long been recognized as a serious problem. If the ID is, for example, an e-mail address, and thus the same ID appears in many services, it becomes possible to build a profile of the user's activity across them. Moreover, it is practically impossible to remember many different passwords, and if the user sets the same password for many services and it gets stolen, it may open access to all of them.
These problems began to grow in the late 1990s with the advent of electronic services. One proposed solution was a digital identity maintained by the state: something we are likely to see eventually, but it has not matured yet because of the scale of the problem. Academic communities worldwide recognized the problem relatively quickly and soon proposed using the account at the user's parent institution instead, an approach now known as Federated Identity Management (FIM).
FIM is based on trust between the parties forming the federation. Service providers must believe that parent institutions send true information about users, while the institutions must trust that service providers process that information appropriately. The trust rests on written regulations and on official declarations that they will be observed. Building such a system requires care and time, and is therefore relatively expensive. It is usually operated within a given country by the institution that manages the academic IT network. Since an international provider would have to repeat the same formalities in every country, the eduGAIN confederation was introduced to simplify the process: national federations agree to trust the procedures implemented by the other federations and use them as if they were their own. Thanks to that, the Polish federation, PIONIER.Id, can concentrate on developing Polish services while at the same time having access to over a thousand service providers registered in other eduGAIN federations.
Any situation that requires information about the user naturally raises the question of personal data and its protection. The solutions implemented by academic federations are effective and highly secure. The information that service providers receive about the user is reliable, but limited to what is absolutely necessary. For instance, in the case of a user of an electronic journal, the only information made available is a unique ID which does not reveal the user's identity, and a confirmation that she/he holds specific rights. If the service is a portal that requires e-mail communication, it is justified to transmit an e-mail address. If it is a teamwork portal, the user may agree to his/her name and surname being transmitted; other users can then be sure that the name and surname are authentic and that no one is trying to impersonate him/her.
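The two ideas above, a per-service identifier that does not let services correlate their records (the profiling risk raised earlier) and an attribute set cut down to what each kind of service needs, can be sketched in code. This is an added illustration, not PIONIER.Id's or eduGAIN's software: the secret, the user record and the service addresses are constructed, and the per-service identifier is modelled on the SAML-style pairwise persistent identifier, derived here with an HMAC.

```python
import hmac
import hashlib

# Constructed sample data (hypothetical institution, user and services).
IDP_SECRET = b"example-idp-pairwise-secret"   # held only by the home institution
USER = {
    "uid": "jkowalski",
    "mail": "j.kowalski@example-university.example",
    "displayName": "Jan Kowalski",
    "entitlement": "urn:example:library:journals",
}

# Minimization rule per service: what the home institution may send to each one.
SERVICE_POLICY = {
    "https://journals.example.org/sp": {"pairwise-id", "entitlement"},
    "https://portal.example.org/sp": {"pairwise-id", "entitlement", "mail"},
    "https://teamwork.example.org/sp": {"pairwise-id", "mail", "displayName"},
}
# Attributes that identify the person are released only with the user's agreement.
CONSENT_REQUIRED = {"displayName"}


def pairwise_id(uid: str, sp_entity_id: str, secret: bytes = IDP_SECRET) -> str:
    """Stable, opaque identifier that differs per service: the same user looks
    different to two services, so they cannot join their records by ID alone."""
    msg = f"{uid}\x00{sp_entity_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def release_attributes(user: dict, sp_entity_id: str, consented=frozenset()) -> dict:
    """Build the attribute set sent to one service provider, applying the policy."""
    allowed = SERVICE_POLICY.get(sp_entity_id)
    if allowed is None:
        # An unregistered service is not part of the federation: release nothing.
        raise PermissionError(f"unknown service provider: {sp_entity_id}")
    released = {}
    for attr in allowed:
        if attr == "pairwise-id":
            released[attr] = pairwise_id(user["uid"], sp_entity_id)
        elif attr in CONSENT_REQUIRED and attr not in consented:
            continue   # user has not agreed: withhold the attribute, do not fail
        else:
            released[attr] = user[attr]
    return released


if __name__ == "__main__":
    for sp in SERVICE_POLICY:
        print(sp, release_attributes(USER, sp, consented={"displayName"}))
```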
Thanks to PIONIER.Id and eduGAIN, the account in our parent institution is a digital passport that gives us access to numerous services without the need to open many accounts.