The manager of the Digital Identity Service, Esmeralda Pires, explains all about Federated Authentication technology, detailing how the FCCN Unit uses it to guarantee the security and mobility of the teaching and research community in Portugal.
Do you still remember the time when, to access a web service, the only available option was a prior registration in which you had to choose a username and password? And that every time we accessed a new service we repeated this process over and over again, leaving us with a long list of passwords to memorize?
Federated authentication was created to solve this problem. This type of authentication has long been adopted by several commercial services, and today we use federated authentication almost without realizing it - we access several different services without a registration process, and log in using only the credentials from our email service or social network.
However, another question arises regarding the reliability of identity. What if my service wants to know if the user is a student, teacher or researcher? How can I be sure that the user is who they say they are? FCCN has the answer and the solution for these services.
The FCCN Unit is responsible for two authentication infrastructures: CIÊNCIA ID and RCTSaai. These infrastructures ensure the authentication and authorization of users from the academic and research community. Services or applications aimed at users from the academic and/or research community can adhere to and integrate RCTSaai and/or CIÊNCIA ID authentication.
CIÊNCIA ID is an authentication and identification infrastructure intended for the services of the national and/or international science ecosystem. In addition to uniquely and permanently identifying citizens who engage in scientific activity in Portugal, through the registration of the CIÊNCIA ID account, it also provides a common authentication mechanism for the various science management platforms.
RCTSaai aims to simplify the provision of web services to the entire community served by FCCN. Students, teachers and employees of participating institutions, using their institutional account, have access to a range of services available through RCTSaai.
eduGAIN or international authentication
What if my service also intends to give access to foreign students or faculty? In this case, the service can integrate eduGAIN authentication. eduGAIN is managed by GÉANT and interconnects the existing identity federations worldwide. RCTSaai is one of the 80 federations that are part of eduGAIN, which enables students, staff and faculty from the international academic community to access services and collaboration platforms worldwide.
A good example of the use of eduGAIN authentication is the set of services of the Erasmus+ program (Erasmus+ App or Online Learning Agreement), where students authenticate using their institution's credentials and the services receive the necessary information about mobile students (European Student Identifier, contact information, home institution).
Web services and mobile applications can and should adhere to federated authentication (RCTSaai, CIÊNCIA ID or eduGAIN) and, in this way, guarantee three fundamental elements to their users:
User and Service Security
- Fewer credentials for the user to manage when accessing services (only the credentials of the home institution or of CIÊNCIA ID are used/generated);
- The services integrate users from other national and international institutions in a simple and secure way;
- Federated authentication RCTSaai/eduGAIN and CIÊNCIA ID relies on secure protocols (SAML and OpenID Connect) to perform authentication requests and exchange user information.
Confidence in Identity
- User registration is performed at the user's home institution, which is responsible for securing the user's information (e.g. RCTSaai: enrollment file, employment contract, etc.)
- User data is sent by the institution to the services only after successful authentication and consent by the user.
- Users use their institution's credentials to access collaboration services and platforms around the world;
- The services can accommodate users from all over the international academic community.
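As an added illustration (not FCCN's code, nor the RCTSaai, CIÊNCIA ID or eduGAIN implementations), the decisions a service has to make after a federated login before trusting the identity and attributes it receives: whether the issuing institution is in the federation's trust list, whether the assertion was issued for this service and is still valid, and how the user's affiliation answers the "student, teacher or researcher" question, including the case where the user did not consent to releasing it. The entity IDs and the trust list are constructed placeholders; the input is a plain dict standing in for an already signature-verified SAML assertion or OpenID Connect ID token, and the affiliation values are the ones from the eduPerson schema used by academic federations.

```python
import time

# Constructed stand-in for federation metadata: which identity providers
# (by entity ID) the service trusts, and via which federation. Placeholders.
TRUSTED_IDPS = {
    "https://idp.example-university.pt/idp": "RCTSaai",
    "https://idp.example-university.de/idp": "eduGAIN",
}
SERVICE_ENTITY_ID = "https://service.example.pt/sp"  # placeholder

# Affiliation values from the eduPerson schema, mapped to the roles a
# service might want to distinguish (student, teacher, staff).
ROLE_BY_AFFILIATION = {
    "student": "student",
    "faculty": "teacher",
    "staff": "staff",
    "employee": "staff",
}


def evaluate_assertion(assertion, now=None):
    """Decide whether to accept a federated login and which role it grants.

    `assertion` is a dict modelled on the claims of an already
    signature-verified SAML assertion / OIDC ID token:
      issuer, audience, expires_at (epoch seconds), attributes (dict).
    Returns {"accepted": True, "role": ..., "federation": ...} or
    {"accepted": False, "reason": ...}.
    """
    now = time.time() if now is None else now
    issuer = assertion.get("issuer")
    federation = TRUSTED_IDPS.get(issuer)
    if federation is None:
        # Only institutions registered in the federation may assert identities.
        return {"accepted": False, "reason": "issuer not in federation trust list"}
    if assertion.get("audience") != SERVICE_ENTITY_ID:
        # An assertion minted for another service must not be accepted here.
        return {"accepted": False, "reason": "audience mismatch"}
    if assertion.get("expires_at", 0) <= now:
        return {"accepted": False, "reason": "assertion expired"}
    # Attributes are released only after the user consented at the home
    # institution, so a missing affiliation is a normal case to handle.
    affiliations = assertion.get("attributes", {}).get("eduPersonAffiliation", [])
    for value in affiliations:
        if value in ROLE_BY_AFFILIATION:
            return {"accepted": True, "role": ROLE_BY_AFFILIATION[value],
                    "federation": federation}
    return {"accepted": False, "reason": "no usable affiliation released"}
```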