This post is part of a formal deliverable of the GÉANT GN4 “Trust and Identity Harmonisation” task, which was funded for a one-year period from May 2015 – April 2016.  A series of blogposts will appear here on the REFEDS blog to help more widely disseminate the work of the task and progress achieved.  More information can be found on the GÉANT wiki.  Those interested in entity categories may like to watch an upcoming session at the Internet2 Global Summit or join the discussion at the REFEDS meeting on 12th June 2016 at TNC16.

The concept of Entity Categories was developed by the Research and Education FEDerations group based on an approach first adopted by the InCommon federation. Entity Categories define certain criteria for federation entities, i.e. identity providers, service providers and attribute authorities, for the purpose of grouping them into clusters where all entities share the same characteristics. These characteristics could be of any type, and other entities may respond to the associated tags in a variety of ways. For example, the REFEDS “Hide from Discovery” tag is applied to Identity Providers (IdPs) and instructs Service Providers (SPs) not to include the IdP in discovery or WAYF interfaces. This results in a simpler user experience and is an approach that allows services to be enhanced beyond the initial baseline in a scalable way.

The Trust and Identity Harmonisation task has focused mainly on those Entity Categories that help IdPs release attributes to SPs in a safe and consistent manner. Within GN4-1, the task worked on the existing Research and Scholarship Entity Category and two new proposals respectively for an Affiliation Entity Category and an Academia Entity Category.
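To make the mechanism concrete, here is an added example (not code from the post, REFEDS or GÉANT) of how an entity category is carried in SAML metadata and consumed. Categories are published as values of the `http://macedir.org/entity-category` entity attribute inside the metadata `EntityAttributes` extension; the example parses a small constructed aggregate (all entityIDs are made up) and shows the two behaviours discussed above: an SP's discovery page drops IdPs tagged Hide from Discovery, and an IdP releases its R&S attribute bundle only to SPs tagged Research and Scholarship. The attribute bundle listed is an assumption of the example, not something the post enumerates.

```python
"""Filtering SAML federation metadata on entity categories (added example).

Parses a constructed metadata aggregate and applies two entity-category
driven decisions: which IdPs a discovery service should list, and which
attributes an IdP releases to a given SP.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
HIDE_FROM_DISCOVERY = "http://refeds.org/category/hide-from-discovery"
RESEARCH_AND_SCHOLARSHIP = "http://refeds.org/category/research-and-scholarship"

# Attribute bundle this example's IdP releases to R&S SPs. This list is an
# assumption of the example; the post itself does not enumerate the bundle.
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName",
                       "givenName", "sn", "eduPersonScopedAffiliation"})

# Constructed metadata aggregate: two IdPs and two SPs, entityIDs made up.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://idp.example-university.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.test-only.example/idp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://refeds.org/category/hide-from-discovery</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wiki.research-collab.example/sp">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://macedir.org/entity-category">
          <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://untagged.vendor.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_categories(entity):
    """Return the set of entity-category values declared on one EntityDescriptor."""
    values = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            values.update((v.text or "").strip()
                          for v in attr.findall("saml:AttributeValue", NS))
    return values


def load_entities(xml_text):
    """Parse an aggregate and return its EntityDescriptor elements in order."""
    return ET.fromstring(xml_text).findall("md:EntityDescriptor", NS)


def discovery_idps(xml_text):
    """IdPs a discovery/WAYF page should list: every IdP not tagged hidden."""
    return sorted(
        e.get("entityID") for e in load_entities(xml_text)
        if e.find("md:IDPSSODescriptor", NS) is not None
        and HIDE_FROM_DISCOVERY not in entity_categories(e)
    )


def attributes_to_release(xml_text, sp_entity_id):
    """Attributes an R&S-supporting IdP releases to the named SP.

    R&S-tagged SPs get the bundle; any other SP gets nothing from this rule
    (it would need a bilateral agreement instead). Unknown SPs raise KeyError.
    """
    for e in load_entities(xml_text):
        if e.get("entityID") == sp_entity_id and e.find("md:SPSSODescriptor", NS) is not None:
            return set(RS_BUNDLE) if RESEARCH_AND_SCHOLARSHIP in entity_categories(e) else set()
    raise KeyError(f"unknown SP: {sp_entity_id}")


if __name__ == "__main__":
    print("IdPs shown in discovery:", discovery_idps(METADATA))
    for sp in ("https://wiki.research-collab.example/sp", "https://untagged.vendor.example/sp"):
        print(sp, "->", sorted(attributes_to_release(METADATA, sp)))
```

The point to take from the release rule is that the decision is driven entirely by the tag in the federation-published metadata, not by per-SP configuration at the IdP; that is what makes the approach scale across federations, and also why the IdP must trust the federation's vetting of who gets the tag.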

Overall, the Entity Category subtask helped increase the usage of the Research and Scholarship Entity Category by 435% during the period of GN4-1.

The aim of this subtask was to work with REFEDS to identify and define entity categories to help automate and reduce the workload of attribute release and management for Identity Providers towards Service Providers. This work involved:

  • Identifying priority entity categories.
  • Working within REFEDS to specify entity category types and content, taking into consideration global needs.
  • Piloting key use cases within the GÉANT community in collaboration with Task 5 – Enabling Users.
  • Driving take-up of support for entity categories within the GÉANT eduGAIN membership by bringing proposals for their adoption to the eduGAIN SG.

Entity Categories go through a comprehensive consultation process within REFEDS before they can be endorsed as a standard for the community, and the task was not expected to complete work on any given new category within the 1-year timeframe of the GN4-1 project. Its primary focus was therefore on promotion and adoption of the existing Research and Scholarship Entity Category within the timeframe of GN4-1, and on supporting groundwork for two new definitions with the intention of passing this work on to REFEDS for consultation and standardisation.

The Entity Category subtask also collaborated with REFEDS during GN4-1 to define two new entity categories: the Academia Entity Category and the Affiliation Entity Category. “Academia” is intended as a flag to show Service Providers that any given IdP tagged with this category is from an organisation that is defined as being “academic” against a known set of criteria. This enables the SP to make authorisation decisions which may be driven by terms of use restricting data to academic entities. In this sense, it is different from the “R&S” tag, which indicates that a service is intended for academic users – the first tag identifies an organisation as academic, while the second highlights that a resource is intended for an academic audience. The “Affiliation” category is a simple flag that only shows a user to be “affiliated” to an organisation, therefore withholding all personally identifiable information (PII) from the Service Provider.

The primary focus for pilot and production deployment was the Research and Scholarship Entity Category (R&S). Promotional activities for R&S, in collaboration with REFEDS, included a set of New Year’s Resolutions, a piece on how to improve the federation experience (upcoming promotion), and work to highlight the importance of releasing attributes to high-profile scientific organisations such as LIGO and CERN. The task also organised a training event at TNC15 for Federation Operators on both Research and Scholarship and the Code of Conduct that was attended by 50 participants representing 26 federations. This event proved to be very successful in terms of promotion and as of 29th February 2016 a total of 15 federations, 14 of which were at the training event, now support the Research and Scholarship Entity Category.

More generally, the following statistics on adoption of deployed entity categories were recorded during the course of the project:

| Date | Number of SPs | Number of IdPs | Number of Federations |
|---|---|---|---|
| May 2015 | 21 | 20 | Unknown |
| September 2015 | 46 | 39 | 8 |
| October 2015 | 51 | 43 | 11 |
| November 2015 | 58 | 44 | 11 |
| December 2015 | 61 | 47 | 13 |
| January 2016 | 65 | 50 | 13 |
| February 2016 | 80 | 87 | 15 |
| March 2016 | 84 | 95 | 15 |
| April 2016 | 87 | 98 | 15 |
| May 2016 | 91 | 103 | 16 |

The number of SPs using the tag is increasing at a good rate; however, for R&S to be fully successful, more support is needed from the Identity Provider community, which must demonstrate its intention to release attributes based on this category.

The biggest challenge when supporting Entity Category development is overcoming the risk-averse approach to data protection processes within Identity Provider organisations. This position is understandable, as organisations want to protect the privacy and security of their users and comply with legislation, but can be taken to the extreme to mean that no data is released to providers.

IT departments have also suffered from a lack of investment in the policy side of attribute management. Although the technology may have been installed and well operated, administrators often lack the workflow and permissions to implement processes such as an Entity Category attribute release policy. It is moreover often difficult to identify the right person within any given organisation to take a decision on the approach to be followed.

IT departments also lack the use case to support many of the scenarios that Research and Scholarship supports. Many of the resources that benefit from this approach to attribute release are used by high-end researchers, who are often scattered across multiple organisations. This means that an individual IT department may only receive support requests from one or two users, making the business case for implementation time hard to justify.

Additionally, defining new entity categories is a lengthy process simply due to the lack of shared definitions within the field of academia. As there is no consistent understanding of terms such as “academic”, “academia”, “affiliation” or even “staff”, work is needed to support research and debate around how these terms might be used and interpreted if used in normative documentation.

The adoption of Entity Categories is proving to be an effective, practical and automated yet risk-aware process to meet the requirements of data protection legislation. Service Providers have been keen to embrace this approach and recognise the benefits of handling attributes in this manner. Some Identity Providers have begun to engage with the Entity Category process, but significant work is needed to ensure that support for the process becomes established in federations. Federations also need support to encourage IdPs to trust entity categories, and to implement processes and automation (such as Resource Registries) which make them easier to adopt. Federations without a Resource Registry functionality face a greater challenge in the scalable deployment of entity categories, so this gap will need to be addressed at a national level, with support from GÉANT as needed.

Work to update the eduGAIN Policy framework to provide clearer guidance on Entity Category usage is recommended, alongside ongoing promotional and federation support work in conjunction with REFEDS. It is further recommended that work also continue in this sense on the two newly introduced entity categories.