Collaboration

There is considerable interest in leveraging SAFIRE and eduGAIN to integrate with the various library information providers, such as academic content, journal, and database publishers. Information providers variously term this “Shibboleth”, “SAML” or “Institutional” logins, and in most cases are already integrated with other federations around the world.

The following documents the integration status of various providers in SAFIRE.

In April 2020, SAFIRE was approached by the Royal Society of Chemistry (RSC) who expressed interest in joining SAFIRE as a Service Provider.

While Kortex have temporarily made limited free access available under their Free Student eTextbook Programme FSTP, federated authentication using institutional credentials is also now possible.

The international science community has asked for help in connecting researchers and scientists to collaborations that are rapidly forming in response to the COVID-19 pandemic.

Under the auspices of the RCCPii capacity development project, we recently concluded a successfull workshop on identity management & federation.

The benefits identity federations, and specifically eduGAIN, bring to scientific cyberecosystems was the subject of a recent article in HPCwire.

In simple terms, eduGAIN it is the web equivalent of the eduroam wireless roaming service — it is an academic inter-federation with 41 member countries from around the world. South Africa’s membership of eduGAIN will provide local academics and researchers with an easy way to log into over a thousand participating services worldwide using their home organisation’s username and password. Federated identity services play an increasingly critical role in facilitating access to big science projects, and so South Africa’s participation in this space is an important milestone towards allowing South African scientists to collaborate in international research.

This post documents SAFIRE’s experiments with, and ultimate deployment of, a smartcard-based HSM for SAML metadata signing in the hope that we can help other emerging federations along the way.

Identity provider proxies allow the hub-and-spoke federation to appear as a full mesh, at least for the purposes of IdP discovery. This means that service providers can make use of local discovery and see a list of individual SAFIRE identity providers rather than seeing a single entry for the whole federation.

In turn, this eliminates the “double discovery” problem for service providers that use local discovery to select amongst a number of different federations (e.g. sites that use DiscoJuice or derivatives). Instead of clicking through two discovery interfaces (local to select the federation, central to select the IdP), end users can select their identity provider directly at the SP.

Metadata is the basis of trust in any federation, and this makes the key management practices for metadata signing particularly important.

In response to suggestions from other federation operators, we’ve decided to try and get this “right” from the beginning — at least as far is actually practical for a small federation in its early stages. And “right” means that we should store our metadata signing key in some form of hardware security module.