Extended Model for Efficient Federated Identity Management with Dynamic Levels of Assurance Across eIDAS, REFEDS, and Kantara Frameworks for Educational Institutions
Abstract
1. Introduction
1.1. Electronic Identity (eID)
- Single sign-on (SSO) technology, which allows users to authenticate once and gain access to multiple resources, without needing to log in again for each service;
- Identity providers, which enable the management and verification of user credentials and provide authentication information to other services within the federation;
- Security protocols, which are used to facilitate the secure exchange of authenticated requests between the identity provider and service providers, such as SAML (Security Assertion Markup Language), OAuth, and OpenID Connect [3];
- Attribute management, where specific user attributes (e.g., name, email address, and roles) are often shared across different domains to enable access decisions based on pre-defined rules;
- Privacy and control, where ensuring user privacy is critical, and users often have control over what information is shared with other domains within the federation.
1.2. Identity Federation
1.2.1. Use of the Hub and Spoke Model in Identity Federation
1.2.2. The Use of the Mesh Model in Federated Identity Management
1.3. Identity Profile and Authentication
1.4. IdP Proxy
2. Identity Federations: eIDAS, REFEDS, and Kantara
- eIDAS 2 (European Digital Identity Framework) [12]—The European Union regulation No. 1183/2024 creates a unified legal framework for electronic identification, authentication, and trust services between EU member states. This helps to enhance trust and security in the digital environments used within the EU.
- REFEDS (Research and Education Federations) [11] is an international organization that supports the development of identity federations for research and educational institutions worldwide. This organization provides a standardized way to describe how identity information is verified and secured in a digital environment [13]. The REFEDS organization profiles define the levels of security and trustworthiness of the identity information provided and used in online services and other digital resources. The description of identity assurance profiles helps organizations and users to understand how interconnected and secure the identity verification process is within digital environments [14].
- Kantara Initiative [15] is a global non-profit organization that develops standards, policies, and practices for digital identity management, verification, privacy, and trust. The organization uses identity profiles to help organizations and governments in creating secure and consistent systems for managing user identities across various digital platforms and services [16]. This helps to increase user safety online and reduces the risk of fake identities and online fraud.
2.1. Identity Federation Levels of Assurance
2.1.1. eIDAS 2 LoA Profiles
2.1.2. REFEDS Identity Assurance Profiles
2.1.3. Kantara Profiles
2.2. Dynamic (Elevated) LoA Needs
2.3. Different Policies
2.4. Protocols Within Federated Identity Management
- The user requests access to a service or application that is protected and federated with the SP.
- The SP detects that the user is not authenticated and redirects the user to the IdP by sending a SAML authentication request.
- The IdP receives the authentication request and authenticates the user through the appropriate login.
- The SP sends the IdP a request to create a SAML assertion upon successful authentication.
- After successful authentication, the IdP creates a SAML assertion containing the authenticated user information.
- The IdP redirects the user to the SP, including the SAML assertion in an HTTP POST response.
- The SP receives the SAML assertion, verifies it (checking the signature and validity of the assertion), and then recognizes the user as authenticated.
- Once authenticated, the user gains access to the application or service requested from the SP.
2.5. Different Protocols
3. Interoperability Between eIDAS, REFEDS, and Kantara
3.1. Extended IdP Proxy
3.2. Management of Security and Privacy
3.2.1. Benefits of IdP Proxy in eIDAS (Electronic Identification, Authentication, and Trust Services)
3.2.2. Benefits of IdP Proxy in REFEDS (Research and Education Federations)
3.2.3. Benefits of IdP Proxy in Kantara Initiative Framework
4. New Proposed Model
- The user requests access to a service or application that is protected and federated with the SP.
- The SP detects that the user is not authenticated and redirects them to the IdP proxy by sending a SAML authentication request.
- The IdP proxy sends the authentication request to the SP.
- The SP receives the request, analyzes the user, and selects the appropriate IdP to authenticate the user.
- The IdP proxy redirects the user to the IdP for authentication.
- The IdP authenticates the user and generates a SAML assertion containing the authenticated user information.
- The IdP redirects the user to the IdP proxy, including the SAML assertion in an HTTP POST response.
- The IdP proxy receives the SAML assertion from the IdP, verifies it, and then sends a new assertion to the SP.
- The SP receives and verifies the new SAML assertion from the IdP proxy, then grants access to the service for the user.
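The verification step of the proxy flow above (and the SP's own verification step in Section 2.4), as an added Python example that is not code from the paper: the proxy checks that the inbound assertion comes from a trusted IdP, names the proxy in its audience restriction, lies inside its validity window and carries a signature element, then collects the attributes it will re-issue to the SP. The entity IDs and the sample assertion are constructed; cryptographic verification of the XML signature is delegated to an XML-DSig library and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Proxy trust configuration (constructed values): the upstream IdPs the proxy
# accepts and the entityID under which the proxy is registered with them.
TRUSTED_IDPS = {"https://idp.university.edu/idp"}
PROXY_ENTITY_ID = "https://proxy.example.org/saml"

# Constructed sample assertion as the IdP would POST it back to the proxy (step 7).
# The ds:Signature is a placeholder; its value is not cryptographically valid.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0"
    IssueInstant="2025-03-16T10:00:00Z">
  <saml:Issuer>https://idp.university.edu/idp</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-4711</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2025-03-16T09:59:00Z" NotOnOrAfter="2025-03-16T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://proxy.example.org/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11">
      <saml:AttributeValue>https://refeds.org/assurance/IAP/medium</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_inbound_assertion(xml_text, now=None):
    """Return the list of problems found; an empty list means the assertion passed.
    `now` is a SAML timestamp string (defaults to the current UTC time)."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return ["root element is not a saml:Assertion"]
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_IDPS:
        problems.append("untrusted issuer %r" % issuer)
    if root.find("ds:Signature", NS) is None:  # presence only; verify it with xmlsec
        problems.append("assertion is not signed")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions element")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if PROXY_ENTITY_ID not in audiences:
            problems.append("proxy is not in the audience restriction")
    return problems


def extract_attributes(xml_text):
    """Collect attribute name -> list of values: the input for the proxy's new assertion (step 8)."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


if __name__ == "__main__":
    print(check_inbound_assertion(SAMPLE_ASSERTION, now="2025-03-16T10:00:00Z"))
    print(extract_attributes(SAMPLE_ASSERTION))
```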
4.1. Unification of Attributes Between Federations
4.2. Selecting Identification Attributes Through an IdP Proxy
5. Extended Model for Efficient Federated Identity Management with Dynamic Levels of Assurance
Mapping of Attributes Between Federations
- urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
```php
<?php
// Listing: transform a REFEDS eduPersonUniqueId into an eIDAS-style identifier
function transformRefedsToEidas($eduPersonUniqueId) {
    // Extract the domain to determine the country
    $parts = explode("@", $eduPersonUniqueId);
    if (count($parts) != 2) {
        throw new Exception("The identifier format is not valid.");
    }
    $username = $parts[0];
    $domain = $parts[1];
    // Assign the country based on the domain (this can be customized)
    $countryMap = [
        "university.edu" => "MK", // North Macedonia
    ];
    $countryCode = $countryMap[$domain] ?? "XX"; // XX for unknown cases
    // Generate a unique UUID for this user
    // Note: uniqid() is not a true UUID and returns a new value on every call,
    // so the pairing between the two identifiers must be persisted to stay stable.
    $uuid = uniqid("", true); // Simulating a UUID
    // Create the eIDAS ID format
    $eidasId = strtoupper($countryCode) . "-" . md5($uuid); // Hash for uniqueness
    return $eidasId;
}

// Testing the function
$eduPersonId = "john.doe@university.edu";
$eidasId = transformRefedsToEidas($eduPersonId);
echo "eIDAS ID: " . $eidasId;
```
```php
<?php
// Listing: transform an eIDAS-style identifier back into a REFEDS eduPersonUniqueId
function transformEidasToRefeds($eidasId) {
    // Parse the eIDAS format (country code and hashed identifier separated by "-")
    $parts = explode("-", $eidasId);
    if (count($parts) != 2) {
        throw new Exception("The eIDAS ID format is not valid.");
    }
    $countryCode = $parts[0];
    $uuid = $parts[1];
    // Map of countries to REFEDS domains
    $domainMap = [
        "MK" => "university.edu",
    ];
    $domain = $domainMap[$countryCode] ?? "unknown.edu";
    // Generate a username based on UUID
    $username = substr($uuid, 0, 8); // Use the first 8 characters of the UUID
    // Form the REFEDS identifier
    $eduPersonId = $username . "@" . $domain;
    return $eduPersonId;
}

// Testing the function ("DE" is not in the map, so the domain falls back to unknown.edu)
$eidasId = "DE-a1b2c3d4e5f67890abcdef1234567890";
$refedsId = transformEidasToRefeds($eidasId);
echo "REFEDS ID: " . $refedsId;
```
- 8c6976e5b5410415bde908bd4dee15dfb16e2536a4f1f6d6b88f0b8d1e7a5679.
```php
<?php
// Listing: derive an eIDAS unique identifier and LoA from a Kantara PID and assurance level
function transformKantaraToEidas($kantaraPID, $kantaraAssurance) {
    // Mapping LoA from Kantara to eIDAS
    $loaMapping = [
        "low" => "LoA/low",
        "medium" => "LoA/substantial",
        "high" => "LoA/high"
    ];
    // Determining the country prefix for eIDAS
    $countryCode = "MK"; // Can be retrieved from Kantara attributes
    // Using PID and creating the eIDAS Unique Identifier
    $hashedId = hash("sha256", $kantaraPID); // Hashing PID for high security
    $eidasUID = strtoupper($countryCode) . "-" . substr($hashedId, 0, 16); // Creating eIDAS UID
    // Mapping LoA from Kantara to eIDAS; an unknown level falls back to the lowest level
    $eidasLoA = isset($loaMapping[$kantaraAssurance]) ? $loaMapping[$kantaraAssurance] : "LoA/low";
    return ["eIDASUID" => $eidasUID, "LoA" => $eidasLoA];
}

// Testing the function
$kantaraPID = "PID-1234567890";
$kantaraAssurance = "high";
$eidasData = transformKantaraToEidas($kantaraPID, $kantaraAssurance);
echo "eIDAS Unique Identifier: " . $eidasData['eIDASUID'] . "\n";
echo "eIDAS Level of Assurance: " . $eidasData['LoA'] . "\n";
```
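Added example (not from the paper) generalising the Kantara-to-eIDAS LoA mapping in the listing above to all three frameworks and to the dynamic LoA needs of Section 2.3: assurance values from eIDAS (AuthnContextClassRef URIs), REFEDS (eduPersonAssurance values) and Kantara (the low/medium/high keys of the listing) are placed on one ordinal scale so the proxy can decide whether the level the IdP asserted meets the level the SP requested, and ask for step-up authentication when it does not. The cross-framework equivalences and the `kantara:` prefix are assumptions.

```python
# Ordinal rank used by the proxy: 1 = low, 2 = substantial/medium, 3 = high.
# eIDAS and REFEDS entries are the published URIs; the Kantara keys follow the
# low/medium/high keys of the PHP listing (the "kantara:" prefix is assumed here).
# Treating these levels as equivalent across frameworks is a modelling assumption.
LOA_RANK = {
    "http://eidas.europa.eu/LoA/low": 1,
    "http://eidas.europa.eu/LoA/substantial": 2,
    "http://eidas.europa.eu/LoA/high": 3,
    "https://refeds.org/assurance/IAP/low": 1,
    "https://refeds.org/assurance/IAP/medium": 2,
    "https://refeds.org/assurance/IAP/high": 3,
    "kantara:low": 1,
    "kantara:medium": 2,
    "kantara:high": 3,
}

# Representation of each rank in the target federation's own vocabulary.
RANK_TO_VALUE = {
    "eidas": {1: "http://eidas.europa.eu/LoA/low",
              2: "http://eidas.europa.eu/LoA/substantial",
              3: "http://eidas.europa.eu/LoA/high"},
    "refeds": {1: "https://refeds.org/assurance/IAP/low",
               2: "https://refeds.org/assurance/IAP/medium",
               3: "https://refeds.org/assurance/IAP/high"},
    "kantara": {1: "kantara:low", 2: "kantara:medium", 3: "kantara:high"},
}


def asserted_rank(values):
    """Highest rank among the asserted values; unknown values count as 0 (no assurance).
    eduPersonAssurance is multi-valued, so an IdP may send several levels at once."""
    return max((LOA_RANK.get(v, 0) for v in values), default=0)


def decide(asserted_values, required_value, target_federation):
    """Compare what the IdP asserted with what the SP requires (an elevated LoA is
    simply a higher required_value). Returns the proxy's decision and the value to
    place in the new assertion, expressed in the SP's federation vocabulary."""
    have = asserted_rank(asserted_values)
    need = LOA_RANK.get(required_value)
    if need is None:
        raise ValueError("unknown required level: %s" % required_value)
    if have >= need:
        return {"action": "issue", "rank": have,
                "outbound": RANK_TO_VALUE[target_federation][have]}
    # Not enough assurance: send the user back to the IdP for step-up authentication
    # at the required level instead of issuing a weaker assertion to the SP.
    return {"action": "step-up", "rank": have, "outbound": None,
            "required": RANK_TO_VALUE[target_federation][need]}


if __name__ == "__main__":
    print(decide(["https://refeds.org/assurance/IAP/medium"],
                 "http://eidas.europa.eu/LoA/substantial", "eidas"))
    print(decide(["kantara:low"], "http://eidas.europa.eu/LoA/high", "eidas"))
```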
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- EL Haddouti, S.; Dafir Ech-Cherif EL Kettani, M. A Hybrid Scheme for an Interoperable Identity Federation System Based on Attribute Aggregation Method. Computers 2019, 8, 51. [Google Scholar] [CrossRef]
- Alaca, F.; Van Oorschot, P.C. Comparative Analysis and Framework Evaluating Web Single Sign-on Systems. ACM Comput. Surv. 2021, 53, 1–34. [Google Scholar] [CrossRef]
- saml-core-2.0-os. Available online: https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf (accessed on 27 September 2024).
- Varnosfaderani, S.D.; Kasprzak, P.; Pohl, C.; Yahyapour, R. A Flexible and Compatible Model for Supporting Assurance Level through a Central Proxy. In Proceedings of the 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom), Paris, France, 21–23 June 2019; IEEE: Piscataway, NJ, USA, 2019; pp. 46–52. [Google Scholar] [CrossRef]
- Malik, A.A.; Anwar, H.; Shibli, M.A. Federated Identity Management (FIM): Challenges and opportunities. In Proceedings of the 2015 Conference on Information Assurance and Cyber Security (CIACS), Rawalpindi, Pakistan, 18 December 2015; IEEE: Piscataway, NJ, USA, 2016; pp. 75–82. [Google Scholar] [CrossRef]
- Carretero, J.; Izquierdo-Moreno, G.; Vasile-Cabezas, M.; Garcia-Blas, J. Federated Identity Architecture of the European eID System. IEEE Access 2018, 6, 75302–75326. [Google Scholar] [CrossRef]
- Chiou, R.; Humphreys, G.F.; Jung, J.; Ralph, M.A.L. Controlled semantic cognition relies upon dynamic and flexible interactions between the executive ‘semantic control’ and hub-and-spoke ‘semantic representation’ systems. Cortex 2018, 103, 100–116. [Google Scholar] [CrossRef] [PubMed]
- AARC Blueprint Architecture–AARC I Authentication and Authorisation for Research and Collaboration. Available online: https://aarc-community.org/architecture (accessed on 14 March 2025).
- Filho, W.P.; Ribeiro, C.; Zefferer, T. Privacy-preserving attribute aggregation in eID federations. Futur. Gener. Comput. Syst. 2019, 92, 1–16. [Google Scholar] [CrossRef]
- Okabe, Y.; Komura, T.; Sato, H.; Yamaji, K.; Nakamura, M. An Authentication Federation Proxy Which Conceals Attributes and Authorization Policies Each Other. In Proceedings of the 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), Atlanta, GA, USA, 10–14 June 2016; IEEE: Piscataway, NJ, USA, 2016; pp. 202–207. [Google Scholar] [CrossRef]
- Identity Provider Proxy | SAP Help Portal. Available online: https://help.sap.com/docs/SAP_SINGLE_SIGN-ON/27aa32ff2f5f4e7ebf59a9560205eca2/d7b115cab48541908eec1ac1b78a5601.html (accessed on 27 September 2024).
- EUR-Lex-02014R0910-20241018-EN-EUR-Lex. Available online: https://eur-lex.europa.eu/eli/reg/2014/910/2024-10-18/eng (accessed on 15 March 2025).
- Consultation: REFEDS Assurance Framework Round 2-Consultations-REFEDS Wiki. Available online: https://wiki.refeds.org/display/CON/Consultation%3A+REFEDS+Assurance+Framework+round+2 (accessed on 27 September 2024).
- Horbe, R.; Hotzendorfer, W. Privacy by Design in Federated Identity Management. In Proceedings of the 2015 IEEE Security and Privacy Workshops, San Jose, CA, USA, 21–22 May 2015; IEEE: Piscataway, NJ, USA, 2015; pp. 167–174. [Google Scholar] [CrossRef]
- KIAF 1410-CO_SAC Kantara Identity Assurance Framework: Common Organizational Service Assessment Criteria (SAC) & Statement of Criteria Applicability (SoCA)-Excel Version. Available online: https://kantarainitiative.org/download/kiaf-1410-co_sac-kantara-identity-assurance-framework-common-organizational-service-assessment-criteria-sac-statement-of-criteria-applicability-soca-excel-version (accessed on 27 September 2024).
- Identity Assurance and Accreditation with Kantara Initiative. Available online: https://kantarainitiative.org/ (accessed on 27 September 2024).
- eIDAS Levels of Assurance. Available online: https://ec.europa.eu/digital-building-blocks/sites/digital-building-blocks/sites/display/DIGITAL/eIDAS+Levels+of+Assurance (accessed on 15 March 2025).
- Bukhari, A. Understanding eIDAS Level of Assurance. Available online: https://www.methics.fi/understanding-eidas-level-of-assurance/ (accessed on 27 September 2024).
- Sharif, A.; Ranzi, M.; Carbone, R.; Sciarretta, G.; Marino, F.A.; Ranise, S. The eIDAS Regulation: A Survey of Technological Trends for European Electronic Identity Schemes. Appl. Sci. 2022, 12, 12679. [Google Scholar] [CrossRef]
- Berbecaru, D.; Lioy, A.; Cameroni, C. Electronic Identification for Universities: Building Cross-Border Services Based on the eIDAS Infrastructure. Information 2019, 10, 210. [Google Scholar] [CrossRef]
- REFEDS Assurance Framework ver 1.00-Assurance-REFEDS wiki. Available online: https://wiki.refeds.org/display/ASS/REFEDS+Assurance+Framework+ver+1.0 (accessed on 3 October 2024).
- Glossary and Overview v2.0. Available online: https://kantarainitiative.org/download/6160/ (accessed on 16 March 2025).
- Identity Assurance. Available online: https://kantarainitiative.org/work-groups/iawg/ (accessed on 27 September 2024).
- Identity Assurance Program. Available online: https://kantarainitiative.org/us-identity-certification-program/ (accessed on 27 September 2024).
- Ziegler, J.A.; Stevanovic, U.; Groep, D.; Neilson, I.; Kelsey, D.P.; Kremers, M. Making Identity Assurance and Authentication Strength Work for Federated Infrastructures. In Proceedings of the International Symposium on Grids & Clouds 2021 (ISGC2021), Taipei, Taiwan, 22–26 March 2021; Sissa Medialab: Trieste, Italy, 2021; p. 29. [Google Scholar] [CrossRef]
- Lin, Y.-D.; Truong, D.-T.; Ali, A.; Li, C.-Y.; Lai, Y.-C.; Dinh, T.-M.T. Proxy-Based Federated Authentication: A Transparent Third-Party Solution for Cloud-Edge Federation. IEEE Netw. 2020, 34, 220–227. [Google Scholar] [CrossRef]
- Strack, H.; Karius, S.; Gollnick, M.; Lips, M.; Wefel, S.; Altschaffel, R. Preservation of (higher) Trustworthiness in IAM for Distributed Workflows and Systems Based on Eidas; Gesellschaft für Informatik e.V.: Bonn, Germany, 2022; pp. 125–130. [Google Scholar] [CrossRef]
- REFEDS–The Voice of Research and Education Identity Federations. Available online: https://refeds.org/ (accessed on 27 September 2024).
- 2020_MyAID_Guidelines_eduGAIN.pdf. Available online: https://uni-foundation.eu/uploads/2020_MyAID_Guidelines_eduGAIN.pdf (accessed on 4 October 2024).
- Pöhn, D.; Hommel, W. An overview of limitations and approaches in identity management. In Proceedings of the 15th International Conference on Availability, Reliability and Security, Virtual Event, 25–28 August 2020; pp. 1–10. [Google Scholar] [CrossRef]
- eIDAS SAML Attribute Profile v1.4.1_final (4).pdf. Available online: https://ec.europa.eu/digital-building-blocks/sites/download/attachments/467109280/eIDAS%20SAML%20Attribute%20Profile%20v1.4.1_final.pdf?version=1&modificationDate=1729176514404&api=v2 (accessed on 16 March 2025).
- Groep, D.L.; Neilson, I. Comparison Guide to Identity Assurance Mappings for Infrastructures. Zenodo 2019. [Google Scholar] [CrossRef]
- SAML Proxying EntraID/Azure with the Shibboleth IdP-Shibboleth Knowledge Base-Confluence. Available online: https://shibboleth.atlassian.net/wiki/spaces/KB/pages/2783936889/SAML+Proxying+EntraID+Azure+with+the+Shibboleth+IdP (accessed on 16 March 2025).
- Internet2 Middleware-eduPerson Object Class Specification. Available online: https://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html (accessed on 16 March 2025).
Federation | eIDAS | REFEDS | Kantara |
---|---|---|---|
Password | X | | |
OTP (One-Time Password) | X | X | X |
Digital Certificate | X | X | |
Biometric Authentication | X | X | |
Category | Method | eIDAS Low | eIDAS Substantial | eIDAS High | REFEDS Low | REFEDS Medium | REFEDS High | Kantara LoA 1 | Kantara LoA 2 | Kantara LoA 3 | Kantara LoA 4 |
---|---|---|---|---|---|---|---|---|---|---|---|
Authentication | Username | X | X | X | | | | | | | |
Authentication | Password | X | X | X | | | | | | | |
Authentication | OTP | X | X | X | X | X | X | | | | |
Authentication | Digital certificate | X | X | X | X | X | X | X | X | X | |
Authentication | Biometric | X | X | X | - | - | - | X | X | X | X |
Identity Proofing | Minimum data | X | X | X | | | | | | | |
Identity Proofing | Identity document | X | X | X | X | X | X | | | | |
Identity Proofing | Biometric validation | X | X | X | X | X | X | X | X | X | |
Identity Proofing | Multi-factor authentication | X | X | X | X | X | X | X | X | X | |
Identity Proofing | Physical identification | X | X | X | X | X | X | X | X | X | |
Protocols | eIDAS | REFEDS | Kantara |
---|---|---|---|
SAML | X | X | X |
OpenID Connect | X | X | |
OAuth | X | | |
No: | Attribute (Purpose/Semantic Meaning) | eIDAS | REFEDS (Commonly Used) | Kantara (IAF/NIST 800-63) |
---|---|---|---|---|
1 | A unique, persistent, non-reassigned identifier for the subject. Typically used for long-term identity correlation. | PersonIdentifier (Mandatory) | eduPersonUniqueId or schacPersonalUniqueID | UniqueID (or similar) |
2 | The subject’s legal last name or surname. | FamilyName (Mandatory) | sn (LDAP “surname”) | FamilyName |
3 | The subject’s primary given name. | FirstName (Mandatory) | givenName | GivenName |
4 | The subject’s date of birth (e.g., YYYY-MM-DD). | DateOfBirth (Mandatory) | schacDateOfBirth (if used) | DOB |
5 | The subject’s name at birth if different from current FamilyName/FirstName. | BirthName (Optional) | — | — |
6 | City, region, or country where the subject was born. | PlaceOfBirth (Optional) | schacPlaceOfBirth (if used) | — |
7 | The subject’s gender marker (e.g., “M”, “F”, “X”). | Gender (Optional) | schacGender (less common) | — |
8 | The subject’s current residential/postal address. | CurrentAddress (Optional) | — | Address |
9 | The subject’s email address, often used as a primary digital contact. | — (Not in base eIDAS set) | | |
10 | The subject’s telephone contact number. | — | telephoneNumber (less common) | Phone |
11 | The country (or countries) of which the subject is a citizen. | — (Some eIDAS profiles define “citizenOf”) | schacCountryOfCitizenship | — |
12 | Common in academia to indicate membership/role at an institution (e.g., “student@univ.edu”). | — | eduPersonScopedAffiliation, eduPersonAffiliation | — |
13 | Often used as a login identifier in academic federations (e.g., “username@institution”). | — | eduPersonPrincipalName | — |
14 | The subject’s ORCID iD, commonly used in research communities. | — | eduPersonOrcid | — |
15 | Specifies rights or privileges assigned to the subject (e.g., “license to use resource X”). | — | eduPersonEntitlement | — |
16 | Allows an IdP to express identity assurance qualifiers (e.g., identity verification level). | — | eduPersonAssurance | — |
17 | The subject’s preferred language or locale (e.g., “en”, “fr”). | — | preferredLanguage (not standard, but used in some LDAP schemas) | — |
18 | A name string suitable for display (e.g., “Dr. Jane Smith”). | — | displayName (commonly used) | DisplayName or FullName |
19 | The subject’s additional forename(s) or initial(s). | — | Could be part of givenName or separate attribute in some deployments | MiddleName (if used) |
20 | A chosen or informal name different from the person’s legal name. | — | eduPersonNickname (rarely used) | — |
21 | Honorific or title (e.g., “Mr.”, “Dr.”), if separately stored. | — | Sometimes schacSn1/schacSn2 or local attribute | NameTitle (if used) |
22 | The name of the subject’s affiliated organization (e.g., an employer, a university). | — | o (LDAP “organizationName”) | — |
23 | The department or unit in which the subject works/studies. | — | ou (LDAP “organizationalUnitName”) | — |
24 | The postal or ZIP code in the subject’s address. | — (part of CurrentAddress if used) | postalCode (if used) | Part of Address |
25 | The city/locality or state/province in the subject’s address. | — (part of CurrentAddress) | l (LDAP “localityName”) or st (“stateOrProvinceName”) | Part of Address |
26 | The country in the subject’s address. | — | c (LDAP “countryName”) | Part of Address |
27 | The subject’s time zone (rarely used as an identity attribute). | — | Not typically standardized in REFEDS | — |
28 | A user’s photograph, if stored. Rare in official ID frameworks, but sometimes used in enterprise directories. | — | jpegPhoto or thumbnailPhoto (LDAP) | Photo (if used) |
29 | X.509 certificate(s) associated with the subject. | — | userCertificate (LDAP) | — |
30 | A contact detail for IM (Jabber, Slack, etc.), if stored. | — | mozillaSecondEmail/custom LDAP attributes | — |
31 | The country portion of place of birth, if separately stored. | PlaceOfBirth can include country | schacPlaceOfBirth (may store country sub-field) | — |
32 | Indicates whether the name is a legal name, preferred name, alias, etc. | — | Some deployments add a “type” attribute or flags | NameType (if used) |
33 | The user’s “login handle” for single sign-on, which may or may not be the same as the unique identifier. | — | Typically eduPersonPrincipalName or local LDAP “uid” | Username (if used) |
34 | Indicates the strength of identity proofing or credential security. Not strictly a personal attribute, but often included in identity federation contexts. | Not an attribute, but eIDAS LoA (Low/Substantial/High) | eduPersonAssurance or refedsAssurance | AssuranceLevel (Kantara IAL/AAL) |
Identifier/Attribute | Persistent | Revocable | Reassignable | Opaque | Targeted | Portable | Global | Qualifier |
---|---|---|---|---|---|---|---|---|
SAML2 Transient NameID | No | N/A | N/A | Yes | N/A | N/A | Yes | N/A |
SAML2 Persistent NameID | Yes | Yes | No | Yes | Yes | Yes | No | Issuer ID |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Shemshi, V.; Jakimovski, B. Extended Model for Efficient Federated Identity Management with Dynamic Levels of Assurance Across eIDAS, REFEDS, and Kantara Frameworks for Educational Institutions. Information 2025, 16, 385. https://doi.org/10.3390/info16050385