How does eduGAIN work?

There are many different AAI (Authentication and Authorisation Infrastructure) systems in use across Europe, all of which are designed to control access to networks and applications, and to ensure the secure movement of information within those networks. Currently, organisations must join one another's federations in order to establish the relationship needed to exchange information across these systems.

Federated AAI environments
Different organisations and NRENs use Authentication and Authorisation Infrastructures (AAIs) to build a trusted environment in which users can be identified electronically using a single identity. These systems usually also hold information about a user's access rights, based on attributes that characterise their role. Resource owners (Service Providers) use these federated environments to control federation participants' access rights to the resources they provide.

The existence of multiple AAIs makes it technically and administratively difficult for a user to go to a different institution (outside of their own federation) and log on securely. When a user attempts to gain access to protected resources and services from other federations, they must first be successfully authenticated by their home AAI and then authorised by the visited Service Provider.

The aim of eduGAIN (GÉANT Authorisation INfrastructure for the research and education community) is to enable different AAIs to interact seamlessly. The eduGAIN technology translates between the protocols used in local AAIs and maps attributes according to local definitions. The information needed to locate entities in the different federations is centralised at a "Metadata Service", where it can be dynamically queried and updated.
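
The flow described above (locate the home entity in the metadata, map its local attributes to a common vocabulary, then let the visited Service Provider decide) can be sketched as follows. This is an added illustration, not eduGAIN code: the federation names, entity IDs, attribute names and value mappings are all hypothetical and constructed for the example, and protocol translation is not modelled.

```python
"""Added illustration: metadata lookup, attribute mapping, SP authorisation."""

# Constructed stand-in for the central Metadata Service:
# entity ID of an identity provider -> the federation it belongs to.
METADATA_SERVICE = {
    "https://idp.uni-a.example/idp": "fed-a",
    "https://idp.uni-b.example/idp": "fed-b",
}

# Constructed per-federation mappings from local attribute names and values
# to the common vocabulary the Service Provider understands.
NAME_MAP = {
    "fed-a": {"role": "affiliation", "uid": "principal"},
    "fed-b": {"memberType": "affiliation", "login": "principal"},
}
VALUE_MAP = {
    "fed-a": {"affiliation": {"personnel": "staff", "pupil": "student"}},
    "fed-b": {"affiliation": {"employee": "staff", "learner": "student"}},
}

def locate_federation(entity_id):
    """Query the metadata for an entity; unknown entities are an error."""
    try:
        return METADATA_SERVICE[entity_id]
    except KeyError:
        raise LookupError(f"entity not in metadata: {entity_id}") from None

def translate_attributes(federation, local_attrs):
    """Map local names and values to common ones; drop anything unmapped."""
    names = NAME_MAP[federation]
    values = VALUE_MAP.get(federation, {})
    common = {}
    for local_name, local_value in local_attrs.items():
        if local_name not in names:
            continue  # unmapped attribute name: never passed through to the SP
        name = names[local_name]
        vmap = values.get(name)
        if vmap is not None and local_value not in vmap:
            continue  # value with no agreed translation is dropped
        common[name] = vmap[local_value] if vmap else local_value
    return common

def authorise(entity_id, local_attrs, allowed_affiliations):
    """SP decision after home authentication; denies on any lookup failure."""
    try:
        federation = locate_federation(entity_id)
    except LookupError:
        return False
    attrs = translate_attributes(federation, local_attrs)
    return attrs.get("affiliation") in allowed_affiliations
```

Because only mapped names and values survive translation, an attribute that a home organisation sends under the common name directly, or under a name outside its federation's mapping, has no effect on the Service Provider's decision.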