AARC and GEANT GN4 projects are studying the Service Provider (SP) communities' (such as research infrastructures/communities) requirements on Level of Assurance (LoA). The survey results will serve the future development of federated authentication and authorization where end users' Home Organisation (e.g. the university or research institute employing the researcher) delivers him/her the authentication credentials and authenticates him/her.

Narrowly speaking, LoA for user authentication covers two things:

• Identity vetting: how an end user demonstrates his/her identity at the time when s/he receives the authentication credential from his/her Home Organisation (e.g. by presenting government photo-id face-to-face at a registration desk or self-registration on-line with)
• authentication: how an end user proofs his/her identity to his/her Home Organisation's Identity Provider server when s/he logs in (e.g. password or multi-factor authentication with a certificate or token) 

More widely speaking, LoA can also cover

• delivery of credentials to their holder
• revocation of credentials
• information security management of the Home Organisation
• Audits of the Home Organisation

Some people also count these in

• quality and freshness of user attributes (self-asserted by the user or Home Organisation vetted)

The intention is to collect SP communities' needs for the Level of Assurance (LoA) of the identity and authentication provided by research Home Organisations i.e. the universities or other institutes employing the researchers and assigning them user identities.

1. Questions on the research infrastructures/communities

Who are your end users (who need to log in to your services):

• researchers with a Home Organisation (that operates or potentially operates an IdP)
• citizen scientists
•  students with a Home Organisation (that operates or potentially operates an IdP)
• else/what?

2.How important it is for you that...

Identity concept

• all account belongs to an individual person (i.e. there are no shared accounts like "libraryuser1")?
• and all users are traceable (i.e. the home organization knows and can reach him/her)?
• and Home Organisation is willing to collaborate with you if their user misbehaves?
• that you (as an SP) can block him/her from your services?

• user identifiers are persistent i.e. not reassigned (re-cycled) to another person over time?
• user identifiers are shared by multiple SPs  (i.e. not pairwise/targeted)

Initial proof of identity

• the home organization has a documented identity vetting process (whatever it is)?
• the identity vetting process is face-to-face (presenting a government photo-ID) or equivalent?

On-line authentication

• Are password-based authentication good enough for you?
• Or should passwords have some kind of quality floor? (What kind of quality floor?)
• Do you need two factor authentication? (What kind of?)

Would you like to use step-up authentication as a service?

Step-up authentication means that the user first authenticates with a password, and subsequently with a second factor (such as by an one-time password delivered to his/her cellphone). Step-up authentication could be delivered to research communities as a service.

• if it costs you money?
• if it costs you work (for instance, you need to operate one or several registration authorities where your community's users come to show their photo-ID and you record their cellphone number)?

Freshness of user data

• Do you expect that user accounts are closed as an individual departs? How promptly?
• Do you expect that user's eduPersonAffiliation value is updated as an individual departs? How promptly?

Quality of user data

In larger universities the IdP/IdP gathers users' attributes from several registries with varying data quality. Some attributes can even be self-asserted by the user him/herself.

• Do you want to know the reliability of the user data on an attribute level? On what level of granularity?

LoA Audits

• Is it enough that the Home Organisation self-asserts that they comply with the LoA baseline?
• Plus someone has some enforcement rights (e.g. Home identity federation can remove “compliant” tag from the Home Organisation if there are doubts that a Home Organisation fails the minimum requirements)?
• also internal audits needed?
• also external audits needed?

---

Additional requirements

Do we think these issues have anything to do with the LoA things?

• attribute population; which attributes the Home Organisation populates for users
• attribute release; which attributes the Home Organisation is willing to release 

--- 

Communitites to target this survey to

• EGI (DavidG)
• wLCG (Romain).
• PRACE (Jules Wolfrat)
• DARIAH  - Peter G or GWDG
• CLARIN - Martin Matthiesen
• ELIXIR - Tommi Nyronen
• Photon/Neutron/Umbrella - Mirjam
• Libraries (Melanie?)
• find some more RIs from FIM4R community