Who puts the "Single" into SSO?
Like standards, SSO systems are a case where two is one too many. I know several groups currently working on federated ID for European researchers. I hope there will be communication between them during Summer 2014. Without it, there is a real risk that European researchers will need several "single" sign on ids.
One source of risk is that the requirements vary. There are many web portals that provide access to open data. They can be enhanced by adding a userid and supporting persistent projects. The security requirement here is low: the data is public, so at most there may be a concern that queries are proprietary.
You can register with ORCID using any email address, so there is no assurance that a service provider can trace an ORCID id back to an actual physical and legal identity. At present, eduGAIN does not impose any particular level of real-world verification on its members, nor does it pass on to service providers any details of what verification a given identity provider has actually done. For the common case described above, that is OK.
However, there are other cases. One is remote access to an expensive experimental facility. Another is remote access to research data which is not open, e.g. because of privacy issues. For such cases, a UK grid certificate would be fine, because I had to show my passport to get one. Service providers like these need to know that identity providers meet some minimum standard of traceability into the real world.
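The distinction the last two paragraphs draw is one a service provider has to enforce in code: a resource needs a minimum level of real-world traceability, and the assurance it gets depends on which identity provider authenticated the user. The following is an added example written for this page, not code from eduGAIN, ORCID or any grid software. It assumes a registry (standing in for federation metadata, with hypothetical entity IDs) that tags each identity provider with the level of verification it performs, and a per-resource requirement; it fails closed on unknown issuers and never lets an identity provider assert a higher level than the federation vouches for.

```python
"""Added example: a service provider gating access on identity-provider assurance.

Illustrative code written for this page, not from any federation software.
Assumptions (not from the original text): identity providers are tagged with
one of three constructed assurance levels, and the service provider knows the
level each of its resources needs.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Ordered from weakest to strongest; the index in this list is the comparable rank.
ASSURANCE_LEVELS = ["self-asserted", "institutional", "document-verified"]

# Constructed registry standing in for federation metadata. Entity IDs are hypothetical.
IDP_ASSURANCE = {
    "https://idp.open-portal.example.org": "self-asserted",      # any email address will do
    "https://idp.university.example.ac.uk": "institutional",      # enrolled staff/students
    "https://ca.grid.example.ac.uk": "document-verified",         # passport shown in person
}

# What each kind of resource discussed on the page demands.
RESOURCE_REQUIREMENT = {
    "open-data-portal": "self-asserted",
    "restricted-research-data": "document-verified",
    "experimental-facility": "document-verified",
}


@dataclass(frozen=True)
class Assertion:
    """The minimum a service provider sees after a federated login."""
    issuer: str                               # entity ID of the identity provider
    subject: str                              # persistent identifier for the user
    asserted_assurance: Optional[str] = None  # level the IdP itself claims, if any


def rank(level: str) -> int:
    """Position of a level in ASSURANCE_LEVELS; raises ValueError for unknown values."""
    return ASSURANCE_LEVELS.index(level)


def effective_assurance(assertion: Assertion) -> Optional[str]:
    """Return the assurance level the SP may rely on, or None to fail closed.

    The result is the weaker of the registry's level for the issuer and whatever
    the issuer asserted: an identity provider cannot upgrade itself above what the
    federation vouches for, and an issuer missing from the registry gets nothing.
    """
    registered = IDP_ASSURANCE.get(assertion.issuer)
    if registered is None:
        return None
    if assertion.asserted_assurance is None:
        return registered
    if assertion.asserted_assurance not in ASSURANCE_LEVELS:
        return None  # unrecognised value: do not guess, refuse
    return min(registered, assertion.asserted_assurance, key=rank)


def authorize(assertion: Assertion, resource: str) -> Tuple[bool, str]:
    """Decide whether this login may reach the resource; second element is the reason."""
    required = RESOURCE_REQUIREMENT[resource]
    got = effective_assurance(assertion)
    if got is None:
        return False, "issuer not in federation metadata or assurance value unrecognised"
    if rank(got) < rank(required):
        return False, f"{resource} requires {required}, issuer provides {got}"
    return True, "ok"


if __name__ == "__main__":
    logins = [
        (Assertion("https://idp.open-portal.example.org", "alice"), "open-data-portal"),
        (Assertion("https://idp.open-portal.example.org", "alice"), "restricted-research-data"),
        (Assertion("https://ca.grid.example.ac.uk", "bob"), "experimental-facility"),
        # University IdP over-claiming: the registry's level wins.
        (Assertion("https://idp.university.example.ac.uk", "carol", "document-verified"),
         "restricted-research-data"),
        (Assertion("https://idp.unknown.example.net", "mallory"), "open-data-portal"),
    ]
    for assertion, resource in logins:
        ok, why = authorize(assertion, resource)
        print(f"{assertion.issuer} -> {resource}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The two design choices worth copying are the fail-closed default for issuers the federation does not vouch for, and taking the minimum of the registered and the self-asserted level, so that the traceability guarantee rests on what the federation verified rather than on what the identity provider chooses to say about itself.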
All this is perfectly fixable, provided that everyone talks to each other. There isn't much time to do so, if we are to avoid a mess.
Author: Herman Stehouwer
Date: 30 Jun, 2014
Thanks for this very timely piece. It is certainly an issue that needs to be tackled, sooner rather than later.
Considering that the issue is to have some linkage back to the real world, how feasible is it to attempt such an SSO infrastructure at the global level?