LIGO is an international research collaboration that has its roots in the US and is an InCommon member. LIGO regularly forms partnerships with other research groups from around the world. Like all research enterprises, it is also committed to a strong education and outreach program. LIGO service providers (SPs) fall into two categories: higher security services, which are used exclusively by those within LIGO, and lower security services, which are used by a mixture of LIGO users and other collaborators. We require at least ePPN, and preferably the entire Research and Scholarship (R&S) Entity Category suite of attributes, to access either kind of service. For users within LIGO whose IdPs do not assert R&S, we provide an IdP of last resort so that they can reach the high security SPs. They can also access the lower security SPs with these credentials. For external collaborators accessing lower security services, we use their home IdPs to authenticate when R&S is available. All other users can use a Google identity via a Cirrus social-to-SAML gateway service we have contracted. For education and outreach we have not yet implemented any services, but there is a clear use case for having services available to K-12 for these purposes.
Our primary issues in supporting our users are the following:
- Within LIGO, there are a large number (>100) of users whose institutional IdPs are not in InCommon or whose IdPs do not support R&S. Because of security requirements for SPs within LIGO, we cannot leverage lower assurance IdPs such as the social-to-SAML gateway from Cirrus and are therefore supporting our own IdP.
- Of the users from outside LIGO that we support, only a few (<10%) are from institutions within the US that support R&S. About half of these users are from inside the US but come from institutions that aren't in InCommon or that don't support R&S. The other half are international. Only one of these international users is from an institution that supports R&S. Rather than support an IdP for every scientist who wants to collaborate with LIGO, we use the Cirrus social-to-SAML gateway for these users, since they do not access higher security services.
- We do not support any services for K-12 in our education and outreach efforts at the moment, but if K-12 identities become federated within InCommon or through another metadata feed that we can access, we would be very interested in pursuing that. Again, we would require ePPN (or at least a persistent untargeted ID) at a minimum, but would prefer the R&S attributes to support these users.