InAcademia x eduGAIN
Like its parent product, eduGAIN, InAcademia provides real-time validation of academic affiliation using trusted sources. Unlike eduGAIN, it offers the merchant, particularly one operating an OpenID Connect client, a single point of interaction: InAcademia acts as a gateway to the academic identity providers that use the service, with the potential to reach a high proportion of academic institutions across Europe, and without the merchant needing to understand the technical nuances of each national identity federation.
The benefits of InAcademia in comparison to full federation membership are extensive.
For merchants:
- InAcademia directly supports OIDC clients (whereas the IdPs and the eduGAIN protocol are typically SAML).
- InAcademia is operated and governed by the European national identity federations, so merchants using InAcademia benefit from that technology and experience without having to understand every aspect of the academic federated identity landscape.
- InAcademia keeps in step with the various developments in policy and technology that would otherwise have to be understood and mitigated in-house by the merchant.
- A fundamental design feature in InAcademia is the principle of data minimisation: InAcademia requests only the attributes necessary to confirm academic affiliation, and discards all superfluous data.
- InAcademia handles error flows in a more predictable manner: the native OIDC error flow combined with the heterogeneous nature of the eduGAIN landscape can be quite confusing. By comparison, service providers operating directly in eduGAIN have to understand and handle multiple error scenarios from multiple identity provider technologies.
- InAcademia logs key events and proactively works to resolve issues found with support of each national Federation.
- Some federations operate an opt-in policy: if service providers relied on federation membership alone, they would have to persuade hundreds, if not thousands, of institutions on a 1:1 basis to opt into their SP, and would need to handle the technical idiosyncrasies of every national context. InAcademia creates a 1:1 relationship (SP to InAcademia) instead of a 1:many relationship (SP engaging with every federation and institution, either to fix issues or to ensure IdPs opt in or don't filter).
For institutions and federation operators:
- InAcademia responds to a merchant request for validation with pseudonymised identifiers, and strips out any superfluous PII returned by the IdP before returning an id_token to the client, meaning that it’s a truly privacy-preserving route to using academic federated identities.
- Once onboarded to InAcademia, an institution only needs to opt into InAcademia in order to benefit from its downstream services.
- InAcademia is transparent in its privacy policy as regards the services for which it acts as a proxy.
- Federation operators have an opportunity to shape the future of the InAcademia service by joining its steering committee.
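The data-minimisation and pseudonymisation steps described above (request only what is needed to confirm affiliation, discard superfluous PII, return a pseudonymised identifier in the id_token) can be illustrated with the following added example. It is not InAcademia's code and does not reflect its actual claim schema; the attribute names are assumed to be the usual eduPerson/SCHAC names a SAML IdP releases, and the claim names and HMAC-based pairwise subject are assumptions for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Attribute names the gateway needs to decide academic affiliation (assumed:
# eduPerson/SCHAC names as commonly released by SAML IdPs). Everything else
# the IdP returns is treated as superfluous PII and discarded.
ATTRIBUTES_NEEDED = ("eduPersonScopedAffiliation", "schacHomeOrganization")
ACADEMIC_AFFILIATIONS = {"student", "faculty", "staff", "employee", "member"}


def pairwise_sub(secret: bytes, client_id: str, idp_entity_id: str, persistent_id: str) -> str:
    """Per-merchant pseudonymous subject: a keyed HMAC over (client, IdP,
    IdP-issued persistent id) is stable for one merchant, while a different
    merchant receives an unrelated value it cannot correlate or reverse."""
    msg = "|".join((client_id, idp_entity_id, persistent_id)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def minimise(secret: bytes, client_id: str, idp_entity_id: str, persistent_id: str,
             idp_attributes: dict) -> Optional[dict]:
    """Return id_token claims for the merchant, or None if affiliation cannot be
    confirmed. idp_attributes is the SAML-style multi-valued attribute map."""
    kept = {name: idp_attributes.get(name, []) for name in ATTRIBUTES_NEEDED}
    # Scoped affiliation is "role@scope"; only the role is needed for the decision.
    roles = {value.split("@", 1)[0] for value in kept["eduPersonScopedAffiliation"]}
    confirmed = sorted(roles & ACADEMIC_AFFILIATIONS)
    if not confirmed:
        return None
    home_org = kept["schacHomeOrganization"]
    # Claim names below are assumed for illustration, not InAcademia's real schema.
    return {
        "sub": pairwise_sub(secret, client_id, idp_entity_id, persistent_id),
        "affiliation": confirmed,
        "home_organization": home_org[0] if home_org else None,
    }


# Constructed sample: an IdP releasing more attributes than the gateway needs.
SAMPLE_IDP_ATTRIBUTES = {
    "givenName": ["Ada"],
    "sn": ["Lovelace"],
    "mail": ["ada@example.edu"],
    "eduPersonScopedAffiliation": ["student@example.edu", "member@example.edu"],
    "schacHomeOrganization": ["example.edu"],
}
```

Names and mail never reach the merchant, and two merchants get different `sub` values for the same person, so neither can link the user across services.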