Setting up an international collaboration in 16 StepS

Setting up an international
collaboration in 16 steps
This step-by-step plan is meant for international
collaborations in higher education and research, which want
to share (web-based) services across national borders.
Typically, a collaboration consists of a number of institutions from multiple
countries, and within the collaboration, users from these institutions need
to access web services abroad. These services can be offered by the
universities participating in the collaboration, or by third parties.
In this guide, we explain the steps required
to set up the technical infrastructure to
support your international collaboration.
Its aim is to give an overview of the action
required by different stakeholders. We
distinguish a number of roles:
• t he institutions (e.g. universities) involved
in the collaboration,
• the service providers who offer services to
the collaboration,
• the national federation operators,
• and the representative of the
collaboration, who manages this entire
process and has functional knowledge of
the requirements of the collaboration.
For each step, we indicate which of these
parties should take action.
1. Get a Champion (collaboration)
Appoint a specific person within
each institution who is responsible
for the overall project and can make
decisions. This person serves as point of
contact, coordinates the activities and
communication and fixes issues within
the local organization.
2. List requirements (collaboration)
Decide on the functional requirements
for your collaboration, using for example
the MoSCoW-method and match these
to the technical possibilities.
3. Stakeholder analysis (collaboration)
Once the required functionality is
clear, create an overview of all relevant
stakeholders, and make sure they are all
involved in the process. These include
technical and administrative contacts
at all involved institutions and service
providers, as well as representatives of
all involved federation operators. Create
an inventory of the responsibilities of
each stakeholder and the risks involved
for the implementation of each of their
4.Secure resources (collaboration,
institutions, service providers)
Be sure there are enough people
involved within the organisation for
development, configuration and
management. Often, when working in
international collaborations, technical
implementations have to be tweaked
or made within the systems of the
organisation. It is then wise to have the
right resources in place
5.Involve all relevant national
federations (federation operators)
Make sure all relevant national
federations are involved from the start
of the project. Apart from their technical
role to manage the international
connections, they also have a large
expertise in federation technology.
6.Inform yourself about federations
(collaboration, institutions, service
It is useful to understand how a
federation works, so get familiar with the
functionality of identity federations. Your
local federation has more information,
and should be able to supply relevant
documentation. A good starting point in
the Netherlands is
7.Manage expectations
Discuss with everyone involved what
the goals of the collaboration and the
desired functionalities are. Then discuss
what is technically feasible and what
policies and processes come into play.
Make sure everyone understands the
possibilities, different options and
limitations. It is useful to make a plan
with milestones and to evaluate these,
so you can adjust the future milestones
according to the progress. Keep the
steps in the plan small, so they become
easier to manage.
8.Make sure institutions have a
SAML2 identity provider and
are connected to their national
federation (institutions)
International authentication between
universities and services is handled
using the SAML2 protocol. Sources
of identities are called “Identity
Providers” (IdPs); these are typically
systems hosted at the university that
are responsible for the management of
identities. Distribution of the identities
from identity providers to services is
handled through national federations,
which bring together multiple identity
providers and services in a single
infrastructure and policy framework.
9.Make an inventory of users
of the collaboration services
Determine which people need access.
Typically, the majority of users have
an account at a university, which can
be used to access shared services
via the national federation. However,
often also non-students/staff take part
in the collaboration, e.g., researchers
from industry partners or government
employees. Some federations run
a “home for the homeless” identity
provider to support such collaborations.
Discuss these issues with the involved
federation operators to determine the
best solution.
10.Connect local services to local
federations (service providers)
The services involved in the project
should be connected to the national
federations. The existing expertise of the
national federation’s experts should be
used to streamline this domestication
11.Agree on attribute exchange
(institutions, service providers,
federation operators)
Most services need more information
about a user than simply a valid
authentication. Such information might
include their name, email address, home
institution, whether they are student
or staff, etc. In most situations, none of
this information is available by default
for service providers. The institutions
that provide the user identities and
the services should agree on which
attributes are available and can be used
by the services. Also, not all federations
support transmission of all available
12.Local federations should be
member of eduGAIN (federation
EduGAIN is a framework for international
collaboration between identity
federations. If two national federations
are members of eduGAIN they can make
connections between their local IdPs and
‘foreign’ services, and vice versa. This
makes it possible to connect to a service
across international borders. Current
eduGAIN members are listed on http://
13.Federations test eduGAIN
connection (federation operators)
As a first step in making the international
connections, the federations involved
test their eduGAIN implementation by
connecting test services to foreign test
identity providers, and vice versa.
14.Publish participating IdPs and SPs
in eduGAIN (federation operators)
The national federations are responsible
for publishing the metadata of the
services and identity providers in
eduGAIN. The published metadata
can be used to create a technical
international connection between
services and identity providers.
Once these steps have been completed,
your international collaboration can fully
benefit from the advantages offered by
local federations. International users from
multiple countries can safely log into the
systems supported by your collaboration
using the credentials from their home
Note that in practice, the technical steps are
not the main problem: technical issues can
usually be solved. However, because of the
many parties involved, getting alignment
between all parties can be a big issue and
takes most time.
15.Make interconnections between
services and institutions via
eduGAIN (federation operators,
institutions, service providers)
Services and identity provider can
be connected to entities listed in the
eduGAIN metadata. Depending on the
type of federation, this configuration
process is carried out by different
parties. In the case of a hub-and-spoke
federation, like SURFconext (NL) or
WAYF (DK), it is the responsibility of
the federation operator. In the case of
mesh federations, like Swamid (SE) or
SWITCH (CH), this should be handled by
the administrators of the services and
identity providers themselves.
16.Educate users (collaboration)
Make the end-users aware of which
services are available, how they get
access to the applications, and how the
login procedure works.
Consider implementing a central
portal, through which users can access
all connected services used for you
collaboration. Without such a central
starting point, users might find it hard to
discover all services offered. For pointers
on the most effective way to present
identity to users of your site,
visit the REFEDS Discovery Guide at
Radboudkwartier 273
P.O. box 19035
NL-3501 DA Utrecht
T +31 (0)30 230 53 05
F +31 (0)30 230 53 29
This work is licensed under a Creative Commons Licence Attribution
3.0 Netherlands (