Setting up an international collaboration in 16 steps This step-by-step plan is meant for international collaborations in higher education and research, which want to share (web-based) services across national borders. Typically, a collaboration consists of a number of institutions from multiple countries, and within the collaboration, users from these institutions need to access web services abroad. These services can be offered by the universities participating in the collaboration, or by third parties. In this guide, we explain the steps required to set up the technical infrastructure to support your international collaboration. Its aim is to give an overview of the action required by different stakeholders. We distinguish a number of roles: • t he institutions (e.g. universities) involved in the collaboration, • the service providers who offer services to the collaboration, • the national federation operators, • and the representative of the collaboration, who manages this entire process and has functional knowledge of the requirements of the collaboration. For each step, we indicate which of these parties should take action. 1. Get a Champion (collaboration) Appoint a specific person within each institution who is responsible for the overall project and can make decisions. This person serves as point of contact, coordinates the activities and communication and fixes issues within the local organization. 2. List requirements (collaboration) Decide on the functional requirements for your collaboration, using for example the MoSCoW-method and match these to the technical possibilities. 3. Stakeholder analysis (collaboration) Once the required functionality is clear, create an overview of all relevant stakeholders, and make sure they are all involved in the process. These include technical and administrative contacts at all involved institutions and service providers, as well as representatives of all involved federation operators. Create an inventory of the responsibilities of each stakeholder and the risks involved for the implementation of each of their tasks. 4.Secure resources (collaboration, institutions, service providers) Be sure there are enough people involved within the organisation for development, configuration and management. Often, when working in international collaborations, technical implementations have to be tweaked or made within the systems of the organisation. It is then wise to have the right resources in place 5.Involve all relevant national federations (federation operators) Make sure all relevant national federations are involved from the start of the project. Apart from their technical role to manage the international connections, they also have a large expertise in federation technology. 6.Inform yourself about federations (collaboration, institutions, service providers) It is useful to understand how a federation works, so get familiar with the functionality of identity federations. Your local federation has more information, and should be able to supply relevant documentation. A good starting point in the Netherlands is www.surfconext.nl. 7.Manage expectations ­(collaboration) Discuss with everyone involved what the goals of the collaboration and the desired functionalities are. Then discuss what is technically feasible and what policies and processes come into play. Make sure everyone understands the possibilities, different options and limitations. It is useful to make a plan with milestones and to evaluate these, so you can adjust the future milestones according to the progress. Keep the steps in the plan small, so they become easier to manage. 8.Make sure institutions have a SAML2 identity provider and are connected to their national federation (institutions) International authentication between universities and services is handled using the SAML2 protocol. Sources of identities are called “Identity Providers” (IdPs); these are typically systems hosted at the university that are responsible for the management of identities. Distribution of the identities from identity providers to services is handled through national federations, which bring together multiple identity providers and services in a single infrastructure and policy framework. 9.Make an inventory of users of the collaboration services (collaboration) Determine which people need access. Typically, the majority of users have an account at a university, which can be used to access shared services via the national federation. However, often also non-students/staff take part in the collaboration, e.g., researchers from industry partners or government employees. Some federations run a “home for the homeless” identity provider to support such collaborations. Discuss these issues with the involved federation operators to determine the best solution. 10.Connect local services to local federations (service providers) The services involved in the project should be connected to the national federations. The existing expertise of the national federation’s experts should be used to streamline this domestication effort. 11.Agree on attribute exchange (institutions, service providers, federation operators) Most services need more information about a user than simply a valid authentication. Such information might include their name, email address, home institution, whether they are student or staff, etc. In most situations, none of this information is available by default for service providers. The institutions that provide the user identities and the services should agree on which attributes are available and can be used by the services. Also, not all federations support transmission of all available attributes. 12.Local federations should be member of eduGAIN (federation operators) EduGAIN is a framework for international collaboration between identity federations. If two national federations are members of eduGAIN they can make connections between their local IdPs and ‘foreign’ services, and vice versa. This makes it possible to connect to a service across international borders. Current eduGAIN members are listed on http:// www.edugain.org/technical/status.php. 13.Federations test eduGAIN connection (federation operators) As a first step in making the international connections, the federations involved test their eduGAIN implementation by connecting test services to foreign test identity providers, and vice versa. 14.Publish participating IdPs and SPs in eduGAIN (federation operators) The national federations are responsible for publishing the metadata of the services and identity providers in eduGAIN. The published metadata can be used to create a technical international connection between services and identity providers. Once these steps have been completed, your international collaboration can fully benefit from the advantages offered by local federations. International users from multiple countries can safely log into the systems supported by your collaboration using the credentials from their home institutions. Note that in practice, the technical steps are not the main problem: technical issues can usually be solved. However, because of the many parties involved, getting alignment between all parties can be a big issue and takes most time. 15.Make interconnections between services and institutions via eduGAIN (federation operators, institutions, service providers) Services and identity provider can be connected to entities listed in the eduGAIN metadata. Depending on the type of federation, this configuration process is carried out by different parties. In the case of a hub-and-spoke federation, like SURFconext (NL) or WAYF (DK), it is the responsibility of the federation operator. In the case of mesh federations, like Swamid (SE) or SWITCH (CH), this should be handled by the administrators of the services and identity providers themselves. 16.Educate users (collaboration) Make the end-users aware of which services are available, how they get access to the applications, and how the login procedure works. Consider implementing a central portal, through which users can access all connected services used for you collaboration. Without such a central starting point, users might find it hard to discover all services offered. For pointers on the most effective way to present federated identity to users of your site, visit the REFEDS Discovery Guide at http://discovery.refeds.org. SURFnet Radboudkwartier 273 P.O. box 19035 NL-3501 DA Utrecht T +31 (0)30 230 53 05 F +31 (0)30 230 53 29 email@example.com www.surfnet.nl 2013 This work is licensed under a Creative Commons Licence Attribution 3.0 Netherlands (www.creativecommons.org/licenses/by/3.0/nl).