
Interfederation: exchanging metadata

eduGAIN is a form of interfederation. Participating federations share information (metadata) about entities from their own federation with eduGAIN. Next, eduGAIN bundles these metadata and publishes it on a central location. All participating federations now have a single location to find information about entities from other federations. Thanks to this information, Identity Providers and Service Providers from different federations can now connect to each other.

With interfederation, it's no longer necessary for entities to join each others' federation when they want to connect to each other.

eduGAIN aggregates metadata from participating federations (metadata service). This aggregate is consumed by all participating federations, such that Identity Providers and Service Providers can find each other.

Technically, this aggregate works as follows:

  • Each participating federation produces a so-called 'export metadata aggregate': a file that contains the metadata of the local Identity Providers and Service Providers that participate in eduGAIN. Note that this is often a subset of all Identity Providers and Service Providers in that federation.
  • eduGAIN combines all export metadata aggregates and generates an "eduGAIN aggregate": a file that combines the metadata from all participating federations.
  • This eduGAIN aggregate is signed by eduGAIN and published on the internet, thereby making it available to all participating federations.
  • Each participating federation must consume this eduGAIN aggregate and supply it to its local Identity Providers and Service Providers. A federation can decide to filter out certain entities before making the aggregate available locally, e.g. filter out its own entities, to prevent them from appearing in the metadata twice.
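As an added illustration of the last step (the consuming side): the filter below is example Python written for this page, not SURFconext's or eduGAIN's own tooling. It assumes the eduGAIN signature on the aggregate has already been verified, uses constructed entityIDs and registration-authority URLs, and identifies an entity's home federation by the registrationAuthority in its mdrpi:RegistrationInfo, which the eduGAIN SAML 2.0 Metadata Profile requires every entity to carry.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
}

# Constructed sample aggregate: two registered entities plus one without
# RegistrationInfo. All URLs are placeholders, not real federation values.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi"
    validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.federation-a.example/saml">
    <md:Extensions><mdrpi:RegistrationInfo
      registrationAuthority="https://registry.federation-a.example/"/></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.federation-b.example/saml">
    <md:Extensions><mdrpi:RegistrationInfo
      registrationAuthority="https://registry.federation-b.example/"/></md:Extensions>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.unattributed.example/saml">
    <md:Extensions/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def filter_aggregate(xml_text: str, own_authority: str,
                     now: Optional[datetime] = None) -> List[str]:
    """Return the entityIDs a federation should import locally.

    Refuses an expired or unbounded aggregate, drops the federation's own
    entities (already present in local metadata) and skips entities that
    carry no RegistrationInfo, since their home federation cannot be told.
    Assumes the XML signature was verified before this function is called.
    """
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate has no validUntil; refusing unbounded metadata")
    expiry = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
    if (now or datetime.now(timezone.utc)) > expiry:
        raise ValueError(f"aggregate expired at {valid_until}")
    kept = []
    for entity in root.findall("md:EntityDescriptor", NS):
        reg = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        if reg is None or reg.get("registrationAuthority") == own_authority:
            continue
        kept.append(entity.get("entityID"))
    return kept
```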


Important: eduGAIN provides the infrastructure for entities to connect with each other across national borders. This doesn't mean connections are automatically made when an Identity Provider or Service Provider participates in eduGAIN. A connection between two entities only becomes active when both parties explicitly agree to do so.

Requirements for participating federations

Federations that participate in eduGAIN are likely to differ from each other technically and policy wise. Even so, with eduGAIN there is a common foundation to trust each other and exchange data.

To accomplish this, each participating federation must adhere to several policies prescribed by eduGAIN. An example of such a policy is the 'Metadata registration practice statement'. Each federation must publish this statement, which describes how new entities are allowed into the federation. By doing so, this process becomes known to all other federations. Another example of a technical policy is the 'eduGAIN SAML 2.0 Metadata Profile' specification, which describes the SAML profile every participant must support.

An overview of all policy documents for eduGAIN can be found on the website of eduGAIN.

Trust

Thanks to eduGAIN it's no longer necessary for entities to join each others' federation to enable federated login across national borders. That saves a lot of time. The idea behind eduGAIN is that federations that participate in eduGAIN trust each other as a whole. So: if SWITCH-AAI (the Swiss federation for higher education and research) trusts the University of Zurich, SURFconext (the Dutch federation for secondary vocational, higher education and research) trusts this entity as well, since both federations are members of eduGAIN.

Different types of federations

SURFconext and eduGAIN operate in different ways, due to their technical setup. SURFconext is a hub-and-spoke federation, whereas eduGAIN is based on the mesh principle. This difference is important because it influences the way Identity Providers and Service Providers connected to SURFconext can participate in eduGAIN. To understand this difference, please read on to learn about the different federation architectures.
