SAFIRE: supporting secure, seamless collaboration

The South African Identity Federation (SAFIRE), makes it possible for staff and students of higher educational institutions to log into services all over the world with one trusted identity provided by their home institution. It also makes life much easier for the user, not to mention safer, to be able to use their institutional log-in,
SAFIRE: supporting secure, seamless collaboration
South African Identity Federation

As teaching and learning resources are increasingly digital, students want to be able to access them from anywhere. Researchers collaborate globally, which means they need to be able to share data, tools and software remotely. While this kind of freedom of access is fantastic for the users, it brings a number of challenges for those providing user access, not least of which is keeping user identities private, in line with the Protection of Personal Information Act (POPIA). TENET’s Trust and Identity Services, in particular, the South African Identity Federation (SAFIRE), makes it possible for staff and students of higher educational institutions to log into services all over the world with one trusted identity provided by their home institution. It also makes life much easier for the user, not to mention safer, to be able to use their institutional log-in instead of another set of usernames and passwords.

“SAFIRE makes federated login possible,” says Guy Halse, head of Trust and Identity at TENET. “While that might sound highly technical, it’s not an unfamiliar concept to most. If you’ve ever logged into a website using your credentials from Google or Facebook you’ll have done a federated login of sorts.”

SAFIRE gives access to other educational organisations or research infrastructure with the same ease, but what makes academic federations different is that they provide trusted information directly from the university, which allows services to make decisions that would not be possible if they were using a social provider.

“There are more than 60 similar federations to SAFIRE all over the globe which exist to increase access to resources and promote research collaboration,” explains Halse. “SAFIRE allows you to connect to other institutions through inter-federation access and trust agreements.”

Why use SAFIRE?

Managing authentication and authorisation requires skills and resources, including time. This is why it has become common for National Research and Education Networks (NRENs) to provide federated identity as part of their service.

“Service providers don’t pay anything for the use of SAFIRE; it is a public good,” says Halse.

It allows researchers and university staff to save time and money on technical support and offer safer and more reliable access to more services, data, tools and software.

Who uses SAFIRE

“There are a number of use cases in South Africa,” says Halse, “but probably the biggest in terms of traffic are academic libraries.”

Many of the big academic publishers, like Elsevier and Thomson Reuters, have already adopted federated identity, because there is demand for it coming out of other countries. Which means these integrations already exist. Using federated access means students can access academic journals from anywhere, just using their institutional login. So libraries can facilitate off-campus logins through existing integrations which are already POPIA compliant.

Another important use case is regional and national research infrastructures. The South African Centre for Digital Language Resources (SADiLaR) is a national centre which forms part of the South African Research Infrastructure Roadmap. Their mandate is to support the creation, management and distribution of digital language resources, as well as applicable software. They do this through a repository, which can be accessed freely by researchers, through SAFIRE.

“Using SAFIRE for contributors to the SADiLaR data repository allows researchers at many South African universities and other research entities to log on without creating an account with us,” says Dr Friedel Wolff, technical manager at SADiLaR. “It also means that we don't need to vet contributors, only contributions. If an account proves that someone is an employee at a university, it already proves their bona fides, and reduces the burden on us to manage the user accounts.”

Ilifu, a data-intensive research cloud infrastructure, designed to be a regional hub for data-intensive research, particularly in the fields of astronomy and bioinformatics, also uses SAFIRE as their authentication service.

“Ilifu is part of the EGI cloud federation,” explains Professor Rob Simmonds, facilities manager at Ilifu and Professor of Computer Science at the University of Cape Town.

EGI is a federated global research infrastructure comprising both national and intergovernmental computing and data centres. This EGI federation has its roots in Europe but has become global. This is one of several global systems providing similar identity brokering services, including CILogin and eduTEAMS.

The EGI check-in system aggregates authentication and authorisation systems for services like Ilifu, and in South Africa relies on SAFIRE as the national identity federation service.

“We are however working on having a more direct link to SAFIRE so that users don’t need to have an EGI account to access Ilifu,” says Simmonds.

Building your own

Some research infrastructures and groups have sound reasons not to use SAFIRE and prefer to build their own access management solutions. For those choosing this route, Halse strongly advises they engage carefully with the Authentication and Authorisation for Research Collaborations (AARC) Blueprint Architecture, which is the outcome of a project established to explore best practices in authorisation and identification.

“This is a well-respected blueprint used, for instance, by EGI, and many other big players in the field,” says Halse. “The AARC blueprint helps you to think through all the various challenges, like how to fit Google into the mix of authentication, and how to build it in such a way that more elements can be plugged in later.”

A number of African NRENs are also embarking on work to build federated identities in their countries, and there has been much information sharing between African NRENs as part of that process.

“If we had to redo it there are many things I would change,” says Halse, “but where I think we made the right call was in the choice of architecture for our federation, which essentially centralises much of the complexity of the federation at a single point which is managed by TENET. This means that we have a small, highly-skilled team at TENET, who can manage some of the more complicated bits that would otherwise require every university to have similar skills of their own.”

This is what is known as the hub-and-spoke model, as opposed to the full-mesh model, which is the dominant model globally, but is more decentralised and requires specific expertise at each institution.

“When choosing solutions like this, it is more important to be context-specific than to follow what the rest of the world is doing,” says Halse. “We are one of the few NRENs with a hub-and-spoke architecture, and while it does mean more work and complexity for TENET, we can provide federated identity to all our university partners without expecting much expertise in this specialised area from them. Which is really valuable for countries like South Africa battling with skills shortages.”