CILogon: InCommon, OpenID, and LOA

Post date: Apr 29, 2011 5:56:01 PM

The top priority for the CILogon project is enabling secure access to cyberinfrastructure (CI) using campus credentials via the InCommon Federation. The nation's colleges and universities are natural identity providers for academic researchers, because of the strong relationships that researchers have with their campuses in their roles as faculty, staff, and students. Through the InCommon Identity Assurance program (currently under development), many researchers will be able to obtain a standards-compliant credential from their university that is recognized at Level of Assurance (LOA) "Level 2" according to the US Government ICAM Trust Framework. With this LOA 2 credential, researchers will be able to obtain a "CILogon Silver" certificate approved by the International Grid Trust Federation (IGTF) for use worldwide.

However, in some cases researchers will not be able to use CILogon via InCommon. For example, their home campus may not yet be an InCommon member, or they may not have an affiliation with a US university. Researchers in other countries may be able to obtain certificates via their national federation using services similar to CILogon, such as the TERENA Certificate Service in Europe, which is also approved by the IGTF.

Another option is to use OpenID with CILogon. Using accounts with Google, PayPal, or VeriSign, researchers can authenticate to CILogon via OpenID to obtain a "CILogon OpenID" certificate. While this type of certificate has a lower level of assurance, it is not without value. The Open Identity Exchange (OIX) is an approved LOA 1 provider under the ICAM Trust Framework, and OIX has in turn certified these OpenID providers (Google, PayPal, and VeriSign) at LOA 1. While LOA 1 involves no identity verification (unlike LOA 2 and above), it does provide a basic strength of authentication: reasonable confidence that the person authenticating today is the same person who authenticated with the same identity yesterday. In many cases, this LOA is sufficient for access to CI (as determined by the CI provider).

CILogon supports both InCommon and OpenID authentication to enable wider access to CI. Depending on the type of authentication used, CILogon issues certificates from different Certification Authorities, which allows CI providers to know the LOA for a particular authentication and decide which LOAs to accept. To maintain a consistent LOA for "CILogon OpenID" certificates, the CILogon project has now decided to accept OpenID authentication only from those providers that are certified at LOA 1 (or above). Any future changes to this policy will be announced here well in advance.
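To show what "decide which LOAs to accept" looks like on the CI provider's side, here is an added example (not CILogon's own code, and not from this post) that builds two throwaway CAs standing in for the LOA 2 and LOA 1 issuers, issues a user certificate from each, and then enforces an access policy: verify the chain against the trusted CAs, map the issuing CA to its LOA, and reject anything below the required level. The CA names, the LOA mapping, and the user names are constructed placeholders; the real CILogon CA distinguished names are not given on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Placeholder issuer names (assumption: the real CILogon CA names are not on the page).
const (
	SilverCAName = "Example Silver CA (placeholder for the InCommon LOA 2 issuer)"
	OpenIDCAName = "Example OpenID CA (placeholder for the LOA 1 issuer)"
)

// IssuerLOA is the CI provider's policy table: issuing CA -> level of assurance.
// A CA missing from this table is treated as unknown and rejected.
var IssuerLOA = map[string]int{
	SilverCAName: 2,
	OpenIDCAName: 1,
}

// CA is a self-signed test authority used only to construct sample certificates.
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewCA creates a short-lived self-signed CA with the given common name.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, key: key}, nil
}

// Issue signs an end-entity (client authentication) certificate for a user.
func (c *CA) Issue(user string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.Cert, &key.PublicKey, c.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authorize is the CI provider's check: the certificate must chain to a trusted CA,
// that CA must have a known LOA, and the LOA must be at least minLOA.
// It returns the LOA that was established (0 if the chain did not verify).
func Authorize(leaf *x509.Certificate, trusted []*x509.Certificate, minLOA int) (int, error) {
	roots := x509.NewCertPool()
	for _, ca := range trusted {
		roots.AddCert(ca)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return 0, fmt.Errorf("chain verification failed: %w", err)
	}
	// Only after the signature chain is verified is the issuer name trustworthy.
	loa, ok := IssuerLOA[leaf.Issuer.CommonName]
	if !ok {
		return 0, fmt.Errorf("issuer %q has no LOA mapping; rejecting", leaf.Issuer.CommonName)
	}
	if loa < minLOA {
		return loa, fmt.Errorf("issuer LOA %d is below the required LOA %d", loa, minLOA)
	}
	return loa, nil
}

func main() {
	silver, _ := NewCA(SilverCAName)
	openid, _ := NewCA(OpenIDCAName)
	trusted := []*x509.Certificate{silver.Cert, openid.Cert}
	a, _ := silver.Issue("researcher-a") // constructed sample user
	b, _ := openid.Issue("researcher-b") // constructed sample user
	for _, cert := range []*x509.Certificate{a, b} {
		loa, err := Authorize(cert, trusted, 2) // this resource requires LOA 2
		fmt.Printf("%s: loa=%d err=%v\n", cert.Subject.CommonName, loa, err)
	}
}
```

The order matters: the issuer name is looked up only after `Verify` has confirmed the chain, so a certificate from an untrusted CA that merely copies a trusted issuer's name never reaches the policy table. A resource that accepts LOA 1 simply calls `Authorize` with `minLOA` of 1 and both certificates pass.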

Please see the CILogon FAQ for more information and send any comments or questions to