eIDAS-enabled Student Mobility
Sustainability in the Higher Education Domain / Cost Benefit Analysis
Aljosa Pasic
2ESMO Workshop (Trondheim, June 3rd 2019)
GRANT AGREEMENT UNDER THE CONNECTING EUROPE FACILITY (CEF) - TELECOMMUNICATIONS SECTOR, AGREEMENT No INEA/CEF/ICT/A2017/
ESMO Sustainability in the Higher Education Domain (Ross)
Index
- ESMO Sustainability in the Higher Education Domain (Ross)
ESMO Open Source Project
ESMO GW Development (today)
- Developed in a private GitLab, with one repository per microservice
- Publish the ESMO GW as Open-Source Software (end of project): an open-source license to study, change, and improve its design, hosted on GitHub

What is available
- All common microservices implementing the GW core modules
- Protocol-specific microservices implementing interfaces to SPs, IdPs and APs (SAML 2, eIDAS SAML, OAuth 2, OIDC, GWT etc.)

Target Community
- Higher Education Institutes developing their Student Information Systems that can benefit from eIDAS user authentication + DSAs
- Promote ESMO through the Open Source University Alliance (EWP Initiative)
- EU projects working on similar solutions for enabling student mobility and the convergence of eIDAS and student identities
Joining the ESMO OSS Community
- Subscribe to the mailing list for the project on GitHub
- The GitHub project repo will provide access to source code, builds, issues, wiki, description resources etc.
- List of entities that are hosting ESMO GWs and can be contacted for connecting to
HEI Service Provider – Joining ESMO
Who could be interested: HEI SPs wanting to adapt end-user services to promote student mobility by enabling cross-border eIDAS authentication and academic attribute retrieval (e.g. Admissions, Moodles, Student Information Systems)
- Join the ESMO GitHub Project
- Become familiar with ESMO on the wiki and its resources
- Consider the alternatives that best suit your needs:
  - Connect to an existing ESMO GW (contact entity published on GitHub)
  - Deploy your own instance of the ESMO GW with protocol-specific microservices for your own institute or affiliation
- Develop additional microservices for any specific protocols/functions needed and contribute them to the ESMO OSS repo
- Benefit from community knowledge, e.g. by creating an issue on the repo to resolve an integration issue
HEI Attribute Provider – Joining ESMO
Who could be interested:
- HEI APs connected to EWP that want to make their attributes available for end-user student services, as they wish other HEIs to reciprocate
- National federations and eduGAIN, which can benefit by making their user attributes available to HEI SPs for services that require their data, and by enabling HEI SPs to link this data with the user's eID (ESMO delegated eIDAS authentication)

Steps:
- Join the ESMO GitHub Project
- Become familiar with ESMO on the wiki and its resources
- Choose the alternative that best suits your needs:
  - Connect to an existing ESMO GW (contact entity published on GitHub)
  - Deploy your own instance of the ESMO GW with protocol-specific microservices for your own institute or affiliation
- Develop additional protocols/functions needed for your specific goals
- Benefit from and contribute to community knowledge
- Actively contribute to an Academic Attributes repo for publishing standard attribute sets, a forum for the community to raise issues with attributes and make new proposals as required by the SP services
Integrate to EWP Network
- EWP provides a trusted registry to establish trust between HEI entities for backend APIs, and was identified as the ideal solution to provide the trust between ESMO GWs
- The benefit of connecting over EWP is that all HEI Service Providers are then aware of published ESMO APIs and able to consume them, so EWP Hosts could query academic attributes over the ESMO GW by consuming an ESMO API and then discovering its DSA query API
- That said, for HEIs to get the full benefit of the ESMO GW today, where HEIs can connect with their native SP/AP interfaces and perform eIDAS authentication, a direct interface to the ESMO GW is needed
- The ESMO Project has collaborated with EWP, and today we connect ESMO GWs over our own instance of EWP; the next step is to integrate with the EWP Production network after our final production testing is concluded
- Collaboration with EWP is key to reaching out to the greater HEI community in Europe and making the ESMO GW services available to all
- Future ESMO GW development can consider making more ESMO APIs available over EWP, so EWP Hosts can directly consume the eIDAS Authentication service and DSA queries in the native protocols supported by their SPs
Index
- ESMO Sustainability in the Higher Education Domain (Ross)
- Cost benefit Analysis (Aljosa)
Cost-Benefit Analysis Objectives
- Contribute to the potential of the eID DSI "to generate revenue", from the perspective of a domain-specific eID gateway
- Assess the possibilities for the ESMO GW to "become progressively self-standing or reliant on alternative sources of public funding or on a mix of private and public financing", especially in the post-CEF period (long-term sustainability)
- Assess a range of different solutions from a cost-benefit view, and the operational scenarios offered when interconnecting the eIDAS infrastructure (e.g. national versus sectorial eID brokers, academic federations or university hubs)
- Assess the needs and requirements in terms of governance, operations, financing and architecture of the stakeholders involved
- Calculate the combined savings of administrative and technical costs enabled by CEF eID for student mobility in general and the ESMO GW in particular
- Estimate demand for cross-border e-services in the HEI domain and their reliance on high-assurance eID (e.g. transfer of academic achievements and diploma-issuing related services)
- Identify conditions for gradually achieving the target of economically viable operation and maintenance of the services
- Identify motivational factors to join the eIDAS "ecosystem" and incentives for other public and private stakeholders (e.g. ICT industry developing information systems and IAM solutions for the HEI community)
Objectives (2)
- Estimate non-monetary benefits for the wider community or third-party e-services (e.g. cross-border availability of academic data for Human Resources departments)
- Propose a model apt to be replicated in other sectors/domains, related sectorial governance of trust combined with eIDAS connectivity
- Estimate the value of component reuse and the abstraction of complexities related to the discovery of attribute and service providers
- Compare costs related to SP integration and interoperability in eIDAS eID services, with and without ESMO
- Address the uncertainty of the eIDAS nodes' business models, which are intertwined with service providers' operational costs (e.g. national nodes that impose registration or transaction fees)
- Address other possible risks related to eIDAS and ESMO GW adoption, and propose a contingency plan (e.g. bypass the eIDAS infrastructure for the domain-specific attribute transfer)
- Estimate benefits from the increased assurance level through CEF eID
"The Viability Triad" is Desirability, Feasibility, and Sustainability

Desirability
- Is the target audience aware of current technology and market trends?
- Will there be recurring demand?
- Can it be differentiated (value proposition etc.)?
- Will it be valued?

Feasibility
- Are the offering and implementation achievable from a technical perspective?
- Are resources available for support (maintenance, marketing etc.)?
- How realistic are user adoption and acceptance in the short term?
- Can it be done?

Sustainability
- Will it result in profit, and when?
- Can it be reused and repeated, and at what cost?
- Is there an open source community that could reduce maintenance cost?
- Should it be done?
Desirability: demand and market size
Facts:
- 4,000 higher education institutions, with over 19 million students (of these almost 3 million are in countries participating in the project: Spain, Greece and Norway) and 1.5 million staff.
- Norway eID gateway (common login solution for public services online): the number of logins is estimated at almost 70 million.
- The GÉANT 2020 Framework Partnership Agreement (FPA) has a focus on authentication and claims to have nearly 27,000,000 students and 2,800 identity providers worldwide.
- In Austria, mobile ID activation was 15 times higher than traditional eID card activation.

Predictions:
- At the time of the Stork project, the number of Erasmus students that would use eID was projected to grow to in Spain by 2015.
- Erasmus+ is supporting four million students in their cross-border learning mobility, and is expected to grow 20% by 2020.

Habits and trends:
- Student cards are most commonly used in Denmark and Sweden (both 11%), and least used in Italy (2%). The Erasmus student network card (ESNcard), in the meantime, increased this figure significantly (over students in 40 countries).
- Remote cross-border learning students (students who seek global education at local cost): more than two fifths (43%) of the students from abroad studying at tertiary education level in the EU in 2016 were from Europe, 30% were from Asia and 12% were from Africa.

Compliance impact:
- Eurostat mentions that 74% are public sector HEIs, although sources from the 2015 EUA report claim that 92% of HEIs are public.
World of Erasmus and beyond
- Top-down data collection from different sources, contrasted with data from ESMO partners
- Use of eduROAM and other cross-border
World of eduroam and eduGAIN
Presentation by Lukas Hämmerle (SWITCH), September 2016
ESMO demand assessment
Benefit analysis

Student perspective: saving time in doing procedures, including
- flexible timetables
- travelling time (if abroad)
- travelling time (if already in another country)
- waiting time
- face-to-face ID verification and duration of the process: 10 min
- document and attribute collection: 1 day

Admin perspective:
- avoiding manual entry of data (time saved plus fewer errors): 30 min per user + copy cost
- reduction of processing cost

Indirect and qualitative benefits: lower tuition fees, richer knowledge sources / educational content presentation, more results-oriented and pragmatic learning, enhanced chances of employability, breaking barriers across European HEIs, reputation benefits, direct digital inputs for HEIs, savings on information processing
Wider Benefits Context
EUROPEAN SINGLE DIGITAL MARKET: eIDAS regulation on electronic identifications and trust services (Government, Business, Individual)
- Harmonised European regulations
- Building up trust and speeding up the transition to a digital economy
- Transparency and accountability
- High security requirements
- Juridical value

"be digital, open and cross-border by design" - Andrus Ansip, European Commission Vice-President for the Digital Single Market
Feasibility – three alternatives
1. Establishment of new HEI-specialised eIDAS brokers for specific groups of e-services, or specific groups of HEIs
2. Addition of ESMO functionalities to an existing eID brokerage platform
3. Convergence of ESMO functionalities with related projects or results
Cost analysis
- How much would development of a NEW eIDAS connectivity broker and/or attribute exchange hub cost (i.e. how much effort did we spend on ESMO)? Minimum PM
- How much would HEI e-service customisation and integration with eIDAS cost? Minimum 2,5-4 PM
- How much would operation and maintenance cost for both stakeholders, the ESMO hub operator and the HEI admin of e-services? About 2-4 PM and 0,5-1 PM respectively
Motivation for service providers to join ESMO
1. Completeness: I need a complete solution for eIDAS connectivity and education attribute aggregation from various EU member states.
2. Reliability & Scalability: I need a reliable and scalable software solution, able to handle steady growth and peaks in authentication and authorization.
3. Compliance: I need to be compliant with the eIDAS regulation and adaptable to future ones.
4. Smooth integration: I need an easy integration with my existing student information system and do not want to worry about the cost of adaptation.
Index
- ESMO Sustainability in the Higher Education Domain (Ross)
- Cost benefit Analysis (Aljosa)
- Risks and SWOT analysis (Francisco)
SWOT: Strengths
- Unbound attribute aggregation
- Multi-protocol translation
- Scalability by design
- Security and privacy by design
- Modularity and flexibility
- Minimise impact and costs on existing services and APs
- Network has a flexible topology
- Network can be exported or extended to other sectors
SWOT: Weaknesses
- Willingness to adhere is strongly dependent on existing APs and published data
- Attribute set availability and compatibility across APs: specific solutions depend on the availability of specific data, and even having an AP does not guarantee it will agree on implementing and sending a needed attribute
- Potential uses are still not mature enough among stakeholders, although interest is arising (the complex use cases we solve have a low incidence)
- Being too general a solution, so we cannot coordinate a specific response
- No specific AP interfaces, just recycling; no agreement on it (OpenAPI? Open banking: PSD2)
- Complex solution, many jumps and actors
- Generic and non-optimised user experience (too abstract concepts of attribute, data source, etc.); multiple authentication
SWOT: Opportunities
- DG-CNECT has started considering the potential of DSA over the eIDAS network; our solution is a candidate for a gradual and flexible adoption
- SURFnet was considering a use case of academic attribute transfer that can be resolved using ESMO
- Engage with similar communities, like SimpleSAMLphp, Keycloak or FIWARE, as we can offer a compatible solution with added value
- EWP will become mandatory, so usage of their network will increase; publishing our Service APIs there is key in positioning and in following the Single Point of Entry doctrine
- Being a front-channel process facilitates compliance with GDPR and is aligned with the single market strategy
- eIDAS profile: add personal data, especially biometrics (photo, fingerprint...)
SWOT: Threats and Risks
- eIDAS infrastructure delays/instability
- Low levels of eIDAS credential availability/use among the academic population
- Not converging with other initiatives with similar goals
- Lack of interest from sector governance bodies
- Not attracting adopters by not being able to define specific use cases we are a solution to
- Not attracting enough data providers
SWOT: Threats and Risks
- Need to have a trusted relationship with APs so as to avoid a 2nd login where possible, or usability could be an issue
- The culture of getting local credentials for all is not overcome yet, nor will it be in the near future
- The more complex attributes get, the bigger the semantic inconsistencies; need for harmonisation work across institutions
Index
- ESMO Sustainability in the Higher Education Domain (Ross)
- Cost benefit Analysis (Aljosa)
- Risks and SWOT analysis (Francisco)
- ESMO beyond education domain (Aljosa)
Emerging eID usage models
[Diagram: three approaches, each serving Service Providers 1, 2 and 3, and their effect]

Approach: Identity Provider Service
- Effect: Manage the identities; responsible for identity proofing, credential management and authentication

Approach: Identity Broker Service (separate proofing from authentication)
- Effect: Manage the identities; responsible for credential management and authentication; not responsible for identity proofing

Approach: Identity Provider Infrastructure Service (Identity Providers 1, 2, 3 behind the broker service)
- Effect: Do not manage the identities; not responsible for identity proofing, credential management or authentication
What about attributes? What is a market for ESMO?
The product? Attributes are stored in various databases around the world. Example product: digital badges for professional qualifications.

The customers? The Online Service Providers, but also emerging Attribute Brokers. Example: ID DataWeb (Attribute Exchange Network, AXN). In the future we might have an e-attributes marketplace; ESMO can play the role of enabler.

What do we know about attribute release in the physical and cyber world?
- CONTROL: People are at the centre of the attribute market, and any solution should be user-centric and compliant with GDPR.
- CONTEXT: Places such as shops, hospitals, factories, offices and the home influence the way that people release their attributes and interact with digital and physical service providers.
- INCENTIVES: Platforms provide the "closed" spaces for attribute release, mainly to enable more personal services, but also community-based services (e.g. sharing).
The Roadmap to ESMO adoption
[Diagram: three stages]
- Motivation: Incentives, Awareness
- Decision making: Context-driven Business Case, Cost-benefit analysis
- Technology choices: ESMO Technology, Add-on services, Control of Attribute Release
Decision making support
Reduced cost / Transformed experiences / Simplified management (less complexity)
- Reduce infrastructure and license cost: ESMO is open source
- Reduce GW operation and service adaptation cost
- Reduce incidents and support cost: shift these to the third party (ESMO GW operator)
- Lower initial investment for eIDAS connectivity
- Simple use of services by cross-border users with their "native" notified eID
- Secure sharing of attributes inside and outside of your business sector
- Simplified help and support from an external operator
Why do we also look beyond Education domain?
- The value of ESMO concepts (e.g. DSA – Domain Specific Attributes, or GW2GW), architecture and components is also considerable for other sectors
- Contribute to the evolution of project results, transferability and scalability
- Exploration of opportunities, e.g. sector-specific versus universal eID brokers
- Sustainability through shared maintenance resources with other communities
- Link to other projects or initiatives (SEAL, FIWARE, mobile eID) to increase visibility, or as part of the sustainability and road-mapping efforts
Benefits for Finance sector
- Compliance with KYC (Know Your Customer) with assured eIDAS attributes and additional DSAs from a trusted network.
- The Payment Services Directive 2 (PSD2) initiative is pushing for OpenAPI access to bank customer information and 3rd-party data sharing.
- The OpenID Foundation's Financial-grade API Working Group also has a similar initiative at a global level.
Benefits for any sector
Where to look for collaborations?
- Public sector
- Cross-border service context
- Innovation ecosystems (e.g. capability-based access control)
How to solve attribute release problem?
- In many domains there is an issue of attribute release policy and trusted attribute exchange. Sometimes there is a specific hub-and-spoke solution; other times the user is asked to provide self-asserted attributes.
- In digital onboarding, attribute collection and aggregation play a fundamental role.
- Challenges are both technical and policy/trust related: KYC attributes, for example, are required for risk, anti-fraud or suitability evaluations.
- Blockchain could solve the issue of accountability for self-asserted data; an eIDAS TSP would link the real ID with the digital ID of the self-asserted issuer.
How to attract APs
- Different identity attributes are used for residents and non-residents; differences in the verification mechanisms
- Many attribute providers do not have the means or motivation to connect to an AXN or GW
- The GSMA MC4US project focused on the mobile network and financial sectors:
  - Identifying attributes needed to support processes such as AML and KYC, and validating the process by which to trust the operator's data
  - Mapping eIDAS to US, Canadian, and UK identity frameworks
Conclusions
- eID and DSA exchange can be a cross-border business enabler.
- There are many risks that prevent investment in eIDAS connectivity from the service provider side: the complexity and volatility of the European eID ecosystem, the reliance on governmental infrastructure, economies of scale, the user acceptance model, cost of integration and maintenance etc.
- The ESMO model is based on the idea of sector-specific gateways that would be operated by eID brokers.

Compliance: for all public sector organisations, including public HEIs
Market growth: for service providers that have cross-border business or want to expand
Flexible configuration: no need to renew and adapt for each new attribute provider
Tech shift: innovation, API economy
- Get ready for multi-channel eID and service provision
- Attributes are another type of data, so data-driven innovation is also a target
- The ESMO business case is related to providing functionalities through an API (like Open Banking, there should be an Open EDU API)
Index
- ESMO Sustainability in the Higher Education Domain (Ross)
- Cost benefit Analysis (Aljosa)
- Risks and SWOT analysis (Francisco)
- ESMO beyond education domain (Aljosa)
- Recommendations and Roadmap (Francisco)
Roadmap to maximize CEF eID uptake
[Diagram: CEF eID and ESMO uptake strategy]
- Wider adoption: visibility, dissemination, formation; technology acceptance; funding / community development; long-term sustainability
- Additional value propositions: better services, more users, cost savings, more efficient services, more effective services, enabling transformation
- Uptake strategy: adoption by reference institutions, partnerships, more promotion (awareness, interest, credibility), software maintenance by an open community
Partner Commitment
Short-term to mid-term sustainability key is us. Critical tasks in this sense:
- Maintain deployed services (at first, an INEA requirement)
- Maintain the deployed Gateways
- Gateway code maintenance/improvement
- Facilitate packaging and deployment, generate documentation
But we can use an extra hand: the Open Source Community
Roadmap draft, Year 1: Partner maintenance and minor improvement
- Release and distribution of the code
- Define network adherence roles, procedures and requirements
- Dissemination and contact with potential adopters (bottom-up)
- We need to define a strategy where adoption as an SP requires adoption as an AP
- Alignment with other initiatives (EWP especially, EMREX, EID4U, Studies +)
- Collect feedback to improve usability
Roadmap draft, Year 2:
- Use results to seek sector governance bodies' backing (top-down)
- Start a software community around the Gateway
- Negotiate the transfer of the Gateway operation to an education-sector national-level entity (target: NRENs)
- Seek to secure additional resources for GW development
- Reassess sector needs to plan the improvements over the code
- Effective collaboration with EWP and the other initiatives
- Promote potential use cases linking academia and the job search sector (LinkedIn, EduPass)
Roadmap draft, Year 3+:
- Depending on the acceptance, gradually escalate code improvements, and organise community maintenance
- Dual approach: keep up with dissemination and contact with potential adopters (bottom-up) and keep pushing for sector governance bodies' backing (top-down)
- Promote the deployment of other MS GWs
- Keep seeking development support and resources
- Regularly reassess sector needs to plan the improvements over the code
- Keep in contact with the initiatives and plan collaborations accordingly
- Promote a yearly assembly to coordinate and disseminate
Recommendations: ESMO
- Develop and distribute libraries to facilitate building ESMO microservices
- Improve packaging and documentation; there is a knowledge gap for non-technical users
- Seek adoption of the nodes by key entities in the sector (target: NRENs)
- Seek code support by reference developers and institutions in the identity federation and management sector
Recommendations: eIDAS
- Enhance the supported data set; include more personal contact info and biometric information (photo, fingerprint pattern)
- Promote MS to notify other existing eID schemes, especially those more used/usable by citizens (regardless of being lower assurance)
- To the extent possible, promote the adoption of non-targeted identifiers
- Reinforce formation actions to close the technological gap on MS eIDs
- Promote usage benefits among citizens
Recommendations: Others
- EMREX convergence: provide authentication; integrate the National Point of Contact in the Gateway
- FIWARE convergence: FIWARE IDM integrated in the Gateway; ESMO Gateway as a source of profile information
- Explore non-EU expansion: with data transfer agreements; liability problems in the legal framework
How to Join ESMO: three roles (Developer, Operator of gateway, AP/SP integration)

Developer
- Contact the ESMO team to participate in the steering meetings
- Assess the effort that can be devoted and the available prioritised tasks
How to Join ESMO: AP/SP integration, Operator of gateway

AP/SP integration
- The HEI representative gets in touch with ESMO experts or contact
- Joint assessment of needs and requirements about joining and/or deploying ESMO
- Depending on the situation, the HEI either does its own service adaptation to eIDAS or uses support from ESMO partners

Operator of gateway
- Analyse which domain-specific attributes are needed for the selected cross-border services
- Analyse topology and governance details
Thank you for your attention