Retrospective

SURF Identity & Access Unconference

On 15 October 2024, some 85 IAM specialists gathered at the very first SURF Identity & Access Unconference. Participants were allowed to come up with their own ideas for sessions on the spot - the basis of Unconference meetings - and they did! Because we only had one day and not the whole week, the topics were clustered into three rounds with a total of thirteen sessions.

The programme ended up looking like this:

Round Topics


11:15 - 12:00
  • SURFconext or Azure or linking your own IdP with SC?
  • eduID, anticipating, Citizen science, who provides support?
  • Role management, RBAC
  • IAM procurement


13:00 - 13:45
  • Third parties, alumni, guest accounts
  • SIEM, eduID and access to research networks
  • Non-human identities
  • Reliability eduID
  • Passwordless login


14:00 - 14:45
  • eduID for students
  • MBO & IAM
  • SSI, e.g. with SRAM
  • IAM governance

Three topics highlighted

In this retrospective, we highlight three topics: 'How do you set up IAM governance?', 'How do you stay in control as an institution?' and 'eduID: what exactly is it and how reliable is this educational identity?'

How do you set up IAM governance?

Within this topic, the main questions were: who owns an institution's accounts and who decides what rights someone gets? The IAM governance department arranges it technically, but that does not mean they own everything. Many institutions shared their experiences: from finding stakeholders outside the IT department and aligning processes with the business, to plotting processes on the HOSA. An important tip was to collaborate with the data protection officer (FG) and the security officer, but the attendees have not yet found a 'holy grail'.

How do you stay sovereign as an institution?

Within this topic, the focus was on the use of SURF services versus Microsoft services. The discussion revolved around the trade-offs between using the federated solution SURFconext and big tech solutions, in particular Microsoft's Entra ID, as many institutions use Office 365. The ideal future vision is to have one primary identity for students. The long-term vision includes moving away from ADFS, improving MFA deployment and simplifying access and identity management, with the aim of reducing dependence on big tech companies.

Another related topic is procurement within IAM services. It proves valuable to hire an external expert for this in order to get responses from the market at all. The answer to the question of what role SURF can play in tenders was that the initiative for a tender should come from the institutions. SURF can then supervise the process.

eduID: what is it and is it reliable?

eduID came up in many sessions: from arranging and managing roles for different external groups (guest lecturers, alumni, pre-school students) with eduID (SURFconext Invite) and eduID for students, to the question of whether eduID is a reliable identity. It was concluded that the process of verification and enrolment varies from institution to institution.

The sessions also discussed how institutions arrive at various levels of reliability for both identity and authentication. After all, Levels of Assurance (LoA) are not foolproof and 100 per cent assurance is not possible; the threshold for possible misuse or errors in processes should therefore be as high as possible. To support institutions in this, SURF will provide more insight into the possibilities of eduID and its reliability. However, this requires feedback from institutions to determine how current levels comply and where eduID can be improved.

If you want to know what eduID can do for your institution, please contact Sander Baas, sander.baas@surf.nl

How to proceed? Give follow-up to this Unconference!

It was clear that one day was too short to discuss all topics or find solutions to common challenges. Therefore, we call on you to further share your collective knowledge and - together with colleagues from other institutions - follow up on the topics of the Unconference! If you want to contribute to this, please contact Arnout Terpstra, arnout.terpstra@surf.nl. He will put all interested parties in touch with each other.