gw-astronomy.org Frequently Asked Questions [public]
Most scientists will not need to get a new login name and password to access the gw-astronomy registry, mailing list and wiki. These services use federated identity for those universities, laboratories or research collaborations that support it. That means you may be able to use your login name and password from your university, laboratory or research collaboration to log in. For instance, a scientist from the University of Wisconsin - Milwaukee (UWM) can use her UWM username (e.g. firstname.lastname@example.org) and password to log in, a LIGO scientist can use his ligo.org ID, etc. When you follow the instructions for registering for a collaboration at gw-astronomy.org, you will see a list of all the institutions that support federated identity in a way that these servers can use. Select the one you belong to and use that username and password to register and then to log in to these services.
What if my institution is not in the list?
Federated identity is a relatively new idea, and not all universities and laboratories are participating fully yet. But don't worry, we have a backup plan. You will notice that there is a Google login link in the list, and a Google icon for the same link above the list. If you already have a Google username and password, you can use those to register and log in to the server.
Is there any other option?
Most users can get an identity that works well for them from https://unitedid.org. Users in countries that do not allow access to Google will not be able to use this service, unfortunately. We are actively working toward allowing users to use ORCIDs (https://orcid.org) to log in. This page will be updated when that option becomes available.
More on Federated Identity
The idea behind federated identity is that once someone can authenticate you to a level sufficient for access to a service you should be able to use that same authentication to access all other services with similar security requirements, regardless of whether they belong to the same organization that is doing the authentication. In order to enable federated identity, institutions that can perform authentications must participate in identity federations. By participating, they agree to allow services from other trusted participants to use their authentication. Operationally, the service never sees a user's login name and password when using federated identity. Instead, the service passes the authentication request off to an identity provider at the user's home institution, which asks the user for her login name and password and performs the authentication. If the authentication is successful, the identity provider then passes an assertion of authentication back to the service the user is trying to access.
There are benefits for both users and service administrators in using federated identity. For users, the most obvious benefit is that they do not require yet another login id and password (and the burden of retaining that new information) for every different service they wish to access. Another less obvious benefit is that a user's home institution is more likely to implement strict security around authentication (since they store sensitive information about you like your payroll info), so the authentication is less likely to lead to a security problem or a stolen identity. Also, federated identity supports anonymity for cases where that is important - the identity provider does not need to let the service know anything about you in order to verify your identity. For service administrators, the benefits include that they do not need to maintain a system to create and store identities, they do not need to implement password retrieval and change mechanisms, and they do not need to collect and store sensitive information like user passwords.
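The exchange and the anonymity property described above, as an added example (not code from gw-astronomy.org or from any federation software): the identity provider checks the password and issues a signed assertion carrying only an opaque per-service identifier, and the service checks the signature, audience and expiry without ever handling a password. An HMAC under a shared demo key stands in for the public-key signatures real federations use, and every name, key and user record here is constructed.

```python
import hashlib, hmac, json, time

# Constructed sample data; all names and keys are hypothetical.
FED_KEY = b"demo-trust-anchor"    # stand-in for the IdP signing key a federation publishes
IDP_SALT = b"idp-private-salt"    # known only to the identity provider
IDP_USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}  # demo only, not a real password store
SP_ENTITY = "https://sp.example.org"

def _sign(payload: bytes) -> str:
    return hmac.new(FED_KEY, payload, hashlib.sha256).hexdigest()

def idp_authenticate(username, password, audience, now=None):
    """Identity provider: verifies the password locally, returns a signed assertion or None."""
    stored = IDP_USERS.get(username, "")
    supplied = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(stored, supplied):
        return None
    now = time.time() if now is None else now
    # Pairwise opaque identifier: stable for this user at this service, reveals no name.
    subject = hmac.new(IDP_SALT, f"{username}|{audience}".encode(),
                       hashlib.sha256).hexdigest()[:16]
    payload = json.dumps({"sub": subject, "aud": audience, "exp": now + 300},
                         sort_keys=True).encode()
    return {"payload": payload.decode(), "sig": _sign(payload)}

def sp_accept(assertion, now=None):
    """Service: receives no password; returns the opaque subject or None."""
    if assertion is None:
        return None
    payload = assertion["payload"].encode()
    if not hmac.compare_digest(_sign(payload), assertion["sig"]):
        return None               # altered, or not issued by a trusted identity provider
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["aud"] != SP_ENTITY or claims["exp"] < now:
        return None               # issued for a different service, or expired
    return claims["sub"]
```

The audience and expiry checks matter as much as the signature: without them, an assertion issued for one service could be replayed at another or reused indefinitely.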
If you are from the USA, your home institution may participate in the national research and education identity federation. Hundreds of US colleges and other institutions are members. InCommon allows services from any participating US service to access any participating institution's authentication services. Likewise, there are research and education identity federations in many other countries that allow federated identity within that country. But what about international logins? For that, there is an interfederation service called eduGAIN, which allows national research and education federations to interoperate. While support for interfederation in eduGAIN is not yet global, there is ongoing work to expand its coverage.
Finally, if you are not part of any organization that supports federated identity, all is not lost. There are services that support the use of social identities such as a Google login name and password to interoperate with identity federations. While these are not suitable for all applications, they do provide sufficient support for some services and are used as an identity provider of last resort for them. They also have the benefit that they provide federated identities for people who are not part of a research or education federation.
- 21 May 2015