Grand Unified is a facility from DeiC that fills a particular void between services and users in an identity federation.
Many online services are part of an identity federation such as WAYF. This has the advantage that users from a number of different organisations can log into the service with the user account they hold at their organisations – they don't have to get separate logins but can, so to speak, re-use their internal organisational accounts for these external services.
As the provider of such a federated service, you may find that a user you want to give access to has no organisational account and therefore cannot log in to the service. It may also be that the user does have an organisational account, but the provider is not satisfied with that account's authentication quality and wants to supplement the user's organisational login with a further login factor. Grand Unified solves both problems:
Through a web interface, the service provider (“SP”) registers the user in Grand Unified with the relevant information (attributes) and then gives her an invitation token through a channel the SP deems sufficiently secure (e.g. e-mail, postal mail, courier, face-to-face). At this stage the service provider, now acting as an identity manager, has identified the user and is in contact with her. The user redeems the token in her browser and then associates the login means the SP has determined must be associated: for example a password, a hardware key (U2F/FIDO) and/or a one-factor login from an organisation. After this, the user can access the provider's service with the login means she registered; she simply chooses “Grand Unified” as her “organisation” in the list of possible login providers (next to University of Copenhagen, Aarhus University, etc.). The service then receives a login response carrying the information the provider registered for the user in Grand Unified, in exactly the same way the service would receive information from the user's organisation had she logged in with an organisational account. The SP therefore does not have to implement authentication locally; all authentication is outsourced to Grand Unified, and all users reach the service through the same technical channel, SAML/OIDC SSO. The service must not grant access to users in any other way than by processing SAML/OIDC tokens.
Once a user has been created in Grand Unified by invitation from one service, she can reuse her “Grand Unified account” if she is later invited to another service. If the second SP requires login means other than those the user registered when invited by the first SP, she supplements her existing “Grand Unified account” with the additional login means the new service requires. The same user can also be invited several times to the same service, and so hold multiple identities inside that service, all linked to the same set of Grand Unified credentials (the same “Grand Unified account”). If a user has multiple identities in a service, Grand Unified asks her, after a successful login, which identity she wants to use in this session with the service. The user also gets single sign-on across the services and service identities her “Grand Unified account” is linked with: after a single authentication she can reach them all in the browser.
When creating a user in Grand Unified, the SP indicates which identity within the service the user is invited to. If the user has already been created but something has gone wrong, the SP can re-invite her to the same service identity, for example because the original invitation token has expired, or because it turns out that login means other than those specified by the original token are wanted. When the user redeems a Grand Unified invitation, the identity within the service is associated with a Grand Unified identity that the user either creates at that moment or already has.
Grand Unified is thus essentially an account-linking engine, mapping between service identities and “Grand Unified identities”. Internally, both kinds of identity carry an immutable user ID. In addition, a user's “Grand Unified account” always has one of her e-mail addresses associated as an alias for the actual user ID, so that she can easily remember what to enter as the user ID when logging in with e.g. a password or a hardware key.
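The invitation, redemption, linking and identity-chooser flow described above, as an added illustrative model written for this page; it is not DeiC's Grand Unified code and does not reflect its real data model, token format or storage. Everything in it (class and method names, the SHA-256 hashing of tokens at rest, the seven-day default token lifetime, the rule that re-inviting voids the previous token, and the shape of the returned login response) is an assumption chosen to make the invariants in the text concrete: immutable IDs for both identity kinds, an e-mail alias for the Grand Unified ID, single-use and expiring tokens, required login means enforced at redemption, several service identities linked to one Grand Unified account, and a chooser when more than one exists. Authentication of the login means itself (password or FIDO verification) is out of scope and assumed to have succeeded before `login_response` is called.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Set


@dataclass
class GUIdentity:
    uid: str                                             # immutable Grand Unified user ID
    email_alias: str                                     # alias the user types at login
    login_means: Set[str] = field(default_factory=set)   # e.g. {"password", "fido"}


@dataclass
class ServiceIdentity:
    sid: str                                 # immutable, service-specific user ID
    service: str                             # entity ID of the SP that registered it
    attributes: Dict[str, str]               # SP-maintained "organisational" data
    gu_uid: Optional[str] = None             # linked GU identity, set on redemption


@dataclass
class Invitation:
    sid: str
    required_means: FrozenSet[str]
    expires_at: float
    redeemed: bool = False


class LinkingEngine:
    """Hypothetical account-linking engine: service identities <-> GU identities."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now                               # injectable clock (for tests)
        self.gu: Dict[str, GUIdentity] = {}          # uid -> GU identity
        self.by_alias: Dict[str, str] = {}           # e-mail alias -> uid
        self.sids: Dict[str, ServiceIdentity] = {}   # sid -> service identity
        self.invites: Dict[str, Invitation] = {}     # sha256(token) -> invitation

    @staticmethod
    def _h(token: str) -> str:
        # Only a hash of the token is stored; the clear token travels to the user once.
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, service: str, attributes: Dict[str, str]) -> str:
        """SP creates a service identity with the attributes it will later receive back."""
        sid = secrets.token_hex(8)
        self.sids[sid] = ServiceIdentity(sid, service, dict(attributes))
        return sid

    def invite(self, sid: str, required_means: Set[str], ttl: float = 7 * 86400) -> str:
        """Issue a fresh single-use token; re-inviting voids any outstanding token for sid."""
        for inv in self.invites.values():
            if inv.sid == sid and not inv.redeemed:
                inv.expires_at = 0.0
        token = secrets.token_urlsafe(32)
        self.invites[self._h(token)] = Invitation(sid, frozenset(required_means), self.now() + ttl)
        return token   # handed to the user over the channel the SP chose

    def redeem(self, token: str, email_alias: str, login_means: Set[str]) -> str:
        """User redeems the token and registers the login means the SP demanded."""
        inv = self.invites.get(self._h(token))
        if inv is None or inv.redeemed or self.now() > inv.expires_at:
            raise ValueError("invalid, used or expired invitation")
        missing = inv.required_means - set(login_means)
        if missing:
            raise ValueError("missing required login means: %s" % sorted(missing))
        uid = self.by_alias.get(email_alias)
        if uid is None:                      # first invitation ever: create the GU identity
            uid = secrets.token_hex(8)
            self.gu[uid] = GUIdentity(uid, email_alias)
            self.by_alias[email_alias] = uid
        self.gu[uid].login_means |= set(login_means)   # supplement an existing account
        self.sids[inv.sid].gu_uid = uid
        inv.redeemed = True
        return uid

    def identities_in_service(self, email_alias: str, service: str) -> List[str]:
        """Service identities to offer in the chooser after a successful authentication."""
        uid = self.by_alias.get(email_alias)
        return [s.sid for s in self.sids.values()
                if uid is not None and s.gu_uid == uid and s.service == service]

    def login_response(self, email_alias: str, service: str,
                       chosen_sid: Optional[str] = None) -> Dict:
        """Payload the SP receives; authentication is assumed to have succeeded already."""
        sids = self.identities_in_service(email_alias, service)
        if not sids:
            raise PermissionError("no identity in this service")
        if chosen_sid is None:
            if len(sids) > 1:
                raise ValueError("multiple identities: user must choose one")
            chosen_sid = sids[0]
        if chosen_sid not in sids:
            raise PermissionError("identity not linked to this Grand Unified account")
        s = self.sids[chosen_sid]
        return {"issuer": "grand-unified", "audience": service, "subject": s.sid,
                "attributes": dict(s.attributes)}
```

Two details worth noting: the subject handed to the SP is the immutable service identity, never the e-mail alias, so the user changing her e-mail address later cannot reassign an account; and the chooser check (`chosen_sid not in sids`) is what stops a user from naming a service identity that belongs to someone else's Grand Unified account.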
For each service, the SP maintains a user registry in Grand Unified through a web interface and keeps the relevant “organisational” information for each user up to date. In this way Grand Unified acts as a service-specific “organisation”, with a kind of micro-AD or micro-LDAP user base dedicated to the service. The SP can choose to use Grand Unified as the register of all users who must have access to the service, or only of users without an institutional account (“guests”) and of users to whom he does not want to grant access via an unmodified institutional account (adding an extra login factor to it). If several services want to share the same user database, this can easily be facilitated technically.
With the user registry in Grand Unified, an SP can also easily test how his service behaves with different user profiles, which may be relevant at the time the service is integrated into the identity federation. The SP can create any number of test users with various attribute values in the Grand Unified database for his service.
It is also possible to expose a Grand Unified user database as an actual user organisation (an identity provider, “IdP”) in the WAYF federation. That is in fact the technology behind DeiC's own IdP. To become an IdP in the federation, a Grand Unified user base must of course meet the requirements the federation sets for actual IdPs. But such a “Grand Unified-backed” IdP can also be restricted to a selected set of services and in that way act as (the login system of) a virtual organisation for them. This requires compliance with no terms other than those agreed between the providers of the services in question.
Grand Unified is fully developed and now in pilot operation. In practice, you contact sekretariat@wayf.dk to have Grand Unified made available for your service, which must already be connected to WAYF through its SAML/OIDC interface. You will then be granted a user base, set up as Grand Unified administrator for the service, and able to register and invite users. Soon we will show below what that looks like.