GakuNin, an identity and access management federation in Japan, has so far provided a stable trust framework to Japanese academia. For common services used by all members of a university or institution, such as e-journal services, the framework has worked well. There are many research communities: data science, material science, high energy physics, and research projects that use high performance computing resources. Unfortunately, however, those communities do not always rely on the identity providers that join GakuNin, because the identity providers in GakuNin do not always satisfy the communities' requirements. As a result, each research community has been forced to form its own trust framework. Many users in the research communities are also members of IdPs that join GakuNin. It is natural for such users to want to use their home organization account for services in the research communities; in other words, users do not want to manage several accounts in their academic activities. To resolve this situation, GakuNin has launched a new working group. The goal of the working group is to build a new trust framework focused on identification and authentication. The new trust framework will be useful for research communities in Japan: it must enable collaboration with the business sector, promote international collaboration, and ensure world-wide interoperability.
To make the new trust framework actually effective, we need a system that realizes its concept. Namely, it must be able to mediate between identity providers and the services provided by various research communities, and to bridge the gap between the requirements of those services and the credentials issued by the identity providers. Based on this basic idea, we have developed a new authentication proxy service called “Orthros”. Orthros supports the new GakuNin trust framework, bridges between identity providers and service providers, and enables management of identity assurance and authenticator assurance levels (IAL/AAL) as well as attribute assurance. In general, the requirements of service providers can be organized from the point of view of IAL or AAL. To satisfy an IAL requirement, Orthros must be able to cooperate not only with the home organization identity providers operated by universities or institutions but also with existing identity providers operated by governmental agencies, IT service vendors, social networking services, or nonprofit organizations, because a home organization identity provider by itself may not be able to meet the requirement of a service provider.
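As an added illustration of the brokering described above (example code, not Orthros' own implementation): the proxy compares a service provider's minimum IAL/AAL and required attributes against the assertions from the user's home organization IdP and any linked external IdP, and reports the first unmet requirement so that account linking or step-up authentication can be requested. The IdP names, attribute names and the rule that a linked set's effective IAL/AAL is its strongest assertion are assumptions.

```python
# Illustrative assurance brokering for an authentication proxy (assumed
# example, not Orthros' own code). Levels use the 1..3 IAL/AAL scale.
from dataclasses import dataclass, field

@dataclass
class Assertion:
    idp: str                 # issuing IdP (constructed names in the sample)
    ial: int                 # identity assurance level the IdP vouches for
    aal: int                 # authenticator assurance level of this login
    attrs: dict = field(default_factory=dict)
    home_org: bool = False   # True for the user's home organization IdP

@dataclass
class SpPolicy:
    min_ial: int
    min_aal: int
    required_attrs: frozenset

def broker(policy: SpPolicy, assertions: list) -> tuple:
    """Return ("ok", released_attrs) or ("deny", first unmet requirement).
    Assumption: a linked set's effective IAL/AAL is its strongest assertion,
    and home organization attribute values take precedence on conflict."""
    if sum(a.home_org for a in assertions) != 1:
        return ("deny", "exactly one home organization assertion required")
    ial = max(a.ial for a in assertions)
    aal = max(a.aal for a in assertions)
    if ial < policy.min_ial:   # proxy should offer linking a higher-IAL IdP
        return ("deny", f"IAL {ial} below required {policy.min_ial}")
    if aal < policy.min_aal:   # proxy should request step-up authentication
        return ("deny", f"AAL {aal} below required {policy.min_aal}")
    merged = {}
    for a in sorted(assertions, key=lambda a: a.home_org):  # home org last, wins
        merged.update(a.attrs)
    missing = policy.required_attrs - set(merged)
    if missing:
        return ("deny", "missing attributes: " + ", ".join(sorted(missing)))
    # Release only the attributes the policy requires (attribute minimization).
    return ("ok", {k: merged[k] for k in policy.required_attrs})

# Constructed sample: the SP needs IAL2/AAL2, but the home IdP proofs only at IAL1.
POLICY = SpPolicy(min_ial=2, min_aal=2, required_attrs=frozenset({"eppn", "mail"}))
HOME = Assertion("idp.example-univ.ac.jp", ial=1, aal=2, home_org=True,
                 attrs={"eppn": "alice@example-univ.ac.jp", "mail": "alice@example-univ.ac.jp"})
GOV = Assertion("gov-idp.example", ial=2, aal=1, attrs={"mail": "alice@example.net"})
```

With the sample data, the home organization assertion alone is denied for insufficient IAL, while linking the governmental IdP assertion satisfies the policy and the home organization's mail value is the one released.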
In this paper, we describe the new authentication proxy service, Orthros, in detail. We explain the design and implementation of Orthros and its features. The future development plan for Orthros is also presented.