The InCommon Federation

The U.S. Access and Identity Management Federation

www.incommon.org

The InCommon Federation

• InCommon is the national research and education federation in the United States.

• InCommon membership includes higher education, federal research labs, government agencies and online service providers.

• InCommon establishes the trust relationship among organizations through common policies and procedures.

InCommon Facts

• Fact: InCommon has more than 3 million higher education users.

• Fact: InCommon membership has doubled yearly for several years.

• Fact: InCommon higher education members include institutions of all sizes, including community colleges, research universities, and small liberal arts colleges.

• Fact: InCommon technology is based on standards being adopted globally.

The InCommon Federation

Today InCommon includes:

– 116 higher education participants

– Six government and nonprofit laboratories, research centers, and agencies (including NIH and NSF)

– 41 sponsored partners

– Two county K-12 school districts (as part of a pilot)

Federated Access in 30 seconds

Home Institution (user signs in) ↔ Federation ↔ Online Resource

Federation: metadata, certificates, common attributes & meaning, federation registration authority, Shibboleth

Attributes exchanged: Anonymous ID, Staff, Student, …

1. Authentication: single sign-on at the home institution

2. Federation-based trust exchange to verify partners and locations

3. Authorization: privacy-preserving exchange of agreed-upon attributes

4. If the attributes are acceptable to the resource policy, access is granted!
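As an added illustration of steps 2 to 4 above (not code from InCommon or the Shibboleth project), the following Python models the service-provider side of the flow: it reads a constructed federation metadata aggregate to learn which entityIDs are registered identity providers, then applies a resource policy to the attributes an assertion carries. The entityIDs, the metadata and the policy are assumptions; the attribute names follow the eduPerson schema.

```python
# Added example (not InCommon's or Shibboleth's code): a service provider's
# decision logic for the four-step flow. Step 1 (sign-on at the home
# institution) happens at the IdP; steps 2-4 are modelled here.
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed federation metadata aggregate; the entityIDs are placeholders.
FEDERATION_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def trusted_idps(metadata_xml):
    """Step 2: the set of entityIDs the federation metadata lists as IdPs."""
    root = ET.fromstring(metadata_xml)
    return {
        ed.get("entityID")
        for ed in root.findall("md:EntityDescriptor", MD_NS)
        if ed.find("md:IDPSSODescriptor", MD_NS) is not None
    }


def access_decision(issuer, attributes, idps, policy):
    """Steps 2-4: accept the assertion only from a registered IdP, then require
    every policy attribute to carry at least one acceptable value."""
    if issuer not in idps:
        return False, "issuer is not a registered federation IdP"
    for name, allowed in policy.items():
        values = set(attributes.get(name, []))
        if not values & allowed:
            return False, f"resource policy not satisfied for {name}"
    return True, "access granted"


TRUSTED_IDPS = trusted_idps(FEDERATION_METADATA)
# Resource policy: staff or faculty affiliation, released alongside a
# pseudonymous (anonymous) identifier rather than a name.
RESOURCE_POLICY = {"eduPersonAffiliation": {"staff", "faculty"}}

if __name__ == "__main__":
    print(access_decision("https://idp.example.edu/idp/shibboleth",
                          {"eduPersonTargetedID": ["abc123"],
                           "eduPersonAffiliation": ["staff"]},
                          TRUSTED_IDPS, RESOURCE_POLICY))
```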

Value of InCommon

• Governance by a representative Steering Committee

– Formulates policy, operational standards and practices; establishes a common set of attributes and definitions.

• Legal Agreement

– Basic responsibilities, official signatory and establishment of trust, conflict and dispute resolution, basic protections

• Trust “Notary”

– InCommon verifies the identity of organizations and their delegated officers

• Trusted Metadata

– InCommon verifies and aggregates security information for each participant’s servers, systems, and support contacts

• Technical Interoperability (Technical Advisory Committee)

– InCommon defines shared attributes, standards (SAML), software (Shibboleth)

Value of InCommon

• InCommon uses SAML-based authentication and authorization systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants.

• InCommon supports both SAML 1.x and SAML 2.0.

• Several products interoperate with Shibboleth, including those offered by IBM (Tivoli), Oracle, Sun, and CA (Siteminder).

InCommon Benefits

• Participants exchange information in a standardized format.

• Once an organization is a participating member, setting up a new relationship can take as little as a few minutes.

• Community-based collaboration and support.

• Use of a common authentication and authorization software provides single sign-on convenience.

Who can join InCommon?

• Accredited two- and four-year higher education institutions.

• Partner organizations sponsored by higher education participants.

Joining InCommon

• Business, education, research, and government organizations that partner with higher education join the Federation as Sponsored Partners.

• Participation agreement – agreeing to the policies of the federation and the community.

• Develop your Participant Operational Practices (POP), which help other federation members determine your level of trust, privacy policies, and attribute collection/use policies.

• Metadata: “data about data” – a linchpin of federating.

What does it cost to join InCommon?

• One-time fee of $700.

• Annual fee of $1,000 (for up to 20 service provider systems).

Note: this is the cost for InCommon membership. Depending on your integration and infrastructure, you may incur additional costs for implementation of software and systems.

InCommon and the Federal Government

• Signed agreements with the National Institutes of Health and the National Science Foundation

• Interest expressed by, or in discussion with, several agencies, including:

– NASA

– Department of Agriculture

– Department of Energy

– caBIG (National Cancer Institute)

– caGrid (National Cancer Institute)

InCommon and the NIH

– Working on LoA 1 applications with NIH

• Clinical and Translational Science Awards

– National Library of Medicine

• Genome data

• Testing with the University of Washington

– Piloting LoA 2 application with NIH eRA (electronic Research Administration)

• Involves NIH, InCommon, University of Washington, Penn State University, Johns Hopkins University, University of California Davis

• Technical demo September 22, 2009 (Federal Demonstration Partnership meeting)

• Rollout during 2010

InCommon and the NSF

– Piloting LoA 1 application (research.gov) at the National Science Foundation

• Involves InCommon, Penn State and the University of Washington

• Testing sandbox is up and running

• Technical demo September 22, 2009 (Federal Demonstration Partnership meeting)

– More applications under consideration, once this pilot is completed

InCommon and the Federal Government

– Worked closely with GSA to provide feedback on the new federal trust framework.

• GSA

• Federal CIO Council (FCIOC)

• Information Security and Identity Management Committee (ISIMC)

• Program oversight by Identity, Credential and Access Management Subcommittee (ICAMSC)

– Federal trust framework based on OMB’s M-04-04 (risk management) and NIST 800-63 (electronic authentication guidelines).

– InCommon helped inform the latest revision of NIST levels of assurance (LoA).

InCommon Silver

– InCommon Silver profile comparable to NIST LoA2

– Silver pilot now underway at NIH

• Technical demonstration at FDP meeting Sept. 22

• Full roll-out (with auditing, policy, and standards in place) in fall 2010.

– InCommon assurance profiles based on OMB M-04-04 and NIST 800-63.

– InCommon will soon submit its Bronze and Silver assurance profiles to the Identity, Credential and Access Management Subcommittee.

– Once approved by ICAMSC, Bronze and Silver will be approved for use with all federal agencies at LoA1 and LoA2, respectively.

InCommon Testing and Development

– InCommon is community governed and community driven

– Testing and Development done through pilots

• Involve the service provider and identity providers

• Staff and community recruit higher education institutions to serve in pilots

• NIH and NSF pilots good examples

• Current pilot example: several university libraries working with library database providers on Shibboleth/EZProxy hybrid

InCommon Transition

• InCommon works with partners such as NIH to manage transition.

• Apps can use both federation and traditional sign-on.

• Users from non-federated institutions can use generic identity providers such as ProtectNetwork or federal contractors.

Benefits to the Department of Education

– Through InCommon, each educational institution can manage authentication for its faculty, students and staff.

– With higher education institutions authenticating their users, the need for password resets will be eliminated (one estimate – a single password reset request costs $50).

– Adding higher education partners can take just minutes.

– Low up-front and annual costs.

– Community support.

Benefits to the Department of Education

– Federating additional applications becomes easier and less time-consuming.

– Shibboleth, and thus InCommon, can interoperate with the department’s existing Tivoli deployment.

– InCommon has had significant interaction with the GSA and other agencies developing the federal government’s new trust framework.

The InCommon Federation

The U.S. Access and Identity Management Federation

www.incommon.org