Barry Johnson: Here to give you a crash course in Federated Identity Management and give you a little intro to InCommon.
Identity management is a system of verifying the identity of an individual and issuing electronic credentials so that person can access electronic resources. The system typically maintains identity information in a central repository. Because the system is authoritative, it is the source for establishing trust and using that trust to facilitate access to resources.
Identity management answers these basic questions:
- Who are you? An individual provides information to establish his or her identity (such as a driver's license, passport, or other materials).
- After this identity proofing, the system begins assigning attributes as part of the electronic record – name, address, email, and the like.
- With the system populated with this information, it can now be used for authentication – verifying that the person wanting access to a resource is the same one to whom we issued credentials.
There are three actors involved in the identity management system:
1 – the subject or user
2 – the identity provider, which maintains the identity system, issues credentials, and provides necessary information to the service provider
3 – the service provider – also known as the relying party or resource provider – which owns or manages the restricted resource.
The service provider takes the information provided by the identity provider – such as the name of the institution or the identity of the subject – to decide whether to allow access to the resource.
These are the three key terms for identity management – and they all start with “A”!
Authentication typically is providing a user ID and password.
Authorization is the service provider making a decision about allowing access. Sometimes all that is needed is the name of a university.
An attribute is a piece of information, such as a person’s name, email, or whether that person is faculty, staff or student.
Our user has an account at his university, but also must maintain separate accounts, including passwords, at any service he has access to:
1) Learning management system
2) Government services, such as research grant administration
3) The soothing music service or online journals from the library
Problems faced in the identity management world: Typically, there are many applications, both on-campus and hosted solutions, that students and faculty need to interact with. Many of these applications have a need to verify identities and provide access to only those who are covered under a university contract. To do that, some applications want access to your LDAP directory. Some require batch uploads. Some have users create accounts. So, every time you add a service provider, you increase the possibility of security breaches and data spills.
Federated identity management solves these problems. A federation is just a group of organizations that agree on a standard method for exchanging information. Everyone agrees on policies and such things as a common definition of each attribute. Now, instead of one-to-one, we can do one-to-many – which means the federation scales much more easily than individual relationships. Users also gain the convenience of using their campus IDs and passwords to access many resources.
The key concept to federated identity management is the separation of authentication and authorization – and the use of standards. Identity providers do the authentication – users no longer set up accounts at each service provider. Users thus enjoy single sign-on convenience with their university identity. A standard set of attributes, and standards-based software, allows information to be passed among the members of the federation for authorization to resources.
Here’s the scenario using federated identity:
- With federated identity, a user has just one account – the one provided by his university, already used for email and other on-campus applications.
- The online services and resources no longer manage user accounts or keep personal data.
- With only one user ID and password, help desks see dramatic reductions in calls.
- Federation participants agree on common policies and use standards-based software and processes.
- The home organization (i.e. university) maintains privacy and security.
When a user needs access to a resource, they are sent to their institution’s login page. Since the institution and the resource provider are both part of the federation, they can trust each other’s practices and attribute assertions. After authentication, the home institution’s identity management system will send along the attributes about the user that the resource provider needs to know. And if they look good, the user gets access to the resource. Simple as that.
InCommon is the higher education and research federation in the U.S. InCommon serves as the trust agent for all participants.
Privacy, security and scalability are the heart of the benefits of InCommon and a federated identity management approach.
Single sign-on for users, using credentials they know and already use every day. Because the home institution controls the identity database and authenticates users for each service, there are fewer opportunities for security breaches. Personally identifying information stays on campus. The bare minimum of info needed for access is provided to the service, but no more. The institution saves time and money, because adding another federated service is relatively quick and easy. Since federated identity is also based on roles and status, changes in status (such as employment or enrollment) are reflected immediately. The service provider does the authorizing, based on attributes passed by the identity provider. So, the service provider can concentrate on providing the service, as opposed to dealing with accounts.
This gives you an idea how many folks are part of InCommon. As of September 2010, InCommon has 253 participants, including 180 colleges and universities.
InCommon participants include colleges and universities, government and non-profit research facilities and agencies, and sponsored partners – non-profit and for-profit entities that offer federated services.
Federated resources offered by InCommon participants affect many campus business and academic functions every day. There are a number of HR and student services applications, as well as learning management systems, and library databases.
Federated Identity Management
What is Identity Management?
• A system of standards, procedures and
technologies that provides electronic credentials to
• Maintains authoritative information about
• Establishes the trust needed for transactions.
• Facilitates and controls user access to online
applications or resources.
Who are you? (identification)
• Collect personally identifying information to prove you are who you say you are (identity proofing), such as driver's license, passport, or biometric data
• Assign attributes (name, address, college or university, department, role (faculty, staff, student), major, email)
How can you prove it? (authentication)
• Verifying that the person seeking access to a resource is the one previously identified and approved
Three entities involved in gaining access to a resource:
1. Subject (i.e. user) – The person identified and the subject of assertions (or claims) about his or her identity.
2. Identity Provider – Typically the university or organization that maintains the identity system, identity-proofs the subject and issues a credential. Also provides assertions or claims to the service provider about a subject’s identity.
3. Service Provider (sometimes called the relying party) – Owner/provider of the protected resource to which the subject would like access. Consumes the assertion from the identity provider and makes an authorization decision.
Authentication – Verification (via a user ID and password) that a subject is associated with an electronic identifier. This is the responsibility of the identity provider.
Authorization – Determining whether a subject is eligible to gain access to a resource or service. The authorization decision is made by the service provider and is based on the attributes provided by the
Attribute – A single piece of information associated with an electronic identity database record, such as name, phone number, group affiliation, email address, major.
1. Tedious user registration at all
2. Unreliable and outdated user data at resources
3. Different login process at each
4. Many different passwords
5. Identity provider may need to support multiple custom authentication methods and/or be asked for access to its
• Growing number of applications – on-campus and outsourced or hosted
• All of these service providers must:
– Verify the identity of users (faculty, staff, students, others)
– Know who’s eligible to access the service
– Know the student is active and hasn’t left school
• Increase in outsourced or cloud services raises concerns about the security and privacy of the identity data
A Solution: Federated Identity Management
Federation: An association of organizations that come together to exchange information, as appropriate, about their users and resources in order to enable collaborations and transactions.
All participants in a federation agree on the same policies and procedures related to identity management and the passing of
Instead of one-to-one relationships, the federation allows one-to
Federated Identity Management
• Parties agree to leverage the identity provider’s database, rather than creating separate data stores
• Users no longer register with the service provider, using their university credentials for transactions
• Single sign-on convenience for users
• Identity provider does the authentication; service provider does
• Attributes are the key – maintain privacy and security
1. Single sign-on
2. Services no longer manage user accounts & personal data
3. Reduced help-desk load
4. Standards-based technology
5. Home org and user controls
Attributes: Anonymous ID, Staff, Student, …
Federated Access in 30 seconds
Metadata, certificates, common attributes & meaning, federation registration authority,
1. Authentication: single sign-on at home institution
2. Federation-based trust exchange to verify partners
3. Authorization: privacy-preserving exchange of agreed-upon attributes
4. If attributes are acceptable to resource policy, access
Home Institution – user signs in
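The four-step flow on this slide (and in the speaker notes above: authentication at the home institution, metadata-based trust between partners, release of only the agreed-upon attributes, and the service provider's own policy decision) as an added, stand-alone Python simulation; it is not code from the slides or from InCommon. The entity IDs, user record, release policy and the HMAC signing key are constructed stand-ins: real InCommon deployments use SAML assertions with X.509 certificates published in federation metadata, not a shared HMAC key.

```python
import hashlib, hmac, json, time

# Constructed federation metadata: issuer entity ID -> registered signing
# key. Real SAML metadata carries X.509 certificates; HMAC stands in here.
FEDERATION_METADATA = {"https://idp.example.edu": b"constructed-idp-signing-key"}
# Identity provider side: campus account store (constructed) and the per-SP
# attribute release policy, so only agreed-upon attributes leave campus.
IDP_USERS = {"jsmith": {"password": "correct horse", "affiliation": "student",
                        "email": "jsmith@example.edu", "phone": "555-0100"}}
RELEASE_POLICY = {"https://journals.example.org": ["affiliation"]}

def idp_login(username, password):
    """Step 1: authentication happens only at the home institution."""
    user = IDP_USERS.get(username)
    return user is not None and hmac.compare_digest(user["password"], password)

def idp_issue_assertion(issuer, username, audience, now=None):
    """Step 3: assertion with a pairwise anonymous ID plus only the attributes
    the release policy allows for this service provider, signed by the IdP."""
    user = IDP_USERS[username]
    now = time.time() if now is None else now
    anon_id = hashlib.sha256(f"{username}|{audience}".encode()).hexdigest()[:16]
    attrs = {k: user[k] for k in RELEASE_POLICY.get(audience, [])}
    body = {"issuer": issuer, "audience": audience, "subject": anon_id,
            "attributes": attrs, "expires": now + 300}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_METADATA[issuer], payload, hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}

def sp_verify(assertion, audience, now=None):
    """Step 2: the SP trusts only issuers registered in federation metadata,
    then checks signature, intended audience and expiry. None = reject."""
    body = assertion["body"]
    key = FEDERATION_METADATA.get(body.get("issuer"))
    if key is None:
        return None
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None
    now = time.time() if now is None else now
    if body["audience"] != audience or body["expires"] < now:
        return None
    return body

def sp_authorize(body, allowed_affiliations):
    """Step 4: authorization is the SP's own decision, based on attributes."""
    return body["attributes"].get("affiliation") in allowed_affiliations
```

Note that the service provider never sees the password, email or phone number: it receives an opaque per-service subject ID and the single attribute the release policy permits, and a tampered or unregistered assertion is rejected before any authorization decision.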
InCommon is the federation for U.S. research and education, providing higher education and their commercial and non-profit partners with a common trust framework for access to online
• Through InCommon, campuses leverage their identity databases to allow for the use of one set of credentials to access multiple
• Online service providers no longer need to maintain user
• Identity providers manage the levels of their users' privacy and
• InCommon uses SAML-based authentication and authorization systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants.
InCommon Federation Benefits
• Convenience – Single sign-on with higher education
• Safety – Enhanced security with fewer data spills
• Privacy – Release of only the minimum information necessary to gain access to resources (via attributes)
• Scalability – Once implemented, federated access is relatively simple to extend
• Authentication – Campus does the authentication, maintaining control of user information
• Authorization – Service provider makes access decisions based on attributes
InCommon Participants Year-by-Year
• 253 InCommon Participants (Sept. 2010)
• Almost 5 million end-users (faculty, staff, students)
Resources available via InCommon are many and diverse
• Asset management
• Talent management
• Visas & INS compliance
• Mobile alerts
• Travel management
• Energy management
• Surveys and market analysis
Learning and Research
• Databases and analytical tools
• Multi-media access
• Homework labs
• Quiz tools
• Plagiarism detection
• Software downloading
• Alcohol awareness education
• Student travel discounts
• Transportation and ride-share
Strong support from key higher education partners, such as: Microsoft, Apple, National Student Clearinghouse, NSF, NIH, Gov-affiliated Labs