InCommon and Federated Identity Management - PowerPoint PPT Presentation

Slides: 25
Provided by: annw1
InCommon and Federated Identity Management
What is Identity Management?
  • A system of standards, procedures and
    technologies that provides electronic credentials
    to individuals.
  • Maintains authoritative information about
  • Establishes the trust needed for transactions.
  • Facilitates and controls user access to online
    applications or resources.

Identity Management
  • Who are you? (identification)
  • Collect personally identifying information to
    prove you are who you say you are (identity
    proofing), such as driver's license, passport, or
    biometric data
  • Assign attributes (name, address, college or
    university, department, role (faculty, staff,
    student), major, email address)
  • How can you prove it? (authentication)
  • Verifying that the person seeking access to a
    resource is the one previously identified and

Identity Management
  • Authentication does not verify that the identity
    proofing is correct. It establishes that the
    previously identified person is the same one who
    is seeking access to a resource.

Key Entities
  • Three entities involved in gaining access to a
  • Subject (i.e. user): The person identified and
    the subject of assertions (or claims) about his
    or her identity.
  • Identity Provider: Typically the university or
    organization that maintains the identity system,
    identity-proofs the subject and issues a
    credential. Also provides assertions or claims to
    the service provider about a subject's identity.
  • Service Provider (sometimes called the relying
    party): Owner/provider of the protected resource
    to which the subject would like access.
    Consumes the assertion from the identity provider
    and makes an authorization decision.

Key Terms
  • Authentication: Verification (via a user ID and
    password) that a subject is associated with an
    electronic identifier. This is the responsibility
    of the identity provider.
  • Authorization: Determining whether a subject is
    eligible to gain access to a resource or service.
    The authorization decision is made by the service
    provider and is based on the attributes provided
    by the identity provider.
  • Attribute: A single piece of information
    associated with an electronic identity database
    record, such as name, phone number, group
    affiliation, email address, major.
The Problem
  • The system of authentication and authorization,
    and the passing of attributes, requires that the
    identity provider and service provider agree on
    policies and procedures.
  • When you have one identity provider working with
    many service providers or one service provider
    working with many identity providers things get
  • Individual service providers keep subject
    information in their own databases, or may want
    direct access to an identity provider's database,
    or may require frequent batch uploads of identity

  1. Tedious user registration at all resources
  2. Unreliable and outdated user data at resources
  3. Different login process at each resource
  4. Many different passwords
  5. Identity provider may need to support multiple
    custom authentication methods and/or be asked for
    access to its identity database

The Problem
  • Growing number of applications on-campus and
    outsourced or hosted
  • All of these service providers must
  • Verify the identity of users (faculty, staff,
    students, others)
  • Know who's eligible to access the service
  • Know the student is active and hasn't left school
  • Increase in outsourced or cloud services raises
    concerns about the security and privacy of the
    identity data

A Solution: Federated Identity Management
Federation: An association of organizations that
come together to exchange information, as
appropriate, about their users and resources in
order to enable collaborations and transactions.
All participants in a federation agree on the same
policies and procedures related to identity
management and the passing of attributes. Instead
of one-to-one relationships, the federation allows
one-to-many relationships.
Federated Identity Management
  • Parties agree to leverage the identity providers
    database, rather than creating separate data
  • Users no longer register with the service
    provider, using their university credentials for
  • Single sign-on convenience for users
  • Identity provider does the authentication;
    service provider does the authorization
  • Attributes are the key maintain privacy and

  1. Single sign-on
  2. Services no longer manage user accounts and
     personal data stores
  3. Reduced help-desk load
  4. Standards-based technology
  5. Home org and user control privacy
InCommon Federation
InCommon is the federation for U.S. research and
education, providing higher education and their
commercial and non-profit partners with a common
trust framework for access to online resources.
About InCommon
  • Through InCommon, campuses leverage their
    identity databases to allow for the use of one
    set of credentials to access multiple resources.
  • Online service providers no longer need to
    maintain user accounts.
  • Identity providers manage the levels of their
    users' privacy and information exchange.
  • InCommon uses SAML-based authentication and
    authorization systems (such as Shibboleth) to
    enable scalable, trusted collaborations among its
    community of participants.

InCommon Federation Benefits
  • Convenience: Single sign-on with higher
    education credentials
  • Safety: Enhanced security with fewer data spills
  • Privacy: Release of only the minimum information
    necessary to gain access to resources (via
  • Scalability: Once implemented, federated access
    is relatively simple to extend
  • Authentication: Campus does the authentication,
    maintaining control of user information
  • Authorization: Service provider makes access
    decisions based on attributes

Federated Access in 30 seconds
  1. Authentication: single sign-on at home
     institution (user signs in)
  2. Federation-based trust exchange to verify
     partners and locations
  3. Authorization: privacy-preserving exchange of
     agreed-upon attributes (e.g. Anonymous ID,
     Staff, Student, Home Institution)
  4. If attributes are acceptable to resource
     policy, access is granted!
(Diagram: Home Institution, Attributes, Online Resource)
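The service-provider side of steps 3 and 4, as an added example that is not from the presentation or from InCommon/Shibboleth: after the SAML stack has verified the assertion's signature, the SP checks that the issuer is in its federation metadata, that the assertion is addressed to it and still valid, and then applies its resource policy to the released attributes. The entityIDs, the scope mapping and the use of the eduPerson attribute names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed stand-in for federation metadata: trusted IdP entityIDs and the
# attribute scope (domain) each is allowed to assert. Hypothetical names.
TRUSTED_IDPS = {"https://idp.example.edu/idp/shibboleth": "example.edu"}
SP_ENTITY_ID = "https://service.example.org/shibboleth"
ALLOWED_AFFILIATIONS = {"staff", "student"}  # resource policy from the slide

def parse_time(s):
    """SAML timestamps are UTC ('Z'); return an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def authorize(assertion_xml, now):
    """SP-side decision over an assertion whose XML signature the SAML stack
    (e.g. Shibboleth SP) has already verified. Returns (granted, reason, id)."""
    a = ET.fromstring(assertion_xml)
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer not in TRUSTED_IDPS:
        return False, "issuer not in federation metadata", None
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now
                            < parse_time(cond.get("NotOnOrAfter"))):
        return False, "assertion missing or outside validity window", None
    if SP_ENTITY_ID not in [e.text for e in cond.findall(".//saml:Audience", NS)]:
        return False, "assertion not addressed to this SP", None
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall(".//saml:Attribute", NS)}
    # The IdP may only assert affiliations within its own registered scope.
    scope = TRUSTED_IDPS[issuer]
    roles = {v.split("@")[0] for v in attrs.get("eduPersonScopedAffiliation", [])
             if v.endswith("@" + scope)}
    if not roles & ALLOWED_AFFILIATIONS:
        return False, "affiliation does not satisfy resource policy", None
    pid = attrs.get("eduPersonTargetedID", [None])[0]
    if not pid:
        return False, "no pairwise identifier released", None
    return True, "ok", pid  # the SP keys its session on the opaque ID only

# Constructed sample: only an opaque pairwise ID and an affiliation are released
# (no name or email), matching the minimum-release principle on the slides.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
<saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://service.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
</saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="eduPersonScopedAffiliation"><saml:AttributeValue>student@example.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="eduPersonTargetedID"><saml:AttributeValue>opaque-pairwise-id-0001</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

Signature verification is deliberately left to the SAML library; the checks above are the policy layer a Shibboleth SP applies on top of it, and the trusted-IdP list would in practice come from the signed InCommon metadata aggregate.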
InCommon Participants Year-by-Year
  • 400 InCommon Participants
  • Almost 6 million end-users (faculty, staff,

Federated Resources
Resources available via InCommon are many and diverse.
  • Business Functions
      • Benefits
      • Asset management
      • Talent management
      • Visas INS compliance
      • Mobile alerts
      • Travel management
      • Energy management
      • Surveys and market analysis
  • Learning and Research
      • Journals
      • Databases and analytical tools
      • Multi-media access
      • Homework labs
      • Quiz tools
      • Plagiarism detection
      • Software downloading
      • Alcohol awareness education
      • Student travel discounts
      • Transportation and ride-share services

Strong support from key higher education
partners, such as Microsoft, Apple, National
Student Clearinghouse, NSF, NIH, Gov-affiliated
InCommon Assurance Profiles
  • Bronze and Silver profiles equate to the U.S.
    government's NIST 800-63 levels of assurance 1
    and 2, respectively
  • Require more stringent identity proofing policies
    and procedures, allowing for access to
    higher-risk applications (such as financial
    service apps)
  • Status: Several universities working through the
    policy and technical processes for implementing
  • CIC universities (Big Ten schools and the Univ.
    of Chicago)

InCommon Collaboration Groups
  • Collaboration
  • InC-Library
  • InC-Student
  • InC-NIH
  • InC-Research Agencies
  • US Federations
  • https//

Outreach and Education
  • IAM Online: Monthly presentations on identity
    and access management.
  • CAMP, Advance CAMP, Day CAMP: Conferences
    focused on federated identity and access
    management.
  • Affiliate Program: Linking higher ed with
    partners able to help build the necessary
    underlying infrastructure that supports
    federated access.
  • Shibboleth Workshop Series: Intensive workshops
    to learn and install
InCommon Cert Service
  • Service developed by and for the higher education
    community. InCommon is a non-profit,
    community-governed organization; the primary
    driver is to provide value to the community.
  • Unlimited SSL certificates, and (soon) unlimited
    personal certificates (for signing, encryption,
    code signing and authentication)
  • One fixed annual fee.
  • One publicly signed certificate source for all
    campus servers and domains
  • Includes all domains owned by the college or
    university such as professional organizations
    or athletic sites (including any .org, .com, .net
    or others).
  • Internet2 members receive a 25 percent discount
