Transcript Slide 1
The InCommon Federation
The U.S. Access and Identity Management Federation
www.incommon.org

The InCommon Federation
• InCommon is the national research and education federation in the United States.
• InCommon membership includes higher education, federal research labs, government agencies and online service providers.
• InCommon establishes the trust relationship among organizations through common policies and procedures.

InCommon Facts
• Fact: InCommon has more than 3 million higher education users.
• Fact: InCommon membership has doubled yearly for several years.
• Fact: InCommon higher education members include institutions of all sizes, including community colleges, research universities, and small liberal arts colleges.
• Fact: InCommon technology is based on standards being adopted globally.

The InCommon Federation Today
InCommon includes:
– 116 higher education participants
– Six government and nonprofit laboratories, research centers, and agencies (including NIH and NSF)
– 41 sponsored partners
– Two county K-12 school districts (as part of a pilot)

Federated Access in 30 seconds
1. Authentication: single sign-on at the home institution (Home Institution – user signs in).
2. Federation-based trust exchange to verify partners and locations (metadata, certificates, common attributes and their meaning, federation registration authority, Shibboleth).
3. Authorization: privacy-preserving exchange of agreed-upon attributes (Attributes: Anonymous ID, Staff, Student, …).
4. If the attributes are acceptable to the online resource's policy, access is granted!

Value of InCommon
• Governance by a representative Steering Committee – Formulates policy, operational standards and practices, establishes a common set of attributes and definitions.
• Legal Agreement – Basic responsibilities, official signatory and establishment of trust, conflict and dispute resolution, basic protections
• Trust “Notary” – InCommon verifies the identity of organizations and their delegated officers
• Trusted Metadata – InCommon verifies and aggregates security information for each participant’s servers, systems, and support contacts
• Technical Interoperability (Technical Advisory Committee) – InCommon defines shared attributes, standards (SAML), software (Shibboleth)

Value of InCommon
• InCommon uses SAML-based authentication and authorization systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants.
• InCommon supports both SAML 1.x and SAML 2.0.
• Several products interoperate with Shibboleth, including those offered by IBM (Tivoli), Oracle, Sun, and CA (SiteMinder).

InCommon Benefits
• Participants exchange information in a standardized format.
• Once an organization is a participating member, setting up a new relationship can take as little as a few minutes.
• Community-based collaboration and support.
• Use of common authentication and authorization software provides single sign-on convenience.

Who can join InCommon?
• Accredited two- and four-year higher education institutions.
• Partner organizations sponsored by higher education participants.

Joining InCommon
• Business, education, research, and government organizations that partner with higher education join the Federation as Sponsored Partners.
• Participation agreement – agreeing to the policies of the federation and the community.
• Develop your participant operation practices (POP), which help other federation members determine level of trust, privacy policies, and attribute collection/use policies.
• Metadata: “Data about data” – a lynchpin of federating.

What does it cost to join InCommon?
• One-time fee of $700.
• Annual fee of $1,000 (for up to 20 service provider systems).
Note: this is the cost for InCommon membership. Depending on your integration and infrastructure, you may incur additional costs for implementation of software and systems.

InCommon and the Federal Government
• Signed agreements with the National Institutes of Health and the National Science Foundation
• Interest expressed by, or in discussion with, several agencies, including:
  • NASA
  • Department of Agriculture
  • Department of Energy
  • caBIG (National Cancer Institute)
  • caGrid (National Cancer Institute)

InCommon and the NIH
– Working on LoA 1 applications with NIH
  • Clinical and Translational Science Awards
– National Library of Medicine
  • Genome data
  • Testing with the University of Washington
– Piloting LoA 2 application with NIH eRA (electronic Research Administration)
  • Involves NIH, InCommon, University of Washington, Penn State University, Johns Hopkins University, University of California Davis
  • Technical demo September 22, 2009 (Federal Demonstration Partnership meeting)
  • Rollout during 2010

InCommon and the NSF
– Piloting LoA 1 application (research.gov) at the National Science Foundation
  • Involves InCommon, Penn State and the University of Washington
  • Testing sandbox is up and running
  • Technical demo September 22, 2009 (Federal Demonstration Partnership meeting)
– More applications under consideration, once this pilot is completed

InCommon and the Federal Government
– Worked closely with GSA to provide feedback on the new federal trust framework.
  • GSA
  • Federal CIO Council (FCIOC)
  • Information Security and Identity Management Committee (ISIMC)
  • Program oversight by the Identity, Credential and Access Management Subcommittee (ICAMSC)
– Federal trust framework based on OMB’s M-04-04 (risk management) and NIST 800-63 (electronic authentication guidelines).
– InCommon helped inform the latest revision of NIST levels of assurance (LoA).
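The four-step "Federated Access in 30 seconds" flow, the "Trusted Metadata" point, and the way an assurance level feeds a resource policy, modeled end to end in Python. This is an added example, not InCommon's or Shibboleth's code: the entity IDs, keys, attribute values, resource policy and the Bronze-below-Silver ranking are all constructed for the example, and an HMAC-SHA256 tag stands in for the XML-DSig signature a real SAML assertion carries. The security point it shows is that the service provider trusts nothing inside the assertion itself; trust comes from the federation metadata that says which issuers exist, which key verifies each one, and what assurance profile the federation has recorded for it.

```python
import hashlib
import hmac
import json
import time

# Constructed federation metadata aggregate (stands in for the signed InCommon
# metadata file): each registered IdP's entity ID maps to the key the SP uses to
# verify its assertions and the assurance profile recorded for it. Entity IDs
# and keys are made up for this example.
FEDERATION_METADATA = {
    "https://idp.example-univ.edu/shibboleth": {
        "key": b"constructed-key-for-example-univ",
        "assurance": "silver",
    },
    "https://idp.example-college.edu/shibboleth": {
        "key": b"constructed-key-for-example-college",
        "assurance": "bronze",
    },
}

# Assumed ordering of the assurance profiles (Bronze ~ LoA 1, Silver ~ LoA 2).
ASSURANCE_RANK = {"bronze": 1, "silver": 2}


def issue_assertion(issuer, key, attributes, audience, issued_at=None, ttl=300):
    """Step 1 (IdP side): after the user signs in at the home institution, the IdP
    issues an assertion carrying only the agreed-upon attributes (an opaque
    targeted ID rather than a username, plus affiliation). HMAC-SHA256 stands
    in for the XML signature of a real SAML assertion (assumption)."""
    issued_at = time.time() if issued_at is None else issued_at
    body = {
        "issuer": issuer,
        "audience": audience,
        "attributes": attributes,
        "expires": issued_at + ttl,
    }
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_assertion(assertion, metadata, my_entity_id, now=None):
    """Step 2 (SP side): the issuer must be found in federation metadata and the
    signature must check against the key registered there; the assertion must
    be addressed to this SP and still be valid. Returns (body, reason), with
    body None on failure."""
    body = json.loads(assertion["payload"])
    entry = metadata.get(body.get("issuer"))
    if entry is None:
        return None, "issuer not registered in federation metadata"
    expected = hmac.new(entry["key"], assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None, "signature does not verify"
    if body.get("audience") != my_entity_id:
        return None, "assertion addressed to a different service provider"
    if (time.time() if now is None else now) > body["expires"]:
        return None, "assertion expired"
    return body, "ok"


def authorize(body, metadata, policy):
    """Steps 3 and 4: apply the resource policy to the released attributes and to
    the assurance profile recorded for the issuing IdP in metadata."""
    affiliations = set(body["attributes"].get("affiliation", []))
    if not affiliations & policy["affiliations"]:
        return False, "affiliation not acceptable to resource policy"
    idp_level = metadata[body["issuer"]]["assurance"]
    if ASSURANCE_RANK[idp_level] < ASSURANCE_RANK[policy["min_assurance"]]:
        return False, "identity provider assurance below resource policy"
    return True, "access granted"


def federated_access(assertion, metadata, my_entity_id, policy, now=None):
    """The whole flow as the online resource sees it."""
    body, reason = verify_assertion(assertion, metadata, my_entity_id, now)
    if body is None:
        return False, reason
    return authorize(body, metadata, policy)


# Constructed service provider identity and resource policy for a demonstration run.
SP_ENTITY_ID = "https://resource.example-agency.gov/shibboleth"
POLICY = {"affiliations": {"staff", "student"}, "min_assurance": "silver"}


def demo():
    """A registered Silver IdP's staff user, then the same attributes signed by
    an issuer the federation has never registered."""
    univ = "https://idp.example-univ.edu/shibboleth"
    good = issue_assertion(univ, FEDERATION_METADATA[univ]["key"],
                           {"targeted_id": "opaque-7f3a", "affiliation": ["staff"]}, SP_ENTITY_ID)
    rogue = issue_assertion("https://idp.not-a-member.example/shibboleth", b"rogue-key",
                            {"targeted_id": "opaque-0001", "affiliation": ["staff"]}, SP_ENTITY_ID)
    return [federated_access(a, FEDERATION_METADATA, SP_ENTITY_ID, POLICY) for a in (good, rogue)]


if __name__ == "__main__":
    for granted, reason in demo():
        print(granted, reason)
```

Note that the Bronze IdP in the metadata can still sign perfectly valid assertions; they are refused only because the resource policy asks for Silver, which is exactly the separation the slides describe between the federation verifying partners and each resource deciding what attributes and assurance it will accept.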
InCommon Silver
– InCommon Silver profile comparable to NIST LoA 2
– Silver pilot now underway at NIH
  • Technical demonstration at FDP meeting Sept. 22
  • Full roll-out (with auditing, policy, and standards in place) in fall 2010.
– InCommon assurance profiles based on OMB M-04-04 and NIST 800-63.
– InCommon will soon submit its Bronze and Silver assurance profiles to the Identity, Credential and Access Management Subcommittee.
– Once approved by ICAMSC, Bronze and Silver will be approved for use with all federal agencies at LoA 1 and LoA 2, respectively.

InCommon Testing and Development
– InCommon is community governed and community driven
– Testing and development done through pilots
  • Involve the service provider and identity providers
  • Staff and community recruit higher education institutions to serve in pilots
  • NIH and NSF pilots are good examples
  • Current pilot example: several university libraries working with library database providers on a Shibboleth/EZproxy hybrid

InCommon Transition
• InCommon works with partners such as NIH to manage the transition.
• Apps can use both federated and traditional sign-on.
• Users from non-federated institutions can use generic identity providers such as ProtectNetwork or federal contractors.

Benefits to the Department of Education
– Through InCommon, each educational institution can manage authentication for its faculty, students and staff.
– With higher education institutions authenticating their users, the need for password resets will be eliminated (one estimate – a single password reset request costs $50).
– Adding higher education partners can take just minutes.
– Low up-front and annual costs.
– Community support.

Benefits to the Department of Education
– Federating additional applications becomes easier and less time-consuming.
– Shibboleth, and thus InCommon, can interoperate with the department’s existing Tivoli deployment.
– InCommon has had significant interaction with the GSA and other agencies developing the federal government’s new trust framework.

The InCommon Federation
The U.S. Access and Identity Management Federation
www.incommon.org