The InCommon Federation: The U.S. Access and Identity Management Federation

The InCommon Federation

The U.S. Access and Identity Management Federation

www.incommon.org

The InCommon Federation

• InCommon is the national research and education federation in the United States.

• InCommon membership includes higher education, federal research labs, government agencies and online service providers.

• InCommon establishes the trust relationship among organizations through common policies and procedures.

InCommon Facts

• Fact: InCommon has more than 3 million higher education users.

• Fact: InCommon membership has doubled yearly for several years.

• Fact: InCommon higher education members include institutions of all sizes, including community colleges, research universities, and small liberal arts colleges.

• Fact: InCommon technology is based on standards being adopted globally.

The InCommon Federation

Today InCommon includes:

– 116 higher education participants

– Six government and nonprofit laboratories, research centers, and agencies (including NIH and NSF)

– 41 sponsored partners

– Two county K-12 school districts (as part of a pilot)

Federated Access in 30 seconds

Building blocks: metadata, certificates, common attributes and their agreed meaning, federation registration authority, Shibboleth

Home Institution (user signs in) ↔ Online Resource

Attributes: Anonymous ID, Staff, Student, …

1. Authentication: single sign-on at the home institution

2. Federation-based trust exchange to verify partners and locations

3. Authorization: privacy-preserving exchange of agreed-upon attributes

4. If the attributes are acceptable to the resource policy, access is granted!
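The four steps above, modelled end to end as an added example in Python (this is not code from InCommon, Shibboleth or the slide deck). The entity IDs, keys, user record and the JSON "metadata aggregate" are all constructed stand-ins: a real federation publishes signed SAML metadata (XML, X.509 signature), and the HMAC here only plays the role of the registration authority's signature. The attribute names eduPersonScopedAffiliation and eduPersonTargetedID are real eduPerson attributes; the targeted ID is the slide's "anonymous ID", an opaque value that is stable per user and per service provider so that two providers cannot correlate the same person.

```python
import hashlib
import hmac
import json

# Placeholder secrets (constructed): a real federation signs metadata with an X.509 key
# and an IdP derives targeted IDs from its own private salt.
FEDERATION_KEY = b"placeholder-federation-signing-key"
IDP_SECRET = b"placeholder-idp-targeted-id-salt"

IDP = "https://idp.example.edu/idp/shibboleth"          # constructed entityID
SP = "https://sp.example.org/shibboleth"                # constructed entityID
ROGUE_SP = "https://rogue.example.net/shibboleth"       # not registered with the federation


def sign_metadata(entities, key):
    """Federation registration authority publishes entity descriptors plus a signature."""
    body = json.dumps(entities, sort_keys=True).encode()
    return {"entities": entities, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_metadata(aggregate, key):
    """Step 2: both sides trust only entities listed in metadata whose signature verifies."""
    body = json.dumps(aggregate["entities"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, aggregate["sig"]):
        raise ValueError("federation metadata signature check failed")
    return aggregate["entities"]


# Constructed aggregate: one identity provider and one service provider.
METADATA = sign_metadata({
    IDP: {"role": "IdP", "sso": "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"},
    SP: {"role": "SP", "acs": "https://sp.example.org/Shibboleth.sso/SAML2/POST"},
}, FEDERATION_KEY)

# Step 3: the IdP's attribute release policy, keyed by SP entityID. Only the attributes
# agreed with that SP leave the institution; name and mail are never released here.
RELEASE_POLICY = {
    SP: {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
}

# Constructed directory record for one user at the home institution.
USER = {
    "uid": "jdoe",
    "attributes": {
        "displayName": "Jane Doe",
        "mail": "jdoe@example.edu",
        "eduPersonScopedAffiliation": ["student@example.edu", "member@example.edu"],
    },
}


def targeted_id(uid, sp_entity_id, idp_secret):
    """Opaque 'anonymous ID': stable for (user, SP) but different for every SP."""
    msg = f"{uid}|{sp_entity_id}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()[:32]


def idp_issue_assertion(user, sp_entity_id, entities):
    """Step 1 has already happened (the user holds an SSO session at home); the IdP now
    builds the attribute statement for this SP, refusing SPs absent from metadata."""
    if entities.get(sp_entity_id, {}).get("role") != "SP":
        raise PermissionError(f"{sp_entity_id} is not a federation service provider")
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    attrs = {k: v for k, v in user["attributes"].items() if k in allowed}
    if "eduPersonTargetedID" in allowed:
        attrs["eduPersonTargetedID"] = targeted_id(user["uid"], sp_entity_id, IDP_SECRET)
    return {"issuer": IDP, "audience": sp_entity_id, "attributes": attrs}


def sp_authorize(assertion, entities, required_affiliations):
    """Step 4: the SP checks issuer and audience against metadata, then applies its
    resource policy to whatever attributes were released."""
    if entities.get(assertion["issuer"], {}).get("role") != "IdP":
        return False
    if assertion["audience"] != SP:
        return False
    affiliations = set(assertion["attributes"].get("eduPersonScopedAffiliation", []))
    return bool(affiliations & set(required_affiliations))


def run_flow(user, sp_entity_id, required_affiliations, aggregate=METADATA):
    """Whole exchange; returns (access granted?, names of the attributes released)."""
    entities = verify_metadata(aggregate, FEDERATION_KEY)
    assertion = idp_issue_assertion(user, sp_entity_id, entities)
    granted = sp_authorize(assertion, entities, required_affiliations)
    return granted, sorted(assertion["attributes"])


if __name__ == "__main__":
    print(run_flow(USER, SP, {"member@example.edu"}))
```

Two things the model makes visible that the slide only states: the resource never sees uid, name or mail, yet can still recognise a returning user through the targeted ID; and a provider that is not in the signed metadata is refused before any attribute is released, which is what "federation-based trust exchange" buys over ad hoc bilateral setups.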

Value of InCommon

• Governance by a representative Steering Committee

– Formulates policy, operational standards and practices; establishes a common set of attributes and definitions.

• Legal Agreement

– Basic responsibilities, official signatory and establishment of trust, conflict and dispute resolution, basic protections

• Trust “Notary”

– InCommon verifies the identity of organizations and their delegated officers

• Trusted Metadata

– InCommon verifies and aggregates security information for each participant’s servers, systems, and support contacts

• Technical Interoperability (Technical Advisory Committee)

– InCommon defines shared attributes, standards (SAML), and software (Shibboleth)

Value of InCommon

• InCommon uses SAML-based authentication and authorization systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants.

• InCommon supports both SAML 1.x and SAML 2.0.

• Several products interoperate with Shibboleth, including those offered by IBM (Tivoli), Oracle, Sun, and CA (Siteminder).

InCommon Benefits

• Participants exchange information in a standardized format.

• Once an organization is a participating member, setting up a new relationship can take as little as a few minutes.

• Community-based collaboration and support.

• Use of a common authentication and authorization software provides single sign-on convenience.

Who can join InCommon?

• Accredited two- and four-year higher education institutions.

• Partner organizations sponsored by higher education participants.

Joining InCommon

• Business, education, research, and government organizations that partner with higher education join the Federation as Sponsored Partners.

• Participation agreement – agreeing to the policies of the federation and the community.

• Develop your Participant Operational Practices (POP) statement, which helps other federation members determine level of trust, privacy policies, and attribute collection/use policies.

• Metadata: “Data about data” – a lynchpin of federating.

What does it cost to join InCommon?

• One-time fee of $700.

• Annual fee of $1,000 (for up to 20 service provider systems).

Note: this is the cost for InCommon membership. Depending on your integration and infrastructure, you may incur additional costs for implementation of software and systems.

InCommon and the Federal Government

• Signed agreements with the National Institutes of Health and the National Science Foundation

• Interest expressed by, or in discussion with, several agencies, including:

– NASA

– Department of Agriculture

– Department of Energy

– caBIG (National Cancer Institute)

– caGrid (National Cancer Institute)

InCommon and the NIH

– Working on LoA 1 applications with NIH

• Clinical and Translational Science Awards

• National Library of Medicine

• Genome data

• Testing with University of Washington

– Piloting LoA 2 application with NIH eRA (electronic Research Administration)

• Involves NIH, InCommon, University of Washington, Penn State University, Johns Hopkins University, University of California Davis

• Technical demo September 22, 2009 (Federal Demonstration Partnership meeting)

• Rollout during 2010

InCommon and the NSF

– Piloting LoA 1 application (research.gov) at the National Science Foundation

• Involves InCommon, Penn State and the University of Washington

• Testing sandbox is up and running

• Technical demo September 22, 2009 (Federal Demonstration Partnership meeting)

– More applications under consideration, once this pilot is completed

InCommon and the Federal Government

– Worked closely with GSA to provide feedback on the new federal trust framework.

• GSA

• Federal CIO Council (FCIOC)

• Information Security and Identity Management Committee (ISIMC)

• Program oversight by Identity, Credential and Access Management Subcommittee (ICAMSC)

– Federal trust framework based on OMB’s M-04-04 (risk management) and NIST 800-63 (electronic authentication guidelines).

– InCommon helped inform the latest revision of NIST levels of assurance (LoA).

InCommon Silver

– InCommon Silver profile comparable to NIST LoA2

– Silver pilot now underway at NIH

• Technical demonstration at FDP meeting Sept. 22

• Full roll-out (with auditing, policy, and standards in place) in fall 2010.

– InCommon assurance profiles based on OMB M-04-04 and NIST 800-63.

– InCommon will soon submit its Bronze and Silver assurance profiles to the Identity, Credential and Access Management Subcommittee.

– Once approved by ICAMSC, Bronze and Silver will be approved for use with all federal agencies at LoA1 and LoA2, respectively.

InCommon Testing and Development

– InCommon is community governed and community driven

– Testing and Development done through pilots

• Involve the service provider and identity providers

• Staff and community recruit higher education institutions to serve in pilots

• NIH and NSF pilots good examples

• Current pilot example: several university libraries working with library database providers on Shibboleth/EZProxy hybrid

InCommon Transition

• InCommon works with partners such as NIH to manage transition.

• Apps can use both federation and traditional sign-on.

• Users from non-federated institutions can use generic identity providers such as ProtectNetwork or federal contractors.

Benefits to the Department of Education

– Through InCommon, each educational institution can manage authentication for its faculty, students and staff.

– With higher education institutions authenticating their users, the need for password resets will be eliminated (by one estimate, a single password reset request costs $50).

– Adding higher education partners can take just minutes.

– Low up-front and annual costs.

– Community support.

Benefits to the Department of Education

– Federating additional applications becomes easier and less time-consuming.

– Shibboleth, and thus InCommon, can interoperate with the department’s existing Tivoli deployment.

– InCommon has had significant interaction with the GSA and other agencies developing the federal government’s new trust framework.

The InCommon Federation

The U.S. Access and Identity Management Federation

www.incommon.org