InCommon Overview

www.incommon.org
What is Identity Management?
• A system of standards, procedures and technologies
that provides electronic credentials to individuals.
• Maintains authoritative information about individuals.
• Establishes the trust needed for transactions.
• Facilitates and controls user access to online
applications or resources.
Identity Management
Who are you? (identification)
• Collect personally identifying information to prove you
are who you say you are (identity proofing), such as a
driver's license, passport, or biometric data
• Assign attributes (name, address, college or university,
department, role [faculty, staff, student], major, email
address)
How can you prove it? (authentication)
• Verifying that the person seeking access to a resource
is the one previously identified and approved
Identity Management
Authentication does not verify that the identity proofing is
correct. It establishes that the previously identified person
is the same one who is seeking access to a resource.
Key Entities
Three entities involved in gaining access to a resource:
1. Subject (i.e. user) – The person identified and the subject of
assertions (or claims) about his or her identity.
2. Identity Provider – Typically the university or organization that
maintains the identity system, identity-proofs the subject and issues a
credential. Also provides assertions or claims to the service provider
about a subject's identity.
3. Service Provider (sometimes called the relying party) –
Owner/provider of the protected resource the subject would
like to access. Consumes the assertion from the identity provider and
makes an authorization decision.
Key Terms
Authentication – Verification (for example, via a user ID and password) that a
subject is associated with an electronic identifier. This is the
responsibility of the identity provider.
Authorization – Determining whether a subject is eligible to gain
access to a resource or service. The authorization decision is made by
the service provider and is based on the attributes provided by the
identity provider.
Attribute – A single piece of information associated with an electronic
identity database record, such as name, phone number, group
affiliation, email address, major.
The Problem
The system of authentication and authorization, and the passing of
attributes, requires that the identity provider and service provider
agree on policies and procedures.
When you have one identity provider working with many service
providers – or one service provider working with many identity
providers – things get complicated.
Individual service providers keep subject information in their own
databases, or may want direct access to an identity provider’s
database, or may require frequent batch uploads of identity
information.
1. Tedious user registration at all
resources
2. Unreliable and outdated user
data at resources
3. Different login process at each
resource
4. Many different passwords
5. Identity provider may need to
support multiple custom
authentication methods and/or
be asked for access to its
identity database
The Problem
• Growing number of applications – on-campus and outsourced
or hosted
• All of these service providers must:
 – Verify the identity of users (faculty, staff, students, others)
 – Know who's eligible to access the service
 – Know the student is active and hasn't left school
• Increase in outsourced or cloud services raises concerns
about the security and privacy of the identity data
A Solution: Federated Identity Management
Federation: An association of organizations that come together to
exchange information, as appropriate, about their users and
resources in order to enable collaborations and transactions.
All participants in a federation agree on the same policies and
procedures related to identity management and the passing of
attributes.
Instead of one-to-one relationships, the federation allows one-to-many
relationships.
Federated Identity Management
• Parties agree to leverage the identity provider’s database,
rather than creating separate data stores
• Users no longer register with the service provider; they use their
university credentials for transactions
• Single sign-on convenience for users
• Identity provider does the authentication; service provider does
the authorization
• Attributes are the key – maintain privacy and security
1. Single sign on
2. Services no longer manage
user accounts & personal data
stores
3. Reduced help-desk load
4. Standards-based technology
5. Home org and user controls
privacy
InCommon Federation
InCommon is the federation for U.S. research and education,
providing higher education and their commercial and non-profit
partners with a common trust framework for access to online
resources.
About InCommon
• Through InCommon, campuses leverage their identity databases
to allow for the use of one set of credentials to access multiple
resources.
• Online service providers no longer need to maintain user
accounts.
• Identity providers manage the levels of their users' privacy and
information exchange.
• InCommon uses SAML-based authentication and authorization
systems (such as Shibboleth®) to enable scalable, trusted
collaborations among its community of participants.
InCommon Federation Benefits
• Convenience – Single sign-on with higher education
credentials
• Safety – Enhanced security with fewer data spills
• Privacy – Release of only the minimum information necessary
to gain access to resources (via attributes)
• Scalability – Once implemented, federated access relatively
simple to extend
• Authentication – Campus does the authentication, maintaining
control of user information
• Authorization – Service provider makes access decisions
based on attributes
Federated Access in 30 seconds
1. Authentication: single sign-on at the home institution (the user
signs in there, not at the resource)
2. Federation-based trust exchange to verify partners and locations
(metadata, certificates, common attributes and their meaning,
federation registration authority, Shibboleth)
3. Authorization: privacy-preserving exchange of agreed-upon
attributes with the online resource (attributes such as anonymous ID,
staff, student, …)
4. If the attributes are acceptable to the resource policy, access
is granted!
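The service-provider side of steps 2 to 4, as an added example written for this page (it is not InCommon or Shibboleth code). It consumes a constructed, minimal SAML 2.0 assertion, checks that the assertion really came from the expected federation partner and was issued for this service provider and is still within its validity window, then makes the access decision from the released eduPersonAffiliation attribute. The entity IDs, the resource policy and the sample assertion are hypothetical; the XML signature check that binds the assertion to the IdP's key from federation metadata is assumed to have been done already by the SAML stack (as Shibboleth SP does before attributes reach policy code) and is not repeated here.

```python
"""Service-provider policy decision over a SAML attribute assertion.

Added example, not InCommon or Shibboleth code. The assertion below is
constructed; entity IDs and policy are assumptions for illustration.
Signature verification against federation metadata is assumed done upstream.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML in production

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# eduPersonAffiliation: the attribute the hypothetical resource policy is keyed on.
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"

# Constructed sample: a transient (anonymous) NameID plus a single attribute.
# Only the affiliation is released, nothing that identifies the person.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2014-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t9f3c0</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-06-01T12:00:00Z" NotOnOrAfter="2014-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://journals.example.com/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>student</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_time(value):
    """Parse a SAML UTC timestamp such as 2014-06-01T12:00:00Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract issuer, anonymous subject, validity window, audiences and attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML:
        raise ValueError("not a SAML 2.0 Assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions; refuse to use it")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "subject": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
        "not_before": saml_time(nb) if nb else None,
        "not_on_or_after": saml_time(noa) if noa else None,
        "audiences": {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)},
        "attributes": attrs,
    }


def authorize(xml_text, sp_entity_id, trusted_idp, allowed_affiliations, now=None):
    """Step 4: decide access from the attributes. Returns (granted, reason, anonymous subject).

    Every check here is one a service provider must do itself even though the
    IdP authenticated the user: the issuer must be the partner we trust, the
    assertion must be addressed to us, it must be inside its validity window,
    and only then does the attribute policy apply.
    """
    now = now or datetime.now(timezone.utc)
    a = parse_assertion(xml_text)
    subj = a["subject"]
    if a["issuer"] != trusted_idp:
        return False, "issuer %r is not the trusted federation partner" % a["issuer"], subj
    if sp_entity_id not in a["audiences"]:
        return False, "assertion was issued for a different service provider", subj
    if a["not_before"] and now < a["not_before"]:
        return False, "assertion not yet valid", subj
    if a["not_on_or_after"] and now >= a["not_on_or_after"]:
        return False, "assertion expired", subj
    affiliations = set(a["attributes"].get(AFFILIATION, []))
    if not affiliations & set(allowed_affiliations):
        return False, "affiliations %s not permitted by resource policy" % sorted(affiliations), subj
    return True, "affiliation accepted by resource policy", subj


if __name__ == "__main__":
    decision = authorize(
        SAMPLE_ASSERTION,
        sp_entity_id="https://journals.example.com/shibboleth",
        trusted_idp="https://idp.example.edu/idp/shibboleth",
        allowed_affiliations={"student", "faculty", "staff"},
        now=saml_time("2014-06-01T12:02:00Z"),
    )
    print(decision)
```

The resource never learns who the user is: the decision is keyed on the affiliation value and the subject is a transient identifier, which is what "release of only the minimum information necessary" means in practice. The audience and time checks are what stop an assertion captured for one service from being replayed at another, or replayed later.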
InCommon Participants Year-by-Year
• More than 7.5 million end-users (faculty, staff,
students)
[Chart: number of participants per year, 2004 through 2014, on a 0 to 600 scale]
Federated Resources
Resources available via InCommon are many and diverse
Business Functions
• Benefits
• Asset management
• Talent management
• Visas & INS compliance
• Mobile alerts
• Travel management
• Energy management
• Surveys and market analysis
Learning and Research
• Journals
• Databases and analytical tools
• Multi-media access
• Homework labs
• Quiz tools
• Plagiarism detection
• Software downloading
• Alcohol awareness education
• Student travel discounts
• Transportation and ride-share services
Strong support from key higher education partners, such as: Microsoft,
Apple, National Student Clearinghouse, NSF, NIH, Gov-affiliated Labs
InCommon Assurance Profiles
Bronze and Silver profiles equate to the U.S. government's
NIST 800-63 levels of assurance 1 and 2, respectively
• Require more stringent identity proofing policies and
procedures, allowing for access to higher-risk applications
(such as financial service apps)
• Status: Several universities working through the policy and
technical processes for implementing Silver
 – CIC universities (Big Ten schools and the Univ. of
Chicago)
assurance.incommon.org
InCommon Collaboration Groups
• InC-Library
• InC-Student
• InC-NIH
• InC-Research Agencies
• US Federations
https://spaces.internet2.edu/display/InCCollaborate/
Outreach and Education
IAM Online – Monthly presentations on identity and access management.
www.incommon.org/iamonline
CAMP, Advance CAMP, Day CAMP – Conferences focused on federated
identity and access management. www.incommon.org/camp
Affiliate Program – Linking higher ed with partners able to help build the
necessary underlying infrastructure that supports federated access.
www.incommon.org/affiliate
Shibboleth Workshop Series – Intensive workshops to learn and install
Shibboleth. www.incommon.org/educate/shibboleth
InCommon Cert Service
• Service developed by and for the higher education community. InCommon is
a non-profit, community-governed organization – the primary driver is to
provide value to the community.
• Unlimited SSL certificates, and (soon) unlimited personal certificates (for
signing, encryption, code signing and authentication)
• One fixed annual fee.
• One publicly signed certificate source for all campus servers and domains
• Includes all domains owned by the college or university – such as
professional organizations or athletic sites (including any .org, .com, .net or
others).
• Internet2 members receive a 25 percent discount
www.incommon.org
info@incommon.org