CAMP Notes – Lightning Talks
Monday, June 21, 2010

Federated Identity Case Studies – Lightning Talks

Doug Falk – National Student Clearinghouse
- The National Student Clearinghouse is an InCommon sponsored partner.
- The Clearinghouse is a non-profit that was formed in the mid-1990s to help colleges/universities manage the flow of data with loan providers.
- There are now 3,500 colleges and universities that are Clearinghouse members.
- The primary contact is the registrar; the services and products help the registrar’s office manage data.
- The Clearinghouse does not maintain identities for students, relying on schools to do the authentication.
- Student Self-Service is the first federated application from the Clearinghouse. The application originally relied on a home-grown linking system, with schools needing to write some code. Three universities are now using Shibboleth and federating, with another school in testing. The Clearinghouse would like to get more schools actively federating to take advantage of the governance and scalability. The use of InCommon also greatly reduces the number of calls to the Clearinghouse for help with the home-grown authentication system.
- Student Self-Service was launched so that students, once authenticated, can access a number of services – such as printing an enrollment certificate.

Brian Marks – WebAssign
- WebAssign is an InCommon sponsored partner.
- The company operates an online homework system, primarily geared to the sciences (physics, chemistry and math), and was spun off from North Carolina State Univ. in 2003.
- WebAssign first federated with Penn State and now has 10 schools using Shib and InCommon.
- With federated access, WebAssign does not need to issue credentials and can rely on the federating process for account provisioning and course enrollment provisioning.
- With federated access, instructors no longer need to be heavily involved with course management, like uploading course lists and keeping lists up-to-date, since the attributes can provide such information to WebAssign.
- Several institutions also use federated WebAssign for math placement exams.

Anne Marie Alexander – Duke and federated iTunesU
- In 2004, Duke provided iPods to freshmen, which sparked interest in iTunesU.
- When the university started with iTunesU, the project office entered everything manually.
- As part of its federating process, Duke started using Grouper, which receives course information from PeopleSoft, including such information as the names of TAs and faculty. That information is pushed from Grouper to LDAP, and the eduCourse attribute is used.
- There are as many as 58 courses using iTunesU.

Mike Conlon – University of Florida – VIVO (www.vivoweb.org)
- The University of Florida has federated 240 service providers with about 120 to go (this number is high because of the decentralized nature at Florida). Most of the research apps have been federated.
- VIVO is an open source semantic web application originally developed and implemented at Cornell. When installed and populated with researcher interests, activities, and accomplishments, it enables the discovery of research and scholarship across disciplines at that institution. VIVO supports browsing and a search function that provides for rapid retrieval of desired information.
- VIVO is an open-source discovery tool with information about grants, publications, current work, and research interests. This is an application enabling a national network for scientists.
- The software is available from SourceForge, with a Shibboleth version going into production in the fall. At that point, VIVO will use Shibboleth and InCommon for the distributed system, operating like a website and implemented through libraries. There seems to be significant interest among research librarians.
- The ecosystem of apps supported by VIVO is unlimited. It is a simple open format to gather data. There are federal agencies involved, including NSF, NIH and the VA.

Michelle Morrison – Medical University of South Carolina (MUSC)
- MUSC is interested in collaborations around education, research, and patient care.
- Three South Carolina universities are part of InCommon and MUSC would like to expand to include associated hospitals.
- MUSC is now sharing library resources and doing authorization through Shib and EZProxy. They also plan to use Grouper, but it is in test mode right now.
- In terms of research, there is a state-wide IRB (Institutional Review Board) and the plan is to use Shib for authentication.
- The participating hospitals currently use proprietary software, but the goal is to federate with community hospitals and referring physicians around the state.
- MUSC chose to use the InCommon Federation because the initiative originated with the academic institutions.

Paul Caskey – University of Texas System
- Each campus in the University of Texas System has federated with InCommon. All are also members of the UT federation. The UT System office engineered the federation of all campuses with InCommon and the campuses actually consume UT metadata. The system office takes care of data flows to and from InCommon. This provides flexibility for Texas-specific metadata.
- There are 76 service providers within the UT federation, but the system office encourages outside vendors to join InCommon and federate that way.
- The system is now rewriting its member operating practices (which are analogous to the InCommon POP) to make them more compliant with the emerging federal government specifications for its TFPAP (Trust Framework Provider Adoption Process).
- Also working on levels of assurance and a related auditing process. The system office did a self-survey with all campuses, asking them to answer structured questions about LoA and identity management policies.
This helped determine what changes need to be made to reach higher levels of assurance.
- The University of Texas System views its federation and the InCommon Federation as a core business process. They cannot do business without the federation and it also serves as a gateway to the rest of the world.

Jim Greene (Michigan State University) – CIC Identity Management Effort
- The CIC is the Committee for Institutional Cooperation, comprised of the Big Ten schools plus the University of Chicago.
- The CIC IdM task force is sponsored by the CIOs of the CIC institutions.
- The task force developed a list of 30-plus items, including shared issues, problems, and things the members would like to see accomplished. The group picked the top three to work on and then gathered volunteers: 1) TeraGrid and federated access to the TeraGrid; 2) federated wireless; 3) InC Silver by all CIC institutions by 2011.
- TeraGrid – This is a distributed high-performance computing grid made available to researchers. A large percentage of users are at CIC institutions. There are level of assurance issues with authentication and identity vetting, as well as questions about how to route problems and calls when people have problems logging in.
- Federated Guest Wireless – Europe has widespread deployment of Eduroam – those from participating institutions log in with their home credentials. Eduroam is operated through a series of RADIUS servers (not via Shibboleth). The task force will explore whether the CIC can deploy and federate Eduroam, whether to recommend that InCommon be involved, and whether there are options other than Eduroam.
- InC Silver Certification by Fall 2011 – The prerequisite seems to be having policies and practices in place and documented so your auditor can then provide verification.

George Laskaris – NJ Edge
- Through a grant, NJ Edge built a state-wide video repository, using federated identity management, to serve K-12, higher ed, and public libraries.
- The three-year grant is for a collaboration among Rutgers, William Paterson University and NJ Edge.
- There are three types of collections – 1) a commons repository built on Fedora, offering non-licensed academic material; 2) licensed academic content (several repositories) that interact statewide via Shibboleth; and 3) learning on demand (each institution has the ability to use any lecture capture system and upload the material to the repository).
- Repositories have the ability for metadata tagging to facilitate searching. This is done by librarians for librarians.
- There is also a powerful annotation tool, allowing for the identification of segments from different videos and linking them together to form an object.
- The federated identity management structure took a lot of collaboration among the librarians.
- Libraries are saving money every year by using the repository in place of individual vendor contracts. At the same time, vendors need assurance that the repositories are protecting the video resources and not making them available to those who have not paid for the license.
- Since colleges and universities already operate identity management systems, federating was not a problem. The challenge is with K-12 (more than 500 school districts) and public libraries. There is talk of doing something on the county level with these groups.
- There is a YouTube-like interface so faculty can easily place their own videos in the repository.

Ken Klingenstein – Eduroam, Attributes, and Other Issues
- Eduroam – This is well established in Europe. It is operated using a series of RADIUS servers. The University of Washington is approaching this as an incentive to join the alumni association, with alumni receiving wireless access nationwide and worldwide. There is not much work in implementing Eduroam on a campus, since a RADIUS server would already be in place.
- “It’s all about the attributes” is increasingly evident.
Many companies, for example, just care about “over legal age” as an attribute. In education, “student-ness” is of great interest to companies.
- Return on Investment – The Office of Personnel Management in the federal government released information on federated identity, including an indication that the return on investment for federated identity is less than 14 months.
- Domesticating applications – This is becoming of greater interest and means externalizing access control. When you have 200,000 IDs in your identity management system, you want to use groups – and that’s how you domesticate applications.

Celeste Copeland – Federating PeopleSoft at UNC-Chapel Hill
- Last year, the University of North Carolina-Chapel Hill moved its student data to PeopleSoft. There was a desire to integrate with the Sun portal and other applications.
- Services around campus were Shibbolized, so UNC-Chapel Hill decided to accomplish these integrations, and make things look seamless to users, by Shibbolizing PeopleSoft.
- This has been a successful project, although it took some work to get attributes working with PeopleSoft security. There was also work in ensuring that everyone who needed access, including student applicants, had the appropriate level of access.