The InCommon Federation The U.S. Access and Identity Management Federation www.incommon.org.


1 The InCommon Federation The U.S. Access and Identity Management Federation www.incommon.org

2 The InCommon Federation InCommon is the national research and education federation in the United States. InCommon membership includes higher education, federal research labs, government agencies and online service providers. InCommon establishes the trust relationship among organizations through common policies and procedures.

3 InCommon Facts Fact: InCommon has more than 3 million higher education users. Fact: InCommon membership has doubled yearly for several years. Fact: InCommon higher education members include institutions of all sizes, including community colleges, research universities, and small liberal arts colleges. Fact: InCommon technology is based on standards being adopted globally.

4 The InCommon Federation Today InCommon includes: –116 higher education participants –Six government and nonprofit laboratories, research centers, and agencies (including NIH and NSF) –41 sponsored partners –Two county K-12 school districts (as part of a pilot)

5

6 Federated Access in 30 seconds
Home Institution – user signs in
Online Resource
1. Authentication: single-sign-on at home institution
2. Federation-based trust exchange to verify partners and locations
3. Authorization: Privacy-preserving exchange of agreed upon attributes
4. If attributes are acceptable to resource policy, access is granted!
Attributes: Anonymous ID, Staff, Student, …
Metadata, certificates, common attributes & meaning, federation registration authority, Shibboleth

7

8 Value of InCommon Governance by a representative Steering Committee –Formulates policy, operational standards and practices, establishes a common set of attributes and definitions. Legal Agreement –Basic responsibilities, official signatory and establishment of trust, conflict and dispute resolution, basic protections Trust “Notary” –InCommon verifies the identity of organizations and their delegated officers Trusted Metadata –InCommon verifies and aggregates security information for each participant’s servers, systems, and support contacts Technical Interoperability (Technical Advisory Committee) –InCommon defines shared attributes, standards (SAML), software (Shibboleth)

9 Value of InCommon InCommon uses SAML-based authentication and authorization systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants. InCommon supports both SAML 1.x and SAML 2.0. Several products interoperate with Shibboleth, including those offered by IBM (Tivoli), Oracle, Sun, and CA (Siteminder).

10 InCommon Benefits Participants exchange information in a standardized format. Once an organization is a participating member, setting up a new relationship can take as little as a few minutes. Community-based collaboration and support. Use of common authentication and authorization software provides single sign-on convenience.

11 Who can join InCommon? Accredited two- and four-year higher education institutions. Partner organizations sponsored by higher education participants.

12 Joining InCommon Business, education, research, and government organizations who partner with higher education join the Federation as Sponsored Partners. Participation agreement – agreeing to the policies of the federation and the community. Develop your participant operation practices (POP), which helps other federation members determine level of trust, privacy policies, attribute collection/use policies. Metadata: “Data about data” – a lynchpin of federating.

13 What does it cost to join InCommon? One-time fee of $700. Annual fee of $1,000 (for up to 20 service provider systems). Note: this is the cost for InCommon membership. Depending on your integration and infrastructure, you may incur additional costs for implementation of software and systems.

14 InCommon and the Federal Government Signed agreements with National Institutes for Health, National Science Foundation Interest expressed by, or in discussion with, several agencies, including: NASA Department of Agriculture Department of Energy CA Big (National Cancer Institute) CA Grid (National Cancer Institute)

15 InCommon and the NIH –Working on LoA 1 applications with NIH Clinical and Translational Science Awards –National Libraries of Medicine Genome data Testing with University of Washington –Piloting LoA 2 application with NIH eRA (electronic Research Administration) Involves NIH, InCommon, University of Washington, Penn State University, Johns Hopkins University, University of California Davis Technical demo September 22, 2009 (Federal Demonstration Partnership meeting) Rollout during 2010

16 InCommon and the NSF –Piloting LoA 1 application (research.gov) at the National Science Foundation Involves InCommon, Penn State and the University of Washington Testing sandbox is up and running Technical demo September 22, 2009 (Federal Demonstration Partnership meeting) –More applications under consideration, once this pilot is completed

17 InCommon and the Federal Government –Worked closely with GSA to provide feedback on the new federal trust framework. GSA Federal CIO Council (FCIOC) Information Security and Identity Management Committee (ISIMC) Program oversight by Identity, Credential and Access Management Subcommittee (ICAMSC) –Federal trust framework based on OMB’s M-04-04 (risk management) and NIST 800-63 (electronic authentication guidelines). –InCommon helped inform the latest revision of NIST levels of assurance (LoA).

18 InCommon Silver –InCommon Silver profile comparable to NIST LoA2 –Silver pilot now underway at NIH Technical demonstration at FDP meeting Sept. 22 Full roll-out (with auditing, policy, and standards in place) in fall 2010. –InCommon assurance profiles based on OMB M-04-04 and NIST 800-63. –InCommon will soon submit its Bronze and Silver assurance profiles to the Identity, Credential and Access Management Subcommittee. –Once approved by ICAMSC, Bronze and Silver will be approved for use with all federal agencies at LoA1 and LoA2, respectively.

19 InCommon Testing and Development –InCommon is community governed and community driven –Testing and Development done through pilots Involve the service provider and identity providers Staff and community recruit higher education institutions to serve in pilots NIH and NSF pilots good examples Current pilot example: several university libraries working with library database providers on Shibboleth/EZProxy hybrid

20 InCommon Transition InCommon works with partners such as NIH to manage transition. Apps can use both federation and traditional sign-on. Users from non-federated institutions can use generic identity providers such as ProtectNetwork or federal contractors.

21 Benefits to the Department of Education –Through InCommon, each educational institution can manage authentication for its faculty, students and staff. –With higher education institutions authenticating their users, the need for password resets will be eliminated (one estimate – a single password reset request costs $50). –Adding higher education partners can take just minutes. –Low up-front and annual costs. –Community support.

22 Benefits to the Department of Education –Federating additional applications becomes easier and less time-consuming. –Shibboleth, and thus InCommon, can interoperate with the department’s existing Tivoli deployment. –InCommon has had significant interaction with the GSA and other agencies developing the federal government’s new trust framework.

23 The InCommon Federation The U.S. Access and Identity Management Federation www.incommon.org

