Identity Federations: Here and Now Renée Shuey Penn State and InCommon.

Presentation transcript:

Identity Federations: Here and Now
Renée Shuey, Penn State and InCommon

Agenda
- The need for federations in Higher Ed
- Federation overview
- Federating software: Shibboleth
- InCommon: the US Higher Ed federation
- Other federations: Europe and the U.S. government's eAuthentication federation
- Penn State federation use cases
- Q&A

The Problem for Higher Education
- Increasing collaboration
- Mandates for increased research consortia
- Increasing number of on-line resources
- Access management complexities for resource providers
- Usability: account management
- Current Federal and State laws (e.g., FERPA, HIPAA, Gramm-Leach-Bliley Act)

The Opportunity for Higher Education
- Simplified usability for all collaborations
- Home organizations carefully manage the release of personal information
- On-line resource providers focus on the protection and authorization of use of their on-line resources

The Rising Call for Better On-line Collaboration
- Instructors sharing course materials through learning partnerships
- Researchers coordinating remote instruments and data gathering
- Growing on-line collections
- Increasing diversity of content providers
- eCommerce partnering in Higher Ed (software, music, etc.)
- Institutions working with outsourced learning management systems for course hosting, grading, scheduling, testing
- Network security monitoring
- Visiting scholar access rights with peer institutions
- Federal Government resources and administration: financial aid, grant submissions, etc.

Federations
Otherwise independent entities that give up a certain degree of autonomy in order to achieve a common set of goals.
Working together requires:
- A common way to express meaning
- Agreed-upon ways to convey information
- Acceptable governance and trust models

Identity Federations
- Enroll, authenticate and attribute locally... act federally
- The IdP provides trustworthy, needed identity information to Resource Providers as part of the access management decision
- Trust is established through the Federation Operator by means of standards, rules, and participation agreements

Federations and Trust
- Requires common IdP and RP practices
- Federation governance roles include establishing the rules and overseeing adherence (e.g., audits)
- Degrees of trust may be inherent/useful; this allows flexibility in IdP and RP services
- What happens when trust is violated? Liability and indemnification

Not all Federations are the same...
- Identity federations may have different rules or constraints on identity release (for example, in Europe...)
- Some may choose to offer on-line services as well, or hold contracts for resources on behalf of members
- Some are for specific business purposes or industries, etc.

With InCommon, the home organization manages accounts and the release of personal information.

InCommon Federation
- Created to support Higher Education and its research and business partners
- The federation operator is an LLC formed by Internet2
- Builds on existing campus identity management and single sign-on systems
- Makes use of industry standards and open source federating software, Shibboleth

Shibboleth
- The Shibboleth software implements the OASIS SAML v1.1 specification, providing a federated single sign-on and attribute exchange framework.
- OASIS SAML v1.1; shibboleth.internet2.edu
- Built on OpenSAML, also created by the Internet2 community: OpenSAML is a set of open-source libraries in Java and C++ which can be used to build, transport, and parse SAML messages.

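As an added example (not part of the slides and not Shibboleth's own code), the following Python sketches the SAML 1.1 attribute exchange the slide describes: the home organization's IdP asserts only the attributes its release policy allows for a given resource provider, and the RP checks the issuer against its federation metadata, the validity window and the audience before deciding on eduPersonAffiliation. The entity names, the release policy and the opaque handle are constructed, and the XML signature check that OpenSAML performs in real Shibboleth is omitted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"            # SAML 1.1 assertion namespace
EDU = "urn:mace:dir:attribute-def:"                         # eduPerson attribute name prefix
ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"  # Shibboleth 1.x attribute namespace
TS = "%Y-%m-%dT%H:%M:%SZ"

# Attribute release policy kept by the home organization (constructed): the library RP
# gets affiliation only; eduPersonPrincipalName and name are never released to it.
RELEASE_POLICY = {"urn:example:library-rp": {"eduPersonAffiliation"}}
def tag(name):
    return f"{{{SAML}}}{name}"

def build_assertion(issuer, rp, user_attrs, now, lifetime=300):
    """IdP side: assert only the attributes the release policy allows for this RP."""
    a = ET.Element(tag("Assertion"), MajorVersion="1", MinorVersion="1",
                   Issuer=issuer, IssueInstant=now.strftime(TS))
    cond = ET.SubElement(a, tag("Conditions"), NotBefore=now.strftime(TS),
                         NotOnOrAfter=(now + timedelta(seconds=lifetime)).strftime(TS))
    arc = ET.SubElement(cond, tag("AudienceRestrictionCondition"))
    ET.SubElement(arc, tag("Audience")).text = rp
    st = ET.SubElement(a, tag("AttributeStatement"))
    subj = ET.SubElement(st, tag("Subject"))
    # Opaque handle rather than the campus username: the RP gets attributes, not identity.
    ET.SubElement(subj, tag("NameIdentifier"),
                  Format="urn:mace:shibboleth:1.0:nameIdentifier").text = "_c0ffee"
    for name, values in user_attrs.items():
        if name in RELEASE_POLICY.get(rp, set()):
            attr = ET.SubElement(st, tag("Attribute"), AttributeName=EDU + name,
                                 AttributeNamespace=ATTR_NS)
            for v in values:
                ET.SubElement(attr, tag("AttributeValue")).text = v
    return ET.tostring(a, encoding="unicode")

def rp_authorize(xml, my_entity, trusted_issuers, now,
                 required=frozenset({"member", "faculty", "student"})):
    """RP side: issuer per federation metadata, validity window, audience, then affiliation
    (XML signature verification, OpenSAML's job in Shibboleth, is omitted here)."""
    a = ET.fromstring(xml)
    if a.get("Issuer") not in trusted_issuers:
        return False, "issuer not in federation metadata"
    cond = a.find(tag("Conditions"))
    nb, na = (datetime.strptime(cond.get(k), TS).replace(tzinfo=timezone.utc)
              for k in ("NotBefore", "NotOnOrAfter"))
    if not nb <= now < na:
        return False, "assertion outside validity window"
    if my_entity not in {e.text for e in cond.iter(tag("Audience"))}:
        return False, "assertion not addressed to this RP"
    attrs = {x.get("AttributeName"): {v.text for v in x} for x in a.iter(tag("Attribute"))}
    aff = attrs.get(EDU + "eduPersonAffiliation", set())
    return (True, "authorized") if aff & required else (False, "affiliation not sufficient")
```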
InCommon Participation Requirements
- Common identity attributes
- Software guidelines
- Transparency of policy and practices: POP (Participant Operational Practices)
- Participation Agreement
- Minimal "bar" to entry: limited liability, no indemnification; general liability insurance; modest annual fee

InCommon's Governance & Committees
Steering Committee:
- Tracy Mitrano, Cornell (Chair)
- Jerry Campbell, University of Southern California (Vice Chair)
- Christopher Crowhurst, Thomson Learning
- Clair Goldsmith, University of Texas System
- Ken Klingenstein, Internet2
- Mark Luker, Educause
- Peggy Plympton, Lehigh University
- Carrie Regenstein, Carnegie Mellon University
- Gene Spencer, Bucknell University
- Mike Teets, OCLC
Technical Advisory Committee:
- RL "Bob" Morgan, University of Washington (Co-Chair)
- Renee Shuey, Penn State (Co-Chair)
- Tom Barton, University of Chicago
- Scott Cantor, The Ohio State University
- Steven Carmody, Brown University
- Keith Hazelton, University of Wisconsin - Madison
- Walter Hoehn, University of Memphis
- Ken Klingenstein, InCommon Steering Committee
- Mike LaHaye, Internet2
- David Wasley, retired (U. Calif.)

Current InCommon Participants: 27
- Case Western Reserve University
- Cornell University
- Dartmouth
- *Elsevier ScienceDirect
- Georgetown University
- *HAM - Texas Medical Center Library
- *Internet2
- Miami University
- *Napster, LLC
- *OCLC
- Ohio University
- *OhioLink - The Ohio Library & Information Network
- Penn State
- SUNY Buffalo
- The Ohio State University
- The University of Chicago
- *Turn It In
- University of Alabama at Birmingham
- University of California, Irvine
- University of California, Los Angeles
- University of California, Office of the President
- University of California, San Diego
- University of Rochester
- University of Southern California
- University of Virginia
- University of Washington
- *WebAssign
* Sponsored Participant

Federations using Shibboleth in Europe
- Established national federations: Finland (HAKA), Switzerland (SWITCHaai)
- National federations getting ready: United Kingdom; Denmark, Germany, Sweden (SWIF)
- REFEDS (Research and Education Federations): toward federating federations

eAuthentication Federation (EAF)
- For all Federal agency outward-facing applications
- 24 agencies: USDA, NIH, DOEd, NSF, etc.
- Over 600 applications
- Members are Federal agencies and Credential Service Providers
- Many of the applications are of interest to Higher Education

EAF Organization (organization chart; boxes: EAF Executive; Business & Legal Rules; FPKI Cert Policies; Fed PKI OA; XCert and MOA; Interop Lab; SAML Spec.; CAF Policy; Operations; Providers; FPKIPA)

Components of EAF
Organized around assurance levels:
- Levels 1 and 2 for assertion-based credentials: local authentication followed by an identity message to the agency application; business and legal rules imposed on applications and Credential Providers alike
- Levels 3 and 4 for cryptography-based credentials: PKI predominates; serviced by the Federal PKI Policy Authority and Federal PKI Operational Authority
- Major growth area for Federal apps in the first round

Linking Federations
How can federations interoperate?
- Information models must be compatible; conversion may be difficult
- Communication protocols: gateways are hard and may break trust models
- Governance and trust models must be equivalent at some level

Governance & Linking Federations
- Governance sets community standards; these may need to be enhanced or redefined somewhat
- Must uphold the inter-federation agreement; responsible for trust between federations
- May require a stronger role within the federation
- May affect existing participation agreements
- May incur new liabilities, etc.
- Federation services might not interoperate

Linking InCommon and eAuthentication
- Higher Ed is an important community for many Federal agency applications
- Both have federations in place
- Have been working together for more than a year
- Compatible technology
- Similar identity attributes; InCommon has the richer set
- InCommon includes privacy protections

Linking InCommon and eAuthentication
Trust issues:
- eAuth defines 4 levels of identity assurance
- InCommon currently allows "best effort"; it will need to define at least one compatible LOA
- Privacy
Operational issues:
- Will need to include LOA in identity assertions
- Will need to tag metadata, etc.

Linking InCommon and eAuthentication: where we are now
- Draft Memorandum of Agreement
- Draft "InCommon Bronze" requirements, based on eAuth Level 1
- Working on inter-federation assessment
- Identifying WGs to address operation, policy, and technical issues (May 10)
- Goal: interoperability by Fall '06

Penn State, InCommon, & Shibboleth
- Using Shibboleth since Summer '02
- InCommon provides the trust model for access to external resource providers
- Production uses: Napster; WebAssign; ANGEL Course Management System; WorldWide University Network (WUN); LionShare

Penn State, InCommon & Shibboleth
Pilot or discussion phase:
- Office of Student Aid: PHEAA/AES
- Career Services: Simplicity
- ITS Teaching and Learning with Technology: NETg, Thomson Publishing, Turnitin
- ITS Digital Library Technology: Elsevier, OCLC, JSTOR, and others

Penn State and the eAuthentication Pilot
- Credential assessment, Jan '05: LOA 1
- Identified issues: password guessing, strength, expiration; Authorization to Operate statement; stored secret (password resets); documentation
- Align policies and practices
- Proposed solution approved by GSA/NIST
- Gap analysis: University of Washington, Penn State, and Cornell University

Penn State and the eAuthentication Pilot: FastLane pilot
- An interactive real-time system used to conduct NSF business over the Internet
- Application assessed at level of assurance 1
- Used by faculty to submit grant proposals, check status, participate in panels, and enter financial transactions
- Credential Service Provider assessed at level of assurance 1

Useful URLs and pointers
- Subscribe to shib mailing lists
- Emerging issues/technologies/recipes
- SAML 2.0:

Questions?
Contact information: Renee Shuey