CSG 1 TIER* Trust and Identity in Education and Research

What is TIER 2 Internet 2 runs InCommon Federation. InCommon provides a secure and privacy-preserving trust fabric for research and higher education, and their partners. InCommon operates an identity management federation and a related assurance program. InCommon has about 700 participants. T rust Management of individual principals, their authentication, authorization, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime and repetitive tasks. Internet 2 provides cloud based services (certificate service, MFA) as well as software (Shibboleth, Grouper, etc.) I dentity Universities are institutions of higher education and research which grant academic degrees in a variety of subjects and provides both undergraduate education and postgraduate education. They are "communities of teachers and scholars”. The community remains location based. E ducation Comprises "creative work undertaken on a systematic basis in order to increase the stock of knowledge, including knowledge of man, culture and society, and the use of this stock of knowledge to devise new applications." Research communities are increasingly virtual and cross boundaries of Universities. R esearch

TIER Vision: Service Development “WE BELIEVE” Identity components can be aggregated into services Inaction is a greater risk than action (e.g., If we do not develop identity as componentized services, someone else will e.g., social identities). A common R&E approach is possible. Most identity components can be instantiated as a cloud service. Higher Education is well positioned to do this (trusted relationships with each other and key partners like federal agencies). We are 3-5 years from achieving this vision. 3

4 Grouper Kuali KIM CommIT Shibboleth Consortium Shibboleth Consortium InCommon Federation Multi Factor Okta, Ping, OneLogin Oracle Identity Manager Social Identity (Google, Facebook) Certificates Apereo CAS CoManage Coordinated via personal communications and individual best effort. Privacy Lens EduRoam EduGAIN

5 TIER LANDSCAPE Service & Middleware Development InCert, Grouper, CoManage, I2 – Shibboleth, Kuali KIM, CommIT, Other community investment, etc. Campus IdM standards (prevision/de- provisioning/ac cess) Service Delivery (InCommon “ branded” identity services) (MFA: Duo, Toopher; certs: Comodo), etc. * (Service fees – cover cost – FY15 $800K income) Service Delivery InCommon Federation Federation standards, Research collaboration (R&S) * (Federation dues – cover cost – FY15 $1M income) External relationships Vendors/Partne rs such as Apereo, Okta, Ping, Other, etc. Entity relationships such as REFEDS, Shib consortium board, Kuali Board, etc. TIER Subcommittee 2: InCommon Steering TIER Subcommittee 1: Investor Campus Steering TIER Subcommittee 3: External Relationships for federation, service development and delivery = Existing Activities

Governance Structure Internet 2 Board TIER Steering/Board Service Development Steering Committee (SDSC) InCommon Steering Committee (ICSC) External Relations Subcommittee (includes members from ICSC and SDSC) 6 = Existing Activities

Current TIER Charter Committee 7 TIER Committee MembersRepresenting Klara JelinkovaUniversity of Chicago, InCommon Steve CorbatoUniversity of Utah, Kuali Tracy FutheyDuke University Kevin MorooneyPenn State University (also Kuali) Eric DennaUniversity of Maryland (also Kuali) Joel CooperSwarthmore College,, InCommon Melissa WooUniversity of Oregon,, InCommon Chris HolmesBaylor University,, InCommon Dennis CromwellIndiana University,, InCommon Kelli TrosvigUniversity of Washington (also Kuali) Shel WaggenerInternet2 Ron KraemerUniversity of Notre Dame

August 2014 © Internet2 GOAL: TIER Community Unified Middleware Model Secure, Identity and Metadata Services Single Signon and Identity Components AuthN (Who) Multi Factor Multi- Level (Groups) AuthZ (What) Business Rules Engine / Grammar Federated Registry (Directory Search / Lookup) Network Objects (Files, Datasets, etc.) People Files / Datasets Nodes Metadata Registry Services Persistence and Replication Lightweig ht Workflow Services Automated Provisioning / Deprovisioning and Rules Enforcement

Transformational frame- work to support inter- institutional research and collaboration, within the future context of identity being “owned” by the individual, not the university Extend IAM to the cloud AND deliver federated IdM, including role-based IAM (e.g., encompassing AD/LDAP/Kerberos), R&S attribute release, EduGAIN (interfederation) IAM in a box: person registry, identity/attribute storage, provisioning/deprovisioning. and AuthN/Z Maturity of Campus IDM Operations and Outstanding Need Multi Year Journey with Regular Interim Milestones

Transformational frame- work to support inter- institutional research and collaboration, within the future context of identity being “owned” by the individual, not the university Extend IAM to the cloud AND deliver federated IdM, including role-based IAM (e.g., encompassing AD/LDAP/Kerberos), R&S attribute release, EduGAIN IAM in a box: person registry, identity/attribute storage, provisioning/deprovisioning and AuthN/Z Campus with emerging or less mature “IDM Program” Recognizes value of I2 (& InCommon) services and participation but lacks resources or ability to implement. Campus IdM not (or little) leveraged for research. Campus with IDM Team that has delivered Shib/Grouper Mature campus IDM operations are sustainable but would be enhanced with systematic non- SAML role-based IAM. Campus IdM in support of research via federation services. R1 with advanced IDM team & inter- institutional collaboration needs Researchers have urgent need to conduct research across institutions (whether an I2 member or not) Maturity of Campus IDM Operations and Outstanding Need

How will we get there: Structure The current TIER Committee assembled over the summer & will continue as a standing governance committee for TIER. We will not fix what is not broken. – InCommon federation works well. – We will integrate InCommon Steering through its ER&G subcommittee (already done) as a subcommittee of TIER. This subcommittee will continue to be staffed by InCommon/Internet 2 – John Krienke. 11

How will we get there: Funding We will concentrate on what needs attention. Internet2 community middleware development efforts should not (really cannot) continue to without expanded and updated governance and investment. Budget (and spend) set and governed by the community. We will recruit investment campuses (e.g., $50K-100K/yr for 3yrs). Those campuses will establish a Service Development subcommittee to guide campus investments. This subcommittee will be staffed by Internet2 – AVP Steve Zoppi. 12

How will we get there: External Relations We will start working on external relations. – InCommon has both IdP and SP entity relationships as well as some service brokerage. – NET+ Service Brokerage to be primary home for cloud services, with service oversight by TIER. – We will set up an External Relations subcommittee from InCommon Steering, Service development and Internet2 industry support. This subcommittee will be staffed by Internet2. 13

So What’s Next Join the Mail List: We Need your Feedback (Architecture, Governance, Funding, Vision) EDUCAUSE: CIO Discussion TechExchange: Technical Deep Dive 14

Conversation 15

Maturity of Campus IDM Operations and Outstanding Need Transformational frame- work to support inter- institutional research and collaboration, within the future context of identity being “owned” by the individual, not the university Extend IAM to the cloud AND deliver federated IdM, including role-based IAM (e.g., encompassing AD/LDAP/Kerberos), R&S attribute release, EduGAIN IAM in a box: person registry, identity/attribute storage, provisioning/deprovisioning and AuthN/Z This is what we are eager for ASAP… federation of non-SAML authN services (AD/LDAP/Kerberos) still is needed for remote access services including VPN, RDP, and system access needed for research collaboration that includes protected data across institutions. Federated support for research VOs (IdP of last resort, EduGAIN, campus R&S attribute release) “IAM in a box” helps large schools even if previously rolled their own and have “solved problem”. For smaller schools or those that haven’t yet solved, gives a very clear step to take with clear deployment guide to get to baseline for IAM. The details and requirements for this come from the investors. This is the direction and vision but detailed scope would be set the direction here….