The InCommon Federation The U.S. Access and Identity Management Federation www.incommon.org.

Presentation transcript:

The InCommon Federation The U.S. Access and Identity Management Federation

The InCommon Federation
InCommon is the national research and education federation in the United States.
InCommon membership includes higher education, federal research labs, government agencies and online service providers.
InCommon establishes the trust relationship among organizations through common policies and procedures.

InCommon Facts
Fact: InCommon has more than 4 million higher education users.
Fact: InCommon membership has doubled yearly for several years.
Fact: InCommon higher education members include institutions of all sizes, including community colleges, research universities, and small liberal arts colleges.
Fact: InCommon technology is based on standards being adopted globally.

The InCommon Federation Today
InCommon includes:
– 139 higher education participants
– Six government and nonprofit laboratories, research centers, and agencies (including NIH and NSF)
– 46 sponsored partners
– Two county K-12 school districts (as part of a pilot)

Federated Access in 30 seconds
1. Authentication: single-sign-on at home institution
2. Federation-based trust exchange to verify partners and locations
3. Authorization: Privacy-preserving exchange of agreed upon attributes
4. If attributes are acceptable to resource policy, access is granted!
Diagram labels:
– Home Institution – user signs in
– Online Resource
– Attributes: Anonymous ID, Staff, Student, …
– Metadata, certificates, common attributes & meaning, federation registration authority, Shibboleth

InCommon Technologies
InCommon uses SAML-based authentication and authorization systems (such as Shibboleth®) to enable scalable, trusted collaborations among its community of participants.
InCommon supports both SAML 1.x and SAML 2.0.
Several products interoperate with Shibboleth, including those offered by IBM (Tivoli), Oracle, Sun, and CA (Siteminder).
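
Steps 2 to 4 of the federated access flow, seen from the online resource's side, as an added example (not from the presentation and not InCommon or Shibboleth code). It assumes the SAML software has already verified the signatures on the metadata and on the assertion, and that "Staff" and "Student" arrive in the eduPersonScopedAffiliation attribute; the entity IDs, scopes and metadata document are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed federation metadata. A real aggregate is signed by the federation,
# and that signature must be verified before any entry in it is trusted.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.campus-a.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">campus-a.example</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.campus-b.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">campus-b.example</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_idp_scopes(xml_text):
    """Map each registered identity provider to the scopes it may assert."""
    scopes = {}
    for entity in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            found = idp.findall("md:Extensions/shibmd:Scope", NS)
            scopes[entity.get("entityID")] = {s.text.strip() for s in found}
    return scopes

def authorize(issuer, attributes, idp_scopes, allowed_affiliations):
    """Return (decision, reason) for one assertion presented to the resource."""
    if issuer not in idp_scopes:  # step 2: partner must be in federation metadata
        return False, "issuer not registered in federation metadata"
    # Step 3: accept a scoped value only if its scope is registered for this
    # issuer, so one campus cannot assert affiliations in another campus's name.
    granted = set()
    for value in attributes.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = value.partition("@")
        if scope in idp_scopes[issuer]:
            granted.add(affiliation)
    if granted & allowed_affiliations:  # step 4: resource policy
        return True, "affiliation accepted by resource policy"
    return False, "no acceptable in-scope affiliation"
```

The decision uses only the affiliation and never a personal identifier, which is the privacy-preserving exchange that step 3 refers to.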

Value of InCommon
Governance by a representative Steering Committee
– Formulates policy, operational standards and practices, establishes a common set of attributes and definitions.
Legal Agreement
– Basic responsibilities, official signatory and establishment of trust, conflict and dispute resolution, basic protections
Trust “Notary”
– InCommon verifies the identity of organizations and their delegated officers
Trusted Metadata
– InCommon verifies and aggregates security information for each participant’s servers, systems, and support contacts
Technical Interoperability (Technical Advisory Committee)
– InCommon defines shared attributes, standards (SAML), software (Shibboleth)

InCommon Benefits
Participants exchange information in a standardized format.
Once an organization is a participating member, setting up a new relationship can take as little as a few minutes.
Community-based collaboration and support.
Use of a common authentication and authorization software provides single sign-on convenience.

Who can join InCommon?
Accredited two- and four-year higher education institutions.
Partner organizations sponsored by higher education participants.

Joining InCommon
Business, education, research, and government organizations who partner with higher education join the Federation as Sponsored Partners.
Participation agreement – agreeing to the policies of the federation and the community.
Develop your participant operation practices (POP), which helps other federation members determine level of trust, privacy policies, attribute collection/use policies.
Metadata: “Data about data” – a lynchpin of federating.

What does it cost to join InCommon?
One-time fee of $700.
Annual fee of $1,000 (for up to 20 service provider systems) (through 12/31/2009).
As of January 1, 2010 (based on Carnegie Class):
– Very High Research - $3000
– High Research - $2500
– Comprehensive and Doctoral - $1500
– Others - $1100
Note: this is the cost for InCommon membership. Depending on your integration and infrastructure, you may incur additional costs for implementation of software and systems.

2010 Tiers
Approved by the Steering Committee, based on new Internet2 Levels: Carnegie Classification and Corporate Revenue
– Very High Research: L1, $3,000
– High Research: L2, $2,500
– Doctoral, Large Masters, Medical Schools: L3, $1,500
– All other: L4, $1,100
– Corporate: > $1B Revenue: L1, $3,000
– Corporate: < $1B Revenue: L3, $1,500
– Corporate: < $10M Revenue: L4, $1,100
– Others: Case by Case, Similar Size Basis: L1-4, $

InCommon and the Federal Government
Signed agreements with National Institutes for Health, National Science Foundation
Interest expressed by, or in discussion with, several agencies, including:
– NASA
– Department of Agriculture
– Department of Energy
– CA Big (National Cancer Institute)
– CA Grid (National Cancer Institute)

InCommon and the NIH
– Working on LoA 1 (Bronze) applications with NIH Clinical and Translational Science Awards
– National Libraries of Medicine Genome data Testing with University of Washington
– Piloting LoA 2 (Silver) application with NIH eRA (electronic Research Administration)
  Involves NIH, InCommon, University of Washington, Penn State University, Johns Hopkins University, University of California Davis
  Technical demo September 22, 2009 (Federal Demonstration Partnership meeting)
  Rollout during 2010

InCommon and the NSF
– Piloting LoA 1 application (research.gov) at the National Science Foundation
  Involves InCommon, Penn State and the University of Washington
  Testing sandbox is up and running
  Technical demo September 22, 2009 (Federal Demonstration Partnership meeting)
– More applications under consideration, once this pilot is completed

InCommon and the Federal Government
– Worked closely with GSA to provide feedback on the new federal trust framework.
  GSA Federal CIO Council (FCIOC)
  Information Security and Identity Management Committee (ISIMC)
  Program oversight by Identity, Credential and Access Management Subcommittee (ICAMSC)
– Federal trust framework based on OMB’s M (risk management) and NIST (electronic authentication guidelines).
– InCommon helped inform the latest revision of NIST levels of assurance (LoA).

InCommon Silver
– InCommon Silver profile comparable to NIST LoA2
– Silver pilot now underway at NIH
  Technical demonstration at FDP meeting Sept. 22
  Full roll-out (with auditing, policy, and standards in place) in fall
– InCommon assurance profiles based on OMB M and NIST
– InCommon will soon submit its Bronze and Silver assurance profiles to the Identity, Credential and Access Management Subcommittee.
– Once approved by ICAMSC, Bronze and Silver will be approved for use with all federal agencies at LoA1 and LoA2, respectively.

Recent History for the “Future”
Jan 2009: InCommon Future Group Formed, chartered by InCommon Steering, AMSAC, RAC
March 2009: Future Group Meets in Oakland
April 2009: Draft Report for Public Comment
May 2009: Three Town Hall Forums for Comment
July 2009: Board Report Issued: “InCommon Future Report and Recommendation”
September 2009:
– CIC and RUCC universities urge support of InCommon
– Interim Financial Plan for Board Discussion
– Internet2 Board: “… The Board is firmly committed to ensuring that InCommon is properly positioned to provide sustainable leadership in this field for the indefinite future... ”
– Community Response: Increase Financial Support, Increase InCommon Annual Dues
– Internet2’s Response: Increase Financial Support: Exec Director, Interim Business Plan
December 2009: Final Business Plan due to Internet2 Board for Approval

InCommon Governance
InCommon Steering Committee
– Executive committee (Chair, Vice-Chair, Treasurer, Secretary)
– Focus on policy, outreach, and strategic planning
Continuing Internet2 commitment to the entire space
– Will move to hire an Exec Director for InCommon
– Provides operations and management
– Providing working capital to build out services
Governance Evolving
– Presently overseen by Internet2 Board with input from following: Internet2 CEO; Internet2 AMSAC council; and InCommon Steering Committee

InCommon
InCommon will focus on three aspects of the identity middleware ecosystem:
1. Leadership, Advocacy, Outreach
2. Help Coordinate Development and Research Activities Around Globe
– Shib, Grouper, COmanage, Paccman, ISOC (DKIM), …
3. Deliver Trust Services to its Participants
– InCommon Federation (basic)
– Bronze, Silver Profiles for Levels of Assurance of Identity
– Certificate Services for U.S. Higher Education
– Shib & IdM Training and Consulting
– Outsourced Federation Services

Trust Services
Basic – available today
Bronze/Silver – in pilot, expected availability is late spring or early summer.
Certificate service – In negotiation, likely rollout will be late first quarter of
Shibboleth training – planning conference for June.
Developing corporate partners plan rollout for first quarter.
Managed federations – waiting for a customer
