InCommon Update FedEd Meeting June 16, 2004 Carrie Regenstein.

Slides:



Advertisements
Similar presentations
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Advertisements

Dr Ken Klingenstein Shibboleth and InCommon: An Update and Next Steps.
Federations in Texas Barry Ribbeck University of Texas Health Science Center at Houston.
Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.
Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
1 eAuthentication in Higher Education Tim Bornholtz Session #47.
UCLA’s Shibboleth Plan Shibboleth is an integral part of UCLA’s Enterprise Directory & Identity Management Infrastructure (EDIMI) Project Integrate with.
Information Resources and Communications University of California, Office of the President Current Identity Management Initiatives at UC & Beyond: UCTrust.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Shibboleth Update a.k.a. “shibble-ware”
1 11 th Fed/Ed PKI Meeting Some quick updates from recent HEPKI-TAG and SURA work Jim Jokl
InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
Collaboration & InCommon EDUCAUSE Midwest Regional Conference March 21, 2005 Carrie E. Regenstein UW-Madison.
1 Update on the InCommon Federation, Higher Education’s Community of Trust EDUCAUSE 2005 October 19 10:30am-11:20am.
Release & Deployment ITIL Version 3
Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.
Federated Administration: The Cutting Edge. Topics  Federations: The Basics Business drivers and the basic model Technical Considerations and the marketplace.
Dr Ken Klingenstein Shibboleth and InCommon: An Update and Next Steps.
1 The Partnership Challenge Higher education’s missions are realized in increasingly global, collaborative, online relationships –Higher educations’ digital.
1 The InCommon Federation John Krienke Internet2 Spring Member Meeting Tuesday, April 25, 2006.
Internet2 – InCommon and Box Marla Meehl Colorado CIO 11/1/11.
1 The InCommon Federation, Higher Education’s Community of Trust: Why join and how to do it EDUCAUSE 2005 Pre-Conference Seminar October 18 8:30am-Noon.
7 October 2015 Shibboleth. Agenda  Shibboleth Background and Status  Why is Shibboleth Important (to Higher Ed)?  Current Pilots Course Management.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Shibboleth & Federations Renee’ Shuey May 4, 2004 ITS – Emerging Technologies The Pennsylvania State Universtiy.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
InCommon Update Internet2 Meeting April 20, 2004 Ken Klingenstein and Carrie Regenstein.
HIT Policy Committee NHIN Workgroup Recommendations Phase 2 David Lansky, Chair Pacific Business Group on Health Danny Weitzner, Co-Chair Department of.
HEPKI-PAG Policy Activities Group David L. Wasley University of California.
David L. Wasley Office of the President University of California Shibboleth Safe delivery of reliable authorization data David L. Wasley University of.
NSF Middleware Initiative Renee Woodten Frost Assistant Director, Middleware Initiatives Internet2 NSF Middleware Initiative.
Shibboleth A Federated Approach to Authentication and Authorization Fed/Ed PKI Meeting June 16, 2004.
Internet2 Middleware Initiative. Discussion Outline  What is Middleware why is it important why is it hard  What are the major components of middleware.
Federations 101 John Krienke Internet2 Fall 2006 Internet2 Member Meeting.
Federations: InQueue to InCommon Renee Woodten Frost 19 April 2004.
Shibboleth at Columbia Update David Millman R&D July ’05
Internet2 Middleware Initiative Shibboleth Ren é e Shuey Systems Engineer I Academic Services & Emerging Technologies The Pennsylvania State University.
US of A and A Activities Ken Klingenstein, Director Internet2 Middleware Initiative.
1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth.
Shibboleth Update Eleventh Federal & Higher Education PKI Coordination Meeting (Fed/Ed Thursday, June 16, 2005.
Shibboleth What is it and what is it good for? Chad La Joie, Georgetown University.
Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
Timothy Putprush Baltimore, MD September 30, 2009 Federal Emergency Management Agency (FEMA) Integrated Public Alert and Warning System Presentation to.
Shibboleth Trust Model Shibboleth/SAML Communities (aka Federated Administrations) Club Shib Club Shib Application process Policy decision points at the.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Shibboleth & Federated Identity A Change of Mindset University of Texas Health Science Center at Houston Barry Ribbeck
Welcome to Base CAMP: Enterprise Directory Deployment Ken Klingenstein, Director, Internet2 Middleware Initiative Copyright Ken Klingenstein This.
University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.
Identity Management, Federating Identities, and Federations November 21, 2006 Kevin Morooney Jeff Kuhns Renee Shuey.
Origins: The Requirements of Participating in Federations CAMP Shibboleth June 29, 2004 Barry Ribbeck & David Wasley.
InCommon® for Collaboration Institute for Computer Policy and Law May 2005 Renee Shuey Penn State Andrea Beesing Cornell David Wasley Internet 2.
The Policy Side of Federations Kenneth J. Klingenstein and David L. Wasley Tuesday, June 29, CAMP Shibboleth Implementation Workshop.
01 October 2001 “...By Any Other Name…”. Consequences and Truths (Ken) The Pieces and the Processes (Bob) Directories (Keith) Shibboleth and SAML (Scott)
INTRODUCTION TO IDENTITY FEDERATIONS Heather Flanagan, NSRC.
1 US Higher Education Root CA (USHER) Update Fed/Ed Meeting December 14, 2005 Jim Jokl University of Virginia.
Designing Identity Federation Policy, the right way Marina Vermezović, Academic Network of Serbia TNC2013 conference 4 May 2013.
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.
Shibboleth Roadmap
USHER U.S. Higher Education Root Certificate Authority
Introduction to Federations
Internet2 Middleware & Security/University of Michigan
Shibboleth Deployment Overview
Introduction to Federations
Internet2 Middleware & Security/University of Michigan
Presentation transcript:

InCommon Update FedEd Meeting June 16, 2004 Carrie Regenstein

Why a Federation for the Academic Community?  Scenario #1: Instruction Professor teaches at USC, which has enrolled students from CMU, through an inter-institutional cooperative agreement of universities. During scheduled office hours, the professor works at her workstation, when a pop-up box appears that John Doe from CMU is requesting to initiate a videoconference with her. (authZ #1) Info is also conveyed that CMU asserts that this is, in fact, who he claims to be and further, is an enrolled student in the class. She can make an informed decision about whether to accept the videoconference invitation. (authZ #2) The info is believed because it has been delivered in the context of a trusted federation.

Why a Federation for the Academic Community?  Scenario #2: Research A group of researchers, spread across a number of participating institutions of the federation, want to securely share a web site located on one of the campuses. Each researcher can use his or her own campus identity and login to access the restricted site. Confidence is based on the fact that the institutions belong to a trusted federation.

Why a Federation for the Academic Community?  Scenario #3: Living and learning A content provider (aka “target”) wants to change from IP access controls to better technologies for gating content to an institutional customer, and is therefore willing to accept campus credentials for access to content. This provides better security and enables higher levels of granularity in controlling access if restricted access is desired. The basis for the content provider trusting in the origin is the trusted federation.

What is InCommon?  InCommon is… a formal federation of organizations focused on creating a common framework for trust in support of research and education… whose purpose is to facilitate collaboration through the sharing of protected resources, by means of an agreed-upon, common trust fabric.  The InCommon federation is intended to support production- level end-user access to protected resources by providing the means to allow organizations to make effective decisions about sharing resources, based upon the attributes presented by a requesting user.

Shibboleth Status  Open source, privacy preserving federating software  Being very widely deployed in US and international universities  Target - works with Apache(1.3 and 2.0) and IIS targets; Java origins for a variety of Unix platforms.  V2.0 likely to include portal support, identity linking, non web services (plumbing to GSSAPI,P2P, IM, video) etc.  Work underway on intuitive graphical interfaces for the powerful underlying Attribute Authority and resource protection  Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft.  Growing development interest in several countries, providing resource manager tools, digital rights management, listprocs, etc.  Used by several federations today – NSDL, InQueue, SWITCH and several more soon (JISC, Australia, etc.) 

InCommon Federation Overview  Federation operations – Internet2  Federating software – Shibboleth 1.1 and above, though others may be added later  Federation data schema - eduPerson or later and eduOrg or later  Became operational April 2004, with several early entrants to help shape the policy issues.  Precursor federation, InQueue, has been in operation for about six months and will feed into InCommon  and

InCommon Management  Operational services by I2 Participant services Backroom (CA, WAYF service, etc.)  Governance Executive Committee - Carrie Regenstein - chair (Wisconsin-Madison), Jerry Campbell, (USC), Lev Gonick (CWRU), Clair Goldsmith (Texas System), Mark Luker (EDUCAUSE),Tracy Mitrano (Cornell), Susan Perry (Mellon), Mike Teets, (OCLC), David Yakimischak (JSTOR). Project manager – Renée Frost (Internet2)  Participation open to.edu and affiliated business partners (Elsevier, OCLC, Napster, Diebold, etc.)  Contractual and policy issues being defined now. I2 held harmless.  Likely to take 501(c)3 status; starting as a LLC

Exec Committee’s Working Groups  Policy Sub-Committee (Tracy Mitrano, chair) Drafting evolutionary policies and procedures for federation participants. Considering other policy frameworks, e.g., EDUCAUSE Higher Ed Bridge Cert Authority (HEBCA), I2’s US Higher Ed Root (USHER) Cert Authority, GJ’s one pager, etc.  Communications, Membership, Pricing and Packaging Sub-Committee (Susan Perry, chair) Who can join? How? Getting the word out … in English

InCommon Pilot  Phase One participants Cornell, Dartmouth, OSU, Penn State, SUNY-Buffalo, University of Rochester, USC, UT-Health Science Center- Houston, UVa, JSTOR, OCLC  The JSTOR Challenge The Goal: JSTOR will not accept IP authentication. It will only accept Shib. The Invitation: JSTOR is seeking at least one campus to give up its IP authN and only use Shib to access JSTOR. The Guest List: Pilot schools? CSG? Any school that’s ready, willing, and able. The Prize? TBD

Trust in InCommon – participant/federation  Participants trust the federated operations to perform the federation’s activities well InCommon issues component identity credentials for participants’ Shib platforms and collects & distributes necessary operational information among participants. The operator (Internet2) posts its procedures, attempts to execute them faithfully, and makes no warranties InCommon will make a reasonable effort to ensure that it is working with individuals who represent the participant organization. Enterprises read the procedures and decide if they want to participate

Trust in InCommon- participant/participant  Origins and targets trust each other bilaterally in out-of- band or no-band arrangements Participants post a statement of basic information Origins trust targets dispose of attributes properly Targets trust origins to provide attributes accurately Risks and liabilities managed by end enterprises, in separate ways

InCommon Trust - ongoing  Use trust  Build trust cycle  Clearly need consensus levels of I/A  Multiple levels of I/A for different needs Two factor for high-risk Distinctive requirements (campus in Bejing or France, distance ed, mobility)  Standardized data definitions unclear  Audits unclear  International issues

InCommon internal ops  InCommon CA Identity proofing the enterprise Issuing the enterprise signing keys (primary and spare) Signing the metadata  InCommon Federation Aggregating the metadata Supporting campuses in posting their policies

Getting to first base  Alphonse-Gaston: establishing a set of rules to determine criteria for InCommon participation Individual participants may not want to know the details about other participants’ policies. Do they need to? –Trust engendered through optional disclosures. Federation participants use different assumptions, e.g, some University Systems may want to join as a collective system, while others would prefer to join as individual campuses. Is consistency important? Are multiple federation memberships problematic? Should participants be asked to vouch for other potential participants?

Developing an inventory of campus identifiers  What assertions are acceptable for what purposes?  Risk and trust requirements will be determined by the resource holder as well as the user considering their personal privacy risk. Taken together, these requirements will determine the technologies and policies implemented. At the low risk & low trust end of the continuum: public information websites, videoconferencing meeting for the Shib Development Team. –What assertions— if any — should be required? At the mid-level of risk and trust: access to copyrighted materials, course management systems, business services, etc. At the high risk & high trust end of the continuum: access to medical records, data from a bio-terrorism lab, videoconferencing meeting of security experts discussing response to network security emergency.

Developing levels of trust Inventory of Campus Identifiers: Context  The identifier inventory informs the process of determining the requirements for trust, including what assertions are acceptable for what purposes.  The table represents a few sample applications and where they might fall on a risk/trust continuum.  Risk and trust requirements are determined by the resource providers and the users considering their personal privacy risk.

Risk - Trust Matrix

The potential for InCommon  The federation as a networked trust facilitator  Needs to scale in two fundamental ways Policy underpinnings need to move to normative levels among the participants; “post and read” is a starting place… Inter-federation issues need to be engineered; we are trying to align structurally with emerging federal recommendations  Needs to integrate with PKI and with federal and international activities  If it does scale and grow, it could become a most significant component of cyber-infrastructure…

Authenticate locally, Act federally  For general information  For participation information

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.