Blog from September, 2012

IAM Online – Wednesday, October 10, 2012

3 pm ET / 2 pm CT / 1 pm MT / Noon PT

Implementing an Effective Identity and Access Management Program

What does it take to implement an effective identity and access management (IAM) program? The EDUCAUSE IAM Working Group has been developing the IAM Program Outline to answer that question.

This IAM Online presentation will provide a high-level description of the IAM Program Outline, including some of the guidance offered for those starting an IAM Program, the policy framework institutions may need to consider, and governance issues. The speakers will also discuss the assumptions the working group has made along the way. Please plan to join us! You'll find more information about the presentation at


David Sherry, Chief Information Security Officer, Brown University
Miguel Soldi, Assistant Chief Security Officer, University of Texas System

Host and Moderator:

Rodney Petersen, Senior Government Relations Officer and Managing Director, Washington Office, EDUCAUSE


We use Adobe Connect for slide sharing and audio: For more details, including back-up phone bridge information, see

About IAM Online

IAM Online is a monthly online education series including essentials of federated identity management, hot topics from the EDUCAUSE Identity and Access Management Working Group, and emerging topics in IAM. Experts provide overviews, answer questions and lead discussions. IAM Online is brought to you by InCommon in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group.

For those looking to install or upgrade Shibboleth, InCommon's next Shibboleth installation training will take place Oct. 22-23, 2012, in Gainesville, Florida.

The InCommon Shibboleth Identity and Service Provider Workshops will provide you with technical installation and configuration experience with Shibboleth Single Sign-on and Federating Software, version 2.

Developed for organizations new to Shibboleth and those with existing implementations interested in upgrading to the v2 release, the workshops will offer the chance to:

  • Install either a prototype Shibboleth identity or service provider in a virtual machine environment.
  • Hear tips for configuring and running the software in production.
  • Learn about integration with LDAP directories and selected packages.

Registration is open – and details are available at

This Shibboleth Workshop Series event is sponsored by InCommon, Internet2, and the University of Florida.

Internet2 was awarded today a $1.84 million grant by the National Institute of Standards and Technology (NIST) for the first year of a two-year project to work with the research and education community to build privacy infrastructure and tools to help individuals preserve their privacy and strengthen the nation's identity ecosystem. Internet2's partners include Carnegie Mellon University, Brown University, University of Texas, the Massachusetts Institute of Technology, and the University of Utah.

“This builds on our 10-year history of Internet2’s leadership providing federated identity services for universities. Privacy is a critical attribute of identity and a far-reaching concept, arising in many very different situations as users want to manage their privacy across several contexts – on campus and in business, as a citizen or consumer,” said Internet2 CEO & President Dave Lambert. “All of these uses and applications require a consistent and robust privacy infrastructure in the nation’s identity ecosystem. We intend to build key elements of that infrastructure over the next two years and to work closely with the National Strategy for Trusted Identities in Cyberspace.”

The consistent and robust privacy infrastructure planned includes common attributes; user-effective privacy managers; anonymous credentials; Internet2's InCommon Identity Federation service; and the use of multi-factor authentication and other technologies.

NOTE: Information about this and the other grants is available in the NIST/NSTIC release.

Attribute-based Policy Configuration at Scale

Today administrators of identity provider (IdP) middleware in the InCommon Federation configure attribute release policy based on the identity (entityID) of service providers (SPs). I’m happy to say those days are numbered. A new approach to user attribute release based on entity attributes has arrived. This new technique promises to scale better, by relieving administrators from the burden of having to rely on policy files that are inherently difficult to maintain.

This idea isn’t new. Access control based on user attributes (as opposed to user identifiers) remains the holy grail of identity and access management systems throughout the enterprise. Unfortunately, federation has only made this problem worse, not better.

At the level of the federation entity (i.e., the IdP or the SP), the stars have aligned so that policy based on entity attributes is a reality:

  • A SAML V2.0 Metadata Extension for Entity Attributes already exists and is being deployed around the world as we speak.
  • SAML middleware increasingly supports entity attributes at both the IdP and the SP, and at the discovery service as well. Shibboleth is leading the way in this area. The Shibboleth IdP, for instance, has supported entity attributes since v2.3.4.
  • Federation operators everywhere are beginning to decorate entity descriptors in SAML metadata with entity attributes of significant value.

The Research & Scholarship (R&S) Category in the InCommon Federation is an initial effort along these lines. To support R&S, IdP administrators configure for attribute release once, for all R&S SPs, both present and future.
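As an added illustration (not code from InCommon, Shibboleth or the post's author), here is a small Python model of the two policy styles the post contrasts: a legacy release rule keyed on the SP's entityID beside a rule keyed on the R&S entity category carried in the SP's metadata. The federation metadata, the three SPs and the attribute bundle are constructed for the example; the SAML namespace URIs, the entity-category attribute name and the R&S category URI are the real identifiers.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",  # Entity Attributes extension
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
RS_CATEGORY = "http://id.incommon.org/category/research-and-scholarship"
SP_ROLE = '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
RS_TAG = (f'<md:Extensions><mdattr:EntityAttributes><saml:Attribute Name="{ENTITY_CATEGORY}">'
          f'<saml:AttributeValue>{RS_CATEGORY}</saml:AttributeValue>'
          '</saml:Attribute></mdattr:EntityAttributes></md:Extensions>')

# Constructed federation metadata (not real InCommon data): two R&S-tagged SPs, one untagged SP.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}">
  <md:EntityDescriptor entityID="https://sp.example.edu/shibboleth">{RS_TAG}{SP_ROLE}</md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://new-rs.example.org/sp">{RS_TAG}{SP_ROLE}</md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://vendor.example.com/sp">{SP_ROLE}</md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Illustrative attribute bundle for R&S (the post does not list the real bundle).
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn"})
# Legacy policy keyed on entityID: the administrator must edit this every time a new SP appears.
LEGACY_ALLOW = {"https://sp.example.edu/shibboleth": RS_BUNDLE}

def load_metadata(xml_text=METADATA):
    return ET.fromstring(xml_text)

def entity_attributes(root, entity_id):
    """Return {name: [values]} from the SP's EntityAttributes extension; KeyError if SP is unknown."""
    for ed in root.findall("md:EntityDescriptor", NS):
        if ed.get("entityID") == entity_id:
            return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                    for a in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS)}
    raise KeyError(f"entityID not in trusted metadata: {entity_id}")

def release_by_entity_id(root, entity_id):
    entity_attributes(root, entity_id)  # refuse SPs that are not in the federation metadata
    return set(LEGACY_ALLOW.get(entity_id, ()))

def release_by_entity_attribute(root, entity_id):
    # One rule covers every present and future SP that carries the R&S category tag.
    tagged = RS_CATEGORY in entity_attributes(root, entity_id).get(ENTITY_CATEGORY, [])
    return set(RS_BUNDLE) if tagged else set()

if __name__ == "__main__":
    root = load_metadata()
    for ed in root.findall("md:EntityDescriptor", NS):
        eid = ed.get("entityID")
        print(eid, sorted(release_by_entity_id(root, eid)), sorted(release_by_entity_attribute(root, eid)))
```

The second SP is the interesting case: it is tagged R&S in metadata but absent from the entityID list, so the legacy rule releases nothing to it while the entity-attribute rule releases the bundle with no policy edit.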

The kicker, however, will most certainly be self-asserted entity attributes. Once administrators are able to tag their metadata with arbitrary entity attributes, they will certainly do so in unique and interesting ways. In the same way metadata tagging has been found to increase the value of other types of information (research papers, blog articles, photographs, etc.), self-asserted entity attributes will cause the information content of SAML metadata to skyrocket.

The sooner we get there, the better.

The September 2012 issue of the InCommon Update features:

  • Shibboleth Training Workshop Oct. 22-23, 2012
  • Research & Scholarship Category Update
  • Leveraging a Phone for Password Reset
  • Participant Logo Available
  • New Certificate Service subscribers
  • New InCommon Participants
  • Information about new Sponsored Partners