Blog from April, 2013

Open Science Data Cloud Console New R&S Service Provider

The Open Science Data Cloud Console has been approved for the InCommon Research and Scholarship Category (R&S). R&S allows participating identity providers to release a minimal set of attributes to an entire group of approved services, rather than negotiating attribute release one-by-one.

The Open Science Data Cloud provides and supports cloud computing and storage services for the scientific research community. The OSDC is run by the Open Cloud Consortium, a non-profit organization whose primary goal is to support scientific advances by working with researchers in a variety of disciplines.

With the addition of these new services, there are now 12 R&S SPs. Also, 48 IdPs have indicated support for the R&S Category. A complete list of R&S services and the IdPs that support them is maintained on the InCommon web site. See the InCommon wiki for more information about the R&S Category, including application forms for both SPs and IdPs.

Upgrade to InCommon Certificate Manager Coming April 27, 2013

An upgrade to the InCommon Certificate Manager (CM) has been scheduled for Saturday, April 27, 2013, from 3:00 AM EDT through 7:00 AM EDT. The CM will be completely unavailable during this time (a period of time when few InCommon sites normally request certificates). Please plan to request new certificates prior to the maintenance period, or you'll need to wait until after the maintenance has completed to do so.

This scheduled maintenance will only affect the Certificate Manager interface, which is used by RAOs and DRAOs to request certificates. The Comodo root CA, the InCommon intermediate CA, and all other critical certificate-related services will continue to be available without interruption. If you need emergency access to certificate management functionality, or if you have any questions or concerns, please contact Comodo Technical Support as indicated on the InCommon web site.

This upgrade will add several new features and enhance the look and feel of the CM. Some of the major benefits of this upgrade include:

  • Enhanced Certificate Discovery Scanning (which helps sites find systems on their network that have SSL web certificates installed)
  • Remote certificate lifecycle management for Microsoft IIS 5.x - 7.x and Apache2 for UNIX-like systems
  • Domain Control Validation

The most important of these new features is Domain Control Validation (DCV). As you know, Comodo and InCommon have an obligation to issue certificates only for domains that the customer controls. Currently sites demonstrate that control by creating an InCommon-specified CNAME in the DNS, a record that then gets validated by InCommon as proof that you control the specified domain.

Once DCV has been enabled, you will be able to verify a domain via any of three methods:

  • CNAME (create a specified DNS entry, as you have previously done with InCommon)
  • Email (pick from one of a small list of administrative email addresses acceptable under the CAB Forum requirements, then click on a link sent to that email address)
  • HTTP (create a file with a specified name/location on a web server running on the domain name)

These three methods are described in detail in the documents referenced below.

Once you do DCV verification for a domain, in keeping with industry-wide CAB Forum requirements, that verification will be valid for up to 12 months, during which time you will not need to re-verify your control over that domain.

ALL CURRENTLY VERIFIED DOMAINS will be grandfathered in for the first year, and will not need to be DCV reverified until 12 months from now.

For more information on DCV, please visit this Comodo Knowledgebase article

Updated documentation for the new version of the Certificate Manager is available online at the InCommon web site:

InCommon Affiliates Support Federation, Identity Management

Seven InCommon Affiliates have renewed their participation in the program for 2013. The InCommon Affiliate Program connects higher education institutions and their partners with organizations that provide implementation and integration products or services related to identity and access management.

Current affiliates provide a number of services, including:

  • consulting on identity management, federated identity management, and identity assurance
  • general software services
  • hosted and managed identity management and federation services

“The Affiliate Program has proven to be very beneficial to InCommon, particularly as we expand the range of institutions that participate,” according to Jack Suess, chair of the InCommon Steering Committee and vice president for information technology at the University of Maryland, Baltimore County. “The consulting, software, and managed/hosted services provided by the various affiliates are key to the growth of InCommon.”

The 2013 affiliates include Aegis Identity, Dell Software Services, Fischer International, Gluu, Microsoft, Unicon, and VivanTech. Below is a brief summary of each affiliate’s expertise. For more details, visit

Aegis Identity Software offerings include TridentHE, an identity management platform developed specifically for higher education. TridentHE automates provisioning and de-provisioning, identity synchronization, password management and user self-service.

Dell Software Services offers Quest One Identity Solutions, which significantly reduce administrative costs and IT burdens through automation and comprehensive end-user self-service capabilities. Quest One addresses real-world enterprise identity and access management needs.

Fischer International’s award-winning identity management solution includes its “Federation On-Ramp,” a low-cost, managed solution that provides institutions with an immediate entryway to the InCommon Federation without having to dedicate or hire skilled resources to deploy and manage a federation infrastructure.

Gluu’s Federated Identity Appliance, based on Shibboleth and identity virtualization, is an on-premise solution monitored 24×7 and supported by Gluu. The Fappliance can be deployed as on-premise hardware or a cloud VM instance.

Microsoft’s identity and access management solution is built on Active Directory, a directory service in Windows Server, and also includes a number of technologies and services, including Active Directory Federation Services. Microsoft is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

Unicon provides services and support for open source solutions. The company’s experienced, highly skilled experts supply architectural knowledge, deep technical skills, and best practice expertise to ensure successful deployments of Shibboleth.

VivánTech provides strategic consulting, software-related services, and project management to the higher education community. Its unique offerings include enterprise software strategy, secure mobile applications for enterprise systems, workflow automation solutions with graphical front-ends, cloud solutions and others.

Multi-factor Authentication Deadline Extended to April 26

The deadline for applications to participate in the Multi-Factor Authentication Cohortium has been moved to April 26, 2013. Whether you have a current deployment of multi-factor authentication, or you think you may be deploying some time in the next few years, the Cohortium will be a great place to learn from others and share your experiences.