An online identity service can be partitioned into three layers:

  • Identity Service
  • Platform
  • Software

The Software determines the potential functionality of the service. The Platform is a deployment of the software that supports the Service. The Identity Service is what is actually delivered for its users; it includes the Software and the Platform, as well as all other functions that may be required, such as user administration, user support, marketing, policy and legal compliance, etc.

Each of these layers requires supporting activities by one of the following roles. Your responsibilities within InCommon will depend on which of the roles you fill.

  • Identity Service Operator - The role that is responsible for the Identity Service for its community of users. The Identity Service Operator establishes the identity service’s policies, manages its business, and oversees its technical operation (which may be outsourced to a SaaS Platform Deployer).
  • Platform Deployer - The role that is responsible for the Platform used to provide the Identity Service Operator’s Service.
  • Software Implementer - The role that implements the Software used by the Platform Deployer.

Your organization may be filling all of these roles, but it is also possible for these roles to exist within two or more organizations through outsourcing relationships, use of open source software, etc. Note this implies that the community members will have some form of affiliation with the Identity Service Operator (e.g., student, faculty, friend of the library, supporter of the football team). As a corollary, the Identity Service Provider will always be the institution or organization with which the community members are affiliated.

The following examples should help you determine where you fit within this ecosystem.

Example: University Identity Management Office

State U provides identity services for its staff and faculty, as well as others who collaborate with them. State U determines the members of its community, establishes its IAM policies, etc. State U also operates software from the InCommon Trusted Access Platform to support its service. In this case, State U is the Identity Service Operator and the Platform Deployer. InCommon is the Software Implementer.

  • Identity Service Operator: State U
  • Platform Deployer: State U
  • Software Implementer: InCommon

Example: University Identity Management Office (Outsourced IT)

State U provides identity services for its staff and faculty, as well as others who collaborate with them. State U determines the members of its community, establishes its IAM policies, etc. IamRUs operates its proprietary software platform in support of (and under contract to) State U's service. In this case, State U is the Identity Service Operator, and IamRUs is the Platform Deployer and Software Implementer.

  • Identity Service Operator: State U
  • Platform Deployer: IamRUs
  • Software Implementer: IamRUs