Federated Enterprise Identities

Campuses have been assigning Digital Identities and associated Credentials to members of their communities for 10-20 years. These usually take the form of a userid and password. Initially, the identities were used primarily to access email. More recently, they are being used to access a wide range of both in-sourced and out-sourced business systems and systems supporting instruction. Students use them to submit course work; instructors use them to review submitted work and to post grades. In the last few years, a growing number of campuses have deployed Web Single Sign-On systems that provide an "authenticate once" function when accessing this broad array of web systems. Federated Business Identities (as asserted by both campuses and businesses) have been using the OASIS SAML protocol to carry Assertions.

The vast majority of campuses have created Business Processes to ensure that a Digital Identity is given to the person whose real-world identity is associated with that Digital Identity. Similar processes have existed for years with payroll systems (e.g. the I-9 process). Similarly, campuses have created Business Processes requiring a person to "prove" their identity as part of obtaining a Digital Identity. The goal is to ensure that a person submitting course work as John Smith is indeed John Smith, and that an Instructor submitting grades as Jane Doe is indeed Jane Doe. Consequently, these accounts are viewed as having a sufficiently high Level of Assurance (LoA) to allow them to be used for business transactions within the enterprise that issued the accounts. Increasingly, these accounts are also being used to authenticate to gain access to information and services at business partners (agents) of the campus.

In recent years, however, campuses have also been issuing credentials to communities and people outside their core communities. These communities may have a weaker relationship to the campus (e.g. applicants, parents); individual people may be partnering with researchers on the campus. Many of the people in these new groups, however, are physically remote from the campus, and consequently the process of linking a person to these accounts is probably much weaker than the process used for members of the core communities. Interestingly, many of the people in these new communities already have identities issued by social identity providers; however, campuses have only begun to look at leveraging these social identities rather than issuing new identities that have an LoA at about the same level as the social providers. Consequently, Service Providers can no longer rely on a successful campus authentication (with no other information) as meaning that the user has a strong association with the campus. The current reality is that campuses can authenticate a large pool of people that includes their core communities and many others, and that these authentications are done at a broad spectrum of Assurance Levels.

Because of their Registration processes and Business processes, campuses can, however, associate meaningful information with each user. Beyond merely asserting that a successful authentication has taken place, campuses can differentiate members of the core community from these other groups by asserting attributes that describe the person's relationship with the campus; Social Identity Providers cannot currently do that. Minimally, a campus can assert whether a person is a faculty member, student, or staff, or a member of one of these other populations. If the person is a member of the core community, the campus can reliably assert additional information such as name and permanent identifiers.

Currently, campus identity providers and the social identity providers are categorized as operating at "LoA 1" (see TN – Levels of Assurance). Currently, no US campuses are certified as operating at LoA 2. However, because the campuses have business processes in place as part of their Registration and Account Issuance Business Processes that include identity vetting, many people feel that campus-issued identities are "stronger" than social identities (which do not have comparable processes). The Australian Federation considers campus-issued credentials to be at "LoA 1.5" (which is not defined anywhere...).

With userids and passwords, users can decide to share these values with other people, thus allowing other people to access systems using their Digital Identity. Multiple people can know the password, and can use it simultaneously. This is a problem with any Identity service that relies on passwords. Consequently, the earlier statement about instructors has to be tempered to "an Instructor submitting grades as Jane Doe is indeed Jane Doe (or someone who knows Jane's password, either because Jane shared the password or because they cracked Jane's weak password)".

As a result, Service Providers have adopted a "Risk Assessment" framework. See TN – Levels of Assurance for a detailed description. Basically, an SP performs an evaluation to determine the severity of an incident in which an imposter is able to log in to their site. The result of that analysis allows them to specify a required "Level of Assurance" for the Credentials that are used to log in to the site. The campus can use Profiles to evaluate their Policy, Business Practice, and technology for a set of Credentials to determine their associated LoA. A user can access a specific SP if they are able to authenticate using Credentials with the required LoA. As a result, some campuses now have some set of people able to authenticate with mechanisms that are thought to be "stronger" than just userid/passwords.
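To make the two points above concrete (an SP should check both the asserted LoA and the asserted campus relationship, not just that authentication succeeded), here is an added Python sketch that is not part of this page or of any federation software. It assumes the SAML assertion's signature has already been verified, and the mapping from AuthnContextClassRef URIs to numeric LoA values (including the "urn:example:campus:..." URI) is a hypothetical out-of-band agreement between campus and SP; the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping agreed between campus IdP and SP; the 1.5 value mirrors
# the "LoA 1.5" notion mentioned on the page. Unknown contexts map to 0 (deny).
LOA_BY_CONTEXT = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1.0,
    "urn:example:campus:ac:vetted-password": 1.5,   # placeholder URI
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 2.0,
}
AFFILIATION_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation

# Constructed sample: a remote "affiliate" (e.g. a research partner) who
# authenticated with a vetted campus password. Signature check assumed done.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:example:campus:ac:vetted-password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>affiliate</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return (numeric LoA, set of asserted affiliations) from an assertion."""
    root = ET.fromstring(xml_text)
    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    affiliations = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AFFILIATION_OID:
            affiliations.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return LOA_BY_CONTEXT.get(ctx, 0.0), affiliations

def sp_decision(xml_text, required_loa, allowed_affiliations):
    """Apply the SP's risk-assessment policy: LoA floor plus affiliation check."""
    loa, affiliations = parse_assertion(xml_text)
    if loa < required_loa:
        return "deny: LoA %s below required %s" % (loa, required_loa)
    if not affiliations & allowed_affiliations:
        return "deny: affiliation %s not in %s" % (sorted(affiliations), sorted(allowed_affiliations))
    return "allow"
```

A grade-posting SP would call `sp_decision(..., 1.5, {"faculty"})` and reject this affiliate even though the campus authentication succeeded; a low-risk SP that admits any campus-known person would pass `{"affiliate", "member"}`.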
