...

  • Which services reside where?
  • How is vetting / credentialing performed?
  • How do application owners determine required Level of Assurance (LOA) for their applications?
  • How do Identity providers comply with applications' LOA requirements?
  • Who supports the end users and applications?
  • Who audits identity providers' practices and what standards are used?
  • What is the role of Information Security Governance?

...

Federation Technology Standards

  • Security Assertion Markup Language (SAML):

    • Standard developed and ratified by OASIS, an international non-profit standards organization, and managed by the OASIS Security Services Technical Committee

    • Has broad vendor and industry acceptance

  • Shibboleth:

    • Open source software package for web single sign-on across or within organizational boundaries

    • SAML-based software managed by Internet2. See other Internet2 middleware initiatives in higher education, including OpenSAML

    • Higher-education and increasing vendor acceptance

    • Provides extended privacy functionality

  • Open ID: a user-centric distributed web-SSO technology perceived as being lighter-weight and less focused on communities of trust than SAML

  • OAuth: an open standard for access delegation. It provides clients "secure delegated access" to server resources on behalf of a resource owner, and is commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords.

Benefits of Federation

  • Sharing of resources between institutions
  • Collaboration between institutions and users
  • Increased security (fewer usernames and passwords to manage)
  • Lower support costs (no application-based identity management)
  • Improved user experience (fewer usernames and passwords to remember)

Challenges of Federation

  • Deploying new infrastructure is hard. The infrastructure must be there before gains can be realized, which makes justification a challenge.

  • Policy development can take considerable time.

  • Trust can be difficult to achieve. Good policy and governance help ("trust but verify").

  • Making it ubiquitous across entities of varying size is a challenge. Many times, the smaller organizations will benefit most.

The InCommon Assurance Program awards certifications to qualifying institutions of higher education and research organizations that support InCommon requirements for consistent management of digital credentials.

Good security and identity practices help ensure that an individual using an electronic credential is the person you think it is. For Service Providers in an identity federation, having Identity Provider Operators support a standard practice set (or profile) can mitigate the risk of service compromise. For Identity Providers, it is a way to provide single sign-on access to applications requiring an increased level of confidence in a credential. InCommon has published two sets of profiles: Bronze and Silver. These profiles align with the U.S. government's NIST Levels of Assurance 1 and 2, respectively. Bronze has a security level that slightly exceeds the confidence associated with a common Internet credential. Silver has a security level appropriate for financial transactions.
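The questions above ask how application owners state a required Level of Assurance and how identity providers meet it. The following added example (not part of the original wiki page, and not InCommon or Shibboleth code) shows the Service Provider side of that check: it reads a constructed SAML 2.0 Response, confirms the assertion's validity window and audience restriction, maps the asserted AuthnContextClassRef to a NIST LOA, and compares it with what the application requires. The Bronze and Silver profile URIs are assumed to be the identifiers InCommon publishes; the IdP, SP and user values are made up. Signature verification is left out on purpose and must run before any of this in a real deployment.

```python
"""Service Provider check: does a SAML assertion's asserted assurance profile
meet the application's required Level of Assurance (LOA)?"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Assurance profile URI -> NIST LOA it aligns with.
# Assumption: these are the identifiers InCommon publishes for Bronze and Silver.
ASSURANCE_LOA = {
    "http://id.incommon.org/assurance/bronze": 1,
    "http://id.incommon.org/assurance/silver": 2,
}


def _parse_time(value):
    # SAML timestamps are UTC; make the trailing "Z" acceptable to fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_assertion(response_xml, expected_audience, now):
    """Return (loa, problems).

    loa      - highest LOA asserted via AuthnContextClassRef; 0 if none recognised.
    problems - conditions that make the assertion unusable regardless of LOA.
    Signature verification is out of scope here; in a deployment it runs first.
    """
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        return 0, ["no Assertion element"]

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("no Conditions element")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     conditions.findall("saml:AudienceRestriction/saml:Audience", NS)
                     if a.text]
        if expected_audience not in audiences:
            problems.append("audience restriction does not name this SP")

    refs = [r.text.strip() for r in
            assertion.findall(".//saml:AuthnContextClassRef", NS) if r.text]
    # Unknown context class URIs map to LOA 0, i.e. no assurance claim is honoured.
    loa = max((ASSURANCE_LOA.get(r, 0) for r in refs), default=0)
    return loa, problems


def meets_loa(response_xml, expected_audience, required_loa, now):
    """True only if the assertion is usable and its LOA covers the requirement."""
    loa, problems = evaluate_assertion(response_xml, expected_audience, now)
    return not problems and loa >= required_loa


def sample_response(assurance_uri):
    # Constructed sample (not captured from any real IdP); hypothetical entity IDs.
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.edu/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>{assurance_uri}</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


SP = "https://sp.example.edu/shibboleth"
BRONZE = "http://id.incommon.org/assurance/bronze"
SILVER = "http://id.incommon.org/assurance/silver"
T_VALID = datetime(2024, 1, 1, 0, 2, tzinfo=timezone.utc)
T_LATE = datetime(2024, 1, 1, 0, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(meets_loa(sample_response(SILVER), SP, 2, T_VALID))  # True
    print(meets_loa(sample_response(BRONZE), SP, 2, T_VALID))  # False: LOA 1 < 2
    print(meets_loa(sample_response(SILVER), SP, 2, T_LATE))   # False: expired
```

The design point is that the LOA decision and the validity checks are separate: an assertion carrying Silver but addressed to another SP or past its NotOnOrAfter is rejected outright, while an assertion with an unrecognised context class is treated as carrying no assurance at all rather than guessed at.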

See CommIT: Simplifying Admissions Identity Management for Georgetown University's way to leverage federated single sign-on to match electronic records for college applicants and institutions using a single set of user credentials that can be used across various services. See Social-to-SAML: Accepting Social Identities for InCommon Federated Services for an overview of how two institutions of higher education are using social identities (e.g., Google and Yahoo) to provide access to selected federated services for users who may have little or no continuing relationship with the institution. Presentation slides.


d. Cloud Computing and Software as a Service (SaaS)

...