...

Paul Caskey (UT System) <pcaskey@utsystem.edu>

Mission/Goals

The mission of the External Identities Working Group is to move the community of knowledge towards the goal of making external identities useful and sufficiently trusted in a variety of campus-based use cases. This group is focused on the use of these external identities by individuals, rather than an enterprise using an external identity provider as their enterprise IdP.

Specific Goals for the External Identities Working Group include:

  • Exploring/developing deployment models for using external identities in a variety of risk profiles
  • Identifying and examining the technical components that are needed to make external identities useful across a broad array of services
  • Exploring the notion of account linking between a campus-issued account and an external account
  • Understanding the differences between external identities and locally assigned identities
  • Exploring various approaches that raise the level of trust associated with external identities (references to other work on trust elevation, e.g. OASIS Trust Elevation Subcommittee)

Membership

Membership in the Working Group is open to all interested parties. Members join the Working Group by subscribing to the mailing list, participating in the phone calls, and otherwise actively engaging in the work of the group.

The chair of the Working Group is appointed by the InCommon TAC and is responsible for keeping the TAC informed regarding Working Group status.

Deliverables

  1. Update (i.e., make current) the set of use cases developed by the Social Identities Working Group. This should include use cases for both of the following situations:
    1. Social account linked to a campus-issued account
    2. Social identity used by a non-community member.
  2. Develop a set of criteria for selecting external providers in a variety of usage scenarios. Ensure that both social providers (e.g., Google, Facebook, Twitter) and non-social providers (e.g., Microsoft, PayPal, VeriSign) are included.
  3. Identify and document properties of external accounts that would be of interest to web applications and other relying parties.
  4. Define and document how a gateway would represent the properties of an external account to an application.
  5. Document the advantages and disadvantages of a central gateway approach versus a local gateway approach.
  6. Provide application owners with recommendations regarding risk profiles when using external identities. (These profiles need not be based on the traditional 800-63 categories.) List and describe various approaches to trust elevation.
  7. Collect and comment on approaches that campuses are taking to do "account linking".
    1. Identify the properties that an external account should possess that would affect its use.
    2. Linking a campus account to a known external account, and linking an external account to an existing campus-issued account, where both accounts are used by the same person.
    3. Using an external authentication provider to authenticate to a campus-based service.
    4. Recommend ways that campus-owned attributes could be asserted following authentication with an external account (e.g., group memberships)
  8. Produce a set of longer-lived recommendations for practitioners, roughly comparable to the NMI-DIR documents (e.g., papers, not just wiki pages).

...

  1. This WG will be looking at the use of personal external accounts; it will NOT be looking at situations where an enterprise is using a social provider as their IDP, for access to enterprise apps outside of Google.
  2. Technical requirements for Interop/deployment profile for OpenID Connect (OIDC)
  3. Recommendations on approaches for elevating an external account authentication event to LoA 2.
  4. Identify and document pros and cons of having students continue to use their social account to access campus business systems during their student days. Identify an interim step toward this milestone.

...