Overview of issues related to the use of external identities
Different types of external identities
  Federated identities
  Social identities
  "Known assurance" identities
Different types of use cases
  Short- vs. long-term
  Low vs. high risk
  Specific SPs vs. enterprise IdP
  SP-specific IdPs and other gateways
Types of IDs
  Internal SP Identity
  Institutional Identity
  Federated Identities
  Social Identities
  Known Assurance Identities
Use Case Dimensions
  Longevity of identity
    Length of association (one-shot vs. short-term vs. long-term)
    Identities that are tied to/dependent on existing identities (e.g., parent access to a student's grades, or research partner access to a local researcher's project)
    Associations that extend beyond the traditional (local) IAM lifecycle (prospects, alumni, ex-employees)
  Sensitivity
    Need for a level of assurance (LoA)
    Need for MFA (?)
    Other needs (?)
  Level of linking to internal identities/environment (level of integration with IAM)
    Identities used to access a single SP only
    Linking external identifiers to (institutional) IAM entries (e.g., students using Facebook/Google as the credential for a campus account)
    Creating new (institutional) IAM entries based on external IDs (e.g., virtual organizations (VOs) creating entries for external people)
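The linking case above (an external identifier bound to an existing institutional IAM entry), as an added example that is not part of this document. The in-memory directory, the issuer and the two claim sets are constructed for illustration. The security point it demonstrates is the choice of link key: the (iss, sub) pair asserted by the external IdP, never the e-mail address, since providers can reassign addresses and some do not verify them, and keying on e-mail would let a new external account inherit someone else's campus identity.

```python
"""Link external identifiers to institutional IAM entries.

Added example, not from the original outline; directory and claim sets
are constructed. The link key is the (iss, sub) pair the external IdP
asserts; the e-mail claim is carried only as a display hint.
"""
from dataclasses import dataclass, field


class LinkError(Exception):
    """A link that is missing data, ambiguous, or crosses campus accounts."""


@dataclass(frozen=True)
class ExternalId:
    iss: str  # issuer of the external IdP
    sub: str  # provider-issued stable subject identifier, opaque to us


def external_id_from_claims(claims: dict) -> ExternalId:
    """Build the stable key; refuse assertions that cannot supply one."""
    try:
        return ExternalId(claims["iss"], claims["sub"])
    except KeyError as missing:
        raise LinkError(f"assertion lacks {missing.args[0]!r}") from None


@dataclass
class IamEntry:
    netid: str
    external_ids: set = field(default_factory=set)


class LinkRegistry:
    """In-memory stand-in for the institutional IAM directory (assumed)."""

    def __init__(self):
        self._entries = {}      # netid -> IamEntry
        self._by_external = {}  # ExternalId -> netid

    def add_entry(self, netid: str) -> IamEntry:
        return self._entries.setdefault(netid, IamEntry(netid))

    def link(self, netid: str, claims: dict) -> ExternalId:
        """Bind an external identity to an existing campus entry."""
        if netid not in self._entries:
            raise LinkError(f"no IAM entry for {netid!r}")
        ext = external_id_from_claims(claims)
        owner = self._by_external.get(ext)
        if owner is not None and owner != netid:
            # One external account must not be a credential for two people.
            raise LinkError(f"{ext} is already linked to {owner!r}")
        self._entries[netid].external_ids.add(ext)
        self._by_external[ext] = netid
        return ext

    def resolve(self, claims: dict):
        """Map an incoming external assertion to a netid, or None if unlinked."""
        return self._by_external.get(external_id_from_claims(claims))


# Constructed sample claim sets: same e-mail address, different subjects,
# which is what a recycled or spoofed address looks like at login time.
GOOGLE = "https://accounts.google.com"
JDOE_CLAIMS = {"iss": GOOGLE, "sub": "1001", "email": "jdoe@example.com"}
LOOKALIKE_CLAIMS = {"iss": GOOGLE, "sub": "2002", "email": "jdoe@example.com"}


def demo() -> dict:
    reg = LinkRegistry()
    reg.add_entry("jdoe")
    reg.add_entry("asmith")
    reg.link("jdoe", JDOE_CLAIMS)
    result = {
        "jdoe": reg.resolve(JDOE_CLAIMS),            # linked subject resolves
        "lookalike": reg.resolve(LOOKALIKE_CLAIMS),  # same e-mail, other sub: no match
    }
    try:
        reg.link("asmith", JDOE_CLAIMS)  # a second person claims the same external account
        result["cross_link"] = "allowed"
    except LinkError:
        result["cross_link"] = "refused"
    return result


if __name__ == "__main__":
    print(demo())
```

Re-linking the same external account to the same netid is idempotent; linking it to a different netid is refused rather than silently moved, so a takeover of the external account cannot be turned into a quiet re-binding without an explicit unlink step.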
Risks, Concerns and Issues of leveraging External IDs
Architectural Approaches for integrating external identities
  Directly at the SP
  With an invitation service
  With an externalized authz service
  Leveraging a gateway
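The gateway and externalized-authz approaches above, as an added example that is not part of this document: a minimal gateway that reduces whatever an external IdP asserted to a fixed attribute set (identity type, assurance, MFA, stable identifier), and a policy function of the kind an externalized authz service would hold that decides on those attributes only. The issuer registry, the local 0..2 assurance scale, the resource policy and the sample assertions are all assumptions made for illustration; the one real identifier is the REFEDS MFA profile URI.

```python
"""Gateway representation of an external account's properties.

Added example, not from the original outline. ISSUERS, the 0..2
assurance scale, POLICY and the sample assertions are assumptions.
"""
from dataclasses import dataclass

# Authentication context value defined by the REFEDS MFA profile
# (SAML AuthnContextClassRef or OIDC acr).
REFEDS_MFA = "https://refeds.org/profile/mfa"

# Assumed registry: issuer -> (identity type, baseline assurance, local 0..2 scale).
ISSUERS = {
    "https://idp.partner.example.edu": ("federated", 1),
    "https://login.social.example": ("social", 0),
    "https://login.proofed.example": ("known_assurance", 2),
}


@dataclass(frozen=True)
class ExternalAccount:
    iss: str
    sub: str
    identity_type: str
    assurance: int
    mfa: bool


def normalize(assertion: dict) -> ExternalAccount:
    """Turn a raw external assertion into the gateway's fixed attribute set."""
    iss = assertion["iss"]
    if iss not in ISSUERS:
        # Unregistered issuers never reach the application, whatever they claim.
        raise ValueError(f"unregistered issuer {iss!r}")
    identity_type, assurance = ISSUERS[iss]
    # MFA evidence: an OIDC 'amr' value of "mfa" (RFC 8176) or the REFEDS MFA context.
    mfa = "mfa" in assertion.get("amr", []) or assertion.get("acr") == REFEDS_MFA
    return ExternalAccount(iss, assertion["sub"], identity_type, assurance, mfa)


# Assumed per-resource policy, the kind an externalized authz service holds.
POLICY = {
    "public-dataset": {"min_assurance": 0, "require_mfa": False},
    "shared-project": {"min_assurance": 1, "require_mfa": False},
    "student-grades": {"min_assurance": 2, "require_mfa": True},
}


def authorize(account: ExternalAccount, resource: str) -> bool:
    """Policy decision on normalized attributes only."""
    rule = POLICY[resource]
    if account.assurance < rule["min_assurance"]:
        return False
    return account.mfa or not rule["require_mfa"]


# Constructed sample assertions, one per identity type on this page.
SAMPLE_ASSERTIONS = {
    "social": {"iss": "https://login.social.example", "sub": "u-17"},
    "federated": {"iss": "https://idp.partner.example.edu", "sub": "p-42", "acr": REFEDS_MFA},
    "proofed": {"iss": "https://login.proofed.example", "sub": "k-9", "amr": ["pwd", "mfa"]},
}


def decisions() -> dict:
    """Which sample account may reach which resource."""
    return {
        name: {res: authorize(normalize(a), res) for res in POLICY}
        for name, a in SAMPLE_ASSERTIONS.items()
    }


if __name__ == "__main__":
    for name, row in decisions().items():
        print(name, row)
```

Because the application sees only ExternalAccount, adding a new provider is a registry change at the gateway, and the question of how much a given external account should be trusted is answered once, in ISSUERS, rather than in every SP.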
Recommendations (do we need a separate section, or should these be in the previous sections?)
Specific Issues/Appendices (items on the charge list not necessarily directly addressed above, or documents we've created to link to but not include directly)
  Specific issues addressed
    Criteria for selecting external providers in a variety of usage scenarios
    How a gateway would represent the properties of an external account to an application (?)