Blog

The Attributes for Collaboration and Federation Working Group has released its draft report, which is open for community feedback. The report includes the results of a survey conducted to help understand the slow uptake of the Research & Scholarship (R&S) Category of Service Providers. The working group was formed to examine the reasons for low participation in the R&S Category and develop some recommendations on how InCommon might substantially increase adoption.

The report and feedback submission form are on the wiki.

Links to all consultations can be found on the Trust and Identity Consultations page.

Three InCommon Working Group consultations are either in process or planned to open in the next week. 

When a working group drafts a summary and recommendations as a result of its work, the community is invited to comment during a four-week consultation period. It so happens that three working groups have completed their work in a relatively close time frame.

  1. SAML V2.0 Interoperability Deployment Profile V1.0 (also known as SAML2int) - The consultation period for this report opened on April 9 and will close next Monday, May 7. Deployment Profile Working Group Chair Keith Wessel provided a high-level summary of the proposed changes in a blog post. The working group report and feedback page are on the wiki.

  2. Streamlining Service Provider Onboarding Working Group - A four-week consultation on this working group's report opens Monday, April 30. This working group's charter was to identify and document guidelines for service provider onboarding and operation in the InCommon Federation, to reduce variance in configuration and increase interoperability. Relevant documents and a link to the feedback page are on the wiki.

  3. Attributes for Collaboration and Federation Working Group - A four-week consultation on this group's report will open on Monday, May 7. This working group was created to explore the need for standard attribute release policies and some of the existing barriers to adoption. This working group will hold a feedback session at the Internet2 Global Summit on Monday, May 7 at noon.

Please review the information provided by these working groups and provide any comments on the consultation wiki pages.  The Working Group chairs will keep you informed about the progress of these collaborations and provide reminders prior to the closing dates.

The Streamlining Service Provider Onboarding working group has completed its work and released a report for community feedback. The working group has produced a criteria document and a self-assessment questionnaire to help guide Service Providers along their path to becoming operational and interoperable members of the InCommon Federation. The consultation closes on May 28, 2018.

The working group was charged with identifying and documenting standards for Service Provider operation in the Federation. The group developed a criteria document to provide a set of consistent standards, as well as a self-assessment questionnaire that also provides guidance and recommendations.

Also, a reminder of other consultations:

  • SAML2 Interoperability Profile (closing May 7)
  • Attributes for Collaboration and Federation Working Group (opening May 7).

Links to all consultations can be found on the Trust and Identity Consultations page.


Managing Affiliate, Alumni, and Other Identities with COmanage


Wednesday, April 18, 2018
2 pm ET / 1 pm CT / Noon MT / 11 am PT
www.incommon.org/iamonline

COmanage might be the most useful identity management tool that you have never used.  COmanage Registry is an identity registry and lifecycle management system designed to track complex and typically transient affiliations. The registry maintains identity data, tracks groups and roles, and provisions to directories and other services.

Join us for the April IAM Online to hear two case studies for the use of COmanage:

  • Lafayette College will discuss how COmanage filled operational gaps in their identity management system by becoming the source system for affiliates of the College such as auditors, contractors, and employees of outsourced services such as dining. COmanage is authoritative for identity data, tracks sponsors, provisions NetIDs in LDAP, and manages the identity lifecycle, including account renewals.
  • Colorado State University has just launched COmanage as an entity registry and account linking system for alumni, as well as donors accessing the university’s Donor Connect system with external identities. This is the first phase of this project, which will soon include access to resources provided by the Registrar and parent/guardian access to student bills, class schedules, etc.


COmanage is one component in the TIER (Trust and Identity in Education and Research) suite, along with Shibboleth and Grouper.

Presenters
Jeff Ruch, Colorado State University
Janmarie Duh, Lafayette College

Moderator
Bill Thompson, Lafayette College

Connecting
We use Adobe Connect for slide sharing and audio: http://internet2.adobeconnect.com/iam-online. For more details, including back-up phone bridge information, see www.incommon.org/iamonline.

About IAM Online
IAM Online is a monthly online education series brought to you by Internet2’s InCommon community and the EDUCAUSE Higher Education Information Security Council (HEISC).


The InCommon Steering Committee has approved changes to the InCommon Participation Agreement and the InCommon Federation Policies and Practices (FOPP). The changes are part of the adoption of Baseline Expectations for Trust in Federation, which introduces a new dispute resolution process and eliminates the requirement for organizations to post a Participant Operational Practices (POP) document in favor of requiring certain elements to be present in the InCommon trust registry (also known as “metadata”).

In keeping with the InCommon charter and bylaws, the revised Participation Agreement goes into effect on June 15, 2018, 90 days after notice was sent on March 15. Changes to the FOPP are effective as of the Steering Committee action on March 4.

The InCommon community’s work on Baseline Expectations now enters a transition phase as we collectively gear up to support this new program. Look for more on the new dispute resolution and consensus process development/refinement in the coming weeks.

Information about the Baseline Expectations program is available on the InCommon website. There is also a Baseline Expectations wiki space, which includes links to informational webinars, an implementation roadmap, and an FAQ.

InCommon Shibboleth Installation Workshop - May 22-23, 2018

The first of two Shibboleth workshops planned for 2018 will take place May 22-23 at the Unicon headquarters in suburban Phoenix, Arizona. The second workshop will take place at the University of Pittsburgh (tentative dates are July 10-11). Here are the details about the workshop in Arizona.

---------

Unicon Headquarters
1760 E. Pecos Rd., Suite 432
Gilbert, Arizona 85295 (suburban Phoenix)
May 22-23, 2018 (9 am - 5 pm PT both days)

Registration: www.incommon.org/shibtraining/
Details on the site:
https://spaces.at.internet2.edu/x/moJyBw

Are you interested in learning how to install and configure the Shibboleth SAML SSO/Federation Software? Do you need to upgrade to IdPv3? Would you like to see how the containerized TIER version of the Shibboleth IdP can simplify your installation and configuration?

Join us for the InCommon Shibboleth Installation Workshop May 22-23, 2018 at the Unicon Headquarters in Gilbert, Arizona (suburban Phoenix). The registration deadline is May 11.

The two-day training covers both the Identity Provider and Service Provider software, as well as some integration issues. We will also introduce you to the TIER (Trust and Identity in Education and Research) version of the Shibboleth IdP, which is delivered via a Docker container and is pre-configured to work well with InCommon. The workshop focuses on installing and deploying IdPv3 and the Shibboleth Service Provider. Here is what you can expect:

  • A two-day, directed self-paced workshop

  • Hands-on installation of the identity provider and service provider software

  • Experienced trainers providing overviews and one-on-one help

  • Discussions on configuration and suggested practices for federation

  • Attendance is limited to 40

The workshops will offer the chance to:

  • Install a prototype Shibboleth identity and service provider in a virtual machine environment

  • Gain experience with the Docker container version of the Shibboleth IdP (the TIER version)

  • Discuss how to configure and run the software in production

  • Learn about integration with other identity management components such as LDAP and selected service providers

Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

  • System install, integration, and ongoing support staff

  • Campus technology architects

To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.

InCommon and REN-ISAC, alongside international partners, strongly urge federation participants to be ready to manage federation-related security incidents. Here’s how.

SIRTFI is an international framework for federated security incident response. It specifies a means to publish your readiness for incident response in federation metadata. This framework asks that each federation entity, i.e., each Identity and Service Provider, contain security contact information in its federation metadata; that the normal security incident response procedures associated with it reasonably address the statements in the SIRTFI specification; and, if so, that a SIRTFI tag is attached to the entity.

InCommon recently made self-management of the security contact and SIRTFI flag available in its Federation Manager portal. Participant Site Administrators can now manage SIRTFI status for all systems that are part of the Federation. Please ask them to ensure that your security contact information is correctly expressed in federation metadata and to set the SIRTFI flag if you believe that your security incident response procedures reasonably meet the statements in the SIRTFI specification. Step-by-step instructions are here.

Academic collaborations, cloud services, and other uses depend on sensitive resources, such as unique instruments, software, high performance data processing environments, and corpora of data, being accessible through global federation. Most InCommon participants are home to faculty, students, and staff that need to use these services to be successful in their endeavors. Please help them to succeed by being prepared to manage a federated security incident that could otherwise threaten valuable resources.

Kim Milford
Executive Director, REN-ISAC
Member, InCommon Technical Advisory Committee

Kevin Morooney
Vice President Trust & Identity Services, Internet2


IAM Online
Wednesday, December 13, 2017
2 pm ET | 1 pm CT | Noon MT | 11 am PT

Does your team spend time performing tasks that could/should be (or worse, are) self-service?  Do you worry about disconnects between the intention and execution of your IAM policies?

Do your IAM tools require training?

Join us for the IAM Online webinar, “Identities are People, Too: IAM Tooling that Works.” The webinar will take place December 13, 2017, at 2 pm ET, and will cover case studies of development efforts (and lessons learned) at Duke to progressively improve interfaces to IAM services, such as:

  • Growing an alternate electronic credential service to 180,000 accounts that play nicely with NetID login (and aren't mutually exclusive)

  • Delegating account admin and authorization functions to nontechnical staff via interfaces that don't leave room for misinterpretation

  • Re-thinking self-service so end users can be partners in managing identity

  • A guided registration system for service providers that takes the guesswork (and excuses!) out of Shibboleth integrations


We'll also discuss specific techniques for identifying where users are getting lost in a process, and developing metrics-informed solutions your community can get behind.



Presenter

Mary McKee, Senior IT Manager, Duke University



Connecting: At the time of the webinar, go to the Adobe Connect IAM Online page (slide sharing and audio). See the InCommon website for more details, including back-up phone bridge information.



About IAM Online

IAM Online is a monthly online education series brought to you by Internet2's Trust and Identity community and the EDUCAUSE Higher Education Information Security Council (HEISC).


The InCommon Assurance Advisory Committee (AAC) will hold a community assurance call to discuss the new Baseline Expectations and the potential shift in focus for the AAC. The call will take place Wednesday, October 4, 2017 at noon ET.

The Assurance Advisory Committee (AAC) was initially established to manage the US Government-approved assurance program to enable access to Federal services requiring 800-63-2 conforming credentials. However, uptake of that program has been primarily by schools interested in showing credential due diligence to their stakeholders, and the US Government services in InCommon currently don't require an assurance profile.

But the AAC has been active in finding ways to increase the trust across the InCommon community, including developing the MFA Interoperability Profile – which is now under the wing of the international federation operators (REFEDS) – and of course the InCommon Baseline Expectations program.

Come join us to learn how the AAC is evolving and provide input on where the group should go by attending the upcoming webinar Refocusing Community Guidance of InCommon's Trust Programs: Baseline and Bronze. The discussion will cover:

  • Baseline Expectations and AAC responsibilities
  • Membership changes needed in the AAC
  • Survey results of InCommon Bronze members
  • Adjustments to AAC charter and recruitment of new members

Host and Presenter
Brett Bieber, University of Nebraska and Chair of the InCommon Assurance Advisory Committee (AAC)

Connection Details

Slide sharing and audio (one-way) via Adobe Connect: http://internet2.adobeconnect.com/incommonassurancecall

eDial Connection Information (for participating in the conversation via phone vs. chat function):

+1-734-615-7474 (English I2, Please use if you do not pay for Long Distance)
+1-866-411-0013 (English I2, toll free US/Canada Only)
PIN: 0129048 #

Trust and Identity Update Webinar: InCommon, TIER, and Plans for the Future
Friday, September 29, 2017
2 pm ET / 1 pm CT / Noon MT / 11 am PT

The Trust and Identity Services division at Internet2 is heading towards its second birthday this January and a lot has transpired over the last two years. We started with several planning sessions last year and have been working to put those plans into action. There are a number of initiatives underway at InCommon (thanks in part to the dues increase this year), and we continue to develop and refine the TIER Program and its core software components. We’ll share that information, as well as provide a foreshadowing of what to expect at TechEx, which is just a couple of weeks away.

Please join InCommon Steering Chair Sean Reynolds and Trust and Identity Program Advisory Group Chair Klara Jelinkova for a recap of the last two years and a preview of what to expect at TechEx, and learn how you can participate in helping to set the course for Trust and Identity activities at Internet2 for the next couple of years.

Speakers

Klara Jelinkova (Rice Univ.), Chair, Trust and Identity Program Advisory Group
Sean Reynolds (Northwestern Univ.), Chair, InCommon Steering Committee
Kevin Morooney (Internet2), Vice President, Trust and Identity

Connecting

We will use Adobe Connect for the webinar, including slide sharing and audio: http://internet2.adobeconnect.com/trustandidentityupdate

Back-up phone bridge: (734) 615-7474 or (866) 411-0013. PIN: 0178270#

MCNC and InCommon have concluded a six-month proof of concept of the InCommon Steward Program, which allows K-12 school districts and community colleges to take advantage of federated identity. This is a summary of the findings; the full report is available on the wiki.

Under this program, the Steward (in this case MCNC) manages the onboarding of its K-12 and community college constituents, a role typically performed by InCommon staff. InCommon provides training for the Steward, as well as the infrastructure and operational experience of operating a national federation.

The proof of concept validated the virtual team approach and found no significant impacts on the trust model. The organizations found, however, that the mid-year start did not allow for full engagement of the K-12 school districts, and agreed to continue with a six-month business development phase.

MCNC and InCommon operated the proof of concept from December 2016 through June 2017 to develop and test the onboarding and operational processes. Key findings include:

  • Operational issues were minimal and communication within the “virtual team” (InCommon and MCNC staff) that managed the onboarding and identity proofing worked well without over-taxing either organization’s resources. A two-day in-person training session involving InCommon and MCNC staff contributed significantly to successful operation.

  • There were no significant impacts on InCommon’s trust model during the proof of concept, largely due to prior community outreach and consultation. In fact, the presence of a knowledgeable Steward has improved alignment with recommended operational practices. There was only one operational confusion related to trust that was quickly resolved; training for future Stewards will be improved in this area.

  • In general, impacts (positive or negative) of the Steward Program on K-12 have been difficult to observe, due to the timing of the proof of concept late in the school year.  


To address the last item above, InCommon and MCNC have initiated a six-month business development phase to further develop the program’s value for K-12 and community colleges, as well as to further develop the program’s business and legal model. MCNC and InCommon will also develop a case study of the Steward Program, including recommendations for other regional networks interested in participating.


InCommon Shibboleth Installation Workshop
November 7-8, 2017
9:00 am - 5:00 pm (ET)

National Institute of Allergy and Infectious Diseases

Conference Center

5601 Fishers Lane

North Bethesda, Maryland 20852

Register at www.incommon.org/shibtraining

Are you interested in learning how to install and configure the Shibboleth SAML SSO/Federation Software? Do you need to upgrade to IdPv3? Would you like to see how the containerized TIER version of the Shibboleth IdP can simplify your installation and configuration?

Join us for the InCommon Shibboleth Installation Workshop November 7-8 at the National Institute of Allergy and Infectious Diseases Conference Center in Bethesda, Maryland. The registration deadline is October 20.

The two-day training covers both the Identity Provider and Service Provider software, as well as some integration issues. We will also introduce you to the TIER (Trust and Identity in Education and Research) version of the Shibboleth IdP, which is delivered via a Docker container and is pre-configured to work well with InCommon. The workshop focuses on installing and deploying IdPv3 and the Shibboleth Service Provider. Here is what you can expect:

  • A two-day, directed self-paced workshop

  • Hands-on installation of the identity provider and service provider software

  • Experienced trainers providing overviews and one-on-one help

  • Discussions on configuration and suggested practices for federation

  • Attendance is limited to 40


The workshops will offer the chance to:

  • Install a prototype Shibboleth identity and service provider in a virtual machine environment

  • Gain experience with the Docker container version of the Shibboleth IdP (the TIER version)

  • Discuss how to configure and run the software in production

  • Learn about integration with other identity management components such as LDAP and selected service providers


Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

  • System install, integration, and ongoing support staff

  • Campus technology architects


To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.

Members of the Kantara Initiative Federation Interoperability Working Group have recently approved the SAML V2.0 Implementation Profile for Federation Interoperability. The document described below now enters a 45-day public comment and IPR review period in preparation for a member ballot to consider its approval as a Kantara Initiative Recommendation.

This document encompasses a set of software conformance requirements intended to facilitate interoperability within the context of full mesh identity federations, such as those found in the research and education sector. It attempts to address a number of common barriers to interoperability and details features that are necessary in order to use SAML metadata as a foundation for scalable trust fabrics. It supersedes the eGovernment Implementation Profile V2.0bis from June 2011.

This is an open invitation to comment. Kantara Initiative solicits feedback from potential users, developers and other interested parties, whether Kantara Initiative members or not, for the sake of improving the interoperability and quality of its technical work. The public review opened on June 14, 2017, and will close July 29, 2017, at 11:59 UTC.

To comment please email your comments to staff@kantarainitiative.org with the subject "FIWG COMMENT SUBMISSION".


InCommon Shibboleth Installation Workshop
July 19-20, 2017
Lafayette College
Easton, Pennsylvania

www.incommon.org/shibtraining

InCommon will hold a Shibboleth Installation Workshop July 19-20 at Lafayette College in Easton, PA. Registration is available at www.incommon.org/shibtraining and details on the location at Lafayette College are on the wiki.

The two-day training sessions cover both the Identity Provider and Service Provider software, as well as some integration issues. The workshops focus on installing and deploying IdPv3 and the Shibboleth Service Provider. Here is what you can expect:

  • A two-day, directed self-paced workshop

  • Hands-on installation of the identity provider and service provider software

  • Experienced trainers providing overviews and one-on-one help

  • Discussions on configuration and suggested practices for federation

  • Attendance is limited to 40


The workshops will offer the chance to:

  • Install a prototype Shibboleth identity or service provider in a virtual machine environment

  • Discuss how to configure and run the software in production

  • Learn about integration with other identity management components such as LDAP and selected service providers


Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

  • System install, integration, and ongoing support staff

  • Campus technology architects



A revised eduroam info sheet describes the features and benefits of the federated global wireless access service for research and education. It may be particularly useful in providing a high-level overview of the service to campus stakeholders.

Internet2 operates the U.S. node for eduroam, which allows individuals from a participating institution to use their home credentials for access. Eduroam is a worldwide federation of RADIUS servers allowing users to achieve seamless access when traveling to another participating institution. Some campuses have chosen to use eduroam as their default campus wireless network.

For more information about the eduroam service and how your campus can participate, visit www.incommon.org/eduroam.