InCommon Forum, Internet2 Spring Member Meeting, April 27, 2010

InCommon Update

John Krienke provided a programmatic update from InCommon.

InCommon @ the National Science Foundation

Ardoth Hassler from the NSF provided an update on the status of federating various applications.

InCommon Operations Update

In the works:

Attributes - User Consent

Luke Tracy from the University of Michigan reported on the use of uApprove for user consent to release attributes. Originally, a user would be presented with uApprove the first time he or she went to an SP, then subsequent visits would not include the prompt. There was a policy question, however, over what would happen if the data being released would change. Subsequently, users are presented with uApprove each time they visit an SP. UMich has implemented this with just a handful of SPs. The long-term goal is to not have users presented with uApprove every time they visit an SP.

Keith Hazelton reported that the University of Wisconsin-Madison will be implementing uApprove.

Attributes - Default Sets

Mike Grady (University of Illinois) reported that the CIC is looking at developing a pre-approved set of attributes that can be released. In many cases, the IdM people do not have the authority to make decisions about what to release, and it can become cumbersome to gain approval for each SP. They are looking at a pre-approved bundle of attributes to eliminate the ad hoc nature of this process. A group of CIC registrars and IdM folks will be meeting on this. The set of attributes has not yet been developed, but would likely include EPPN, TargetedID, Affiliation (standard and scoped), entitlement, assurance, email, and several forms of name. It would still be expected that a service would ask only for what it needs, not the whole bundle.

There is also discussion about extending the metadata to describe the service that is being provided; just having the entityID is not enough.
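The two attribute-release practices described above (re-prompting for consent only when the released data changes, and releasing only the subset of a pre-approved bundle that an SP asked for) can be sketched in a few lines. The following is an added illustration written for this summary; it is not uApprove's code or any CIC or UMich implementation, and the attribute names, the `ConsentStore` class, the `consent_flow` function and the sample user are constructed for the example.

```python
"""Constructed illustration of attribute-release policy at an IdP:
- consent is re-asked only when the data to be released changes
  (fingerprint of names and values), not on every visit;
- only attributes inside a pre-approved bundle, and only those the SP
  requested, are released (minimalism).
Not uApprove's code; every name below is hypothetical."""
import hashlib
import json

# Hypothetical pre-approved bundle; the forum listed these as likely members.
PREAPPROVED_BUNDLE = {
    "eduPersonPrincipalName", "eduPersonTargetedID", "eduPersonAffiliation",
    "eduPersonScopedAffiliation", "eduPersonEntitlement",
    "eduPersonAssurance", "mail", "displayName", "givenName", "sn",
}


def select_release(requested, bundle=PREAPPROVED_BUNDLE):
    """Release only attributes the SP asked for AND that sit in the bundle.
    Anything outside the bundle still needs the ad hoc approval process."""
    requested = set(requested)
    return requested & bundle, requested - bundle


def release_fingerprint(attributes):
    """Stable hash over attribute names and values; changes if either changes."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ConsentStore:
    """Remembers, per (user, SP entityID), the fingerprint the user approved."""

    def __init__(self):
        self._consents = {}

    def needs_prompt(self, user, sp_entity_id, attributes):
        # First visit (no record) or changed data (different fingerprint)
        return self._consents.get((user, sp_entity_id)) != release_fingerprint(attributes)

    def record(self, user, sp_entity_id, attributes):
        self._consents[(user, sp_entity_id)] = release_fingerprint(attributes)


def consent_flow(store, user, sp_entity_id, user_attrs, requested):
    """Return (prompted, released_attrs) for one visit of `user` to the SP.

    Raises ValueError if the SP asks for anything outside the bundle, since that
    decision belongs to a human approver, not to this automatic path."""
    allowed, needs_review = select_release(requested)
    if needs_review:
        raise ValueError(f"outside pre-approved bundle: {sorted(needs_review)}")
    to_release = {name: user_attrs[name] for name in allowed if name in user_attrs}
    prompted = store.needs_prompt(user, sp_entity_id, to_release)
    if prompted:
        store.record(user, sp_entity_id, to_release)  # user approval simulated
    return prompted, to_release


if __name__ == "__main__":
    # Constructed sample user and SP.
    sp = "https://sp.example.org/shibboleth"
    alice = {"eduPersonPrincipalName": "alice@example.edu",
             "mail": "alice@example.edu", "displayName": "Alice Example"}
    store = ConsentStore()
    wanted = ["eduPersonPrincipalName", "mail"]
    print(consent_flow(store, "alice", sp, alice, wanted))   # prompted: first visit
    print(consent_flow(store, "alice", sp, alice, wanted))   # not prompted: unchanged
    alice["mail"] = "alice.example@example.edu"
    print(consent_flow(store, "alice", sp, alice, wanted))   # prompted: data changed
```

The fingerprint covers values as well as names, so a changed email address re-triggers the prompt while an identical release on a later visit does not, which is the middle ground between "prompt once" and "prompt every time" that the UMich discussion describes.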

Bronze and Silver Identity Assurance Profiles

InCommon has submitted its Bronze and Silver identity assurance profiles to the U.S. General Services Administration's (GSA) ICAM (Identity, Credential and Access Management) program to gain approval as a Trust Framework Provider. The requirements include such items as releasing only as few attributes as necessary (minimalism) and protecting personally identifiable information during the registration process. The submission has been through preliminary review and has been resubmitted after comment.

One next step will be a strategy to facilitate adoption of Silver among participants, including determining the drivers for Silver, engaging auditors, and working out a process for fielding and answering questions - basically having a roadmap for this.

Tom Barton reported on the CIC work on Silver. The CIC has developed a three-phase approach to implementation: 1) impact/implementation with ordinary operations, 2) developing the credentialing process, and 3) understanding how the technology works.

The CIC has also committed to documenting these three phases to provide information for those future adopters.

The University of Washington has its own project going and has joined some of the conference calls. The CIC has also engaged some auditors.

Achieving Silver does not mean that every authentication that occurs needs to meet the Silver specifications. The IdP can decide under which circumstances Silver is necessary. It may involve only a couple of hundred researchers, for example.

The University of California is also working on Silver, as is the University of Texas system. As a community, we need to start another cohort along the CIC three-phase process soon to keep the momentum going.

Federating at the NIH

Debbie Bucci from the National Institutes of Health reported that the NIH has been federating for about two years. A key driver has been the CTSA application, and people are also setting up communities on the wiki. There is a pilot underway for the eRA application - which would require Silver - involving Penn State, UC Davis and Johns Hopkins.

eduroam is a federated wireless network access system that has widespread deployment in Europe, but is just making inroads in the U.S. This is another project that the CIC is involved with. Currently the effort is centered at the University of Tennessee (with an NSF grant), but there is interest in defining what role InCommon might play.