ABOUT THIS PAGE
The content below is intended to present two example formats for the guide for institutions recommended by the IdPaaS Working Group's proposed "Federation-Ready Identity Provider" program.
This guide is intended to help take the guesswork out of federation readiness for prospective customers, allowing them to easily identify IdPaaS solutions that will meet their architectural needs and allow them to fully participate in federation. Users of this guide should be able to quickly narrow their product search to options that will not limit their federation potential, and conduct their normal institutional process to help establish the most desirable offering based on more easily observable features.
An Adoption Assessment Guide for Home Institutions
Cloud-based Identity Provider services cover a range of goals and capabilities. The best solution for your campus will depend in part on whether you seek to complement the functionality of your existing infrastructure, or (partially or fully) replace it.
This document will help you identify what type of IdPaaS service will best address your institution’s needs, access information about (link to program info) Federation-Ready (/link) products in the desired category, and review considerations to keep in mind when selecting a vendor.
The first option exposes the IdPaaS integration model table and "Federation-Ready" vendors for easy skimming.
The following chart summarizes four common models for IdPaaS usage, how responsibility is shared between an institution and vendor, and federation-ready products that accommodate the use case.
A glossary at the end of this document explains these business functions in greater detail.
Model | Institution Manages: | Vendor Provides: | Vendors
--- | --- | --- | ---
Federation Adapter | | |
Full SAML SSO | | |
Identity Provider + Credential Store | | |
Identity and Access Management as a Service | | | Not currently in scope for evaluation
When choosing between comparable products, the following considerations may inform the best choice for your institution:
Multi-factor/strong authentication: would you like the IdPaaS product to include support for multi-factor authentication, or integrate with an existing campus solution? If part of the IdPaaS product, is site-specific MFA policy supported?
Institutional branding: how can the product’s user interfaces be customized to reflect the institutional brand?
System/protocol integrations: does the product integrate with any desired protocols, such as CAS or OIDC?
User role/group management: would you like the IdPaaS product to integrate with an existing campus group/role management solution, or allow for management within the IdPaaS product?
Service Provider (SP) metadata and integration: how can institutional and third party sites be configured to integrate with the IdP product? Can non-InCommon vendors be integrated? What support does the vendor offer for challenging integrations?
Service Provider (SP) data release from Identity Provider: how can user attributes be approved for release to an integrated site (SP)? Can policies be site-specific? Are custom attributes supported?
Data Management Policies and Practices: are the IdPaaS provider’s attribute release mechanisms compatible with your institutional policies and data governance processes?
SIEM/Logging: what logging and security event tracking capabilities does the product offer?
Resiliency/availability: what assurances will the vendor make about availability of the service?
Enhanced Client or Proxy (ECP): does the Identity Provider support non-browser-based login?
Attribute release consent: does the product support user consent for personal information shared by the Identity Provider with integrated sites at the time of login?
Social-to-SAML: does the product support linking of personal accounts (such as Google or Facebook) for login where institutional credentials are not available? If so, how is registration handled?
Admin UI: what administrative capabilities does the service offer? Are granular or delegated permissions supported? How do these capabilities fit with institutional data governance processes?
Password reset: if the product manages user credentials, how is password reset handled?
Support: how much institutional staff time will be required to support functionality offered by the product? Can the product support delegation of management responsibilities if desired?
API access: do you intend to build automation between the IdPaaS product and other campus infrastructure? If so, does the product feature an API or similar mechanism for such automation?
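As an added illustration (not part of this guide or of any vendor's product), this is what a site-specific attribute release policy looks like in the attribute-filter syntax of a self-hosted Shibboleth IdP; an institution can use it as a reference point when asking an IdPaaS vendor whether its release controls are equally granular. The SP entityID and the custom attribute name are placeholders.

```xml
<!-- Added example, not part of the guide. Two release policies in Shibboleth IdP
     attribute-filter.xml syntax. The entityID https://sp.example.edu/shibboleth and
     the custom attribute libraryPatronId are placeholders. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

  <!-- Site-specific policy: applies only to the one named SP (matched on its
       entityID). Attributes not named here are never released to it; the filter
       is deny-by-default, so the default posture is least privilege. -->
  <AttributeFilterPolicy id="releaseToLibrarySP">
    <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.edu/shibboleth" />
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
    <!-- Release only the "member" value of the affiliation list, not staff/faculty/etc. -->
    <AttributeRule attributeID="eduPersonAffiliation">
      <PermitValueRule xsi:type="Value" value="member" />
    </AttributeRule>
    <!-- A custom (institution-defined) attribute; it must also be defined in the
         IdP's attribute resolver before this rule has any effect. -->
    <AttributeRule attributeID="libraryPatronId" permitAny="true" />
  </AttributeFilterPolicy>

  <!-- Federation-wide policy: applies to any SP whose federation metadata carries
       the REFEDS Research and Scholarship entity category, so new R&S services
       get the standard bundle without a per-site change. -->
  <AttributeFilterPolicy id="releaseToResearchAndScholarship">
    <PolicyRequirementRule xsi:type="EntityAttributeExactMatch"
        attributeName="http://macedir.org/entity-category"
        attributeValue="http://refeds.org/category/research-and-scholarship" />
    <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
    <AttributeRule attributeID="mail" permitAny="true" />
    <AttributeRule attributeID="displayName" permitAny="true" />
    <AttributeRule attributeID="givenName" permitAny="true" />
    <AttributeRule attributeID="sn" permitAny="true" />
    <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" />
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

When comparing products, the questions to map onto this are whether release can be scoped per SP and per entity category, whether individual attribute values (not just whole attributes) can be filtered, and whether institution-defined attributes can be added.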
The second option presents similar information, but in a more interactive survey format.
Does your institution have an existing strategic commitment to a particular vendor or IAM product that you must use for your enterprise IAM solution?
An identity registry is the source of identity information for all IAM purposes.
This includes creating usernames and storing associated password hashes.
Group tools can be integrated or external, and are most often used for permissions/authorization, management of entitlements, communications, and reporting.
Provisioning most often includes initiating user records in downstream systems, but can also include sourcing identity data from upstream systems of record.
This refers to the web-based user interface a user interacts with to log in to campus services. This is usually implemented at the Identity Provider level, but can be maintained externally to that infrastructure if desired.
You may prefer to have a product that integrates with a preferred MFA solution, or bundle this with the vendor.
Either option should include a glossary to cover any key terms:
To ensure clarity, we define several key terms referenced in this document. These terms have specific, commonly adopted meanings in the higher education identity management community that may differ subtly from other uses in commercial or other settings.
Federation adapter
A solution that allows a campus Single Sign-On (SSO) system not implemented with SAML to interoperate with InCommon and other eduGAIN member federations.
This is most useful for institutions committed to a particular IAM product that does not natively allow users to access federation member sites with their institutional credentials.
Identity store/registry
An identity registry is an essential component of any identity and access management infrastructure. It is the authoritative source of a person’s digital identity in an organization.
Credential management
Responsibility for issuing, managing, and revoking institutional usernames and passwords or other electronic authentication credentials.
Provisioning
Tooling that supplies user/identity information to downstream (dependent) systems.
User Authentication
Support for institutional login. This usually includes hosting the login page through which users authenticate.