IAM Online - Wednesday, March 9, 2011
3 p.m. EST / 2 p.m. CST / 1 p.m. MST / Noon PST
www.incommon.org/iamonline
**************
Joining InCommon: The POP is Your Friend
Are you looking to join InCommon, or have you recently joined but still need to get your policy and technical house in order? Join this IAM Online to learn how you can use the InCommon Participant Operating Practices (POP) document to guide you as you set the wheels in motion toward federated identity management.
Jacob Farmer will share his popular presentation from InCommon Day CAMPs, where he helps new and almost-new participants use the POP as their guide to reviewing their identity management practices in preparation for federating with InCommon.
**************
Speaker
Jacob Farmer, Lead Systems Analyst/Programmer, Identity Management Systems, Indiana University
**************
Connecting
We use Adobe Connect for slide sharing and audio: http://internet2.acrobat.com/iam-online. For more details, see www.incommon.org/iamonline.
**************
About IAM Online
IAM Online is a monthly online education series including essentials of federated identity management, hot topics from the EDUCAUSE Identity and Access Management Working Group, and emerging topics in IAM. Experts provide overviews, answer questions and lead discussions. IAM Online is brought to you by InCommon in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group.
Have you decided to deploy a web single sign-on (SSO) system and leverage it to access resources and contracted services in the InCommon Federation? Do you need training on installation and support?
Registration is open for the latest in the Shibboleth Workshop Series, to be held March 14-15, 2011, in Amherst, Massachusetts. The workshops are available to those interested in installing and operating the Shibboleth Single Sign-on and Federating Software from institutions of higher education and their partner organizations. Only 28 seats are available for each workshop.
Consider attending one or both:
- Shibboleth Identity Provider Workshop on March 14, 2011
- Shibboleth Service Provider Workshop on March 15, 2011
The Shibboleth workshops will provide attendees with technical installation and configuration experience with Shibboleth Single Sign-on and Federating Software, version 2. Developed for organizations new to Shibboleth and those with existing implementations interested in upgrading to the v2 release, the workshops will offer the opportunity to:
- Install either a prototype Shibboleth identity or service provider in a virtual machine environment.
- Hear tips for configuring and running the software in production.
- Learn about integration with LDAP directories and selected packages.
The Identity Provider Workshop will be March 14, from 9 a.m. - 6 p.m. ($335 for InCommon Participants and Internet2 members; $350 for others). The Service Provider Workshop is March 15, 9 a.m. - 6 p.m. ($335 for InCommon Participants and Internet2 members; $350 for others). Please note there is separate registration and a separate fee for each workshop.
Organizations are encouraged to send up to two attendees who best represent these functions: system install, integration, and ongoing support staff; and/or campus technology architects. Details and registration information and links are available at the InCommon website.
Travel and lodging information is also on the website.
This Shibboleth Workshop Series is sponsored by InCommon, Five Colleges, Inc., the University of Massachusetts-Amherst, and Internet2.
Internet2 and InCommon are tenants of the University of Michigan MACC Data Center, which will undergo a scheduled power outage from February 18-20, 2011.
Some InCommon and Internet2 services will be unavailable between 6:00 p.m., Friday, February 18, and 4:00 p.m. Sunday, February 20, 2011, US/Eastern (UTC-0400).
Please note that the Discovery Service and metadata service WILL be available during the outage - we will cut over to our spare hot server.
Not available: InCommon site administration tools, mailing list distribution, and online meeting registration are among the services that will not be available.
Some limitations: The wiki is among services that will have some limitations.
Please see http://www.internet2.edu/outage/ for more information, and regular status reports throughout the outage.
InCommon has announced that several new services will soon become available to subscribers of the InCommon Certificate Service. Extended Validation SSL certificates and client (also called personal) certificates will both be available on March 3, 2011. Both are part of the base package for subscribers and will be available at no additional charge. Key escrow and private Certificate Authorities will also be available at an additional cost.
Extended Validation (EV) SSL Certificates
Extended Validation (EV) SSL certificates will be available at no additional charge beginning on March 3, 2011. EV certificates require stringent auditing and compliance, and therefore require a separate legal agreement between the university and Comodo. We will have a copy of this agreement available on the InCommon web site by the end of the month. EV certificates will be requested via the InCommon Certificate Services Manager (CSM) web interface, similar to domain-validated SSL certificates.
Client CPS and Client Certificates
Client certificates (also called personal certificates) will likewise be available at no additional charge beginning on March 3, 2011. Three types of client certificates will be offered: dual-use, encryption-only, and signing-only certificates. Our volunteer PKI subcommittee has been working hard on the Certification Practices Statement (CPS) for client certificates, balancing practical realities with future architectural concerns in both the CPS and the Certificate Profile. The InCommon TAC has also reviewed and discussed the draft CPS, which has been submitted to the InCommon Steering Committee, our PKI Policy Authority, for review. A final vote is expected on Feb 14th. Our thanks to them all, noted at the bottom of this email.
Key Escrow
When client certificates become available on March 3, escrow of private keys will be offered as an option (for an additional fee). If enabled at the organizational level, escrow itself may be enabled (or disabled) by administrators at the department level. Details regarding the technical and business requirements for the escrow of private keys will be available by the end of February.
Private CAs
Also for an additional fee, if your campus needs a hosted private CA – for issuing client certificates signed by a campus rather than InCommon as an intermediate CA – we now have the capability of offering this service. Until we get a web page up describing the details, contact me for more information.
Finally, a number of bug fixes and minor feature enhancements will be included in the March release of the CSM. We will publish a list of changes once that becomes available.
InCommon News - February 3, 2011
---------------
In This Issue:
- IAM Online February 9 – Group Provisioning for Federated Educational Applications
- WAYF Retired in Favor of Discovery Service
- Day CAMP: Getting Started with InCommon, February 15-16
- Advance CAMP: Identity Services Summit III, May 25-27
- InCommon Seeks Program Manager for Certificate Service
- Return on Investment for Federated IdM
- New Participants in January
---------------
IAM Online February 9 – Group Provisioning for Federated Educational Applications
The February IAM Online topic is group provisioning for higher education. Hear about work being done at the University of Washington on group provisioning, particularly as it relates to syncing campus groups with Google Apps for Education. Also hear about ongoing activity in federated provisioning, specifically within the area of SPML (Service Provisioning Markup Language). Details are at http://www.incommon.org/iamonline/
---------------
WAYF Retired in Favor of Discovery Service
As of February 2, InCommon has retired the WAYF (Where Are You From) in favor of the new InCommon Discovery Service, which will provide compatibility with SAML V2.0 and Shibboleth 2.x. A redirect will be in effect until July 6, 2011. You can see the full announcement at https://spaces.at.internet2.edu/x/OgBoAQ.
Visit the InCommon Discovery Service technical page (https://spaces.at.internet2.edu/x/FgEFAQ) for instructions on how to configure your Service Provider software for the Discovery Service and SAML V2.0.
---------------
Day CAMP: Getting Started with InCommon – February 15-16, 2011
If your organization has joined InCommon but needs a jump-start on the next steps, consider attending Day CAMP: Getting Started with InCommon, February 15-16, in Providence, Rhode Island. The meeting will feature technical and management information for higher education institutions looking to run an identity provider to access federated services. Details and registration information are at www.incommon.org/camp. OSHEAN, NEREN, and Five Colleges, Inc., in cooperation with InCommon and Internet2, sponsor this Day CAMP. InCommon anticipates holding Day CAMPs in other parts of the country in 2011, as well.
---------------
Advance CAMP: Identity Services Summit III – May 25-27, 2011
Advance CAMP will take place May 25-27 in Westminster, Colo., and focus on better provisioning, access management and other identity-related problems. Participants will work with identity leaders and developers across higher education to help design the next generation architecture. Registration is now open at www.incommon.org/camp. Participants can come early and attend Jasig’s Spotlight on Open Source Conference (www.jasig.org/jasigs-spotlight-open-source) just prior to Advance CAMP at the same location.
---------------
InCommon Seeks Program Manager for Certificate Service
InCommon has posted the position of Program Manager for the Certificate Service, with responsibility for the technical components of the service and work as the primary liaison with our community advisory and collaboration groups focused on PKI deployments and related applications. This staff position is full-time, based in Ann Arbor, Michigan. If you know of anyone who might be interested, please have them visit http://www.internet2.edu/about/staff/careers for details.
---------------
Return on Investment for Federated IdM
The Swedish virtual organization SWAMI (Swedish Alliance for Middleware Infrastructure) has demonstrated how federated identity management can lower the costs of identity proofing. In addition to the write-up, SWAMI has provided a spreadsheet used to determine the per-student cost of identity proofing. You’ll find details and links at https://spaces.at.internet2.edu/x/3wBSAQ.
---------------
New Participants in January
Higher Education
- Texas Tech University
- Baylor College of Medicine
- Reed College
- Willamette University
- Loyola University, Maryland
- University of California, Santa Barbara
- Yale University
Sponsored Partners
- Oak Tree Systems
- NBC Learn
----------
About Oak Tree Systems
Oak Tree Systems (www.oaktree-systems.com) is a software development and consulting company specializing in management software solutions for businesses and non-profit organizations. We increase productivity and reduce costs through the intelligent application of technology. Our focus is on training and learning management systems, including the TrainingForce Learning Management System (www.trainingforce.com).
----------
About NBC Learn
NBC Learn (www.nbclearn.com) offers professors and students access to over 10,000 primary source videos and documents from NBC News and dating back to the Universal News Reels of the 1920s. These are aligned to 28 subject areas including Biology, Marketing, Journalism, History, Forensic Sciences, and more. NBC Learn is very interested in driving student engagement using relevant, real-world digital resources in the classroom. The company is particularly interested in supporting higher ed institutions in efforts to meet the increased demand for distance learning and access to electronic resources, and to support professors in extending the boundaries of their classroom in an easy, efficient manner. You can preview the NBC Learn resources at http://highered.nbclearn.com. In addition, NBC Learn is offering free pilots through the summer of 2011 for any InCommon participant. We hope that giving educators access to the resource for an extended period of time will allow them to experiment with integrating our resources into their curriculum, fully explore our vast archives, and give the NBC Learn team time to provide them with adequate technical, training support, and usage statistics. For information on the pilot, contact Michael Levin at Michael.Levin@nbcuni.com or sign up at www.pilots.nbclearn.com.
--------------------
InCommon News is published by the InCommon Federation (www.incommon.org) for its participants and other interested parties. InCommon is an LLC of Internet2. Send feedback or comments to incommon-info@incommonfederation.org.
This newsletter is sent to incommon-announce@incommonfederation.org. To subscribe or unsubscribe, send an email to sympa@incommonfederation.org with one of these messages in the subject: subscribe incommon-announce or unsubscribe incommon-announce. You can also subscribe to the InCommon RSS news feed, which includes this newsletter, by visiting www.incommon.org/contacts.cfm.
As previously announced (https://spaces.at.internet2.edu/x/3QA6AQ), we have installed a redirect from the InCommon WAYF to the InCommon Discovery Service. This redirect will remain in effect until July 6, 2011, at which time it will be removed. At that point, HTTP requests for WAYF services will fail, so if you haven't updated your software to point to the new Discovery Service, please do so as soon as possible.
Now that the venerable WAYF has been retired, we will focus our attention on the user interface of the Discovery Service. A number of bug reports and feature requests are outstanding, most notably a request for an incremental search interface. The current implementation (SWITCHwayf) does not support incremental search, so we will switch to a new platform that supports incremental search in a subsequent release.
For example, the Shibboleth Centralized Discovery Service supports incremental search, but since this is a new platform for us, we would need to deploy, test, and replicate the Shib CDS on our infrastructure. You can help by trying out this incremental search feature, and, if necessary, sending your comments to the participant list. Once we've received your comments, a refined testing and deployment schedule will be announced. For initial testing, an "out of the box" test instance of the Shib CDS is at http://bit.ly/f3y0uD.
InCommon Advance CAMP: Identity Services Summit 2011 to be held May 25-27 in Westminster, Colorado
ANN ARBOR, Mich. – February 3, 2011 - Research and education leaders in identity management, and open source project developers, will gather for the third Identity Services Summit, May 25-27, in the greater Denver area.
The Identity Services Summit, which is part of the InCommon Advance CAMP Workshop Series organized by Internet2, provides a place for identity management leaders, architects and developers to collaborate on common approaches to solving key identity-related problems. Attendees will also work to develop integration strategies for open source and commercially available software. This year’s program will build on the success of two previous Identity Services Summits and will immediately follow the Jasig Annual Conference, "Spotlight on Open Source," which highlights a variety of open source software projects for higher education.
The past two Identity Services Summits produced a list of 24 challenges that have been tackled by collaboration groups formed just for that purpose.
"The collaboration that occurs at these Identity Services Summits helps to reduce barriers to integrating new packages and services into the campus identity management infrastructure," explains R.L. "Bob" Morgan, co-chair of the program committee and Senior Technology Architect at the University of Washington.
As a result of last year's InCommon Advance CAMP, Tom Zeller, University of Memphis, is leading an initiative to explore approaches to federated provisioning, which entails moving identity, group, and access data between systems in different domains. By drawing identity, group and access information from a variety of sources, federated provisioning can allow groups of people from different institutions to have access to common files, databases, wikis and other tools.
In another project from the 2010 Advance CAMP, Scott Cantor of The Ohio State University is leading an effort to write a comprehensive best practices guide for developers of federated applications.
"The collaborative working team approach has allowed our community to make significant progress on these and other important initiatives over the last two years," says Tom Barton, co-chair of the program committee and Senior Director for Architecture, Integration & Security at the University of Chicago. "We plan to continue and extend these productive efforts this year, as well."
The meeting uses an "unconference" format in which participants pitch their challenges and possible solutions to the larger group, lead breakout sessions, and then identify the most common pressing needs and volunteer for the project teams that will work on these initiatives. In addition, the 2010 Advance CAMP program committee has continued to monitor the progress of projects that emerged from the meeting and provides periodic updates to those that attended.
For more information on the InCommon Advance CAMP, Identity Services Summits, visit www.incommon.org/camp.
InCommon Advance CAMP Identity Services Summit is supported by Internet2, InCommon, Jasig, the Kuali Foundation and the Internet Society.
About Internet2
Internet2 is an advanced networking consortium led by the research and education community. An exceptional partnership spanning U.S. and international institutions who are leaders in the worlds of research, academia, industry and government, Internet2 is developing breakthrough cyberinfrastructure technologies that support the most exacting applications of today – and spark the most essential innovations of tomorrow. http://www.internet2.edu.
About InCommon
The InCommon Federation (www.incommon.org), operated by Internet2, provides a privacy-preserving, secure method for higher education institutions and their partners to offer single sign-on convenience to their faculty, researchers, students and staff. Through InCommon, individuals no longer need to maintain multiple passwords and usernames and online service providers no longer need to maintain user accounts. The educational institution manages the level of privacy and security for its constituents. InCommon also offers the InCommon Cert Service, providing unlimited SSL and, soon, personal certificates to colleges and universities at one low annual fee.
About Jasig
Jasig is a global consortium of educational institutions and commercial affiliates sponsoring free and open source software projects for higher education. Jasig is a member supported, non-profit 501(c)3 corporation aiming to attract, advance, and sustain communities developing enterprise-level, open source software that helps institutions fulfill their goals. Jasig connects people, provides infrastructure, and sponsors events that foster innovation and collaboration. Jasig's flagship projects include uPortal, an enterprise portal; CAS, the Central Authentication Service used for single sign-on and secure, proxied authentication; and Bedework, an enterprise calendar used for public events and personal and group calendaring. Jasig also manages a Project Incubator designed to mentor new open source projects in building community, increasing collaboration, and becoming self-sustaining. For more information, visit the Jasig website at www.jasig.org
Contact:
Lauren Rotman
Internet2
202-331-5345
lauren@internet2.edu