The Shibboleth project has released two important announcements that warrant replication throughout the InCommon federation. Consider joining the Shibboleth email lists below if you haven't received notice.
The Shibboleth Project issued a critical security advisory on Monday, July 25, with the discovery of a vulnerability in the project’s OpenSAML software. Any software dependent on OpenSAML is affected. In particular, Shibboleth itself is vulnerable.
The vulnerability affects both the Identity Provider and Service Provider deployments and is rated as "critical" for the Service Provider and "important" for the Identity Provider. If you have Shibboleth deployed, you should take immediate steps to apply the updates. The security advisory includes details on the vulnerability, specific recommendations for upgrading the OpenSAML software, and information on mitigating the attacks in an IdP.
The complete security advisory, including the information on upgrades and mitigation, is available at: http://shibboleth.internet2.edu/secadv/secadv_20110725.txt
Since the announcement yesterday, discussion on the Shib Users list has included helpful links and commands: http://bit.ly/oL8UNH
If you rely on scripts outside the Shibboleth software itself that use xmlsectool to verify the signature on InCommon metadata, you need to upgrade xmlsectool as well: http://bit.ly/nm77Jo
If you manage Shibboleth, you should be on the Announce list. You may also consider the more highly-trafficked Users list: http://shibboleth.internet2.edu/lists.html
PASSHE and InCommon Develop Standard Agreement that Increases Collaboration Opportunities
Managing collaboration, security and privacy has just become easier for the 14 Pennsylvania State System of Higher Education (PASSHE) universities. PASSHE has developed a standard agreement with InCommon, the federation that provides for shared management of access to online resources for the U.S. research and education communities.
InCommon, operated by Internet2, allows researchers, students, faculty and staff to use their university usernames and passwords to access online resources – both on-campus and those offered by third-party providers. Identity providers control the release of user information, and service providers manage the authorization for access to their online resources. The result is a secure and privacy-protecting method for providing individuals with single sign-on access to protected or licensed online resources.
PASSHE joins other state university systems in California, Texas, and Maryland that have established system-wide agreements with InCommon.
“The InCommon federation and trust services are increasingly seen as a foundation for system-wide initiatives and resource sharing designed to save money and increase collaboration,” states Jack Suess, chair of the InCommon Steering Committee and VP of IT at UMBC. “InCommon welcomes the opportunity to work with the PASSHE member institutions and their service providers.”
The template agreement between PASSHE and InCommon allows all PASSHE members to join InCommon under the same terms and conditions, simplifying the process for both parties by ensuring that the legal and policy issues are addressed consistently for PASSHE institutions.
“It is clear that the future of higher education is about collaboration and academic partnerships. Executing this agreement gives our institutions the ability to more effectively connect with our partners and simplify technology access for our employees and students,” said Dr. John C. Cavanaugh, Chancellor of PASSHE.
PASSHE member institutions can visit www.incommon.org/passhe for specific information, including how to join, or can email email@example.com. InCommon now serves more than 300 higher education institutions, research organizations, and sponsored partners.
InCommon, operated by Internet2, serves the U.S. education and research communities, supporting a common framework of trust services and operating the InCommon Federation and the community-driven InCommon Certificate Service. The InCommon Federation, the U.S. trust federation for research and education, enables scalable, trusted collaborations among its community of participants. The InCommon Certificate Service offers unlimited security certificates to the U.S. higher education community for one fixed annual fee. For more information, see www.incommon.org.
The Pennsylvania State System of Higher Education is the largest provider of higher education in the Commonwealth, with nearly 120,000 students. The 14 PASSHE universities offer degree and certificate programs in more than 120 areas of study. About 500,000 PASSHE alumni live and work in Pennsylvania.
The PASSHE universities are Bloomsburg, California, Cheyney, Clarion, East Stroudsburg, Edinboro, Indiana, Kutztown, Lock Haven, Mansfield, Millersville, Shippensburg, Slippery Rock and West Chester Universities of Pennsylvania. PASSHE also operates branch campuses in Clearfield, Freeport, Oil City and Punxsutawney and several regional centers, including the Dixon University Center in Harrisburg.
Joe St Sauver has joined InCommon to manage the InCommon Certificate Service and support the development of additional trust services.
In making the announcement, InCommon Chief Operating Officer John Krienke said, "Joe brings a deep passion and history of security leadership to the program as we expand our trust service offerings, support our community in the deployment of the certificate program, and develop effective practices that leverage some of the unique certificate offerings we provide, such as client certificates."
In his role as Certificate Program manager, Joe will continue to be involved in Internet2's security efforts, including serving as a liaison to the EDUCAUSE HEISC Effective Practices working group, REN-ISAC, and the Internet2 SALSA working group.
Joe can be reached at either firstname.lastname@example.org or email@example.com.
National Science Foundation (NSF) grantee institutions that are participants of InCommon can now provide their faculty and staff with the ability to log into Research.gov using their university-issued user ID and password. Once logged into Research.gov using university credentials, PIs and co-PIs can connect seamlessly to FastLane's Principal Investigator (PI/co-PI) services without having to log in again.
The Research.gov/InCommon integration will help reduce the administrative burden associated with maintaining multiple user IDs and passwords, while providing for the secure exchange of information and access to NSF's online resources. Streamlined access to federal research systems through a single user ID and password is a priority that has long been expressed by the research community. The NSF and InCommon are excited to offer grantee institutions this capability, which leverages federated identity management technology developed under an NSF grant.
"NSF is a key partner for InCommon and federated access to Research.gov and FastLane services is a significant benefit to the research and education community," said Jack Suess, Chair of the InCommon Steering Committee and Vice President of Information Technology and the Chief Information Officer at University of Maryland Baltimore County. "By enabling federated access to NSF services, InCommon will help provide convenient and secure access for researchers and research administrators across the country."
"We are pleased to have this new collaboration with InCommon," said Alan Blatecky, who heads NSF's Office of Cyberinfrastructure. "Working through Research.gov, the research and education community has gained a more effective and efficient way of accessing NSF resources."
To request to participate in the Research.gov/InCommon integration service, interested institutions should email firstname.lastname@example.org.
Research.gov is an exciting initiative led by the National Science Foundation which provides a portal of information and services for research grantees. Research.gov also provides transparent and open access for the public to information on federally-funded research projects and how the outcomes of those projects benefit society.
In This Issue:
- Legacy WAYF Decommissioned
- July 13 IAM Online: ECAR’s 2011 Study of Identity Management in Higher Ed.
- Shibboleth Installation Workshops July 21-22 in Milwaukee
- Certificate Service Introduces Code Signing Certificates
- Maryland Consortium Provides Template for Joining InCommon
- Email List Added for Assurance Discussions
- InCommon Expands to Include Research Organizations
- New Participants in June
- Featured Affiliate: Gluu
Legacy WAYF Decommissioned
As of July 6, InCommon has discontinued the legacy WAYF and has removed the redirect that led users to the Discovery Service. Users reaching the legacy WAYF will now view an error message with a link to the DS. See the original WAYF retirement announcement at https://spaces.internet2.edu/x/OgBoAQ.
July 13 IAM Online: ECAR’s 2011 Study of Identity Management in Higher Ed.
In the next IAM Online (Weds., July 13, 3 p.m. EDT), Mark Sheehan, senior research analyst at the EDUCAUSE Center for Applied Research (ECAR), will discuss the findings of the 2011 study of identity management in higher education, which includes responses from more than 300 institutions and builds on ECAR’s 2006 study. For more details and information on how to connect, go to www.incommon.org/iamonline.
Shibboleth Installation Workshops July 21-22 in Milwaukee
Need training on Shibboleth installation and support? Register now for the Shibboleth Workshop Series in Milwaukee, Wisconsin, July 21 for the IdP and July 22 for the SP. Leave the Shibboleth Workshops with an installed instance of the identity provider and/or the service provider software. Details and registration: www.incommon.org/educate/shibboleth
Certificate Service Introduces Code Signing Certificates
InCommon has announced that Code Signing Certificates are now available to all subscribers of the InCommon Certificate Service. The InCommon Certificate Service, serving colleges and universities in the U.S., allows subscribers to issue unlimited certificates, including SSL, Extended Validation, client (personal), and code signing certificates for all of the domains they own – including .edu, .org, .net, .com, and others. More information is at www.incommon.org/cert.
Maryland Consortium Provides Template for Joining InCommon
MEEC (the Maryland Education Enterprise Consortium) has entered into an agreement with InCommon, developing template agreements for MEEC members - both private and public - for joining InCommon. These template participation agreements have already been vetted by attorneys and have been approved by both MEEC and InCommon. See the details at https://spaces.internet2.edu/x/8pCKAQ.
Email List Added for Assurance Discussions
InCommon has added a new discussion list for those interested in the InCommon Assurance Program (also known as Bronze and Silver Identity Assurance Profiles). For details, and information on subscribing, go to https://spaces.internet2.edu/x/fo_KAQ.
InCommon Expands to Include Research Organizations
Research organizations, including government labs and virtual organizations, can now join InCommon and take advantage of federated identity management for shared services, scientific collaborations, and other online applications. See the full story at https://spaces.internet2.edu/x/G4_KAQ.
New Participants in June
- Lehigh University (www.lehigh.edu)
- University of Kansas (www.ku.edu)
- SLAC National Accelerator Laboratory (www.slac.stanford.edu)
About SLAC National Accelerator Laboratory
Located in Menlo Park, California, SLAC National Accelerator Laboratory is home to some of the world's most cutting-edge technologies, used by researchers worldwide to uncover scientific mysteries on the smallest and largest scales, from the workings of the atom to the mysteries of the cosmos. SLAC is a multi-program laboratory exploring frontier questions in photon science, astrophysics, particle physics and accelerator research. SLAC is operated by Stanford University for the U.S. Department of Energy Office of Science.
Featured InCommon Affiliate: Gluu
Gluu (www.gluu.org) makes it easier for organizations to implement federated identity. Gluu’s Federated Identity Appliance, based on Shibboleth and identity virtualization, is an on-premise solution monitored 24×7 and supported by Gluu. Once deployed, federating with new service providers (relying parties) can be accomplished using Gluu’s web-based dashboard. The Federated Identity Appliance, by mapping identity data from existing data stores, can be deployed quickly, and addresses all the installation and operational issues of an organizational federated identity service at a predictable annual cost. The Federated Identity Appliance can be deployed as on-premise hardware or a cloud VM instance.
InCommon News is published for InCommon participants and other interested parties. InCommon is an LLC of Internet2. Send feedback or comments to email@example.com.
This newsletter is sent to firstname.lastname@example.org. To subscribe or unsubscribe, send an email to email@example.com with one of these messages in the subject: subscribe incommon-announce or unsubscribe incommon-announce. You can also subscribe to the InCommon RSS news feed, which includes this newsletter, by visiting www.incommon.org.
3 p.m. ET / 2 p.m. CT / 1 p.m. MT / Noon PT
ECAR's 2011 Study of Identity Management in Higher Education
Where are you in your implementation of identity management strategies and where do you stand relative to your peer institutions? The EDUCAUSE Center for Applied Research (ECAR) has just released the findings of its 2011 study of identity management in higher education, which illuminates the state of IdM practices at over 300 institutions. The study builds upon ECAR’s 2006 IdM study and focuses on issues related to authentication, enterprise directory, reduced or single sign-on, automated role- or privilege-based authorization, and federated identity.
Join us to discuss the study’s findings with its principal investigator, Mark Sheehan, senior research analyst at ECAR.
Speaker: Mark Sheehan, Senior Research Analyst, EDUCAUSE Center for Applied Research
Moderator: Rodney Petersen, Senior Government Relations Officer & Managing Director of Washington Office, EDUCAUSE
About IAM Online
IAM Online is a monthly online education series covering the essentials of federated identity management, hot topics from the EDUCAUSE Identity and Access Management Working Group, and emerging topics in IAM. Experts provide overviews, answer questions and lead discussions. IAM Online is brought to you by InCommon in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group.
InCommon has announced that Code Signing Certificates are now available to all subscribers of the InCommon Certificate Service. There are no additional sign-up processes or fees. RAOs of all subscribing organizations can now issue Code Signing Certificates and also determine whether to make such certificates available at the department level.
Here are a few links that will be useful:
- General and policy information: http://www.incommon.org/cert/code_signing.html
- Activation for Departments: https://spaces.internet2.edu/display/InCCollaborate/Code+Signing+Certs
- Code Signing CPS: http://www.incommon.org/cert/repository/cps_code_signing.pdf
Note: All code signing certificates, their issuance and use, are governed by this CPS. Subscribers are required to comply with its provisions.
- Code Signing CPS DIFF (showing the changes from the original SSL CPS): http://www.incommon.org/cert/repository/cps_code_signing_DIFF_2011_06_07.pdf
The InCommon Certificate Service, serving colleges and universities in the U.S., allows subscribers to issue unlimited certificates, including SSL, Extended Validation, client (personal), and code signing certificates for all of the domains they own – including .edu, .org, .net, .com, and others. More information is at www.incommon.org/cert.
MEEC (the Maryland Education Enterprise Consortium) has entered into an agreement with InCommon, developing template agreements for MEEC members - both private and public - for joining InCommon. These template participation agreements have already been vetted by attorneys and have been approved by both MEEC and InCommon.
MEEC member institutions can visit www.incommon.org/MEEC for specific information, including how to join, or can email firstname.lastname@example.org.
InCommon (www.incommon.org), operated by Internet2, provides for shared management of access to online resources for the U.S. education and research communities. All participants have common policies and technology, allowing identity providers to control the release of user information, and service providers to manage the authorization for their online resources. The result is a secure and privacy-protecting method for providing individuals with single sign-on access to protected or licensed online resources.
In addition, the InCommon Certificate Service offers unlimited server and personal certificates to higher education participants for one low annual fee.
InCommon now serves almost 300 higher education institutions, research organizations, and sponsored partners.