 (Final Release Candidate DRAFT 1, 5/427/2015)

Table of Contents

...

Executive Summary

Integration of External Identities into internal systems, either single Service Providers or institutional identity and access management systems, can afford multiple benefits, for example:

...

The next section addresses architectural patterns and infrastructure elements required for various uses of external identities, before we close with a list of business and technical criteria to be considered when selecting an External Identity Provider.


...

Defining Some Terms

Identity

...

A Relying Party is a network service that receives identity information from an Identity Provider. A Relying Party may be a Service Provider, an Identity Provider, or both (in the case of “gateway” implementations).


...

Characterizing External Identity Use Cases

...

We leave such cases and the trust relationships that must exist between the Identity Provider and the Relying Party for future study.


...

Trustworthiness of External Identities

...

  • Does the institution trust the External Identity’s Attributes sufficiently to perform its own local “identity proofing” or “External Identity re-linking” against the asserted Attributes as part of an account recovery process?

  • If not, what additional user verification must the Institution manage locally for purposes of allowing future account recovery?


...

Architectural Patterns for Integrating External Identities

...

The invitation use case is in contrast to the “Just In Time” or “front-channel” provisioning model, where a system is configured to create an Internal Identity on the fly using the Identifier and identity Attributes provided in an authentication assertion. It also contrasts with “back-end provisioning”, where provisioning is done out of band and is typically driven by independent business rules.
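To make the contrast between the invitation model and Just-In-Time provisioning concrete, here is a small Python model of both flows. It is an added example for this page, not code from the document or from any working-group implementation; the class and method names, the issuer URLs and the subject identifiers are all constructed. In the invitation flow the Internal Identity exists before the person ever authenticates and is linked to whatever external identity presents the single-use invitation token; in the JIT flow the Internal Identity is created at first login from the assertion itself, so only issuers the institution has decided to trust may trigger it, and external identifiers are always keyed by issuer as well as subject.

```python
"""
Minimal model of two provisioning patterns: invitation (pre-provisioned
Internal Identity linked on first login) versus Just-In-Time front-channel
provisioning (Internal Identity created from the assertion).
Added example; all names, URLs and identifiers are constructed.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Assertion:
    """Authentication assertion from an External Identity Provider (constructed)."""
    issuer: str          # entity id of the external IdP
    subject: str         # persistent identifier, meaningful only within `issuer`
    attributes: dict     # asserted attributes, e.g. displayName, email


@dataclass
class InternalIdentity:
    local_id: str
    display_name: str
    # External identifiers are keyed by (issuer, subject): the same subject
    # string issued by two different providers is two different people.
    links: set = field(default_factory=set)


class IdentityStore:
    def __init__(self, trusted_issuers):
        self.trusted_issuers = set(trusted_issuers)  # issuers allowed to JIT-provision
        self.identities = {}     # local_id -> InternalIdentity
        self.links = {}          # (issuer, subject) -> local_id
        self.invitations = {}    # single-use token -> local_id
        self._next = 1

    def _new_identity(self, display_name):
        local_id = f"local-{self._next}"
        self._next += 1
        self.identities[local_id] = InternalIdentity(local_id, display_name)
        return local_id

    # --- invitation model -------------------------------------------------
    def invite(self, display_name):
        """An administrator pre-provisions the Internal Identity and receives a
        token to deliver out of band; the external identity is not yet known."""
        local_id = self._new_identity(display_name)
        token = secrets.token_urlsafe(32)
        self.invitations[token] = local_id
        return local_id, token

    def redeem(self, token, assertion):
        """First login with the invitation: link the external identity that
        actually authenticated to the pre-provisioned record. The token is
        consumed so it cannot be replayed to link a second external identity."""
        local_id = self.invitations.pop(token, None)
        if local_id is None:
            raise PermissionError("unknown or already used invitation")
        key = (assertion.issuer, assertion.subject)
        if key in self.links:
            raise PermissionError("external identity already linked")
        self.links[key] = local_id
        self.identities[local_id].links.add(key)
        return local_id

    # --- Just-In-Time (front-channel) model -------------------------------
    def jit_login(self, assertion):
        """Return the linked Internal Identity, creating it on the fly from the
        assertion if none exists. Because the display name (and any other
        attribute) comes straight from the assertion, only trusted issuers
        may trigger creation."""
        key = (assertion.issuer, assertion.subject)
        if key in self.links:
            return self.links[key]
        if assertion.issuer not in self.trusted_issuers:
            raise PermissionError(f"issuer not trusted for JIT: {assertion.issuer}")
        local_id = self._new_identity(assertion.attributes.get("displayName", "unknown"))
        self.links[key] = local_id
        self.identities[local_id].links.add(key)
        return local_id


if __name__ == "__main__":
    store = IdentityStore(trusted_issuers={"https://idp.example.org"})
    inv_id, token = store.invite("Pat Invitee")
    print("invitation linked:", store.redeem(token, Assertion("https://social.example.com", "u-42", {})) == inv_id)
    jit_id = store.jit_login(Assertion("https://idp.example.org", "alice", {"displayName": "Alice"}))
    print("JIT created:", store.identities[jit_id].display_name)
```

The two flows differ in where trust is anchored: the invitation flow trusts the out-of-band delivery of the token and needs nothing from the external provider beyond a stable identifier, while the JIT flow trusts the provider's assertion for both identifier and Attributes, which is why the issuer allow-list sits in front of account creation.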


...

Criteria for Evaluating Identity Providers

...

  • Is there any identity proofing done by the external provider that would allow a campus to trust Attributes other than Ext ID-sourced IDs (like "Account Name" and "email")?

  • Related to ID proofing, what Attributes are collected and how are they proofed?

  • Are identities re-vetted periodically?

  • Stability of the External ID and Attributes over time

...

  • Mission of the company, including:

    • Importance of and motivation for providing quality identities
    • Commercial vs. non-commercial
    • Private vs. public
    • Privacy focus

  • Certifications maintained by the company

    • InCommon or FICAM Levels of Assurance (LoA)

    • Industry standard audits

  • Stability of the vendor and the service that the vendor offers

    • Likely this is not directly measurable, and would be more along the lines of:

      • "how long in business"

      • "how long service has been operational"

      • "how many users using their IDs"

...

  • Are there terms the External provider applies that are potentially in conflict with general campus policies?

  • Is there a cost to the user or the organization to leverage the IDs?

  • What 3rd party certifications or audits are available to confirm function of service?

  • API limitations (number of allowed authentications per unit time)


...

Conclusion

Integration of External Identities into internal systems can afford multiple benefits. These benefits do not come without a cost, however: the trustworthiness and other aspects of External Identity Providers’ operations must be assessed, and the External Identity Provider’s technology must be integrated into the local system.