The Incommon Federation wiki has moved.

Please visit the new InCommon Federation Library wiki for updated content. Remember to update your bookmarks.

Click in the link above if you are not automatically redirected in 15 seconds.



You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 21 Next »

This document provides a description of the process that ensue, starting with the time that your institution signs the InCommon Participation Agreement. This process will likely raise issues for various areas of your institution, potentially affecting technology, policy, and operations. None of these are particularly onerous; your institution has probably already addressed most of them. Here's a 10,000 foot view of the process:

The remainder of this document provides additional detail.



Join InCommon

The InCommon Federation

The InCommon Federation is the U.S. education and research identity federation, providing a common framework for trusted shared management of access to online resources.” - InCommon Federation

InCommon's "common framework" creates multilateral trust among all federation participants, facilitated by the Federation Operator, to exchange identity information in a secure manner. Service Providers trust Identity Providers to provide accurate information, and Identity Providers trust Service Provides not to misuse the information they receive. Community Members trust both Identity Providers and Service Providers to respect their privacy, making use of their identity information only as needed, according to legal and institutional policy. Trusted Relationships for Access Management: The InCommon Model provides a comprehensive introduction to this framework, including definitions of many of the terms used in this document.

By signing the Participation Agreement, your institution agrees to participate in the framework by complying with multiple aspects of that multilateral trust, including:

  • Deployment of conformant software
  • Use of common syntax and semantics for Identity Assertions
  • Provision of accurate information for the Trust Registry
  • Provision of accurate contact information
  • Respect for intellectual property rights
  • Respect for privacy of identity information
  • Adherence to Baseline Expectations for the mature, secure, and privacy-protecting operation of your institution's IdPs and SPs, and that those IdPs and SPs are duly registered with InCommon.

Baseline Expectations also establishes requirements for the Federation Operator, among them being that "Good practices are followed to ensure accuracy and authenticity of metadata to enable secure and trustworthy federated transactions." The first of these practices is to validate that your institution is what it claims to be. Upon receipt of a signed Participation Agreement, the Federation Operator will reference publicly-available information sources, such as those listed in Accrediting Agencies Recognized by InCommon, to verify this.

Delegate Organizational Contacts

The Federation Operator's second task is to the establish identities of the people who will have the authority to perform various functions on behalf of your institution. These are:

  • Executive Contact. This is the person who is authorized to speak on behalf of your institution for issues relating to its contractural agreement with InCommon. This is typically the CIO or similar institution-level officer who signed the Participation Agreement, but that may vary, depending on your institution's organizational structure.
  • Site Administrator. Designated by the Executive Contact, this is the person who approves metadata submissions for all of your institution's IdPs and SPs. This person is also InCommon's primary contact for operational, technical, and security issues relating to your institution's IdPs and SPs and its participation in InCommon overall. For business continuity reasons, institutions are strongly encouraged to designate two Site Administrators.
  • Delegated Administrator. Designated by the Site Administrator, this is a person who has responsibility for one or more of the institution's SPs. This person perpares metadata submissions for their SPs, subject to approval by the Site Administrator. Any number of Delegated Administrators may be designated.
  • Billing Contact. This is the person who will receive billing invoices from InCommon.

After validating the identity of your institution, the Federation Operator will arrange a telephone call with your Executive Contact to issue their login credentials for InCommon's site administration tools, and to establish the identities and phone numbers of the institution's Site Administrators. The Federation Operator then arranges phone calls with each of the Site Administrators to issue their credentials for InCommon's site administration tools.

Deploy Software

It is strongly recommended that you utilize software produced by Internet2's Trust and Identity in Education and Research (TIER) initiative in your service offerrings. This standards-based software has been configured for optimal use in InCommon and has been used successfully by many of its participants.

Acknowledging that there are many reasons why the use of TIER software components is not always practical, however, there are multiple resources to help you, including:

Register Federation Metadata

Federation metadata is the trusted registry of IdPs and SPs operated by participants for use within the federation. It no only provides technical information to enable interoperation, links to support contacts and document, etc., it also includes information to enhance mutual trust, such as responsible parties and certifications achieved.

Getting your metadata right will make your life much easier. Time spent now will pay you back over the lifetime of your IdPs and SPs; don't skimp on this task. See Metadata Administration for all the details.

Next Steps

Congratulations! You and your user community are now reaping the benefit of federation. Here are some additional things you should consider doing.

Keeping Current

The InC-Ops-Notifications@incommon.org mailing list is used by InCommon Operations to send important notifications about modifications to the metadata generation system, service interruptions, and any other important technical announcements as they occur. All official InCommon Site Administrators are automatically subscribed to this list as a requirement to participation in InCommon services. Any other technical contacts may also subscribe; it is expected that Site Administrators will coordinate with others in the institution to ensure that these announcements get to the right people.. 

Participants@incommon.org is also highly recommended for anyone who should be kept abreast of general announcements related to InCommon. See InCommon Mailing Lists for how to subscribe, as well as other lists covering general announcements, as well as discussions of collaboration, implementation, and technology related to InCommon.

Internet2 convenes two conferences, each on a yearly basis. They are great ways to meet your peers and to learn first-hand about current activities related to InCommon.

  • Internet2 Global Summit, held in the Spring, is a leading forum to support and drive the advancement of research and education, spur next-generation innovation and accelerate global discovery. The Summit convenes CIOs and other leaders from institutions around the world in an environment of open engagement, free exchange, partnership and collaboration.
  • Internet2 Technology Exchange, held in the Fall, is a premier technical event in the global R&E community, convening the community’s technology visionaries—including chief technologists, scientists, engineers, architects, operators and students from around the U.S. and the globe.

Recommended Certifications

Certifications facilitate trust and streamline access decisions by adding tags to the federation metadata for IdPs and SPs that have complied with specific criteria. The following certifications will likely be valuable for many of your IdPs and SPs.

  • The Research and Scholarship (R&S) Entity Category streamlines access to the growing list of federated resources that support research and scholarship by faculty, students, and others have need for those resources. R&S-certified Service Providers comply with speicfic standards for privacy protection and operational maturity, and request only low-risk identity attributes from IdPs.  R&S-self-certified Identity Providers are configured to release those low-risk identity attributes to R&S-certified SPs without further institutional approval. If your institution operates such an SP, obtaining R&S certification will facilitate access for its users worldwide, and asserting R&S certification for your IdP will allow R&S-certified SPs to streamline access for members of your community. See How to Apply for the Research and Scholarship (R&S) Entity Category for more information.
  • The Security Incident Response Trust Framework for Federated Identity (SIRTFI) is an international standard to enable the coordination of incident response across federated organizations. SIRTFI provides a framework for effective incident response collaboration among federation and interfederation participants. One compromised account can create a security problem for a multitude of services across the interfederation community. When an organization complies with the SIRTFI framework, it agrees to participate in a federated incident response process.  SIRTFI stipulates high-level practices and procedures, and identifies organizations that are capable of participating in a federated incident handling process. Federation participants that comply with SIRTFI are marked in the federation’s metadata, raising the bar for operational security across federations. See Asserting SIRTFI for more information.

Community Involvement

Get involved! InCommon is operated "by and for" its community, so there are many opportunities to participate at various levels of commitment in the creation of InCommon's future.

  • Working groups are generally the best place to start; participation is usually open to all interested parties. Many of InCommon's governance and advisory groups rely on time-bounded working groups to address various issues of current interest. Your time commitment is generally an hour-long conference call every week or two, plus whatever additional time you choose to contribute according to your specific interests. See Trust and Identity Working Groups List for current working groups; new groups are announced to the participants@incommon.org mailing list. 
  • InCommon has standing advisory groups with more formal membership criteria and processes. Solicitations for new members are generally announced on the participants@incommon.org mailing list. See the advisory groups' web sites for more information:
  • REFEDS (the Research and Education FEDerations group) is the voice that articulates the mutual needs of research and education identity federations worldwide. The group represents the requirements of research and education in the ever-growing space of access and identity management, working with and influencing the direction of other organisations on behalf of our participants.REFEDS participants are from a wide range of backgrounds, but all share an interest in developing access and identity management technology, policies and processes. Many participants represent national identity federations and many come from National Research and Education Networks (‘NRENS’).


#trackbackRdf ($trackbackUtils.getContentIdentifier($page) $page.title $trackbackUtils.getPingUrl($page))
  • No labels