Blog


IAM Online
Wednesday, December 13, 2017
2 pm ET | 1 pm CT | Noon MT | 11 am PT

Does your team spend time performing tasks that could/should be (or worse, are) self-service?  Do you worry about disconnects between the intention and execution of your IAM policies?

Do your IAM tools require training?

Join us for the IAM Online webinar, “Identities are People, Too: IAM Tooling that Works.” The webinar will take place December 13, 2017, at 2pm ET, and will cover case studies of development efforts (and lessons learned) at Duke to progressively improve interfaces to IAM services, such as:

  • Growing an alternate electronic credential service to 180,000 accounts that play nicely with NetID login (and aren't mutually exclusive)

  • Delegating account admin and authorization functions to nontechnical staff via interfaces that don't leave room for misinterpretation

  • Re-thinking self-service so end users can be partners in managing identity

  • A guided registration system for service providers that takes the guesswork (and excuses!) out of Shibboleth integrations


We'll also discuss specific techniques for identifying where users are getting lost in a process, and developing metrics-informed solutions your community can get behind.



Presenter

Mary McKee, Senior IT Manager, Duke University



Connecting: At the time of the webinar, go to the Adobe Connect IAM Online page (slide sharing and audio). See the InCommon website for more details, including back-up phone bridge information.



About IAM Online

IAM Online is a monthly online education series brought to you by Internet2's Trust and Identity community and the EDUCAUSE Higher Education Information Security Council (HEISC).

 

 

The InCommon Assurance Advisory Committee (AAC) will hold a community assurance call to discuss the new Baseline Expectations and the potential shift in focus for the AAC. The call will take place Wednesday, October 4, 2017 at noon ET.

The Assurance Advisory Committee (AAC) was initially established to manage the US Government-approved assurance program to enable access to Federal services requiring 800-63-2 conforming credentials. However, uptake of that program has been primarily by schools interested in showing credential due diligence to their stakeholders, and the US Government services in InCommon currently don't require an assurance profile.

But the AAC has been active in finding ways to increase the trust across the InCommon community, including developing the MFA Interoperability Profile – which is now under the wing of the international federation operators (REFEDS) – and of course the InCommon Baseline Expectations program.

Join us to learn how the AAC is evolving, and provide input on where the group should go, by attending the upcoming webinar Refocusing Community Guidance of InCommon's Trust Programs: Baseline and Bronze. The discussion will cover:

  • Baseline Expectations and AAC responsibilities
  • Membership changes needed in the AAC
  • Survey results of InCommon Bronze members
  • Adjustments to AAC charter and recruitment of new members

Host and Presenter
Brett Bieber, University of Nebraska and Chair of the InCommon Assurance Advisory Committee (AAC)

Connection Details

Slide sharing and audio (one-way) via Adobe Connect: http://internet2.adobeconnect.com/incommonassurancecall

eDial Connection Information (for participating in the conversation via phone vs. chat function):

+1-734-615-7474 (English I2, Please use if you do not pay for Long Distance)
+1-866-411-0013 (English I2, toll free US/Canada Only)
PIN: 0129048 #

Trust and Identity Update Webinar: InCommon, TIER, and Plans for the Future
Friday, September 29, 2017
2 pm ET / 1 pm CT / Noon MT / 11 am PT

The Trust and Identity Services division at Internet2 is heading towards its second birthday this January and a lot has transpired over the last two years. We started with several planning sessions last year and have been working to put those plans into action. There are a number of initiatives underway at InCommon (thanks in part to the dues increase this year), and we continue to develop and refine the TIER Program and its core software components. We’ll share that information, as well as provide a foreshadowing of what to expect at TechEx, which is just a couple of weeks away.

Please join InCommon Steering Chair Sean Reynolds and Trust and Identity Program Advisory Group Chair Klara Jelinkova in a recap of the last two years, a foreshadowing of what to expect at TechEx, and learn how you can participate in helping to set the course for Trust and Identity activities at Internet2 for the next couple of years.

Speakers

Klara Jelinkova (Rice Univ.), Chair, Trust and Identity Program Advisory Group
Sean Reynolds (Northwestern Univ.), Chair, InCommon Steering Committee
Kevin Morooney (Internet2), Vice President, Trust and Identity

Connecting

We will use Adobe Connect for the webinar, including slide sharing and audio: http://internet2.adobeconnect.com/trustandidentityupdate

Back-up phone bridge: (734) 615-7474 or (866) 411-0013. PIN: 0178270#

MCNC and InCommon have concluded a six-month proof of concept of the InCommon Steward Program, which allows K-12 school districts and community colleges to take advantage of federated identity. This is a summary of the findings; the full report is available on the wiki.

Under this program, the Steward (in this case MCNC) manages the onboarding of its K-12 and community college constituents, a role typically performed by InCommon staff. InCommon provides training for the Steward, as well as the infrastructure and operational experience of operating a national federation.

The proof of concept validated the virtual team approach and found no significant impacts on the trust model. The organizations found, however, that the mid-year start did not allow for full engagement of the K-12 school districts, and agreed to continue with a six-month business development phase.

MCNC and InCommon operated the proof of concept from December 2016 through June 2017 to develop and test the onboarding and operational processes. Key findings include:

  • Operational issues were minimal and communication within the “virtual team” (InCommon and MCNC staff) that managed the onboarding and identity proofing worked well without over-taxing either organization’s resources. A two-day in-person training session involving InCommon and MCNC staff contributed significantly to successful operation.

  • There were no significant impacts on InCommon’s trust model during the proof of concept, largely due to prior community outreach and consultation. In fact, the presence of a knowledgeable Steward has improved alignment with recommended operational practices. There was only one operational confusion related to trust that was quickly resolved; training for future Stewards will be improved in this area.

  • In general, impacts (positive or negative) of the Steward Program on K-12 have been difficult to observe, due to the timing of the proof of concept late in the school year.  


To address the last item above, InCommon and MCNC have initiated a six-month business development phase to further develop the program’s value for K-12 and community colleges, as well as to further develop the program’s business and legal model. MCNC and InCommon will also develop a case study of the Steward Program, including recommendations for other regional networks interested in participating.

 

 

InCommon Shibboleth Installation Workshop
November 7-8, 2017
9:00 am - 5:00 pm (ET)

National Institute of Allergy and Infectious Diseases

Conference Center

5601 Fishers Lane

North Bethesda, Maryland 20852

Register at www.incommon.org/shibtraining

Are you interested in learning how to install and configure the Shibboleth SAML SSO/Federation Software? Do you need to upgrade to IdPv3? Would you like to see how the containerized TIER version of the Shibboleth IdP can simplify your installation and configuration?

Join us for the InCommon Shibboleth Installation Workshop November 7-8 at the National Institute of Allergy and Infectious Diseases Conference Center in Bethesda, Maryland. The registration deadline is October 20.

The two-day training covers both the Identity Provider and Service Provider software, as well as some integration issues. We will also introduce you to the TIER (Trust and Identity in Education and Research) version of the Shibboleth IdP, which is delivered via a Docker container and is pre-configured to work well with InCommon. The workshop focuses on installing and deploying IdPv3 and the Shibboleth Service Provider. Here is what you can expect:

    •    A two-day, directed self-paced workshop

    •    Hands-on installation of the identity provider and service provider software

    •    Experienced trainers providing overviews and one-on-one help 

    •    Discussions on configuration and suggested practices for federation

    •    Attendance is limited to 40


The workshops will offer the chance to:
    •    Install a prototype Shibboleth identity and service provider in a virtual machine environment

    •    Gain experience with the Docker container version of the Shibboleth IdP (the TIER version)

    •    Discuss how to configure and run the software in production

    •    Learn about integration with other identity management components such as LDAP and selected service providers


Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

    •    System install, integration, and ongoing support staff

    •    Campus technology architects


To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.

Members of the Kantara Initiative Federation Interoperability Working Group have recently approved the SAML V2.0 Implementation Profile for Federation Interoperability. The document described below now enters a 45-day public comment and IPR review period in preparation for a member ballot to consider its approval as Kantara Initiative Recommendation.

This document encompasses a set of software conformance requirements intended to facilitate interoperability within the context of full mesh identity federations, such as those found in the research and education sector. It attempts to address a number of common barriers to interoperability and details features that are necessary in order to use SAML metadata as a foundation for scalable trust fabrics. It supersedes the eGovernment Implementation Profile V2.0bis from June 2011.

This is an open invitation to comment. Kantara Initiative solicits feedback from potential users, developers and other interested parties, whether Kantara Initiative members or not, for the sake of improving the interoperability and quality of its technical work. The public review opened on June 14, 2017, and will close July 29, 2017, at 11:59 UTC.

To comment please email your comments to staff@kantarainitiative.org with the subject "FIWG COMMENT SUBMISSION".


InCommon Shibboleth Installation Workshop
July 19-20, 2017
Lafayette College
Easton, Pennsylvania

www.incommon.org/shibtraining

InCommon will hold a Shibboleth Installation Workshop July 19-20 at Lafayette College in Easton, PA. Registration is available at www.incommon.org/shibtraining and details on the location at Lafayette College are on the wiki.

The two-day training sessions cover both the Identity Provider and Service Provider software, as well as some integration issues. The workshops focus on installing and deploying IdPv3 and the Shibboleth Service Provider. Here is what you can expect:

    •    A two-day, directed self-paced workshop

    •    Hands-on installation of the identity provider and service provider software

    •    Experienced trainers providing overviews and one-on-one help 

    •    Discussions on configuration and suggested practices for federation

    •    Attendance is limited to 40


The workshops will offer the chance to:
    •    Install a prototype Shibboleth identity or service provider in a virtual machine environment

    •    Discuss how to configure and run the software in production

    •    Learn about integration with other identity management components such as LDAP and selected service providers


Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

    •    System install, integration, and ongoing support staff

    •    Campus technology architects



A revised eduroam info sheet describes the features and benefits of the federated global wireless access service for research and education. It may be particularly useful in providing a high-level overview of the service to campus stakeholders.

Internet2 operates the U.S. node for eduroam, which allows individuals from a participating institution to use their home credentials for access. Eduroam is a worldwide federation of RADIUS servers allowing users to achieve seamless access when traveling to another participating institution. Some campuses have chosen to use eduroam as their default campus wireless network.

For more information about the eduroam service and how your campus can participate, visit www.incommon.org/eduroam.

The Network Startup Resource Center (NSRC) has developed a series of videos that will take you through the policies and technologies of identity management on a local level, as well as how identity federations like InCommon are of value. There are 10 videos that cover the topics below. You will find background information at the NSRC's website. The NSRC produced the videos in partnership with GEANT (the pan-European network and a fundamental part of Europe's e-infrastructure).

Here is a list (and links) of the videos.

Campus Identity

Federated Identity

Identity and Business Models

Internet2 has started deployment of a new service desk, ServiceNow. As of March 27, all email sent to our support address (admin@incommon.org) will create a ticket in ServiceNow, which will generate an automated email response. The same set of InCommon/Internet2 people will respond to requests through the new service desk system. We will continue to use admin@incommon.org for support requests from participants and certificate service subscribers.
 
Over the last three years, we have seen significant increases in the volume of mail to admin@incommon.org. ServiceNow will help us organize and respond to your requests in a more efficient and timely manner. We hope you find this change helpful, and we're always open to your feedback (email admin@incommon.org). Increased maturity in both service delivery and operations are among InCommon’s main work areas for 2017, and this move to ServiceNow is critical to achieving those goals.

March 22 TAC Work Plan Webinar

Wednesday, March 22, 2017
2 pm ET | 1 pm CT | Noon MT | 11 am PT
https://internet2.adobeconnect.com/iam-online

The InCommon Technical Advisory Committee (TAC) will present its draft 2017 work plan during this webinar, March 22, at 2 pm ET. The TAC provides recommendations related to the technical operation and management of InCommon. The work plan outlines the proposed technical priorities, particularly for the InCommon Federation.

This webinar is intended to gather community feedback on the work plan. This year’s draft plan includes these topics (among others):

  • Support for OAuth/OpenID Connect

  • Improving IdP discovery (Discovery 2.0)

  • Less restrictive attribute release policies

  • Improve Service Provider onboarding processes


Please plan to join us to learn about the 2017 plans and provide feedback and suggestions.

The OpenID Connect Survey Working Group, chartered by the InCommon Technical Advisory Committee (TAC), recently conducted a study to understand the community’s interest and use of OIDC/OAuth protocols. The survey also asked how InCommon and Internet2 may help campuses in the adoption of these protocols.

The results are in. The survey working group has compiled a report summarizing the survey findings and the working group's recommendations. You are invited to review the report and provide feedback. The deadline for comments is March 24, 2017.

Shibboleth Installation Workshop - June 13-14, 2017 - Denver, Colorado

InCommon Shibboleth Installation Workshop
June 13-14, 2017
University of Denver
Denver, Colorado

Registration: www.incommon.org/shibtraining

Denver details: https://spaces.internet2.edu/x/rIKTBg

Registration is open for an InCommon Shibboleth Installation Workshop June 13-14, at the University of Denver. The two-day training sessions cover both the Identity Provider and Service Provider software, as well as some integration issues. The workshops focus on installing and deploying IdPv3 and the Shibboleth Service Provider. Here is what you can expect:

    •    A two-day, directed self-paced workshop

    •    Hands-on installation of the identity provider and service provider software

    •    Experienced trainers providing overviews and one-on-one help 

    •    Discussions on configuration and suggested practices for federation

    •    Attendance is limited to 40


The workshops will offer the chance to:
    •    Install a prototype Shibboleth identity or service provider in a virtual machine environment

    •    Discuss how to configure and run the software in production

    •    Learn about integration with other identity management components such as LDAP and selected service providers


Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

    •    System install, integration, and ongoing support staff

    •    Campus technology architects


To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.

InCommon Shibboleth Installation Workshop
April 4-5, 2017

University of Michigan (Arbor Lakes Dome)
Ann Arbor, Michigan
www.incommon.org/shibtraining

Registration is open for the first InCommon Shibboleth Installation Workshop of 2017, April 4-5, at the University of Michigan in Ann Arbor. This two-day training session covers both the Identity Provider and Service Provider software, as well as some integration issues. The IdP portion of the workshop is based on IdPv3.

We will focus the training sessions on people who wish to learn about and deploy IdPv3. Here is what you can expect:

  • A two-day, directed self-paced workshop
  • Hands-on installation of the identity provider and service provider software
  • Experienced trainers providing overviews and one-on-one help
  • Discussions on configuration and suggested practices for federation
  • Attendance is limited to 40
  • Registration closes March 17

The workshops will offer the chance to:

  • Install a prototype Shibboleth identity or service provider in a virtual machine environment
  • Discuss how to configure and run the software in production
  • Learn about integration with other identity management components such as LDAP and selected service providers

Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

  • System install, integration, and ongoing support staff
  • Campus technology architects


For more information and a link to register, go to https://spaces.internet2.edu/x/9wJ-Bg

To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.

Nominations are open for the instantiation of CACTI, the Community Architecture Committee for Trust and Identity. This new committee will provide technical guidance and inform the strategic direction for Internet2's Trust and Identity (T&I) services. CACTI membership must comprise and connect a range of perspectives and experiences, established and rising community technical leaders, and national and international backgrounds.

Nominations for membership, including self-nominations, may be made using this nomination form. Nominations will be accepted through midnight (EST), March 8, 2017. The goal is for the first meeting of CACTI to occur online shortly before the upcoming Internet2 Global Summit, April 23-26 in Washington DC.

CACTI's charter describes its duties, membership, and other details, and its role in the ecosystem of T&I related Internet2-sponsored community guidance is described in https://internet2.box.com/v/commarchguideI2TI.

Over the years, the Internet2 community together with national and international partners has helped to shape the research and education identity and trust landscape. Going forward, CACTI will play a large part in continuing this important work.