InCommon needs enthusiastic volunteers to bring their unique expertise to the InCommon Technical Advisory Committee (TAC), an advisory body to the InCommon Steering Committee. We invite you to nominate such people for membership on the InCommon TAC, including self nomination.

TAC works best when its members span a variety of perspectives, including (but not limited to):

  • universities and colleges of all sorts and sizes
  • research organizations, traditional and virtual
  • regional R&E network providers
  • sponsored partners
  • trust and identity solution providers
  • international partners

TAC supports InCommon’s mission "to create and support a common framework for trustworthy shared management of access to online resources." Specific duties include: 

  • review and advise on InCommon's operations, technology choices, and the impact of policies on technical concerns
  • review and advise on InCommon service offerings, and make recommendations for new service development and service retirement
  • work with InCommon staff to ensure secure, robust, and reliable operation of InCommon services
  • engage with the trust and identity community to ensure that InCommon technology meets the needs of the participants
  • attend biweekly conference calls and the face-to-face meeting at the annual Internet2 Technology Exchange

The InCommon Steering Committee appoints TAC members to three-year terms. Individuals should have the necessary technical expertise, experience in the education and research community, and a track record of participation in that community.

Please send TAC member nominations to nominations@incommon.org by Tuesday, October 11, 2016. Self-nominations are welcome. Please include some information describing the strengths and experience the individual would bring to the TAC, and the constituencies they are familiar with. Please distribute this invitation to all interested parties.

See http://www.incommon.org/docs/policies/TACcharter.html for the TAC charter (revised December 2015); see http://www.incommon.org/about.html for the current TAC membership. New members would assume their membership in early February. Send questions and comments to Steven Carmody (steven_carmody AT brown.edu), InCommon TAC Chair.

InCommon is conducting a proof of concept for SIRTFI (Security Incident Response Trust Framework for Federated Identity). This is the first step toward supporting a global incident response system for research and education trust federations.

With the ever-increasing and evolving cybersecurity threats, and our increasingly interconnectedness through eduGAIN, federation operators need a way to quickly collaborate in the face of a security incident. One compromised account at an institution can provide access to a multitude of service around the world. SIRTFI provides a framework for an effective coordinated response in the event of an incident.

SIRTFI stipulates preventative measures and identifies organizations that are capable of participating in a coordinated incident response. Federation participants that comply with SIRTFI are marked in the federation’s metadata, raising the bar in operational security across the federation. A very good explanation is available at https://refeds.org/wp-content/uploads/2016/02/Why_Sirtfi.pdf .

InCommon’s proof of concept involves three participants (University of Chicago, LIGO, and the National Center for Supercomputing Applications) that agree to the SIRTFI framework and have the entity attribute added to their metadata. But there are also more than 100 identity providers from other federations with the SIRTFI attribute, and InCommon participants will also see these in metadata.

Once the proof of concept has been evaluated, we anticipate encouraging all InCommon participants to adopt the SIRTFI framework. In the future, we expect this will become a requirement for federation participation.

What can you do right now? One SIRTFI requirement is to have security contacts in metadata. It is a simple process, with your site administrator logging into the Federation manager and adding a security contact. This is useful information to include, independent of the adoption of SIRTFI. 

This blog post is from Klara Jelinkova, VP and CIO at Rice University and chair of the InCommon Steering Committee

To the InCommon Community:

Over the summer, Internet2 Vice President for Trust and Identity Kevin Morooney convened several small leadership groups to discuss the two significant services in his portfolio -- InCommon and TIER (Trust and Identity in Education and Research). These “paths forward” meetings identified the top priority areas and associated costs for both InCommon and TIER, and resulted in a set of strategic recommendations. 

Before moving to the specifics about InCommon, I want to briefly touch on the relationship of InCommon and TIER. TIER has been established to integrate, modernize and professionalize the trust and identity software stack, with Shibboleth, Grouper, and COmanage as the three main components. Just as important as the software, TIER will also work to standardize campus practices in key areas of trust and identity. One example is committing to always operating with supported versions of the software. Another is to adopt the recommendations of community working groups as they are rolled into TIER (such as baseline practices currently under development).

In our discussions about InCommon, it became clear that the InCommon Federation has become critical infrastructure for our campuses and is increasingly important for national and global research collaborations. Many campuses rely on federated identity management to support integration with mission-critical cloud services. The capacity for urgency, responsiveness, and quick action on the part of the Federation operator has become an absolute necessity.

Of the many areas we discussed, two priorities related to InCommon stand out:

  1. Assure the continued maintenance of software, focusing on shoring up components that either support existing services we rely on (such as the InCommon Federation) or software broadly deployed on campuses.
  2. Address risks to Federation operations. The InCommon Federation does not currently have the resources to operate at the quality and security levels required and expected by those who rely on this critical service.

For InCommon, the key shoring up of software means support for Shibboleth. Approximately 90 percent of InCommon participants rely on Shibboleth, but development of the software is severely underfunded. Internet2 is a key member of the Shibboleth Consortium; we and our partners in the Consortium must develop a model that provides the necessary resources to sustain and evolve the software, including such significant enhancements as support for OpenID Connect.

We also identified a number of risks to the federation; most fit in the category of hardening and sustaining operations. We need to achieve an acceptable risk profile reflective of participant dependency on the federation, including disaster recovery, business continuity, an up-to-date support ticketing system, software quality assurance processes, and scheduled security reviews. 

We must also scale the Federation operations and infrastructure for the future to address critical items such as metadata exchange and delivery and adoption of campus requested services such as OpenID Connect. Adding services requested by the community also puts a strain on Federation operations (such as integration with the eduGAIN global interfederation service, the Steward Program for K-14, and support for other initiatives). All of this must be factored in to our planning (and, frankly, to our fee structure).

Another risk, as we aim for scalability and growth, is the need for participants to adhere to standards of interoperability, security, and trust practices. The value for vendors decreases when research and education participants don’t all support common baseline standards. Likewise, when vendors fail to fully support standards, the value for education and research participants decreases. As we approach 1,000 participants, common standards and practices becomes paramount.

What does all of this mean for you as an InCommon participant? One is that the InCommon Federation operator must commit to (and be funded for) establishing business and technical operations that ensure superior service, support, and enhancements. The other is that, as InCommon participants, we must commit to common interoperability, security, and trust practices. And finally, we all need to understand the costs of providing a mission-critical service, and how the fee structure will need to change to support such a service.

In two weeks at the 2016 Internet2 Technology Exchange, the InCommon Steering Committee will continue the discussion about the gaps between expectations and resources, and how the fee structure might change to provide the necessary support. We will report back to you about those discussions and plans for community conversations and feedback.

If you are new to federated identity management and plan to attend the Technology Exchange in Miami (Sept. 25-29), consider registering for Base CAMP (Sunday afternoon, Sept. 25). Base CAMP will:

  • Provide an overview of the InCommon Federation and the identity and access management professional field
  • Cover the basics of federation, including the trust framework, metadata, attribute release, and international interfederation
  • Introduce software and supporting technologies, including Shibboleth and TIER (Trust and Identity in Education and Research)
  • Include information on related and emerging issues (like multifactor authentication and alternative IdPs)

You will then be ready to dive into the rest of the Technology Exchange, including a day-and-a-half of track sessions (CAMP), an afternoon of working group meetings, and the unconference Advance CAMP (ACAMP), including discussions of community-wide issues and proposed solutions. ACAMP concludes Thursday (Sept. 29) at noon. You will find the full schedule for the 2016 Technology Exchange, along with registration and hotel information, at https://meetings.internet2.edu/2016-technology-exchange/

With InCommon interconnected to the global federation community, participants now have the opportunity to take part in and support policies and standards being developed internationally. One of the most promising collaborations in this area is the Security Incident Response Trust Framework for Federated Identity (Sirtfi). Developed by a working group comprising international research, campus, and federation operator community members, this framework and related entity tags for IdPs and SPs serves as a first iteration of a global federated incident response approach.

Very shortly, InCommon will begin a proof of concept to support the federation role of the Sirtfi framework for three InCommon identity providers (and a few SPs to be identified) to enable international experimentation with and further refinement of the Sirtfi framework and to continue the community’s work to increase trust within and across our federations. This proof of concept will affect our trust registry/metadata aggregate, but should have no impact on any operations. 

This proof of concept will include very scoped support for Sirtfi including:

  • Importing the Sirtfi entity attribute for those international IdPs and SPs that have chosen to adhere to the specification along with importing the REFEDS Security Contact metadata into InCommon metadata from eduGAIN.
  • Adding to the InCommon aggregate and exporting to eduGAIN the REFEDS security contact and the Sirtfi entity attribute on the entity descriptors of the following IdPs:
    • NCSA
    • LIGO
    • The University of Chicago
  • Adding the Sirtif tag to several LIGO SPs

Given the Sirtfi federation operator obligations have not been finalized, InCommon is working to confirm with these IdP operators and their executive contacts that they comply with the framework by having them self assert to the requirements.

InCommon Shibboleth Installation Workshop
October 27-28, 2016

California State University Office of the Chancellor
Long Beach, California
www.incommon.org/shibtraining

Registration is open for the final InCommon Shibboleth Installation Workshop of 2016. This two-day training session covers both the Identity Provider and Service Provider software, as well as some integration issues. The IdP portion of the workshop is based on IdPv3.

We will focus the training sessions on people who wish to learn about and deploy IdPv3. Those interested in upgrading from v2.x will also find value, but we will mainly cover IdPv3 as an independent topic to ensure we deliver the clearest content possible. Here is what you can expect:

  • A two-day, directed self-paced workshop
  • Hands-on installation of the identity provider and service provider software
  • Experienced trainers providing overviews and one-on-one help
  • Discussions on configuration and suggested practices for federation
  • Attendance is limited to 35
  • Registration closes October 10

The workshops will offer the chance to:

  • Install a prototype Shibboleth identity or service provider in a virtual machine environment
  • Discuss how to configure and running the software in production
  • Learn about integration with other identity management components such as LDAP and selected service providers

Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions: 

  • System install, integration, and ongoing support staff
  • Campus technology architects

For more information and a link to register, go to https://spaces.internet2.edu/x/p4AQBg

To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.

Community Update - InCommon TAC (Technical Advisory Committee)
Wednesday, August 24, 2016
2 pm ET | 1 pm CT | Noon MT | 11 am PT

http://internet2.adobeconnect.com/incforum

The InCommon TAC will provide one of the regular updates of its work plan and discuss some of the projects that are currently underway. This one-hour session will include a general overview, plus information about several specific areas in which groups have either continued work, or are starting to work. There will be opportunity for your feedback, discussion, and suggestions.

The webinar will include an overview of the TAC 2016 work plan, plus information about current working groups:

  • Per-entity Metadata Working Group
  • Deployment Profile Working Group
  • OIDC/OAuth2 Survey Working Group
  • and a number of other topics

We will use Adobe Connect for slide-sharing and audio.  http://internet2.adobeconnect.com/incforum

Discussion will take place in the Adobe chat window, but to participate by voice, you will need to join the conference bridge:

734-615-7474 (please use if you don't pay for long distance)

866-411-0013 (toll-free US/Canada)

PIN: 0101010#

IAM Online – Wednesday, July 13, 2016
2 pm ET / 1 pm CT / Noon MT / 11 am PT
www.incommon.org/iamonline

Paving the Way for Research Collaboration

Plan to attend the August IAM Online to hear about research collaborations and what you can do to help (or hinder) people on your campus as they seek access. Our speakers will discuss the services they offer, the need for collaboration, and what happens when a researcher or scholar hits a roadblock.

 Speakers include:

  • Chris Whalen, from the National Institute of Allergy and Infectious Diseases, which is part of the National Institutes of Health. He is the International Program Director for the Office of CyberInfrastructure and Computational Biology and will discuss a massive re-engineering of the identity management operation and how it will impact identity providers.
  • Kathleen Fitzpatrick, from the Modern Language Association, will discuss the MLA (and associated societies) project, Humanities Commons, which envisions using federated identities as the linchpin for access.
  • Scott Koranda, of the LIGO project, on the impact of eduGAIN, external IdPs, and why researchers make the choices they do when it comes to access. 

Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research and a member of the InCommon Steering Committee, will moderate this session and provide his perspective on the needs of researchers in an era of global services and interaction.  

Presenters

  • Kathleen Fitzpatrick, Associate Executive Director and Director of Scholarly Communication, Modern Language Association
  •  Scott Koranda, Senior Scientist at the University of Wisconsin-Milwaukee and the identity management architect supporting the LIGO project and the Leonard Parker Center for Gravitation, Cosmology, and Astrophysics
  • Chris Whalen, International Program Director, Office of CyberInfrastructure and Computational Biology, National Institute of Allergy and Infectious Diseases, NIH
  • Von Welch, Director, Indiana University Center for Applied Cybersecurity Research

Connecting

We use Adobe Connect for slide sharing and audio: http://internet2.adobeconnect.com/iam-online. For more details, including back-up phone bridge information, see www.incommon.org/iamonline.

About IAM Online

IAM Online is a monthly online education series brought to you by Internet2’s InCommon community and the EDUCAUSE Higher Education Information Security Council (HEISC). 

Once again, the Internet2 Technology Exchange features a full slate of sessions for trust and identity. Here is the general schedule – of special note is that the Advance CAMP will continue through Thursday noon. For registration and details, see https://meetings.internet2.edu/2016-technology-exchange/

 

Sunday, September 25
All DayREFEDSMeeting of federation operators from around the world
All DayTutorialsSeveral tutorials on specific topics, including ORCID and COmanage
1 - 5 pmBase CAMPIntroduction to InCommon participation
   
Monday, September 26
All DayCAMPTwo tracks of CAMP, the trust/identity track featuring track sessions based on community proposals
   
Tuesday, September 27
MorningCAMPTwo tracks of CAMP, the trust/identity track featuring track sessions based on community proposals
AfternoonWorking Groups and BoFsBecause of last year's demand for working group and birds of a feather (BoF) sessions, we're devoting Tuesday afternoon to these meetings
   
Weds., September 28
All DayAdvance CAMPThe Advance CAMP (ACAMP) unconference takes place all day Weds plus Thursday afternoon. ACAMP includes conversations about problems and solutions of interest to the trust and identity community. We build the agenda on-site.
   
Thurs, September 29
MorningAdvance CAMPAdvance CAMP continues through noon.
Noon - 3 pmTIER Developers and Working Group Members MeetingMeeting of the TIER Developers and Working Group Members.
Note: If you will attend this meeting, please sign up here.

IAM Online – Wednesday, July 13, 2016
2 pm ET / 1 pm CT / Noon MT / 11 am PT
www.incommon.org/iamonline

Three Campuses Discuss Grouper Implementations

Interested in a group and access management system? Want to hear about different reasons organizations use Grouper? Join us Wednesday, July 13 (2 pm EDT) for an IAM Online featuring three campuses and their Grouper implementations, including:

  • Georgia Tech’s plans to integrate Grouper with an enterprise directory/person repository, API Infrastructure and S2 Security door-control system

  • Lafayette College’s focus on access policy, reference groups, and use of scripts with Grouper

  • New York University’s integration of Grouper with Sakai and with Google Groups.


Chris Hyzer, project lead for the Grouper team, will provide an overview and discuss some of the newer features of the Grouper Enterprise Access Management software.

Presenters

Bert Bee-Lindgren, Georgia Tech
John Bryson, Georgia Tech
Madan Dorairaj, New York University
Chris Hyzer, University of  Pennsylvania
Julio Macavilca, New York University
Carl Waldbieser, Lafayette College

Connecting

We use Adobe Connect for slide sharing and audio: http://internet2.adobeconnect.com/iam-online. For more details, including back-up phone bridge information, see www.incommon.org/iamonline.

About IAM Online

IAM Online is a monthly online education series brought to you by Internet2’s InCommon community and the EDUCAUSE Higher Education Information Security Council (HEISC).

Two members of InCommon's Shibboleth installation training team will hold "office hours" July 7 and July 12 to answer questions about version 3 of the Shibboleth Identity Provider. They will entertain both general and technical questions. End of life for Version 2 of the Identity Provider software is scheduled for July 31, 2016. These office hours are intended to help those who have not yet planned their upgrade. InCommon participants can drop in any time during the hour. Questions will be take by the Adobe Connect chat function or over the phone. Adobe Connect also will also allow the trainers to share any resources that might be helpful. No need to attend for the whole time - think of the faculty "office hours" during your college days.

Schedule:

Thursday, July 7, 2016 - 3:15 pm - 4:15 pm ET

Tuesday, July 12, 2016 - 11:30 am - 12:30 pm ET

How to Connect:

Connection information for both days:

Adobe Connect URL: http://internet2.adobeconnect.com/shibbolethupgradeofficehours

To join by phone:

  1. Dial 734-615-7474 or 866-411-0013 (toll-free in the U.S. and Canada
  2. Use the PIN 0193311#

 

June 23-24, 2016
Rochester Institute of Technology
www.incommon.org/shibtraining

Registration is open for the final InCommon Shibboleth Installation Workshop prior to the July 31 end-of-life date of the Identity Provider v2. This two-day training session covers both the Identity Provider and Service Provider software, as well as some integration issues. The IdP portion of the workshop is based on IdPv3.

We will focus the training sessions on people who wish to learn about and deploy IdPv3. Those interested in upgrading from v2.x will also find value, but we will mainly cover IdPv3 as an independent topic to ensure we deliver the clearest content possible. Here is what you can expect:

  • A two-day, directed self-paced workshop

  • Hands-on installation of the identity provider and service provider software

  • Experienced trainers providing overviews and one-on-one help 

  • Discussions on configuration and suggested practices for federation

  • Attendance is limited to 40


The workshops will offer the chance to:

  • Install a prototype Shibboleth identity or service provider in a virtual machine environment

  • Discuss how to configure and running the software in production

  • Learn about integration with other identity management components such as LDAP and selected service providers


Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

  • System install, integration, and ongoing support staff

  • Campus technology architects


For more information and a link to register, go to https://spaces.internet2.edu/x/NYC0BQ

To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.

IAM Online – Wednesday, May 11, 2016
2 pm ET / 1 pm CT / Noon MT / 11 am PT

www.incommon.org/iamonline

We’re looking for your input and comments! The InCommon Technical Advisory Committee (TAC) continues to develop its work plan, including technical priorities for InCommon. The TAC plans to finalize the plan at its meeting during the Internet2 Global Summit (May 19). This IAM Online will provide a timely opportunity to provide feedback.

Some of the initiatives include a working group to examine the use of per-entity metadata, exploring options for resource-constrained campuses, technical cookbooks, and raising the bar on interoperability and security. Here’s your chance for a preview, to see how this might affect your operations, and to provide comments and feedback. Join us during the May 11 IAM Online to learn about the draft plans.

Presenters

Steve Carmody, Brown University, InCommon TAC Chair
Members of the InCommon TAC

Connecting

We use Adobe Connect for slide sharing and audio: http://internet2.adobeconnect.com/iam-online. For more details, including back-up phone bridge information, see www.incommon.org/iamonline.

About IAM Online

IAM Online is a monthly online education series brought to you by Internet2’s InCommon community and the EDUCAUSE Higher Education Information Security Council (HEISC).

IAM Online – Wednesday, April 13, 2016
2 pm ET / 1 pm CT / Noon MT / 11 am PT
www.incommon.org/iamonline

Free the Attributes! Attribute Release, Scalable Consent, and User Convenience

When did you last take a look at your attribute release policies? How can you meet the requirements of data stewards and the benefits of relaxed attribute release? What is on the horizon with scalable consent and how will that help?

We’ll touch these and other questions in the next IAM Online, “Free the Attributes! Attribute Release, Scalable Consent, and User Convenience,” Wednesday, April 13, 2016, at 2 pm ET. Our speakers will discuss their journeys toward relaxed policies that allow for the release of a small set to some applications, including the Research and Scholarship category of service providers. We’ll also discuss the scalable consent project, with the aim of providing informed, revocable consent, attribute-by-attribute.

Presenters

Rob Carter, Duke University
Ken Klingenstein, Internet2
Keith Wessel, University of Illinois, Champaign-Urbana

Moderator

Tom Barton, University of Chicago

Connecting

We use Adobe Connect for slide sharing and audio: http://internet2.adobeconnect.com/iam-online. For more details, including back-up phone bridge information, see www.incommon.org/iamonline.

About IAM Online

IAM Online is a monthly online education series brought to you by Internet2’s InCommon community and the EDUCAUSE Higher Education Information Security Council (HEISC).

InCommon has scheduled two Shibboleth Installation Workshops for May and June, 2016. We have front-loaded the schedule this year because of the end-of-life of Shib IdPv2, July 31, 2016.

Registration is open for these workshops:
    •    May 19-20, 2016, at the University of Chicago in Chicago

    •    June 23-24, 2016, at the Rochester Institute of Technology in Rochester, NY


For details on the training sessions and links to register, please go to www.incommon.org/shibtraining

These two-day training sessions cover both the Identity Provider and Service Provider software, as well as some integration issues. We will focus the training sessions on people who wish to learn about and eventually deploy IdPv3. Those interested in upgrading from v2.x will also find value, but we will mainly cover IdPv3 as an independent topic to ensure we deliver the clearest content possible. Here is what you can expect:

  • A two-day, directed self-paced workshop

  • Hands-on installation of the identity provider and service provider software

  • Experienced trainers providing overviews and one-on-one help 

  • Discussions on configuration and suggested practices for federation

  • Attendance is limited to 40


The workshops will offer the chance to:

  • Install a prototype Shibboleth identity or service provider in a virtual machine environment

  • Discuss how to configure and running the software in production

  • Learn about integration with other identity management components such as LDAP and selected service providers


Knowledge of identity management concepts and related implementation experience is strongly recommended. Organizations are encouraged to send one or two attendees who best represent the following functions:

  • System install, integration, and ongoing support staff

  • Campus technology architects


For more information and a link to register, go to www.incommon.org/shibtraining.

To learn more about Shibboleth, see the Shibboleth wiki (wiki.shibboleth.net). More information on federated identity can be found at www.incommon.org.