IAM Online – Wednesday, March 11, 2015

2 pm ET / 1 pm CT / Noon MT / 11 am PT
www.incommon.org/iamonline

Features and Functionality of Version 3, Shibboleth Identity Provider

Have you read about the recently released version 3 of the Shibboleth Identity Provider software? Are you curious about the improvements and changes? Join the March 11, 2015, IAM Online when members of the Shibboleth development team will discuss the new features and functionality of the new version of the Shibboleth Identity Provider. Scott Cantor is a long-time lead developer for Shibboleth and will talk about such features as user notification and support for CAS. In addition, the InCommon Technical Advisory Committee will provide an overview of discussions about baseline practices and deploying Shib 3.

Join us on Wednesday, March 11, at 2 pm ET and bring your questions!

Speakers:
Members of the Shibboleth Development Team

Moderator:
Tom Barton, University of Chicago

Connecting
We use Adobe Connect for slide sharing and audio: http://internet2.adobeconnect.com/iam-online. For more details, including back-up phone bridge information, see www.incommon.org/iamonline

About IAM Online
IAM Online is a monthly online education series brought to you by Internet2’s InCommon community and the EDUCAUSE Higher Education Information and Security Council.

InCommon has three positions posted. Two of these are newly created to help move the federation forward:
  1. Director of Technology and Strategy (http://goo.gl/yuDRRs)
  2. Program Manager, Community Trust and Practices (responsible for Assurance and Certificate programs) (http://goo.gl/jNY3eO)
  3. And a position in the Ann Arbor office to help with business operations and the registration authority (http://goo.gl/1VHzv2)

New major release of free open source federated identity solution adds user consent capability and support for Central Authentication Service protocol

BRISTOL, England, Feb. 20, 2015—The research and education (R&E) community is set to benefit from an upgrade to a free open source software system that will help them better deliver access and identity management services.

The Shibboleth Consortium—a collaborative group of international R&E organizations—has released version 3 of the Shibboleth Identity Provider, the latest version of its free open source software that enables secure web single sign-on. Institutions are able to use the software to enable researchers to safely access library resources, databases and collaboration tools using only one login, doing away with the need to set up new accounts as they move between locations.

Read the entire release.

The February issue of the InCommon Update is now available.

Topics include:

  1. February IAM Online: Working Groups Report - Making Federation Easier
  2. Registration Open for Internet2 Global Summit
  3. InCommon Adding MD-RPI Element to Metadata
  4. InCommon Staff Leadership Transition
  5. GENI, OGF Meeting Coming in March
  6. New Certificate Subscriber
  7. New InCommon Participants

IAM Online – Wednesday, February 11, 2015

2 pm ET / 1 pm CT / Noon MT / 11 am PT
www.incommon.org/iamonline

Working Groups Report: Making Federation Easier

This IAM Online is all about identities and identity providers, with the broad theme of making it easier for both campuses and individuals to participate in the InCommon Federation. You will hear from the following InCommon TAC work groups:

Alternative IdPs Working Group - This group has assessed in-house and outsourced strategies for deploying an IdP (including a helpful decision tree) and recommendations for future InCommon work as it strives to make things easier for campus deployers. For more information, see https://spaces.internet2.edu/x/oQLkAg 

External Identities Working Group - This group is exploring how to make external identities (e.g., from Google, Microsoft, or UnitedID) useful and sufficiently trusted, as well as the potential to link an external identity with a campus identity. They have looked at types of identities, use cases, and issues to consider for those needing some sort of external identity. See https://spaces.internet2.edu/x/-gTkAg 

IdP of Last Resort Working Group - This group is exploring options for those who are not represented by a campus IdP or whose IdP will not release the necessary attributes. This group is documenting the requirements for any potential IdP of Last Resort, developing case studies, and exploring tradeoffs between this concept and the use of external identities. For more information: https://spaces.internet2.edu/x/iwvkAg

New Entities Working Group - This group is preparing for InCommon’s participation with eduGAIN and interfederation. Operationalization of eduGAIN will add IdPs and SPs that are members of other federations, and some regional network operators would like to add new types of entities (such as K-12) to the metadata. This group is exploring the policies and practices needed in an interfederated world. More info: https://spaces.internet2.edu/x/mwvkAg

Speakers:

Janemarie Duh, Lafayette College
Eric Goodman, University of California Office of the President
Keith Hazelton, University of Wisconsin - Madison
Jim Jokl, University of Virginia
David Walker, Internet2

Moderator:

Steven Carmody, Brown University

Connecting

We use Adobe Connect for slide sharing and audio: http://internet2.adobeconnect.com/iam-online. For more details, including back-up phone bridge information, see www.incommon.org/iamonline.

IAM Primer Slated for ACUTA Winter Seminar

Our University of Wisconsin-Madison colleague Steve Devoti will lead a primer on identity and access management at the upcoming ACUTA Winter Seminar, January 25-28 in Anaheim. (ACUTA is the Association for College and University Technology Advancement.) More details about the seminar and ACUTA are at www.acuta.org/ws15.

George Washington University Certified for Bronze

The George Washington University has become certified for the InCommon Bronze Identity Assurance Profile under the InCommon Assurance Program. GW used the representation of conformance method for qualifying for Bronze certification. This simplified approach requires no audit; the identity provider attests to compliance by signing the assurance addendum to the InCommon participation agreement.

“GW has had a formal Identity and Access Management (IAM) Program since 2010, with a vision to provide simplified, timely, secure, and consistent access to necessary IT resources for our constituents throughout their lifecycle,” said Asif Hafiz, director of identity and access management services at the university. “Identity Assurance is a key component of GW’s IAM program. It helps determine, with some level of certainty, that electronic credentials representing an identity can be trusted to belong to the entity. At GW, we feel that the InCommon assurance program provides an identity assurance assessment framework suitable for the higher education environment.”

InCommon currently has two identity assurance profiles that have been approved by the U.S. government: InCommon Bronze and Silver. Bronze is comparable to the National Institute of Standards and Technology (NIST) Level of Assurance 1. Silver, comparable to NIST’s Level of Assurance 2, requires proof of identity and has security appropriate for higher-risk transactions.

The InCommon Assurance Program supports InCommon’s mission to provide secure and privacy-preserving trust services for its participants. Enabling higher-value, higher-risk services requires increased trust by the organizations that run the identity and cloud services. The Assurance Program allows Identity Providers to demonstrate security and trust through the use of standards-based identity practices.

For more information about the Assurance Program please visit assurance.incommon.org. Campuses interested in the InCommon Assurance Program are invited to join the monthly Assurance calls, which are announced on the Assurance email list. To join this list, send email to sympa@incommon.org with the subject line: subscribe assurance.

The December 2014 issue of the InCommon Update is available. Highlights include:

  • Are Passwords Passe? Deployment Strategies for MFA
  • InCommon Reaches 700 Participants and Other Milestones
  • Technology Exchange Highlights
  • Harvard University Achieves Bronze
  • nanoHUB New Research & Scholarship SP
  • Grouper Releases Version 2.2.1
  • Email lists, minutes, new participants, and more

Harvard University Certified for Bronze Assurance

Harvard University has become certified for the InCommon Bronze Identity Assurance Profile under the InCommon Assurance Program. The Assurance Program allows Identity Providers to demonstrate security and trust through the use of standards-based identity practices.

Harvard used the representation of conformance method for qualifying for Bronze certification. This simplified approach requires no audit; the identity provider attests to compliance by signing the assurance addendum to the InCommon participation agreement.

“InCommon participation and certification addresses several of our key tenets – simplifying the user experience, enabling research and collaboration, and protecting university resources,” said Scott Badner, senior technology consultant at Harvard. “This makes good on our vision goals of providing secure, easy access to applications via solutions requiring fewer login credentials, enabling collaboration across and beyond Harvard.”

InCommon developed the assurance program as part of its mission to provide secure and privacy-preserving trust services for its participants. Enabling higher-value, higher-risk services requires increased trust by the organizations that run the identity and cloud services.

InCommon currently has two identity assurance profiles that have been approved by the U.S. government: InCommon Bronze and Silver. Bronze, comparable to the National Institute of Standards and Technology (NIST) Assurance 1 level, has credential security associated with basic Internet interactions. Silver, comparable to NIST’s level of Assurance 2, requires proof of identity and has security appropriate for higher-risk transactions.

More information about the assurance program is at assurance.incommon.org.

IAM Online – Wednesday, December 10, 2014

2 pm ET / 1 pm CT / Noon MT / 11 am PT
www.incommon.org/iamonline

Are Passwords Passé? Deployment Strategies for Multi-Factor Authentication - Director's Cut

You may have heard them at the EDUCAUSE Annual Meeting, but David Walker and Mike Grady return on Wednesday, December 10 (2 pm ET) for a special appearance at IAM Online.

Increasingly, passwords alone cannot continue to protect online systems. A Cohortium of more than 40 institutions is evaluating multifactor authentication alternatives (phone, certificates, and hardware-based tokens) to mitigate risks and increase security. In this talk, we will outline the issues an institution should consider when selecting and deploying a strategy for multi-factor authentication, including business drivers, policy concerns, and technical factors.

Speakers
Mike Grady, Unicon
David Walker, Internet2

Moderator
Chris Misra, University of Massachusetts

Connecting

We use Adobe Connect for slide sharing and audio: http://internet2.adobeconnect.com/iam-online. For more details, including back-up phone bridge information, see www.incommon.org/iamonline.

Per-Entity Metadata Pilot Study Opens

The InCommon Technical Advisory Committee seeks your participation in the Per-Entity Metadata Pilot Study. This six-month pilot is intended to "explore the utility of signed, per-entity metadata as an alternative to metadata aggregates."

Email list participants will discuss the feasibility of distributing metadata on a per-entity basis, rather than the batch-oriented model currently used. As the federation grows, and larger numbers of SPs and IdPs are introduced into InCommon metadata, the batch-oriented distribution model will become strained. While it is believed that the current distribution mechanisms will remain viable in the short to medium term, there has been progress on multiple fronts with respect to per-entity metadata.

The goal of this pilot study is to examine and experiment with these new techniques while mapping a strategy for metadata distribution that will carry us well into the future.

More information is available in the wiki. All discussion will take place on the email list. Please join us!

Internet2’s InCommon Community Welcomes its 200th Sponsored Partner

DocuSign joins trust federation for U.S. research and education community

Internet2 is proud to announce that InCommon—the trust federation for U.S. education and research institutions—has welcomed its 200th Sponsored Partner. DocuSign, the nation’s leading electronic transaction management company, has joined InCommon. DocuSign is welcomed to a community of 461 higher education institutions, 33 government and non-profit research centers and agencies, and 200 corporate and non-profit Sponsored Partners.

DocuSign’s digital transaction management platform helps organizations keep processes 100 percent digital from start to finish and allows for the secure electronic sending and signing of documents. In addition to joining InCommon, the company is also participating in the Internet2 NET+ program, where it is moving through the service validation phase.

“This year marks the 10th anniversary of InCommon, whose significant growth continues to accelerate,” said Shelton Waggener, senior vice president of Internet2. “Hundreds of universities, institutions and companies have seen the benefit of a collaborative, trusted, scalable approach to identity and access management. I invite all of the research and education community, and the commercial partners who serve them, to join this community-led approach to trust services.”

For more information on InCommon and a full list of participants, visit www.incommon.org

InCommon Affiliate Webinar Series: Aegis Identity

Wednesday, November 19, 2014
2 pm ET | 1 pm CT | Noon MT | 11 am PT
Join via Adobe Connect (slides and audio): http://internet2.adobeconnect.com/affiliate

Case Study in Just in Time Provisioning and ID Proxy Management

This webinar will look at technology developed in conjunction with a K-12 consortium to provide for a multi-tenancy proxy IdP with real-time provisioning for a common Shibboleth assertion. Coupled with the Federation Registry, which allows for tenant self-service on-boarding and SP request and approval, the consortium is setting the stage for intrastate K-12 federation.

Presenters:

Jim Faut, Director of Software Development, Aegis Identity Software, Inc.
Ames Fowler, Solution Engineering Manager, Aegis Identity Software, Inc.

Connecting

Slides and audio will be available via Adobe Connect:
http://internet2.adobeconnect.com/affiliate

Dial-in back-up:
734-615-7474, or 866-411-0013
PIN: 0105266#

About Aegis Identity

Aegis Identity Software has multiple goals: (1) to provide contemporary identity management solutions, (2) to align with open source identity management technologies (such as Shibboleth, CAS, Grouper), and (3) to use the EDUCAUSE model of “collaborative sourcing” to deploy IdM solutions quickly and without incurring a large professional service expense to the university.

Designed specifically for higher education, TridentHE provides an identity management platform to automate provisioning/de-provisioning, identity synchronization, password management and user self-service. Unlike legacy “full solution” suites, TridentHE is an IdM software solution designed with contemporary technology and SOA-based open standard provisioning engines, resulting in a solution with a focus on cost savings, compliance and optimal risk management.

About the InCommon Affiliate Webinar Series

InCommon Affiliates offer software, support, integration, and consulting related to identity and access management, and other trust services. This webinar series provides an opportunity for affiliates to share ideas and solutions with the community. You can learn more about the affiliates at www.incommon.org/affiliates.

IAM Online – Wednesday, November 12, 2014

2 pm ET / 1 pm CT / Noon MT / 11 am PT
www.incommon.org/iamonline

Turning Off NTLMv1 or How to Approach Turning Off Legacy Technology

Do you have legacy technologies that you would like to abandon . . . or at least turn off? How can you identify the potential impacts? And what does all of this have to do with an Active Directory Cookbook?

Nick Roy will introduce you to the Active Directory Silver Cookbook and Brian Arkills will discuss how the University of Washington successfully turned off NT LAN Manager - specifically NTLMv1 - and the strategies employed to avoid undesirable impacts and rollback hell. Brian will also note how other IT service managers might successfully approach turning off (or discouraging) legacy technology using similar strategies.

Brian suggests that a portion of the Active Directory Silver Cookbook, developed by members of the InCommon community, would make useful background reading (http://goo.gl/AuJjbI). This link takes you to the “Ensure IdP Authentication Secrets are Protected in Transit” section and the suggested configuration changes, including turning off NTLMv1.

Speaker: Brian Arkills, University of Washington
Moderator: Nick Roy, Penn State

Connecting

We use Adobe Connect for slide sharing and audio: http://internet2.adobeconnect.com/iam-online. For more details, including back-up phone bridge information, see www.incommon.org/iamonline.

InCommon Seeks Nominees for Steering Committee

InCommon is seeking nominees to serve three-year terms on its Steering Committee beginning January 2015. InCommon operates the U.S. identity federation for higher education and its sponsored partners, and operates successful certificate and multifactor authentication services.

The Steering Committee is responsible for overseeing and advising Internet2 on InCommon's identity services, activities and initiatives. InCommon Steering coordinates its work within the TIER (Trust and Identity in Education and Research) and has representation on the TIER Oversight Committee. Members are selected to represent the broadest community of higher education institutions and its many partners. For a current list of members, please see http://www.incommon.org/about.

InCommon meets once a month via teleconference and twice a year during Internet2 conferences. Members also serve on one of two subcommittees (Program Subcommittee and External Relations and Governance Subcommittee). Subcommittees meet as needed, on average once or twice a month. Steering Committee meeting notes are posted at: https://spaces.internet2.edu/x/SAhOAg

To nominate an individual, including yourself, please send your recommendation to nominations@incommon.org by November 15th. The Steering Committee will consider a broad roster of the highest caliber of candidates for its open seats.

Please distribute this message to your colleagues as appropriate.

Thank you for taking the time to consider the future of your InCommon.