The largest and arguably most successful identity federation in the world is the network used by higher education institutions. Academics, faculty and their partners have enjoyed the benefits of single sign-on, secure wireless access and identity sharing since 2003. Interest has recently spiked in consumer login and citizen identity federation, so it is worth looking at how academia has tackled Federated ID.
There are national identity federations currently operating in over 30 countries, involving thousands of post-secondary institutions. In the UK Access Management Federation alone there are over 900 members and approximately 250 service providers. In the US, the InCommon federation boasts over 5,000,000 users.
In each of these federations, schools and service providers trust each other via a central body (hub), based on rules that are formally established for participation.
Higher education federations are focused on ‘circles of trust’. A circle of trust is a collection of organizations that, typically, operate in the same business sphere and have common traits and ambitions. For example, the Canadian Access Federation (CAF) is made up of over 50 Canadian universities and colleges, plus a growing number of cloud service providers that are involved with student services. The CAF circle doesn’t include banks, insurance companies or telcos, or for that matter, social media operators.
Higher education federations work because of these well-defined circles of trust. Participants can release and consume identity information, including a privacy-enhancing, opaque and unique identifier, because the relying parties (schools and cloud service providers) trust the identity providers (schools). And, most importantly, the users of the federation – the students, faculty, administrators and alumni – are comfortable trusting all the parties in the federation.
The identity information available in the CAF includes name, email address, institution, and ‘scoped affiliation’ (aka role, such as student, faculty, staff, etc.) This relatively rich claim-set allows a relying party to make access decisions, at least at a course-grained level of authorization.
(Note that some relying parties will still want to have enrolment processes in place to handle access to specific applications or data. These sites will need to perform additional verification steps to authorize access to services.)
The CAF standard claim-set of identity attributes is based on the eduPerson Object Class. This specification allows many sites and web applications to provide automatic access without further ‘interrogation’ of the user. As examples:
- The eduPersonOrgDN claim represents the institution or organization of a researcher. It can be used by the RP to give a researcher access to a collaboration folder specific to that institution, plus a common collaboration folder that all researchers can use.
- The eduPersonPrincipalName claim can be used by the RP as a key to link a faculty member to a specific record, or to a set of permissions within a web application. This in turn allows for automated provisioning to take place, with the other identity attributes used to populate the user profile maintained by the RP.
- The eduPersonScopeAffiliation attribute – let’s say it is set to ‘alum’ – can act as a general course-grained entitlement, used to tailor a portal to the specific needs of alumni. For example, the portal could offer alumni special offers or encourage donations.
It is within this relatively rich framework of trusted identity claims that higher-ed federations have a distinct advantage over social media-based identity networks. Social media identities are fine for low-value transactions (personal blogs, commenting on news articles, etc.), but are nowhere near strong enough for academic and business transactions. Only within a trusted federation, where the rules of participation are clear and binding, can identity information be appropriately shared.
The CAF and its international counterparts allow for new connections and new services to be established based on trust and collaborative service delivery. It is a proven model that aspiring identity federations can learn from when planning the next generation of access networks.
Mike
