Internet Scale Identity, Collaboration, and Higher Education
Key Insights
Internet2's 'InCommon' federation serves approximately 2 million users across 44 major US higher education institutions, enabling federated access to various resources.
Shibboleth, Internet2's primary middleware software, has seen over 1,000 sites globally adopt it, with an Apache-licensed library component (OpenSAML) integrated into numerous other products.
The EduPerson standard, developed for inter-organizational identity sharing in higher education, has been widely adopted both in the US and internationally.
Federal government initiatives have driven the need for defined Levels of Assurance (LOA) in identity management, with four standard levels now in use.
While OpenID is gaining traction for many use cases, the presentation suggests it may not be suitable for high-assurance scenarios, unlike federated identity systems.
The 'CoManage' project by Internet2 aims to integrate group and privilege management tools with collaboration suites to enhance the management of access to resources for virtual organizations.
The rise of federated identity in higher education
The presentation introduces Internet2, a consortium of over 250 universities, and its middleware initiative focusing on identity and access management. A significant area of development is federated identity, which allows users to leverage their institutional credentials to access external services. This approach is crucial for higher education institutions, enabling seamless access to resources like Google Apps for Education, library content (e.g., ScienceDirect), and other academic services. The 'InCommon' federation, operated by Internet2, currently serves approximately 2 million users across 44 major US higher education institutions. This initiative aims to create a community around identity providers (universities) and service providers, establishing common arrangements and policies for secure access. While bilateral arrangements are common in the corporate world, InCommon focuses on multilateral federations, creating a community fabric for shared identity management. This enables institutions to manage access collectively rather than establishing individual agreements with each service provider, streamlining the process and fostering collaboration.
Shibboleth and the common framework for federated access
Shibboleth is highlighted as Internet2's primary software project for federated access, with over 1,000 sites globally deploying it. Its open-source nature and widespread adoption, coupled with its core component OpenSAML being an Apache-licensed library, have led to its integration into numerous other open-source and commercial SAML products. The project's focus on SAML 2.0 aims to provide robust interoperability. A key aspect is the development and promotion of common policies and technical standards within the federation. This includes standardizing attributes through the widely adopted EduPerson schema, which defines a common vocabulary for inter-organizational identity information in higher education. Furthermore, the concept of Levels of Assurance (LOA) is critical, driven by requirements from entities like the US federal government, ensuring that different levels of identity verification are available for varying risk scenarios. InCommon provides a framework for these policies and standards, enabling member institutions to participate in the federation without needing to establish separate agreements with each service provider.
User-centric identity and the role of InfoCard
The discussion also touches upon user-centric identity, where individuals have more control over their digital identity rather than it being solely tied to specific applications or organizations. Key aspects of user-centric identity include the notion of 'owning' one's identity and controlling information flow. While OpenID is mentioned as a popular user-centric approach, its suitability for high-assurance use cases is questioned. Internet2, though supporting OpenID for certain scenarios, is particularly enthusiastic about InfoCard, a technology that allows for 'smart software' in browsers to manage sign-ons and attribute exchange. They intend to integrate InfoCard support into Shibboleth, aiming to replace or supplement current browser-based redirection flows with an InfoCard-based approach, leveraging the existing federated infrastructure. This approach is seen as a promising way to advance internet identity by enabling more intelligent and controlled interactions.
International adoption and diverse federation models
Federations are not limited to the US; significant growth is observed internationally. While the US approach via InCommon focuses on a more distributed, per-campus model, European national research and education networks (like Switch in Switzerland) have often achieved broader coverage through centralized national support structures. Despite these differences in implementation and software (e.g., Norway using a commercial Sun product), international interoperability is a key goal. This is facilitated by shared standards and common challenges, such as serving licensed library content and integrating with providers like Elsevier. The presentation shows examples of national federations in countries like Switzerland achieving near-complete coverage in their higher education sectors, demonstrating the potential of federated identity to simplify access to critical resources.
Levels of assurance and evolving identity requirements
The importance of 'Levels of Assurance' (LOA) is repeatedly emphasized. The US federal government's requirements have been a significant driver in defining these standards. For example, the need to support users with disabilities led to the inclusion of specific attributes in the EduPerson schema, such as disability classifications, enabling information to be presented in accessible formats (e.g., braille, vocal readers). InCommon plans to define LOA terms and a certification program to accredit sites for specific levels of assurance. This is crucial for applications that require higher security, such as managing medical records or federal grant information. The structure provided by LOA allows applications to understand the reliability of an identity assertion and manage access accordingly, bridging the gap between casual online interactions and sensitive data management.
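The attribute and assurance machinery described in the Shibboleth section and here is easiest to see from the service-provider side: an identity provider releases EduPerson attributes in a SAML 2.0 attribute statement, and the application decides what the asserted level of assurance and affiliation entitle the user to. The following Python is an added example and is not code from the talk, from Shibboleth or from InCommon. The attribute OIDs are the standard eduPerson ones; the LOA URIs, the resource policy table and the two attribute statements are constructed for illustration, and the code assumes the SAML stack has already validated the assertion's signature, issuer and audience before these values are read.

```python
# Added example (not from the talk, Shibboleth or InCommon): an access decision
# that consumes EduPerson attributes from a SAML 2.0 AttributeStatement and
# gates resources on level of assurance (LOA) and affiliation.
# ASSUMPTIONS: the LOA URIs and the resource policy table are constructed for
# illustration; the attribute OIDs are the standard eduPerson ones.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard eduPerson attribute names in SAML urn:oid form.
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"         # eduPersonPrincipalName
AFFILIATION_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"  # eduPersonAffiliation
ASSURANCE_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.11"   # eduPersonAssurance

# Constructed LOA identifiers (placeholders, not InCommon's real profile URIs),
# mapped onto the four federal assurance levels the talk refers to.
LOA_LEVELS = {f"http://example.org/assurance/loa{n}": n for n in (1, 2, 3, 4)}

# Hypothetical service-provider policy: minimum LOA plus accepted affiliations.
RESOURCES = {
    "campus-wiki":      {"min_loa": 0, "affiliations": {"member"}},
    "licensed-library": {"min_loa": 1, "affiliations": {"student", "faculty", "staff"}},
    "grant-reporting":  {"min_loa": 3, "affiliations": {"faculty", "staff"}},
    "medical-records":  {"min_loa": 4, "affiliations": {"staff"}},
}

# Constructed attribute statement, as an IdP might release it after login.
# A real SP (e.g. a Shibboleth SP) validates the assertion signature, issuer,
# audience and validity window before any of these values are trusted.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
    <saml:AttributeValue>student</saml:AttributeValue>
    <saml:AttributeValue>member</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.11">
    <saml:AttributeValue>http://example.org/assurance/loa1</saml:AttributeValue>
    <saml:AttributeValue>http://example.org/assurance/loa2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Same principal, but the IdP released no eduPersonAssurance at all.
NO_ASSURANCE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
    <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
    <saml:AttributeValue>member</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(xml_text: str) -> dict[str, list[str]]:
    """Collect every AttributeValue under each Attribute Name (multi-valued)."""
    root = ET.fromstring(xml_text)
    attrs: dict[str, list[str]] = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def asserted_loa(attrs: dict[str, list[str]]) -> int:
    """Highest recognised LOA in eduPersonAssurance; 0 if none was asserted.
    Unknown URIs are ignored rather than guessed at, so the decision fails closed."""
    levels = [LOA_LEVELS[v] for v in attrs.get(ASSURANCE_OID, []) if v in LOA_LEVELS]
    return max(levels, default=0)


def authorize(attrs: dict[str, list[str]], resource: str) -> tuple[bool, str]:
    """Return (allowed, reason). Every missing input denies access."""
    policy = RESOURCES.get(resource)
    if policy is None:
        return False, "unknown resource"
    if not attrs.get(EPPN_OID):
        return False, "no eduPersonPrincipalName released"
    loa = asserted_loa(attrs)
    if loa < policy["min_loa"]:
        return False, f"LOA {loa} below required LOA {policy['min_loa']}"
    if not set(attrs.get(AFFILIATION_OID, [])) & policy["affiliations"]:
        return False, "affiliation not entitled to this resource"
    return True, f"ok (LOA {loa})"


if __name__ == "__main__":
    for stmt in (SAMPLE_ATTRIBUTE_STATEMENT, NO_ASSURANCE_STATEMENT):
        released = parse_attributes(stmt)
        for res in RESOURCES:
            print(res, authorize(released, res))
```

Two design points are worth noting. An identity provider that releases no eduPersonAssurance value is treated as LOA 0, so only resources that explicitly accept any federated login remain open; this is the "bridge" between casual and sensitive use the section describes, expressed as policy rather than as an afterthought. And only recognised LOA identifiers count, so a federation adding a new assurance profile requires a deliberate update to the mapping, never a silent upgrade.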
Collaboration tools and group management
The presentation shifts to collaboration, observing that higher education collaborations often involve a complex mix of tools like wikis, mailing lists, chat, and video conferencing. Managing access to these disparate tools for virtual organizations supporting collaborative activities can be a significant burden. Internet2's 'CoManage' project aims to address this by integrating group and privilege management tools, enabling richer access control for collaborative resources. The goal is to demonstrate how this can improve management of access, support virtual organizations, and integrate with services like Google Apps for Education, allowing users from different institutions to collaborate seamlessly. The challenge lies in ensuring applications can understand and function within this federated environment, moving beyond simple identity assertion to managing privileges and access within complex collaboration scenarios, as exemplified by issues encountered when integrating federated identity with desktop applications like SharePoint.
Bridging the gap between federated and open identity models
While robust federations are being built for high-assurance use cases, the need for more promiscuous interactions in research and education is acknowledged. This involves connecting researchers and educators globally based on shared interests, often requiring simpler, less contract-heavy mechanisms than traditional federations. The challenge is to bridge the gap between these elaborate, high-value federations and the need for loose, collegial collaboration. The speakers note that while OpenID may serve some initial use cases, its security and scalability for certain academic activities, like protecting research data, are questioned. They suggest that a hybrid approach, potentially integrating OpenID with federated identity or other management systems, might offer a path forward, allowing for flexible yet secure interactions across different contexts.
The future of identity and collaboration
The session concludes by emphasizing the evolving landscape of identity management and the potential for innovative integrations. The conversation between federated identity, user-centric approaches, and the broader internet application space is ongoing. The speakers highlight the importance of universities acting as authoritative sources for certain attributes, such as 'studentness,' which is crucial for services catering to students and managing requests efficiently and securely. The regulatory environment (HIPAA, GLBA, SOX) also underscores the need for an infrastructure that supports robust identity management while remaining flexible enough for social networking contexts. The long-term vision involves diverse identity tools working together, possibly under a common veneer, to support a wide range of interactions, from sensitive governmental applications to open academic collaborations. Google's interest in this space, particularly their work with Internet2 and Microsoft, signals a significant push towards developing and leveraging this identity infrastructure.
Internet2 is a consortium of universities that facilitates high-speed networking and research. Within it, the Middleware Initiative focuses on promoting best practices and new approaches for identity and access management for universities and their partners.
Mentioned in this video
A platform for educational institutions that uses federated access; because of this use, Google is a financial sponsor of the Shibboleth project.
Internet2's main middleware software project for identity and access management, implementing SAML for federated access, with a 2.0 beta release discussed.
An initiative by the Cal State system to reach a broader community, which will involve 22 universities.
A wiki software whose instance at Internet2 is federation-enabled, used as a demonstration of federation capabilities.
A project by Internet2 aimed at bringing together group and privilege management tools for collaboration.
A federation formed by the University of California system, with member schools also participating in InCommon.
A US government agency that uses Shibboleth for secrecy preservation and sharing information between agencies.
An organization that runs an identity management list, mentioned as a good venue for discussing identity management.
The primary focus of the discussion, as they are major users and providers of identity management services in higher education and research.
An organization involved in identity standards and federations, noted for its strong interest in multilateral federations.
An open identity provider where anyone can sign up, used as an example of an identity provider within a federation, with a significant portion of users.
A system for managing digital identity and security, presented as a potentially strong bet for moving internet identity forward, with support planned in Shibboleth.
A standardized attribute vocabulary for representing people's information in higher education, widely adopted both in the US and internationally.
A decentralized identity system that allows users to log in to different websites using a single identity, often discussed as a user-centric approach.
An object class developed as part of interactions with the federal government, designed to be parsimonious but importantly including a disability class.
US federal guidelines for identity proofing and authentication, serving as common ground for international federations.
Health Insurance Portability and Accountability Act, a US regulation that creates a 'regulatory life' and economics associated with identity management, particularly for medical applications.
A US regulation that creates a 'regulatory life' and economics associated with identity management, particularly for financial applications.
A company whose application in software distribution will be joining the InCommon federation soon and is seen as a valuable partner.
A corporate partner member of Internet2 and a financial sponsor of the Shibboleth software project.
A bank that is deeply involved in fostering citizen identity solutions.
Discussed as a potential competitor or parallel service in identity management for universities, though generally not used for direct academic sign-ins. Its role in asserting 'studentness' is highlighted.
A commercial identity vendor whose CEO noted that their installations are primarily bilateral, suggesting multilateral is the future.