Key Moments

Internet Scale Identity, Collaboration, and Higher Education

Google Talks
Education | 6 min read | 62 min video
Aug 22, 2012 | 154 views


TL;DR

Google's Med-Gemini outperforms doctors at diagnosis, raising the question of whether AI should be deployed even when we can't explain its reasoning.

Key Insights

1. Internet2's 'InCommon' federation serves approximately 2 million users across 44 major US higher education institutions, enabling federated access to various resources.

2. Shibboleth, Internet2's primary middleware software, has seen over 1,000 sites globally adopt it, with an Apache-licensed library component (OpenSAML) integrated into numerous other products.

3. The EduPerson standard, developed for inter-organizational identity sharing in higher education, has been widely adopted both in the US and internationally.

4. Federal government initiatives have driven the need for defined Levels of Assurance (LOA) in identity management, with four standard levels now in use.

5. While OpenID is gaining traction for many use cases, the presentation suggests it may not be suitable for high-assurance scenarios, unlike federated identity systems.

6. The 'CoManage' project by Internet2 aims to integrate group and privilege management tools with collaboration suites to enhance the management of access to resources for virtual organizations.

The rise of federated identity in higher education

The presentation introduces Internet2, a consortium of over 250 universities, and its middleware initiative focusing on identity and access management. A significant area of development is federated identity, which allows users to leverage their institutional credentials to access external services. This approach is crucial for higher education institutions, enabling seamless access to resources like Google Apps for Education, library content (e.g., ScienceDirect), and other academic services. The 'InCommon' federation, operated by Internet2, currently serves approximately 2 million users across 44 major US higher education institutions. This initiative aims to create a community around identity providers (universities) and service providers, establishing common arrangements and policies for secure access. While bilateral arrangements are common in the corporate world, InCommon focuses on multilateral federations, creating a community fabric for shared identity management. This enables institutions to manage access collectively rather than establishing individual agreements with each service provider, streamlining the process and fostering collaboration.

Shibboleth and the common framework for federated access

Shibboleth is highlighted as Internet2's primary software project for federated access, with over 1,000 sites globally deploying it. Its open-source nature and widespread adoption, coupled with its core component OpenSAML being an Apache-licensed library, have led to its integration into numerous other open-source and commercial SAML products. The project's focus on SAML 2.0 aims to provide robust interoperability. A key aspect is the development and promotion of common policies and technical standards within the federation. This includes standardizing attributes through the widely adopted EduPerson schema, which defines a common vocabulary for inter-organizational identity information in higher education. Furthermore, the concept of Levels of Assurance (LOA) is critical, driven by requirements from entities like the US federal government, ensuring that different levels of identity verification are available for varying risk scenarios. InCommon provides a framework for these policies and standards, enabling member institutions to participate in the federation without needing to establish separate agreements with each service provider.

User-centric identity and the role of InfoCard

The discussion also touches upon user-centric identity, where individuals have more control over their digital identity rather than it being solely tied to specific applications or organizations. Key aspects of user-centric identity include the notion of 'owning' one's identity and controlling information flow. While OpenID is mentioned as a popular user-centric approach, its suitability for high-assurance use cases is questioned. Internet2, though supporting OpenID for certain scenarios, is particularly enthusiastic about InfoCard, a technology that allows for 'smart software' in browsers to manage sign-ons and attribute exchange. They intend to integrate InfoCard support into Shibboleth, aiming to replace or supplement current browser-based redirection flows with an InfoCard-based approach, leveraging the existing federated infrastructure. This approach is seen as a promising way to advance internet identity by enabling more intelligent and controlled interactions.

International adoption and diverse federation models

Federations are not limited to the US; significant growth is observed internationally. While the US approach via InCommon focuses on a more distributed, per-campus model, European national research and education networks (like Switch in Switzerland) have often achieved broader coverage through centralized national support structures. Despite these differences in implementation and software (e.g., Norway using a commercial Sun product), international interoperability is a key goal. This is facilitated by shared standards and common challenges, such as serving licensed library content and integrating with providers like Elsevier. The presentation shows examples of national federations in countries like Switzerland achieving near-complete coverage in their higher education sectors, demonstrating the potential of federated identity to simplify access to critical resources.

Levels of assurance and evolving identity requirements

The importance of 'Levels of Assurance' (LOA) is repeatedly emphasized. The US federal government's requirements have been a significant driver in defining these standards. For example, the need to support users with disabilities led to the inclusion of specific attributes in the EduPerson schema, such as disability classifications, enabling information to be presented in accessible formats (e.g., braille, vocal readers). InCommon plans to define LOA terms and a certification program to accredit sites for specific levels of assurance. This is crucial for applications that require higher security, such as managing medical records or federal grant information. The structure provided by LOA allows applications to understand the reliability of an identity assertion and manage access accordingly, bridging the gap between casual online interactions and sensitive data management.
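The talk describes LOA and EduPerson attributes in the abstract; the following is an added example (not code from the talk, Internet2, or Shibboleth) of what a relying-party application does with them once the assertion arrives. It parses a constructed SAML 2.0 attribute statement, accepts an eduPersonScopedAffiliation value only if the asserting identity provider is registered for that scope (the check that stops one campus from asserting 'student' at another), and compares the asserted eduPersonAssurance value against the level the application requires. The issuer URL, scopes, and the 'loa-1'..'loa-4' vocabulary are constructed placeholders; real federations publish their own assurance URIs and scope registrations in metadata. Signature validation, replay and audience checks are assumed to have been done upstream by the SP software before this policy runs.

```python
"""Relying-party (service provider) policy over a SAML 2.0 attribute
statement: scope-validated affiliation plus a Level-of-Assurance gate.

Constructed example: issuer, scopes, user and LOA names are invented for
illustration and do not belong to any real federation or institution."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed LOA vocabulary (real federations define their own URIs).
ASSURANCE_RANK = {"loa-1": 1, "loa-2": 2, "loa-3": 3, "loa-4": 4}

# Which scopes each identity provider may assert. In a real deployment this
# comes from the federation metadata, not from a hard-coded table.
REGISTERED_SCOPES = {
    "https://idp.example-university.edu/idp": {"example-university.edu"},
}

# Constructed assertion: note the third affiliation value carries a scope
# this IdP is NOT registered for and must be discarded.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2012-08-22T17:00:00Z">
  <saml:Issuer>https://idp.example-university.edu/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonPrincipalName">
      <saml:AttributeValue>jdoe@example-university.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonScopedAffiliation">
      <saml:AttributeValue>student@example-university.edu</saml:AttributeValue>
      <saml:AttributeValue>member@example-university.edu</saml:AttributeValue>
      <saml:AttributeValue>faculty@other-university.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonAssurance">
      <saml:AttributeValue>loa-2</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return (issuer, {attribute name: [values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS).strip()
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip()
                  for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return issuer, attrs


def accepted_affiliations(issuer, attrs):
    """Keep only scoped affiliations whose scope the issuing IdP may assert."""
    allowed = REGISTERED_SCOPES.get(issuer, set())
    kept = []
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.partition("@")
        if sep and scope.lower() in allowed:
            kept.append((affiliation, scope.lower()))
    return kept


def assurance_level(attrs):
    """Highest recognised assurance rank asserted; 0 when none is asserted."""
    ranks = (ASSURANCE_RANK.get(v, 0) for v in attrs.get("eduPersonAssurance", []))
    return max(ranks, default=0)


def authorize(assertion_xml, required_affiliation, required_loa):
    """Decide access: (allowed, reason)."""
    issuer, attrs = parse_attributes(assertion_xml)
    affiliations = accepted_affiliations(issuer, attrs)
    loa = assurance_level(attrs)
    if not any(aff == required_affiliation for aff, _ in affiliations):
        return (False, "affiliation %r not asserted under a registered scope"
                % required_affiliation)
    if loa < required_loa:
        return (False, "assurance loa-%d below required loa-%d" % (loa, required_loa))
    return (True, "ok")


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION, "student", 2))   # course portal
    print(authorize(SAMPLE_ASSERTION, "faculty", 1))   # foreign scope, denied
    print(authorize(SAMPLE_ASSERTION, "student", 3))   # records app, denied
```

The two denials illustrate the two distinct controls the talk's framework relies on: the federation metadata says which institution is authoritative for which scope, and the assurance level says how much the application may rely on the identity behind the assertion.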

Collaboration tools and group management

The presentation shifts to collaboration, observing that higher education collaborations often involve a complex mix of tools like wikis, mailing lists, chat, and video conferencing. Managing access to these disparate tools for virtual organizations supporting collaborative activities can be a significant burden. Internet2's 'CoManage' project aims to address this by integrating group and privilege management tools, enabling richer access control for collaborative resources. The goal is to demonstrate how this can improve management of access, support virtual organizations, and integrate with services like Google Apps for Education, allowing users from different institutions to collaborate seamlessly. The challenge lies in ensuring applications can understand and function within this federated environment, moving beyond simple identity assertion to managing privileges and access within complex collaboration scenarios, as exemplified by issues encountered when integrating federated identity with desktop applications like SharePoint.

Bridging the gap between federated and open identity models

While robust federations are being built for high-assurance use cases, the need for more promiscuous interactions in research and education is acknowledged. This involves connecting researchers and educators globally based on shared interests, often requiring simpler, less contract-heavy mechanisms than traditional federations. The challenge is to bridge the gap between these elaborate, high-value federations and the need for loose, collegial collaboration. The speakers note that while OpenID may serve some initial use cases, its security and scalability for certain academic activities, like protecting research data, are questioned. They suggest that a hybrid approach, potentially integrating OpenID with federated identity or other management systems, might offer a path forward, allowing for flexible yet secure interactions across different contexts.

The future of identity and collaboration

The session concludes by emphasizing the evolving landscape of identity management and the potential for innovative integrations. The conversation between federated identity, user-centric approaches, and the broader internet application space is ongoing. The speakers highlight the importance of universities acting as authoritative sources for certain attributes, such as 'studentness,' which is crucial for services catering to students and managing requests efficiently and securely. The regulatory environment (HIPAA, GLBA, SOX) also underscores the need for an infrastructure that supports robust identity management while remaining flexible enough for social networking contexts. The long-term vision involves diverse identity tools working together, possibly under a common veneer, to support a wide range of interactions, from sensitive governmental applications to open academic collaborations. Google's interest in this space, particularly their work with Internet2 and Microsoft, signals a significant push towards developing and leveraging this identity infrastructure.

Internet Scale Identity: Key Considerations

Practical takeaways from this episode

Do This

Embrace multilateral federations for community-wide identity management.
Support user-centric identity models focusing on ownership and information flow control.
Address varying levels of assurance (LoA) for different applications and user groups.
Standardize attributes like 'EduPerson' for interoperability across institutions.
Externalize identity management within applications to function in a federated world.
Consider how to integrate different identity protocols like OpenID and federated identity.
Leverage universities' established reputation for building trust in online activities.
Develop infrastructure that supports collaboration tools by managing groups and privileges.

Avoid This

Rely solely on bilateral commercial identity federation services for long-term solutions.
Assume a one-size-fits-all identity scheme will work for diverse university populations (alumni, faculty, researchers).
Neglect the importance of policy and legal arrangements in federation setup.
Overload email as an identity mechanism; prefer mechanisms like URLs or dedicated identity protocols.
Underestimate the value of university affiliation in establishing online reputation and expertise.
Ignore regulatory requirements like HIPAA and Sarbanes-Oxley when designing identity infrastructure.

Common Questions

What is Internet2 and its Middleware Initiative? Internet2 is a consortium of universities that facilitates high-speed networking and research. Within it, the Middleware Initiative focuses on promoting best practices and new approaches for identity and access management for universities and partners.
