Ready The Pipes
Experts say the future of federated identity management lies in the integration of academic and consumer apps—and now is the time to get the infrastructure in place for convergence
- By Katherine Grayson
- 03/01/10
IF THERE’S ANYONE IN THE ACADEMIC IT ARENA
taking seriously the possibility that campus identity management
(IdM) may one day meld with consumer apps, it’s Nate Klingenstein,
one of the founding members of the Shibboleth Project (the open
source project providing architecture and policy structures for managing
single sign-on access to resources).
Such convergence means students and faculty accessing next-gen
applications with single sign-on—which, now more than ever, has
become a user expectation. “I see a world where a student accesses a social
application using his Facebook identity, and that ID is connected to the
university, using federated identity as ‘plumbing,’” Klingenstein explains.
“That way, the student can use the social app as a recognized member of
the university, and, in the process, provide the institution with information
about his progress in his coursework.”
Yet, he stresses, a vital question is: Which entities will have control over
users’ personal data (otherwise known as attributes or credentials), and how
much information is the campus willing to let other entities—possibly commercial
vendors—share? (See “Sharing Data With Social Apps” on page 26.)
Undoubtedly, that question is one of the snags holding up campus/consumer
federated IdM convergence. Meanwhile, though, students are moving quickly
to access myriad resources—social or otherwise—in their quest to share
information with peers, and they don’t like grappling with dozens of IDs and
passwords. What’s more, it’s often impossible to separate their access needs
into personal, social, or academic categories because the lines are frequently
blurred, even within a single communication. For instance, new tools such as
Google Wave (which enables real-time communication and collaboration via
instant message, document sharing, and other services) have the potential to
bridge academic and consumer worlds—making it that much more important
for campus IT shops to prepare for convergence.
Convergence Ahead
In fact, a recent Chronicle of Higher Education
blog post (www.chronicle.com/
blogPost/could-google-wave-replacec/
8354) posited that Google Wave could
replace the traditional course management
system (CMS). While that’s not
likely to happen anytime soon, now is the
time for campuses to get the identity management
infrastructure in place for the
converged future that Klingenstein considers
inevitable. The key link between
the university and the social or consumer
application is a strong campus federated
IdM system, he stresses. “Those attribute
pipes need to be in place on campuses,”
he says. “If we don’t build the pipes, we
face two unsavory alternatives:
“One, the new tools [that kids want to
use] can’t be available in the campus
learning environment.” (That is,
because the campus will not allow its
constituents’ personal data to end up in
the hands of third-party services.)
“Or, two, the quality of student information
and the ability of the university to
manage things like grades and the student
base will erode.” (This, if the campus
does permit the integration of third-party
applications, yet surrenders personal data
control because it lacks its own robust
capability to manage that information.)
Simply put, says Klingenstein, “If we
don’t build the pipes, we end up with a
bad learning environment or bad ID
management—one or the other.”
Sharing Data with Social Apps
IN INTERNET GURU Nate Klingenstein’s vision of campus/consumer federated identity management
(IdM) convergence, a student will be able to use his favorite social applications as a recognized
member of his university, and, in the process, provide the institution with vital information
about how he is progressing in his studies. Converged federated IdM, Klingenstein asserts, will
enable a two-way conduit of essential information. Here’s how he describes that vision:
In this kind of setup, the university hands off to the identity management entity authoritative
information (credentials or attributes) about the student and, in return, the institution can fulfill its
mandate more effectively: It can get a timely, ongoing snapshot of just how well that student is
doing in his college studies as he shares, collaborates, and makes use of third-party learning
applications and other resources to further his coursework.
That, of course, is the dream. Yet there’s a vendor dream too, Klingenstein points out: All those
third-party social application providers, such as Facebook, Yahoo!, Google, and Twitter, would love
to get their hands on student (and faculty/staff) information. After all, there’s money in them thar
attributes, and commercial vendors can do a lot with the personal data handed to them.
In addition, watching the vendors’ movement toward federated identity management certainly
is a smart thing to do, he advises, especially as consumer interfaces converge with each other.
For instance, Yahoo!’s Project Rushmore is integrating the company’s many properties (e-mail,
Flickr photo sharing, etc.) with Facebook Connect, a move that will allow Yahoo! users to view
their Facebook feeds on the site (and vice versa). And as vendor sign-ons become more and
more federated for users, students’ “one-button sign-on” expectations will only become more
pronounced. After all, “We don’t get first crack at students,” he notes. “They show up on campus
with accounts in Facebook, Yahoo!, iTunes, Google, and the like.”
Klingenstein concedes that there are a lot of privacy and trust questions involved in such
campus/consumer convergence (including issues around FERPA [the Family Educational Rights
and Privacy Act], which confers to students and parents certain rights regarding students’ education
records), but he also points out that many of those trust issues already have fallen by the
wayside as campuses provide exciting new tools for students and faculty. And, the availability of
highly attractive tools and services grows exponentially each year.
“If we want to preserve both student privacy and traditional academic liberties, we need to
understand and shape our relationship with the social applications now,” he warns. There’s no
ideal, he admits, but academic technology innovation marches on, and so does student expectation.
“The best thing we can do? Form intelligent partnerships.”
UNC: ‘Future Proofed’
One institution with strong tech leadership
in identity management is the
University of North Carolina system.
From his Chapel Hill base, Director of
Online Services Steven Hopper explains,
“Authentication is the baseline for any
application anyone ever writes. You
always need to validate that the individual
user is who he says he is.”
But it wasn’t long ago that the UNC IT
folks were facing the same authentication
challenge over and over again, each
time a constituent school started using a
new application or vendor. “Every vendor
was a brand-new situation, solved
again and again, and all the solutions
were different,” recalls Hopper. All of
the customization time was astoundingly
cost- and labor-intensive, he admits.
“We realized that if we standardized on
the [identity management] technology,
we would have all the pipes built.”
He goes on to explain that ever since
UNC’s attribute pipes were constructed
on the Shibboleth SAML2 (security and
assertion markup language) standardized
platform, there’s been no need to reinvent
the wheel and rewrite code for every new
third-party application that comes along.
“The pipes are in place, and we just fill
them with water. Adding on new services
is now simply incremental, not from the
ground up each and every time.”
So, what about the convergence with
consumer Web 2.0 apps? “Moving [our
identity management] out to Google and
the rest is now easy,” claims Hopper.
“All of those providers are using the
exact same technology, and the power of
that makes everything we do, going forward,
much more standard and much
more supportable.” He notes that many
of the UNC system campuses have chosen
the Microsoft Windows Live higher
ed services, plus Google Mail and Apps.
In those situations, he maintains, academic
and consumer federated IdM convergence
simply makes sense.
“Our UNC vision is to interoperate
among our 16 constituent schools and
our third-party providers, government
applications, and library resources. And
it all boils down to having Shibboleth
SAML2,” says Hopper.
For the layperson, he explains that federated
IdM via SAML2 is light years
beyond LDAP (lightweight directory
access protocol), the previously existing
means for accessing information directories
such as organizations, individuals,
phone numbers, and addresses. For universities,
he points out, there have been
real problems maintaining ownership of
credentials via LDAP.
Before SAML2, “If a campus wanted
to implement LDAP, it would have to
open its firewalls to each and every
third-party vendor, creating major holes
in those firewalls. When a student supplied
credentials, the third-party service
provider would read those attributes and
pass them on.” The danger, says Hopper,
is that no one would have any way of
knowing what that provider would do
with those attributes. “There wasn’t
even control to audit the credentials and
see what was going on. Sure, you could
set up auditing and security measures,
but that was very cumbersome.”
Now, standardized on Shibboleth
SAML2, the setup is just the opposite,
he says. “Instead of the user giving his
credentials to, say, Google, he gives his
credentials to the campus that issued
them—there’s no third-party provider
handling those attributes.” (For more
info on how Shibboleth works, see
“Mutual Trust,” CT February 2008;
www.campustechnology.com/articles/
2008/02/mutual-trust.aspx.)
Hopper is quick to confess that cost
savings and an urgent need to streamline
a spinning-out-of-control authenticationwriting
process were behind UNC’s
move to federated IdM. The man-hours
saved for development and solution customization
have been “incalculable,” he
confides, and have greatly outweighed
the Shibboleth software (and any associated
hardware) expenditure.
Yet there was an equally important
motivation: “Sure, we did this to make
things easier and save money,” Hopper
says, “but we also did it to ‘futureproof’
ourselves. Federated IdM sets us
up to quickly respond to new offerings
in the marketplace, and even gain a
competitive edge. Mostly, we’re putting
ourselves in the best possible strategic
position. Whatever comes along, we can
meet it in a more efficient way.”
UNC has made a strong commitment
to keeping the federated IdM infrastructure
going, notes Hopper: “We’re now
using federated IdM as part of our RFP
[request for proposal] process with vendors.”
This means that when UNC’s larger
campuses make major application
buys, other constituent schools will be
able to make use of those apps via the single
sign-on capability that runs across all
16 campuses in the UNC system. All in
all, UNC’s Shibboleth-enabled federated
IdM system has been so successful that
the UNC systemwide security committee
is formally recommending that going forward,
all third-party apps be required to
be Shibboleth-compliant.
Hopper offers the following advice to
other campus tech leaders grappling
with their own federated IdM initiatives
(or considering such a prospect):
Get over the hump to do something.
Most schools won’t move full-throttle
into federated IdM until a champion is
found and internal marketing takes off.
Find someone who understands the
technology but can handle the political
piece, as well. Then put together a solid
strategic plan and nail down the right
deployment approach.
Standardize on the technology to
authenticate. Don’t create authentication
over and over again for every new app or
for every new constituent-school need.
Use open-standards federated IdM technology
to solve that challenge once, and
every new challenge will be incremental.
Set policy before releasing credentials,
and make sure you audit it. For
example, says Hopper, “As part of our
policy framework, every user’s attributes
are passed through the user’s web
browser. If a student wants to access a
third-party resource and that resource
requests a particular attribute, because
of the user’s web browser setup we can
send him a message: allow or disallow?
That way, the student has the control
over his own privacy.”
Find the critical application that has
to happen—then use it as a catalyst to
launch the federated IdM initiative. “My
first weeks on the job, the CIO discussed
federated IdM but nothing happened for
four years; it was an abstraction that no
one saw as urgent.” Then, says Hopper,
an inter-institutional registration system
came along (enabling students to take
courses at other UNC campuses) and “we
had to verify that UNC students were who
they said they were. This finally gave me
the leverage to say, ‘We’re going to do it!’”
USC: It’s All About Trust
At the University of Southern California,
converged federated identity management
is a strategic goal—one that’s
being approached with caution. Identity
Services Architect Brendan Bellina
describes the institution’s efforts to
move its seven-year-old identity and access management (IAM) system
toward federated IdM: “Our IAM works
toward the vision of a single master
identity record for each person.”
Many departments are involved in the
move to federated IdM, he says, and each
year the number of new services offered
to students, faculty, and staff—some
internal, some external, and all requiring
robust identity management—has
exceeded that of the prior year. USC has
been at the forefront of schools enriching
their technology offerings with external
services such as iTunes U and Google
Apps, and as a result federated IdM can
be “daunting,” Bellina admits.
“In light of the growing use of consumer
and user-centric IDs, one challenge
will be determining what roles these
[external] identities that are presented to
the university will play,” he says.
“In today’s USC environment,” he
explains, “members of the community are
assigned identifiers that are scoped to the
institution. A student has a USC-scoped
e-mail address, for example. That address
is assigned by the university and can be
trusted by faculty, staff, and other students.
There are ways to ascertain the
validity of such addresses and ways to
track their use, and these identifiers often
are how students are known within the
electronic services they use.” In contrast,
consumer e-mail addresses, commonly
used as identifiers to access external
applications, lack that institutional validation.
“Though the use of consumer
identities to access valuable applications
can certainly enrich the learning process,
there is the issue of trust,” Bellina points
out. Any system mistrust of identity
would block access to the needed app,
and “that would lead to restrictions in services,
and adversely affect the academic
experience,” he suggests.
Still, “Students coming into the universities
today use their engagement in
online communities as support systems,
knowledge bases, and sounding boards,”
he acknowledges, conceding the new
learning impact of what once were seen
as strictly social or consumer applications.
“At USC we’re investigating how
communities like these can be leveraged
in the educational setting. We’ve looked
at wikis, blogs, and virtual reality
engines.” And Bellina’s team is carefully
assessing the identity management issues
inherent in their use across the university.
Sharing the management of personal student
data with third-party providers presents
a real issue for USC.
Learn More
TO HELP YOU in your move to federated identity
management (IdM), Greg Monaco, Great Plains
Network (GPN) director for research and cyberinfrastructure,
offers the following advice and
resources. GPN is a consortium of 23 colleges
and universities in the Great Plains states,
whose initial mission has been to provide highperformance
network services to institutions in
the region. Topping GPN’s to-do list: the enhancement
of inter-university network infrastructure,
including federated IdM.
- Take advantage of Shibboleth training
(contact [email protected] for details). “The
Shibboleth team provides excellent education and
makes it possible for you to come away with working
models,” says Monaco. Then, designate your
own trainers to spread the word internally.
- Use a wiki as proof of concept. The GPN wiki
(collaboration.greatplains.net), which allows consortium
members to share info about the latest GPN
projects and resources, also provides a way for users
to experience how federated IdM really works: GPN
schools have the option of logging on to the site via
Shibboleth. Says Monaco, “Federated IdM is not the
same when you have to describe it. Once GPN members
see it working, they say, ‘Wow!’” If you’re trying to
market your own federated IdM pilot internally, consider
this kind of hands-on tool.
- Watch the demo. See Shibboleth in action! Go
to shibboleth.internet2.edu/demo/shib_demo.html.
“Before any institution is comfortable
allowing established social networks to
extend into its space,” Bellina asserts,
“each has to be investigated as an isolated
instance. If a trust model can be established
between the consumer identity
provider and a university such that sensitive
information no longer needs to be
shared in order to establish identity, then
that will be a win for everyone.” However,
he says, there will remain many reasons
why sensitive information must be
available to a university, and many reasons
why someone—a researcher, for
instance—won’t want to share that information
with a consumer identity provider.
Bellina, for one, is a staunch proponent
of a strong campus IAM system—with or
without federation. Yet he also sees the
advantages of federated identity management,
with or without allowing commercial
identities to access the institution’s
services. But, “Transitioning institutions
away from [their own identity records]
to reliance upon commercial identity
sources is going to be disruptive to some
degree,” he maintains, adding, “It’s reasonable
that an institution might even fear
long-lasting impacts of doing so.”
Bellina suggests that schools hesitant
to commit to campus/consumer federated
IdM—or schools and systems looking for
help federating identity management
across an entire system or campus—consider
jump-starting such initiatives with a
strategic “policy-plus-federations” plan.
“For schools considering a federated
identity management initiative, the use of
federations such as InCommon to provide
services has proven to be very beneficial.
And I strongly recommend establishing
an identity and access management governance
function. This will help to ensure
that as you move forward, the technology
implementation will not determine policy,
and that the appropriate policymakers
at the institution are fully engaged. Make
this the foundation upon which you build,
and—whether you eventually move
toward the convergence of campus and
consumer identity management or not—
you will be more likely to succeed.”