This panel session discussed Federated Identity Management and Sharing Resources. The slides are available as a PDF.
I was the moderator for the session. The panelists were:
- Kevin Morooney, PSU, Senior Director, Academic Services
- Kenneth Forstmeier, PSU, Director Office of Research Information Systems
- Mike Grady, UIUC, Sr. Technology Architect & Strategist
- Phyllis Davidson, IU, Interim Assistant Dean for Digital and I.T. Services
Below are the highlights that I took away from the panel.
Penn State University (PSU) has moved a long way down the identity management roadmap. They have two levels of internal authentication: WebAccess for most applications, and SecurID tokens for applications that need a higher level of assurance. They are using Shibboleth to handle federated IdM with several outside service providers.
Kevin listed the many Web 2.0 applications (Flickr, wikis, et al.) as an interesting case that we need to think about. Many of our students and faculty are using these applications. Should the University provide a federated IdM process for its faculty and students to access these applications? Which ones should be brought in house?
Researchers interacting with the federal government need to manage dozens of user accounts and passwords. Each application they use has its own username/password pair and its own password-change policy, and a researcher cannot even keep the same username across these systems. Federation would help with part of this problem, but the solution must also let researchers keep their account information when they change institutions: the researcher must be able to remap their identity with the government to a new set of credentials.
UIUC started looking at using Shibboleth for library content, specifically content providers like Elsevier et al. The contracts with the content providers are often tied to a fixed set of IP addresses and often run for multiple years. Moving to federation would free UIUC to move groups to new IP ranges, since access would no longer depend on the contracted addresses. The flip side is that users who were used to getting in automatically (because they were inside the contracted IP range) would now have to log in to those resources.
UIUC also uses federation intra-institutionally. Federation technology (like Shibboleth) can be used inside the institution to federate between separate identity management systems.
Phyllis presented several interesting use cases for federated identity management. One is “Chat Reference”: the library provides reference support via chat 24 hours a day and would like to share that load with other libraries, each covering some of the hours and so reducing its overall cost. Other use cases involve digitized collections that could be hosted at various institutions but shared among all of them.
IP-based access does not let you control levels of access based on roles; that is another thing that comes with federated identity and access management.
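To make the contrast between the IP-range contracts in the library example and role-based access concrete, here is an added example (my own illustration, not code from the panel, from Shibboleth, or from any of the institutions named). It evaluates the same request under both rules. The attribute names follow the eduPerson schema that Shibboleth deployments commonly release (eduPersonScopedAffiliation, eduPersonEntitlement); the IP ranges, the example.edu scope, the entitlement URN and the sample assertions are all constructed for the example.

```python
"""Contrast IP-range authorization with attribute-based authorization.

Added example for this post; not code from the panel, from Shibboleth,
or from any institution mentioned. Attribute names follow the eduPerson
schema; the IP ranges, scope names, entitlement URN and sample
assertions below are constructed.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed: address ranges written into a multi-year content contract.
CONTRACT_IP_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed entitlement value an IdP would release to library admins.
ADMIN_ENTITLEMENT = "urn:mace:example.edu:entitlement:library-admin"


def ip_access(client_ip: str) -> str:
    """IP-range rule: everyone inside the contracted ranges gets the same
    'read' level, whoever they are; everyone outside is denied."""
    addr = ipaddress.ip_address(client_ip)
    return "read" if any(addr in net for net in CONTRACT_IP_RANGES) else "deny"


def trusted_affiliations(attrs: Dict[str, List[str]], idp_scope: str) -> Set[str]:
    """Return affiliation values whose scope matches the asserting IdP.

    A Shibboleth SP applies the same kind of check through its attribute
    filter: an IdP registered for example.edu must not be able to assert
    'faculty@other.edu', so values carrying a foreign scope are dropped.
    """
    kept = set()
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.partition("@")
        if sep and scope.lower() == idp_scope.lower():
            kept.add(affiliation.lower())
    return kept


def attribute_access(attrs: Dict[str, List[str]], idp_scope: str) -> str:
    """Role-based rule driven by attributes released by a federated IdP.

    Works wherever the user can reach the SP, on or off campus, and
    distinguishes roles that an IP range cannot. eduPersonEntitlement is
    not scoped, so the SP must rely on its attribute filter to limit
    which IdPs may assert ADMIN_ENTITLEMENT at all.
    """
    affiliations = trusted_affiliations(attrs, idp_scope)
    if ADMIN_ENTITLEMENT in attrs.get("eduPersonEntitlement", []):
        return "admin"
    if affiliations & {"faculty", "staff"}:
        return "download"
    if affiliations & {"student", "member"}:
        return "read"
    return "deny"


def compare(client_ip: str, attrs: Dict[str, List[str]], idp_scope: str) -> Dict[str, str]:
    """Evaluate both rules for one request so the difference is visible."""
    return {
        "ip_rule": ip_access(client_ip),
        "attribute_rule": attribute_access(attrs, idp_scope),
    }


if __name__ == "__main__":
    # Constructed assertions, as the SP would see them after SAML decoding.
    faculty_off_campus = {
        "eduPersonScopedAffiliation": ["faculty@example.edu", "member@example.edu"],
        "eduPersonEntitlement": [],
    }
    guest_on_campus_wifi = {"eduPersonScopedAffiliation": [], "eduPersonEntitlement": []}
    forged_scope = {"eduPersonScopedAffiliation": ["faculty@other.edu"], "eduPersonEntitlement": []}

    print(compare("203.0.113.9", faculty_off_campus, "example.edu"))
    # -> {'ip_rule': 'deny', 'attribute_rule': 'download'}
    print(compare("192.0.2.45", guest_on_campus_wifi, "example.edu"))
    # -> {'ip_rule': 'read', 'attribute_rule': 'deny'}
    print(compare("192.0.2.45", forged_scope, "example.edu"))
    # -> {'ip_rule': 'read', 'attribute_rule': 'deny'}
```

The three sample requests show the trade-off the panel described: the faculty member working from home is denied by the IP rule but gets full download rights from the attribute rule, while an anonymous guest on campus Wi-Fi gets read access purely by sitting in the contracted range. The scope check is the piece practitioners most often forget when they hand-roll attribute policy; without it, any IdP in the federation could claim affiliations at any other institution.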
The Q and A
Where do help desk questions go? When a user can’t log in to a resource, who do they call? How do they know who to call? This is negotiated in the SLA between the Service Provider and the Identity Provider. Scott Cantor states that it must be the Service Provider first.
The legal agreements between the Service Provider and the Identity Provider (the consuming institution) need to include agreements on how help desk issues will be handled. That agreement then needs to be communicated to the end users so they know whom to call.
JimPhelps, ITArchitect, IT-Architecture, IdM, IdentityManagement