IAM Online

Watch the Video
What would it take to rid the world of passwords? This question has been asked for many years and led to standards like U2F, UAF, FIDO2, and WebAuthn. We’re now in 2022, adoption is still low, and 2FA phishing is on the rise. As an industry, we have all the pieces and plumbing, so how do we enable strong, phishing-resistant authentication for the masses who don’t have security keys?

We’ll look at the evolving landscape for strong, phishing-resistant authentication and take a deep dive on passkey—the experiences it enables and the standards that are making it possible. We’ll also have an open discussion on what this means for the education community.

Speaker: Tim Cappalli, Identity Standards Architect, Microsoft Identity

Moderator: Heather Flanagan, Technical Liaison for SeamlessAccess and Principal at Spherical Cow Consulting

Watch the Video
Identity and Access Management (IAM) is a core component of an institution’s technical infrastructure. However, the journey of determining your path toward successful IAM implementation can be overwhelming at times. That’s where the Collaboration Success Program (CSP) comes in to help. Whether you are just starting to brainstorm your lAM roadmap or you’re ready to move your implementation plans forward, we have you covered with the CSP. Our presenters shared their experiences with how the program is helping them to achieve their IAM goals.

Watch the video

In an ever-changing higher education landscape, trust and identity are vital components for managing how researchers, students, librarians, staff, and others are identified, authenticated, and authorized to access tools and resources vital to their jobs. At the helm, those in information technology leadership positions are posed with an immense question – how do I make that happen at my institution? This in-depth webinar was held with chief information officers who have implemented identity and access management (IAM) solutions for strategic connections and collaboration across their campuses and beyond. They discussed how their IAM journey started, innovative solutions implemented by their teams, and what the future holds in the realm of identity.

Moderator: Kevin Morooney, vice president for Trust and Identity Services & NET+, Internet2

Panelists*:

Bernard Gulachek, vice president and chief information officer, University of Minnesota

Dave Robinson, chief information officer, Grinnell College

Watch the video

This month’s IAM Online event consisted of Higher Education Community Vendor Assessment Toolkit (HECVAT), which is an outstanding example of “community good.” Begun in 2016 as the EDUCAUSE Shared Assessments Working Group, the HECVAT has morphed into the go-to toolkit for third-party, cloud, on-prem, and supply chain risk assessments in higher education. This year, 2021, is a transformational year for the HECVAT. The HECVAT team partnered with InCommon TAC on updating the HECVAT questions in 2021. IAM Online this month went over HECVAT, the IAM questions, and how the InCommon Community can engage with their campuses on the cloud.

Speakers: Jon Allen, Associate Vice President CIO & CISO – Baylor University;
Josh Callahan, Information Security Officer – Humboldt State University;
Charlie Escue, Manager, Extended Information Security – Indiana University;
Brian Kelly, Cybersecurity Program Director – EDUCAUSE;
Nick Lewis, Program Manager, NET+ Cloud Services – Security and Identity – Internet2;
Mary McKee, Director, Identity Management and Security Services – Duke University.

View the presentation | Watch the video

Over the last few years, we have all observed how browsers have stepped up to support user privacy. Unfortunately, that is coming at a significant cost for things like Single Sign-on and Federated Identity. In this session, we talked about the latest changes, timelines, and how individuals and organizations can learn more and prepare their services for the changing landscape.

Speaker: Heather Flanagan, Technical Liaison for SeamlessAccess; Principal at Spherical Cow Consulting

For this month’s IAM Online, we provided sessions from from CAMP WEEK held Oct. 4-8, 2021. These videos were available for viewing in lieu of live programming:

Hosted Solutions, Federation Adapters, Evaluating Cloud Solutions

NIH and You: MFA, Identity Assurance, and Coming Requirements

View the recording | Download the slides

Are you wondering how some of the decisions are made for the products and services coming out of InCommon? Would you like to get more involved or just learn about upcoming plans and how to provide input? In this IAM Online, that’s exactly what you’ll learn about. Presenters sthe work plans and upcoming projects from each of the InCommon working groups and ways that you can be part of the action.

View the recording | Download the slides

Trust and security are what we live and breathe in our community. Many will recall the SolarWinds incident from late 2020, and the discussion of “golden tickets” and other downstream impacts that permeated the cybersecurity world. Members of the Internet2 Community Architecture Committee for Trust and Identity (CACTI) held an R&E community-focused discussion on impacts and paths forward, including what the community can do to help itself prevent these types of attacks against our own software, infrastructure, and deployments.

View the recording | Download the slides

In this IAM Online session, Jim Basney and Scott Koranda from the CILogon project at the University of Illinois provided an introduction to the current CILogon open source IAM-as-a-Service platform (using COmanage, Grouper, pyFF, SATOSA, and Shibboleth) and described CILogon’s multiple cloud provider integrations for NSF CloudBank and CILogon’s Gen3/GA4GH integrations for Australian BioCommons, in collaboration with the Australian Access Federation.

• Download the slides
• View the recording

This online event featured IAM super trio Tommy Doan of Southern Methodist University; Lacey Vickery of the University of North Carolina-Charlotte; and Keith Wessel of the University of Illinois-Urbana-Champaign. They shared how the Collaboration Success Program helped them to make headway on their recent projects and roadmaps.

• Download the slides
• View the recording

Wednesday, May 12, 2021

The National Institutes of Health (NIH) has publicized new requirements (MFA and Research & Scholarship attributes) for accessing its electronic Research Administration modules, but has also signaled coming changes to identity proofing and assurance for other applications; specifically using the REFEDS Assurance Framework (RAF v1) (https://refeds.org/assurance).

As a result, the InCommon Assured Access Working Group (AAWG) has developed guidance for US higher-ed institutions on meeting the REFEDS Assurance Framework. The May IAM Online provided a summary of the recommendations so you can begin working on your own campus on increasing your identity assurance and meeting new requirements from NIH programs and services.

Presenters

Brett Bieber, University of Nebraska; chair, InCommon Assured Access Working Group
Tom Barton, University of Chicago and Internet2

Download the slides

View the recording (YouTube)

The April IAM Online features a discussion of new and ongoing requirements for federating with the National Institutes of Health, and a look at an InCommon working group developing related guidance on identity proofing and authentication requirements.

1. Use multi-factor authentication – NIH has announced a requirement to use multi-factor authentication for its electronic Research Administration module, effective September 15, 2021. Speakers will address why it is important to implement MFA and allow your faculty and researchers to use their federated home credentials with this and other NIH applications.
2. Adopt the Research and Scholarship Category – While required by NIH for a year, learn why adopting the Research and Scholarship category and releasing three directory information data elements will help with both NIH and other research services.
3. Demonstrate level of identity proofing and assurance – While there is no deadline set yet, NIH has signaled that some applications will require identity providers to demonstrate a certain level of identity proofing and assurance.The InCommon Assured Access Working Group is developing guidance to help academic institutions implement the REFEDS Assurance Framework, which NIH has chosen to support their identity-proofing and authentication requirements.
   

• View the video (YouTube)

The March IAM Online webinar featured an overview and discussion of the newly minted eduroam (US) Best Practices Guide, produced by the eduroam-US Advisory Committee. The guide examines tools and strategies for deploying and running eduroam in an interoperable and scalable way. Authors of the guide discusseds the origins, development, and content of the guide.

Presenters
Andrew Buker, University of Nebraska
Jeff Egly, Utah Education and Telehealth Network
Rob Gorrell, University of North Carolina at Greensboro
Neil Johnson, University of Iowa
Kim Owen, North Dakota State University
Mike Zawacki, Internet2, moderator

• Slide deck (PDF)
• Recorded session (links to YouTube)

Are you considering reorganizing, reorienting, or expanding your IAM team? Or would you like to make that case?

Tune in to the February IAM Online and hear how and why the University of Minnesota expanded its Identity and Access Management team from three to eighteen and counting. From CIO Bernie Gulechek to the IAM boots on the ground, you’ll hear about the organizational journey and experience the highs and lows of our evolving structure. Even if you aren’t thinking about this right now, the webinar could spark ideas on how your campus team could be organized.

Presenters
Christopher Bongaarts, Identity and Access Management, University of Minnesota
KT Cragg, Product Owner, Access & Active Directory Teams, University of Minnesota
Bernard Gulechek, VP and CIO, University of Minnesota
Kevin Morooney, Internet2 (moderator)

• Download the slides
• View the recording

The National Science Foundation has announced another Campus Cyberinfrastructure funding program and it again includes InCommon Federation requirements. Are you planning to respond to the National Science Foundation Campus Cyberinfrastructure (CC*) solicitation? Looking to better support inter-institutional academic collaboration? Would you like information on including federation capabilities to your cyberinfrastructure plans?

If you answer “yes” or even “maybe” to any of these questions, join us for a webinar to learn more about developing Campus Cyberinfrastrcture (CI) plans and how to support the InCommon Federation requirements. Three organizations will share their previously funded CI plans.

Presenters

Tom Barton, University of Chicago and Internet2
Klara Jelinkova, Vice President for International Operations and IT, Rice University
Marc Wallman, Vice President for Information Technology, North Dakota State University

Download the slides (PDF)
View the recording (YouTube)

Everyone has wrestled with the various aspects of COVID-19, including reopening of campuses and businesses and the resulting need for testing and tracing, and related concerns such as building access and monitoring. The University of Illinois built the Safer Illinois application to support the university community during COVID-19. The app features personalized testing locations and results, verification of building access, and optional alerts to notify an individual of possible exposures.

Presenters

Edward Delaporte, Manager, Cybersecurity Software Development & Assurance, University of Illinois
Isaac Galvan, Senior Application Developer, University of Illinois
Keith Wessel, IAM Architect, University of Illinois

View the recording (YouTube)

In our new virtual world created by COVID, we have webinars and Zoom calls and virtual conferences, but we don’t have those hallway spaces for people to tell their individual stories on how they got involved in the community and how you can, too.

This IAM Online will focus on the origin stories of our community members: why they got involved and the benefits of working together to solve common issues and challenges. You will also hear about how the IAM community organizes itself through InCommon to explore issues and solutions.

Presenters

Judith Bush, OCLC
Rob Carter, Duke University
Tommy Doan, Southern Methodist University
Rob Gorrell, University of North Carolina at Greensboro
Jon Miner, University of Wisconsin-Madison
Laura Paglione, Spherical Cow Group
Jessica Fink, InCommon/Internet2 (moderator)

• Download the slides (PDF)
• View the recording (You Tube)

How do we hire for Identity and Access Management? The work requires a wide and diverse skillset and the qualified people already have jobs. Additionally, the COVID-19 pandemic has brought new IAM and budget challenges to higher education, so existing employees are being asked to retrain in these areas.

This webinar will dive into hiring people with the right skills to adapt and learn from the CIO perspective, the core skills to get folks started in IAM from the hiring manager perspective, as well as education and training options to bring new hires up to speed.

Presenters

Kirk Kelly, Vice President for Information Technology and CIO, Portland State University
Erica Lomax, Director of Identity and Access, Oregon State University
Jessica Fink, InCommon Advocacy Program Manager
Heather Flanagan, IDPro
Kevin Morooney, Vice President for Trust and Identity and NET+, Internet2 (Moderator)

• Download the slides (PDF)
• View the archived webinar (YouTube)

Wi-Fi access has become critical for universities all over the world. Many research and education organizations have turned to eduroam – the global roaming WiFi service – to help students, faculty, staff, and visitors participate in online learning, research, working, and socializing.

This special edition of IAM Online provides a look at how three organizations have leveraged eduroam to meet these new and emerging needs.

• The Utah Education and Telehealth Network (UETN) recently completed a pilot to provide eduroam at K-12 school districts – a pilot that is now paying dividends
• The University of Florida has deployed eduroam in some public locations to serve its constituents
• The University of Delaware is developing ways to provide enhanced mapping of eduroam hotspots to their community

Attend this IAM Online and learn how these organizations are creatively expanding the use and deployment of eduroam.

Moderator
Mike Zawacki, Internet2

Presenters
Saira Hasnain, University of Florida
Sharon Pitt, University of Delaware
Jeff Egly, UETN

May 13, 2020

• View the slides (PDF)
• View the recording (YouTube) (note – the slides freeze partway through, but audio is available throughout)

Federated access to scholarly content and services for campus users is more important than ever. Campus stakeholders have vested interested in seeing this done well, but often use different language and focus on different aspects of the technology. This webinar will highlight how different groups on campus are approaching support for users and how the scholarly communications industry is using federated technology like SeamlessAccess and GetFTR to enable access.

Moderator
Heather Flanagan

Speakers:
Lisa Hinchliffe – Professor/Coordinator for Information Literacy Services and Instruction in the University Library, University of Illinois at Urbana-Champaign.

Ralph Youngen – In his current role at the American Chemical Society, Ralph focuses both on internal technology strategy and external partnerships for the benefit of ACS Publications and the broader research community.

April 8, 2020

• Download the slides (PDF)
• View the recorded session (YouTube)

Two-factor authentication provides a straightforward way to increase the security of online systems and resources. Implementation may not be as straightforward. Join this IAM Online to hear about the implementation challenges and successes, including adopting the technology, by three community members.

The webinar builds on a recent paper developed by a number of community members through the EDUCAUSE Higher Education Information Security Council, and provides an interactive platform to engage with the authors.

Moderator
Tom Barton, University of Chicago and Internet2

Presenters
Lorrie Burroughs, Georgia Institute of Technology
Hank Foss, Sacred Heart University
Moeen Taj, Montgomery College

March 11, 2020

• View the recorded webinar (YouTube – approximately 36 minutes)
• Download the slides (PDF)

Are you interested in how community-built software and services can solve your identity and access management challenges — such as lifecycle management or easing provisioning and deprovisioning concerns? Learn how organizations are solving these and other challenges in this IAM Online. We’ll bring you three case studies from schools participating in InCommon’s 2020 Collaboration Success Program (CSP).

These organizations have access to training, software experts and (most important) one-another as they work through adoption and implementation. They are using the InCommon Trusted Access Platform, the community-developed identity and access management suite.

You’ll hear about:

• an identity and lifecycle management project and how midPoint will play an integral part
• an access management use case and how Grouper is saving the day
• demonstrating how the software can contribute to the development of a long-term IAM roadmap

Presenters

Tommy Doan, Southern Methodist University
Ethan Kromhout, University of North Carolina – Chapel Hill
Lacey Vickery, University of North Carolina – Charlotte

Moderator

Keith Hazelton, Internet2

February 12, 2020

Download the slides (PDF)
View the archived webinar (YouTube)

Do you wonder where the next set of identity and access management priorities and features come from? Would you like to know what’s in the works for 2020?

Key InCommon advisory groups develop work plans each year, inviting  comments and suggestions from community members. Join us for this IAM Online to hear about the service enhancements that might be coming down the pike.

• The InCommon Technical Advisory Committee (TAC) provides recommendations relating to the operation and management of InCommon Federation with respect to technical issues
• The InCommon Community Trust and Assurance Board (CTAB) represents the InCommon community in trust and assurance related programs and initiatives
• The Community Architecture Committee for Trust and Identity (CACTI) is an  architecture strategy group of community members representing a broad range of education and research.

The chairs of each of these key advisory groups will discuss work plans for 2020 and how those might impact InCommon and the broad identity and access management community.
—–
Moderator
Kevin Morooney, Vice President for Trust and Identity Services and NET+, Internet2

Presenters
David Bantz, University of Alaska (CTAB)
Janemarie Duh, Lafayette College (TAC)
Tom Jordan, University of Wisconsin-Madison (CACTI)

January 15, 2020

• Download the slides (PDF)
• View the recording (YouTube)

Our first IAM Online of 2020 will provide another method of passwordless authentication; this one developed by Duke University.

Duke has integrated its Shibboleth Identity Provider with WebAuthn to allow one-step, passwordless multi-factor authentication. In this session we’ll discuss the evolution of this pilot, including:

• Initial drivers
• Proof of concept
• Early release
• Iterations, the feedback they generated, and resulting changes

For each of these phases, we’ll discuss challenges, lessons learned, and policy decisions that helped us move forward. We’ll wrap up with recommendations about how to make passwordless authentication a reality at your institution, including some thoughts about technical and political challenges and strategies for moving through those issues.

December 4, 2019

• Download the slides
• View the recording

Earlier this year, InCommon participants reached 100% adherence to Baseline Expectations for Trust in Federation, a community-driven effort to raise the trust in the InCommon Federation by requiring certain practices and elements in metadata.

The InCommon Community Trust and Assurance Board (CTAB) has begun plans for the second round of Baseline Expectations. After surveying the community and extensive discussions, CTAB is ready to propose Baseline version 2. Join us to hear about the process and the potential requirements.

Presenters
David Bantz, University of Alaska

Albert Wu, InCommon Federation Service Manager

November 13, 2019

• Download the slides
• View the recording (YouTube)

Capping a multi-year effort to move away from passwords, Stanford University has deployed the final component: client certificates that strongly authenticate both the user and the device. This process is integrated with the university’s Shibboleth identity provider and also requires a two-factor login once every 90 days.

Michael Duff, chief information security officer at Stanford, will describe why the university took this approach and lessons learned during the journey. He will also discuss the underlying systems and key design decisions mode over the six-year project. Join us to hear this story of “safer and simpler computing,” which dramatically improves security and the user experience.

Presenters

Michael Duff, Stanford University
Tom Barton (moderator), University of Chicago and Internet2

October 9, 2019

Download the slides (PDF)
View the recording

What is all the fuss about Docker and containers, anyhow? What are the advantages of using containerized versions of Shibboleth and Grouper provided by the InCommon Trusted Access Platform? Why might you want to “Dockerize” other in-house applications and services? How can you get started?

Learn how the University of Maryland Baltimore County (UMBC) streamlined operations and reduced downtime by moving the Shibboleth Identity Provider from standalone VMs to Docker containers. We’ll discuss what motivated this, how UMBC introduced Docker to its existing environment, how they ultimately transitioned to a container-only deployment, and what’s ahead. Hear about UMBC’s initial roll-out of Grouper using the InCommon Trusted Access Platform and plans to migrate the campus ERP software (PeopleSoft) to containers.

Download the slides (PDF)
View the recording (YouTube)

September 11, 2019

Are you considering moving some or all of your identity management infrastructure to the cloud? Want to know more about using containerized software?

Learn how Illinois chose their path to leverage “the cloud” and their “cloud-first” strategy. The implementation team at the University of Illinois at Urbana-Champaign will share their path to deployment of access management software in the cloud. What started as a Grouper product evaluation led to adapting the InCommon Trusted Access Platform into a continuous integration and continuous development “DevOps” process using low- or no-cost open-source tools.

Hear about the successful deployment of Grouper and planned migration of the  Shibboleth IdP infrastructure to Docker containers in AWS using the Elastic Container Service “Fargate.” This presentation revisits our popular presentation and demo at the 2018 Internet2 Global Summit as an update of sorts with our current state of affairs.

Presenters

Erik Coleman, University of Illinois at Urbana-Champaign
Keith Wessel, University of Illinois at Urbana-Champaign

July 9, 2019

InCommon moves its new metadata service into production on July 9 (as a release candidate for early adoption). This new service – called per-entity metadata or metadata query (MDQ) – will significantly reduce resource utilization on participants’ federation deployments by providing a new way to retrieve metadata.

Download the slides (PDF)

Recording not available

Wednesday, April 10, 2019

• View the recording (YouTube)
• Download the slides

The Shibboleth Consortium is an international non-profit consortium that is responsible for the development, support, maintenance, and strategic direction of the Shibboleth software, which is prevalent in InCommon and federations worldwide.

In the two years since the Consortium was last presented at IAM Online, its membership has grown significantly, largely from US institutions joining. The growth in membership has placed the Consortium on a stronger financial footing, and enabled expansion in the development team.

As we move into the second quarter of 2019, this webinar will provide a short update on the status of the Consortium before moving to present the Shibboleth development roadmap for the next 12 months, seeking feedback from the community of users.

Presenters

• Scott Cantor (Ohio State), Shibboleth Developer and Board Member
• Justin Knight (Jisc), Shibboleth Consortium Manager

March 20, 2019

• View the recording (YouTube)

Are you interested in exploring ways that federation and identity management can be easier for research projects, virtual organizations, and other collaborations? Join us to learn about two new services: CILogon’s subscription federated identity platform, and GÉANT’s eduTEAMS service for managing user membership and access rights.

CILogon’s new subscription service offers a hosted federated identity and collaboration management platform for research projects on campus. Developed under funding from the National Science Foundation and the Department of Energy, CILogon’s open source software-as-a-service platform builds on the Shibboleth and COmanage software.

Leveraging the ubiquitous presence of eduGAIN federated identities, eduTEAMS – a service provided by GÉANT – enables communities to securely access and share common resources and services. Implementing the AARC Blueprint Architecture, eduTEAMS provides a central point for communities to manage user membership and access rights, connect services and identity providers and centrally apply access policies.

Presenters

• Tom Barton, Moderator, University of Chicago and Internet2
• Jim Basney, Senior Research Scientist, National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign
• Christos Kanellopoulos, Senior Trust and Identity Manager, GÉANT

December 12, 2018

• View the recording (YouTube)
• Download the slides

How are trust and identity initiatives shaping the adoption of OpenID Connect (OIDC) and OAuth 2.0 technologies within and for the research and education community? How can home organizations and research projects ensure these technologies deliver what we need for use cases involving multiple institutions? Llearn how InCommon, REFEDS, GÉANT, and others are coordinating efforts to influence the evolution of these technologies, including the creation of a R&E working group within the OpenID Foundation. Attendees will learn practical ways to navigate this landscape, with recommended actions to plan for in 2019.

Presenters

• Rachana Ananthakrishnan, Globus
• Roland Hedberg, Catalogix
• David Vaghetti, Consortium GARR
• Albert Wu, InCommon/Internet2

Moderator

• Nathan Dors, University of Washington

September 12, 2018

• View the recording (YouTube)
• Download the slides

Interested in the Internet2 IAM software suite (a.k.a. TIER)? Planning on deploying or upgrading Grouper? Join us for the next IAM Online, which will focus on the TIER access governance strategy described in the Grouper Deployment Guide, a comprehensive document developed collaboratively by and for the trust and identity community.

Bill Thompson will lead you through these topics and touch on the container-based architecture of the Internet2 TIER packaged software. In addition, Chris Hyzer will touch on the features and changes in the new Grouper release (v2.4).

Presenters

• Chris Hyzer, University of Pennsylvania
• Bill Thompson, Lafayette College

Moderator

• Michael Gettes, University of Florida

August 8, 2018

• View the recording (YouTube)
• Download the slides

Identity Matching is an essential part of any institution’s identity management processes. When a new student or employee enters the system, are they already known from a previous affiliation? What if an error is corrected later in their identity data? How does the system detect possible duplicate identities later? Doing identity matching well is really hard, but preventing duplicate identities or cases of mistaken identity can lead to some sticky situations.

In this IAM Online, you’ll hear from two speakers with ideas to help you improve your identity matching practices. Summer Scanlan will talk about some of the procedures used at the University of California, Berkeley for identity matching and her work to continue to improve them. Ben Oshrin from Spherical Cow Group will explain the technology behind identity matching and give a sneak peek at identity matching work coming out of Internet2’s TIER initiative.

Presenters

• Benn Oshrin, Spherical Cow Group
• Summer Scanlan, University of California, Berkeley

Moderator:

• Keith Wessel, University of Illinois at Urbana-Champaign