24 March, 2009

Federating Identity to Support Collaboration in the CIC

  • Rahul Doshi, Lead Analyst / Programmer, Indiana University
  • Timothy D. Newcomb, Network Analyst, Committee on Institutional Cooperation (CIC)
  • Marko Stojkovic, Information Technology Specialist, Committee on Institutional Cooperation (CIC)

Federated identity allows collaboration between schools in the Committee on Institutional Cooperation (CIC) via a Microsoft SharePoint instance. The process started in spring 2008; all CIC member institutions joined InCommon (UNL is a member of InCommon). They migrated their SharePoint instance to authenticate against Shibboleth by February. They use ASP.NET forms authentication with Shibboleth, which refers back to a SQL membership database that contains users and roles. They use a "lazy session" in Shibboleth and eduPersonPrincipalName as the username, which is their most important factor. They still use direct authentication for non-federated users.

Shibboleth was chosen over upcoming standards like Microsoft's Geneva because it already exists, and many of their schools were already members of InCommon. As things evolve, this could change if it makes sense.

From the user side, users hit the service, choose their institution, authenticate, and then the system checks whether they are authorized. If they authenticate but do not yet have a role, they see a form and can request access. There is a role management interface that appears to be manual. Roles are grouped, which makes it easier to manage blocks of users and permissions.
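The access flow described above (lazy session, eduPersonPrincipalName as the username, roles held in a SQL membership database and managed in groups) as an added Python example; this is not the CIC's SharePoint code. It assumes the Shibboleth SP exposes the attribute to the application under the id `eppn`, and it uses an in-memory SQLite database with constructed sample users in place of the real membership database.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

def build_membership_db() -> sqlite3.Connection:
    """Constructed stand-in for the SQL membership database (users, groups of roles)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users       (eppn TEXT PRIMARY KEY);
        CREATE TABLE user_groups (eppn TEXT, grp TEXT);
        CREATE TABLE group_roles (grp  TEXT, role TEXT);
    """)
    db.executemany("INSERT INTO users VALUES (?)",
                   [("alice@example.edu",), ("bob@example.edu",)])
    # Alice belongs to a role group; Bob is a known user with no group (and so no roles).
    db.execute("INSERT INTO user_groups VALUES (?, ?)", ("alice@example.edu", "library-directors"))
    db.executemany("INSERT INTO group_roles VALUES (?, ?)",
                   [("library-directors", "read"), ("library-directors", "edit")])
    return db

@dataclass
class Decision:
    action: str                     # "login", "request_access" or "allow"
    eppn: Optional[str] = None
    roles: tuple = ()

def roles_for(db: sqlite3.Connection, eppn: str) -> tuple:
    """Effective roles = union of the roles carried by the user's groups."""
    rows = db.execute(
        "SELECT DISTINCT g.role FROM group_roles g "
        "JOIN user_groups u ON u.grp = g.grp WHERE u.eppn = ? ORDER BY g.role", (eppn,))
    return tuple(r for (r,) in rows)

def authorize(sp_attrs: dict, db: sqlite3.Connection, required_role: str) -> Decision:
    # sp_attrs stands for the attributes the Shibboleth SP itself exposes to the application
    # (server variables / headers it populates); never read them from raw client headers.
    # Lazy session: an unauthenticated request simply arrives with no eppn, and the
    # application decides whether to send the user to the institution picker and IdP.
    eppn = (sp_attrs.get("eppn") or "").strip()   # attribute id "eppn" is an assumption
    if not eppn:
        return Decision("login")
    roles = roles_for(db, eppn)
    if required_role not in roles:
        return Decision("request_access", eppn, roles)   # authenticated, not yet authorized
    return Decision("allow", eppn, roles)

if __name__ == "__main__":
    db = build_membership_db()
    for attrs in ({}, {"eppn": "alice@example.edu"}, {"eppn": "bob@example.edu"}):
        print(attrs, "->", authorize(attrs, db, "edit"))
```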

Next steps are to facilitate the development of a CIC-wide attribute release standard. They are also looking at federating more CIC-wide applications.
