Federated Identity

InCommon and Shibboleth taken together are an implementation of a federated approach to identity, allowing users to use the local identity assigned by their campus to access services such as academic publications and educational materials, and to collaborate with partners outside the borders of the campus. Shibboleth provides the technological component: it is an implementation for expressing and exchanging identity information between organizations. InCommon provides the policy component, representing agreed standards between participants on technology issues, legal issues and acceptable uses of identity information.

Several federal agencies (e.g., NSF, NIH) have joined InCommon, and national-scale infrastructures such as TeraGrid and OOI are exploring its use. The Committee on Institutional Cooperation (CIC) is leveraging InCommon for its online collaborative workspace. InCommon promises to provide a standard interface to the differing campus identity management systems and to allow outside parties to leverage local identities without needing to understand the nuances of each campus.

Shibboleth is software technology developed by Internet2 that allows organizations to federate identity information. In practical terms, this means a user from one institution can authenticate at their home institution and have the resulting identity (identifier and/or attributes) made available to a second institution for the purposes of accessing resources at that second institution. Shibboleth is commonly used in privacy-preserving applications, where access to resources is granted based on the user's attributes (for example, "University of Illinois student") without requiring disclosure of the user's name or personal information. For example, many universities partner with online content providers to enable students to access journal articles using Shibboleth attributes. Shibboleth implements the SAML Web Browser Single Sign-On protocols, which work well for browser-based applications but do not translate directly to the command-line, complex-workflow, unattended/batch processes that make up a significant proportion of CI computing workloads.
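The attribute-based, privacy-preserving access decision described above, as an added example that is not part of this document or of the Shibboleth project: a service provider grants access on a scoped affiliation (the standard eduPersonScopedAffiliation attribute) carried in a SAML assertion, never asking for a name, and only accepts a scope that the asserting IdP is registered as authoritative for. The entityID, the scope table and the assertions are constructed samples; the code assumes the assertion's signature, audience and validity window have already been verified.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
# eduPersonScopedAffiliation: the attribute commonly released for
# "affiliation@institution" claims such as "student@example.edu".
AFFILIATION_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"

# Constructed sample: scopes each IdP (keyed by entityID) may assert.
# In a real federation this comes from signed federation metadata, not code.
AUTHORIZED_SCOPES = {"https://idp.example.edu/idp/shibboleth": {"example.edu"}}


def make_assertion(issuer, values):
    """Build a minimal, constructed (unsigned) assertion that carries only the
    scoped-affiliation attribute: no name, no e-mail address, no NameID."""
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0">'
            f"<saml:Issuer>{issuer}</saml:Issuer><saml:AttributeStatement>"
            f'<saml:Attribute Name="{AFFILIATION_OID}">{vals}</saml:Attribute>'
            "</saml:AttributeStatement></saml:Assertion>")


def scoped_affiliations(assertion_xml):
    """Return (issuer entityID, list of scoped-affiliation values).
    Assumes signature/audience/time checks already passed; production code
    should parse untrusted XML with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == AFFILIATION_OID:
            values += [(v.text or "").strip()
                       for v in attr.findall("saml:AttributeValue", NS)]
    return issuer, values


def is_authorized(assertion_xml, required_affiliation="student"):
    """Grant access on affiliation alone, and only when the asserting IdP is
    authoritative for the scope it claims (an IdP may not vouch for another campus)."""
    issuer, values = scoped_affiliations(assertion_xml)
    allowed_scopes = AUTHORIZED_SCOPES.get(issuer, set())
    for value in values:
        affiliation, sep, scope = value.partition("@")
        if not sep or scope.lower() not in allowed_scopes:
            continue  # unscoped value, or a scope this IdP is not registered for
        if affiliation.lower() == required_affiliation:
            return True
    return False
```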