Dr. Mike Conlon, Director of Data Infrastructure for UF, presented this invited paper, entitled "Identity Management at the University of Florida", at the Educause CAMP: Charting Your Authentication Roadmap event in Tempe, Arizona on February 8, 2007.

The Idea

As services continue to be deployed on the Internet, the need to authenticate to services - that is, provide username and password or other identifiers to services - increases. Currently many people do business with many different web sites. It is not uncommon for people to have many usernames and passwords in order to do business with the University, the federal government, Amazon.com and many other electronic service providers.

Many organizations are currently "credential providers" - that is, they provide usernames and passwords to their customers/constituents for the purpose of asserting identity. The University of Florida is a credential provider. A UFID is assigned to each individual, and a GatorLink username and password are associated with the UFID.

Rather than have credential providers proliferate, leading to complexity for each person using electronic services, there is a growing consensus that some service providers may "trust" some credential providers to assert identity for individuals.

This leads to a three-way model in which a consumer (student, staff or faculty member) might attempt to reach a web site that requires identity. Rather than issuing a username and password and becoming a credential provider, the service might claim "We take GatorLink" and rely on the university to provide credentials. We have a nascent example of this three-way arrangement in place now with Mobile Campus, a provider of SMS text messages to students. Mobile Campus is a service provider, but not a credential provider. Users of the Mobile Campus site use GatorLink credentials to assert identity under an arrangement with the University.

Trust Federations

Rather than have each service provider work out a trust relationship with each credential provider, yet another concept is emerging - that of a trust federation. VeriSign is already in the "trust business" - issuing certificates which assert the authenticity of specific web services. In an analogous fashion, InCommon is emerging as a trust provider for higher education identity credentials. InCommon certifies the operation of the credentialing and identity processes on a campus through various audit processes, resulting in a trust statement that can be accepted by other institutions. So, for example, rather than UF having to verify the authenticity and validity of Penn State's credentials directly, UF could see that Penn State is a member of InCommon and that InCommon has verified Penn State's credential and identity processes. By trusting InCommon, UF can simplify its acceptance of credentials from a potentially large group of higher education organizations. Similarly, UF credentials, once certified by InCommon, may be acceptable at a range of other institutions.

This means that, to access username- and password-protected sites at other schools, UF faculty and staff would be able to sign on using their existing GatorLink username and password, and that would suffice for asserting identity at the other institution's site.
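The three-way model and the federation trust decision described above, reduced to working code. This is an added illustration, not code from the paper or from UF, Shibboleth or InCommon. A credential provider issues a signed assertion about a user for one named service provider; the service provider accepts it only if the issuer appears in the federation's published membership list, the signature verifies under that issuer's published key, the assertion was issued for this service and it has not expired. The service provider never handles the user's password. An HMAC stands in for the public-key XML signatures a real SAML/Shibboleth deployment uses, and the entity IDs and keys are constructed sample values, not real federation metadata.

```python
import hashlib
import hmac
import json
import time

# Constructed federation "trust statement": the federation operator has vetted
# each member credential provider and publishes its entity ID together with
# the key used to verify its assertions. Sample values only, not real metadata.
FEDERATION_METADATA = {
    "https://idp.example-university.edu": b"example-university-signing-key",
    "https://idp.example-college.edu": b"example-college-signing-key",
}


def _canonical(claims):
    # Stable serialization so issuer and verifier hash identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, subject, audience, key, now=None, lifetime=300):
    """Credential provider side: assert that `subject` authenticated here,
    for the named service provider only, valid for `lifetime` seconds."""
    now = int(time.time()) if now is None else now
    claims = {
        "issuer": issuer,
        "subject": subject,
        "audience": audience,
        "issued_at": now,
        "expires_at": now + lifetime,
    }
    signature = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "signature": signature}


def verify_assertion(assertion, expected_audience, federation=FEDERATION_METADATA, now=None):
    """Service provider side. Returns (subject, None) when the assertion is
    acceptable, otherwise (None, reason). Trust rests on the federation's
    vetting of the issuer plus the issuer's signature, never on a password."""
    now = int(time.time()) if now is None else now
    claims = assertion.get("claims", {})
    issuer = claims.get("issuer")

    # 1. Trust decision: refuse any issuer the federation has not vetted,
    #    however well-formed its assertion looks.
    key = federation.get(issuer)
    if key is None:
        return None, "issuer is not a member of the trust federation"

    # 2. Integrity: recompute the signature with the issuer's published key.
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("signature", "")):
        return None, "signature does not verify"

    # 3. Audience: an assertion issued for another service must not be replayed here.
    if claims.get("audience") != expected_audience:
        return None, "assertion was issued for a different service provider"

    # 4. Freshness: issued_at <= now < expires_at.
    if not (claims.get("issued_at", 0) <= now < claims.get("expires_at", 0)):
        return None, "assertion has expired or is not yet valid"

    return claims["subject"], None


if __name__ == "__main__":
    # Walk-through with a constructed SMS vendor as the service provider.
    sp = "https://sms.example-vendor.com"
    idp = "https://idp.example-university.edu"
    token = issue_assertion(idp, "gator123", sp, FEDERATION_METADATA[idp])
    print(verify_assertion(token, sp))                      # accepted
    rogue = issue_assertion("https://idp.rogue.example", "x", sp, b"rogue-key")
    print(verify_assertion(rogue, sp))                      # refused: not a member
```

The ordering matters: membership is checked before the signature, so the service provider never spends effort verifying, or trusting, a key that the federation has not vouched for, which is exactly the simplification the paper attributes to trusting InCommon rather than each campus individually.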

Applications

Applications of federated identity are growing. Libraries are considering federated identity solutions for access to vended materials, state-wide catalogues and for inter-institutional use of resources. Scientific collaborators are looking at federated identity solutions to avoid the current practice of having credentials at each institution with which they collaborate. The federal government is considering federated solutions for access to federal resources for higher-ed users, including grants.gov, their electronic proposal submission service.

Middleware

Several technical platforms for supporting federated identity are emerging. Shibboleth is an open-source platform for supporting the three-way credential scenario described previously. InfoCard and CardSpace are open solutions from Microsoft supporting Shibboleth and built into Microsoft Vista that enable desktop users to provide credentials through the use of electronic "cards" that can be supplied like credit cards to assert identity in online transactions.

Federated Identity at UF

Federated identity is in its infancy at UF, but GatorLink provides a strong foundation for future services. As applications emerge, new services will be built to support these exciting new ways of interacting online.