Government Technology

Identity Management Streamlined at University of Texas Campuses



Who Can Vouch for You?

June 16, 2008

As a powerful collaboration tool, the Internet poses a dilemma. Asking institutions to open their IT systems to users at other institutions, so that far-flung partners can work together, is like asking all homeowners to leave their doors unlocked. Trusted neighbors can drop by easily, but so can vandals and thieves.

On the other hand, if institutions ramp up security on their networks, that makes collaboration inconvenient. Imagine the level of community spirit in a neighborhood where you have to show identification and give a password to drop off your child for a play date at one home, and submit to a retina scan to join a bridge game at another.

Faced with a mandate to encourage collaboration and an equally urgent directive to better safeguard IT systems, the University of Texas (UT) produced a solution based on technology and carefully defined relationships. UT's Identity Management Federation lets participants at the university's 16 institutions use local credentials for secure access to remote resources.

"We have 15 UT institutions plus the UT System Administration that collaborate and exchange information constantly," said Miguel Soldi, information security policy and resourcing analyst with the UT System Administration in Austin. The 15 include nine academic institutions and six health institutions. In the past, a user at one of those locations who wanted to use a Web-based application at another location had to jump through numerous hoops to gain access.

Say, for example, researchers at the UT Southwestern Medical Center at Dallas wanted to access information hosted on the Blackboard learning management system at the UT Health Science Center at Houston. "We would need to give them a guest credential," said Bill Weems, assistant vice president of academic technology at the Houston center, as well as dean of IT and associate professor of integrative biology and pharmacology in the center's medical school.

No matter what credentials the applicants had at their home institutions, they would go through a separate process to gain access to the Houston system. "They would have to go before a notary and get their driver's license notarized and send in the appropriate paperwork before we would give them the credential," Weems said. And there's another inconvenient detail. "They now have another user name and password to remember." Separately, UT Houston would have to determine whether the applicant was eligible to access the particular system in question.

"It gets to be a fairly time-consuming process," Weems said. It's no wonder users didn't care to go through it every time they wanted to use a different application at a sister UT institution.

In 2004, using seed money from the National Science Foundation's Middleware Initiative, UT officials laid the foundation for the Identity Management Federation. The technology mechanism they chose was Shibboleth, an open source middleware solution based on Security Assertion Markup Language (SAML). Shibboleth was developed by the networking consortium Internet2.

Federation members also considered another technology solution, developed by a group called the Liberty Alliance. But they determined that software wouldn't meet their needs, said Clair Goldsmith, senior adviser for IT in the UT System Administration.

"The problem was that higher ed has a stronger emphasis on privacy than, for instance, the Liberty Alliance does," Goldsmith said. The Liberty Alliance solution creates a trust relationship between two systems only for the purpose of a single transaction; universities need to build trust relationships that last for years. "This technology [Shibboleth] came out of Internet2 specifically to deal with higher education."

Known and Trusted

Under the federated identity management model using Shibboleth, when users try to access a resource belonging to a remote institution, the software directs them to their home institution's login screen, where they use their local credentials to authenticate their identity. The local institution, as an identity provider, then contacts the
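The exchange the article describes (home institution authenticates the user and vouches for them to the remote service, which decides eligibility on its own) and the privacy point raised earlier, modeled as an added Python sketch that is not part of the article or of Shibboleth itself. It assumes constructed entity IDs and per-institution HMAC keys standing in for the signing certificates that real SAML federation metadata carries.

```python
import hashlib, hmac, json, time, secrets

# Constructed federation metadata: the service provider (SP) trusts only identity
# providers (IdPs) listed here. HMAC keys are a stand-in for SAML signing certificates.
FEDERATION_METADATA = {
    "https://idp.example-dallas.edu": {"key": b"dallas-signing-key"},
    "https://idp.example-houston.edu": {"key": b"houston-signing-key"},
}
SP_ENTITY_ID = "https://lms.example-houston.edu"   # constructed SP entity ID
ASSERTION_TTL = 300                                # seconds an assertion stays valid
RELEASED_ATTRS = ("affiliation", "eppn")           # minimal attribute release (privacy)
_seen_ids = set()                                  # replay protection within the TTL

def idp_issue_assertion(idp_id, user_attrs, audience, now=None):
    """IdP side: after the user logs in locally, sign a short-lived attribute assertion
    addressed to one SP, releasing only the agreed attributes (never the full record)."""
    now = time.time() if now is None else now
    body = {"id": secrets.token_hex(8), "issuer": idp_id, "audience": audience,
            "issued": now, "expires": now + ASSERTION_TTL,
            "attributes": {k: user_attrs[k] for k in RELEASED_ATTRS if k in user_attrs}}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_METADATA[idp_id]["key"], payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}

def sp_validate_assertion(assertion, now=None):
    """SP side: accept only a fresh, unreplayed assertion from a federation member that is
    addressed to this SP. Returns the released attributes or raises ValueError."""
    now = time.time() if now is None else now
    body = json.loads(assertion["payload"])
    idp = FEDERATION_METADATA.get(body.get("issuer"))
    if idp is None:
        raise ValueError("issuer not in federation metadata")
    expected = hmac.new(idp["key"], assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        raise ValueError("bad signature")
    if body["audience"] != SP_ENTITY_ID:
        raise ValueError("assertion addressed to a different service provider")
    if not (body["issued"] - 60 <= now <= body["expires"]):   # 60 s clock-skew allowance
        raise ValueError("assertion expired or not yet valid")
    if body["id"] in _seen_ids:
        raise ValueError("replayed assertion")
    _seen_ids.add(body["id"])
    return body["attributes"]

def sp_authorize(attrs, allowed=("faculty", "staff", "student")):
    """Eligibility is the SP's own decision, made from released attributes after the
    home institution has vouched for identity; authentication and authorization stay separate."""
    return attrs.get("affiliation") in allowed
```

The validation order matters: an assertion from an unknown issuer is rejected before any signature check, so a key the SP does not hold can never be consulted.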


You may use or reference this story with attribution and a link to
http://www.govtech.com/security/Identity-Management-Streamlined-at-University-of.html



