remote institution and, in essence, provides an affidavit.
It not only vouches that the users are known and trusted, but may also give the remote system a list of agreed-upon user attributes such as "tenured faculty, biochemistry department" or "junior undergraduate, business major, honors program."
"At that point, the remote institution's application can make a determination to see if that person can access that resource or not," said Soldi.
The institution that owns the resource retains sole control over whether to let the user in, said Goldsmith. "The identity provider simply offers up the attributes that are requested."
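The division of labour just described, as an added example that is not part of the original article or of UT's own software: a constructed identity provider releases only the attributes a relying application asked for, and that application alone decides whether the asserted attributes satisfy its access policy (the entity IDs, attribute names, policy values and directory record below are assumptions).

```python
"""Added illustration (not UT or Shibboleth code): a relying application
makes its own access decision from attributes an identity provider asserts.
Entity IDs, attribute names and values are constructed examples."""
from dataclasses import dataclass, field
import time

# Federation metadata the relying party trusts: which identity providers
# may vouch for users. Constructed entity ID, not a real federation member.
TRUSTED_IDPS = {"https://idp.example-campus.edu/shibboleth"}


@dataclass
class Assertion:
    issuer: str                  # institution vouching for the user
    not_on_or_after: float       # expiry of the "affidavit" (epoch seconds)
    attributes: dict = field(default_factory=dict)


def release_attributes(directory_entry: dict, requested: set) -> dict:
    """IdP side: offer up only the attributes the relying party requested."""
    return {k: v for k, v in directory_entry.items() if k in requested}


def issue_assertion(issuer, directory_entry, requested, ttl=300, now=None):
    """IdP side: vouch for the user and attach the agreed-upon attributes."""
    now = time.time() if now is None else now
    return Assertion(issuer, now + ttl, release_attributes(directory_entry, requested))


def authorize(assertion: Assertion, policy: dict, now=None) -> bool:
    """SP side: the resource owner retains sole control over the decision.
    policy maps an attribute name to the set of acceptable values; every
    rule must be satisfied, and a missing attribute is a deny."""
    now = time.time() if now is None else now
    if assertion.issuer not in TRUSTED_IDPS:   # not a federation member
        return False
    if now >= assertion.not_on_or_after:       # stale assertion
        return False
    for attr, allowed in policy.items():
        values = assertion.attributes.get(attr, [])
        if isinstance(values, str):            # attributes may be multi-valued
            values = [values]
        if not set(values) & set(allowed):
            return False
    return True
```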
UT introduced the Identity Management Federation in summer 2004 with a prototype application designed to entice potential members. It gave wireless access to the UT system for federation members attending meetings at the administrative campus in Austin. "You could connect to faster, better, unrestricted wireless access and authenticate using your local credentials," Soldi said. "If you were not part of the federation or you did not have that capability, you were restricted to not-so-good, slower wireless."
In September 2006, the federation graduated from the prototype stage into full production mode. Today, users at member institutions can use their local credentials to access 30 applications hosted throughout the UT system.
One of these applications supports a large, state-funded project called the Forensic Assessment Center Network (FACN). It allows caseworkers in the state's Department of Family and Protective Services to consult with pediatric faculty at UT's four medical schools about child abuse cases. A pediatrician at any of the schools can access the system using local credentials. "The appropriate authentication pieces take place behind the scenes, such that the pediatricians who should be authorized to utilize that system are granted the privilege to do so," Weems said.
Another example is an application for research collaboration hosted at UT Arlington. "Researchers can profile themselves and seek out researchers with similar interests and common sources of funding, and potential opportunities for collaboration," said Paul Caskey, technology architect in the UT System Administration.
Among other applications, the federation lets users at different campuses access the Blackboard system hosted by the UT Health Science Center in Houston and allows students at one campus to take online courses developed at another.
Hard to 'Shibbolize'
Unfortunately, there are also many applications the federation can't support because they use proprietary authentication mechanisms or aren't Web-based. They include widely used legacy applications such as enterprise resource planning systems. "These are the killer apps that would really showcase federated identity management," Soldi said, "but they would be difficult and costly to 'Shibbolize.'"
Many other challenges the federation faces involve not only technology, but the trust relationship side of the equation. For example, under any federated identity management agreement, members must agree on the definitions of attributes they provide to one another.
"If I'm going to define somebody as faculty, there has to be some kind of common understanding of what a faculty member is," Soldi said. For instance, does the term include adjunct instructors? "A lot of that common understanding sometimes is missing. Sometimes that affects the trust."
In fact, building trust is probably the trickiest part of creating an identity management federation - harder than building the technology framework or laying out the governing policies. Sometimes two institutions simply won't accept each other's authentication procedures. "All the information and policies are there, but the institutions just can't quite bring themselves to trust the other guy," Goldsmith said. "It's just human nature. They don't want to give up control."
Despite these challenges, use of UT's Identity Management Federation is growing. Members are also thinking about ways to bring more institutions under the federation umbrella and build bridges to similar federations.