As a powerful collaboration tool, the Internet poses a dilemma. Asking institutions to open their IT systems to users at other institutions, so that far-flung partners can work together, is like asking all homeowners to leave their doors unlocked. Trusted neighbors can drop by easily, but so can vandals and thieves.
On the other hand, if institutions ramp up security on their networks, that makes collaboration inconvenient. Imagine the level of community spirit in a neighborhood where you have to show identification and give a password to drop off your child for a play date at one home, and submit to a retina scan to join a bridge game at another.
Faced with a mandate to encourage collaboration and an equally urgent directive to better safeguard IT systems, the University of Texas (UT) produced a solution based on technology and carefully defined relationships. UT's Identity Management Federation lets participants at the university's 16 institutions use local credentials for secure access to remote resources.
"We have 15 UT institutions plus the UT System Administration that collaborate and exchange information constantly," said Miguel Soldi, information security policy and resourcing analyst with the UT System Administration in Austin. The 15 include nine academic institutions and six health institutions. In the past, a user at one of those locations who wanted to use a Web-based application at another location had to jump through numerous hoops to gain access.
Say, for example, researchers at the UT Southwestern Medical Center at Dallas wanted to access information hosted on the Blackboard learning management system at the UT Health Science Center at Houston. "We would need to give them a guest credential," said Bill Weems, assistant vice president of academic technology at the Houston center, as well as dean of IT and associate professor of integrative biology and pharmacology in the center's medical school.
No matter what credentials the applicants had at their home institutions, they would go through a separate process to gain access to the Houston system. "They would have to go before a notary and get their driver's license notarized and send in the appropriate paperwork before we would give them the credential," Weems said. And there's another inconvenient detail. "They now have another user name and password to remember." Separately UT Houston would have to determine whether the applicant was eligible to access the particular system in question.
"It gets to be a fairly time-consuming process," Weems said. It's no wonder users didn't care to go through it every time they wanted to use a different application at a sister UT institution.
In 2004, using seed money from the National Science Foundation's Middleware Initiative, UT officials laid the foundation for the Identity Management Federation. The technology mechanism they chose was Shibboleth, an open source middleware solution based on Security Assertion Markup Language (SAML). Shibboleth was developed by the networking consortium Internet2.
Federation members also considered another technology solution, developed by a group called the Liberty Alliance. But they determined that software wouldn't meet their needs, said Clair Goldsmith, senior adviser for IT in the UT System Administration.
"The problem was that higher ed has a stronger emphasis on privacy than, for instance, the Liberty Alliance does," Goldsmith said. The Liberty Alliance solution creates a trust relationship between two systems only for the purpose of a single transaction; universities need to build trust relationships that last for years. "This technology [Shibboleth] came out of Internet2 specifically to deal with higher education."
Known and Trusted
Under the federated identity management model using Shibboleth, when users try to access a resource belonging to a remote institution, the software directs them to their home institution's login screen, where they use their local credentials to authenticate their identity. The local institution, as an identity provider, then contacts the remote institution and, in essence, provides an affidavit.
It not only vouches that the users are known and trusted, but may also give the remote system a list of agreed-upon user attributes such as "tenured faculty, biochemistry department" or "junior undergraduate, business major, honors program."
"At that point, the remote institution's application can make a determination to see if that person can access that resource or not," said Soldi.
The institution that owns the resource retains sole control over whether to let the user in, said Goldsmith. "The identity provider simply offers up the attributes that are requested."
UT introduced the Identity Management Federation in summer 2004 with a prototype application designed to entice potential members. It gave wireless access to the UT system for federation members attending meetings at the administrative campus in Austin. "You could connect to faster, better, unrestricted wireless access and authenticate using your local credentials," Soldi said. "If you were not part of the federation or you did not have that capability, you were restricted to not-so-good, slower wireless."
In September 2006, the federation graduated from the prototype stage into full production mode. Today, users at member institutions can use their local credentials to access 30 applications hosted throughout the UT system.
One of these applications supports a large, state-funded project called the Forensic Assessment Center Network (FACN). It allows caseworkers in the state's Department of Family and Protective Services to consult with pediatric faculty at UT's four medical schools about child abuse cases. A pediatrician at any of the schools can access the system using local credentials. "The appropriate authentication pieces take place behind the scenes, such that the pediatricians who should be authorized to utilize that system are granted the privilege to do so," Weems said.
Another example is an application for research collaboration hosted at UT Arlington. "Researchers can profile themselves and seek out researchers with similar interests and common sources of funding, and potential opportunities for collaboration," said Paul Caskey, technology architect in the UT System Administration.
Among other applications, the federation lets users at different campuses access the Blackboard system hosted by the UT Health Science Center in Houston and allows students at one campus to take online courses developed at another.
Hard to 'Shibbolize'
Unfortunately, there are also many applications the federation can't support because they use proprietary authentication mechanisms or aren't Web-based. They include widely used legacy applications such as enterprise resource planning systems. "These are the killer apps that would really showcase federated identity management," Soldi said, "but they would be difficult and costly to 'Shibbolize.'"
Many other challenges the federation faces involve not only technology, but the trust relationship side of the equation. For example, under any federated identity management agreement, members must agree on the definitions of attributes they provide to one another.
"If I'm going to define somebody as faculty, there has to be some kind of common understanding of what a faculty member is," Soldi said. For instance, does the term include adjunct instructors? "A lot of that common understanding sometimes is missing. Sometimes that affects the trust."
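The exchange described under "Known and Trusted" (home institution authenticates, vouches for the user and releases only the requested attributes; the resource owner verifies the assertion and keeps the access decision) and the attribute-definition problem Soldi raises above, modelled as an added Python example. This is not code from the article, the UT federation or the Shibboleth project. It assumes, for brevity, JSON assertions signed with per-institution HMAC keys in place of SAML XML with X.509 signatures, plaintext passwords in a constructed directory, and constructed institution names, users and attribute values; real deployments use eduPerson attributes such as eduPersonAffiliation.

```python
# Added example: toy model of federated login (IdP issues assertion, SP verifies
# and authorizes). Not the article's, the UT federation's or Shibboleth's code.
import base64
import hashlib
import hmac
import json
import time

# Federation "metadata": the identity providers this service provider trusts and
# the key used to check each one's assertions (constructed; real federations
# publish X.509 certificates, not shared secrets).
IDP_KEYS = {
    "idp.houston.example": b"constructed-houston-key",
    "idp.dallas.example": b"constructed-dallas-key",
}

# Each IdP's local directory (constructed; passwords would be hashed in reality).
# The two institutions do not share a definition of "faculty": Dallas records
# adjunct instructors as "adjunct", Houston records them as "faculty".
IDP_DIRECTORIES = {
    "idp.houston.example": {
        "bweems": {"password": "hou-pw-1", "affiliation": "faculty", "department": "pharmacology"},
    },
    "idp.dallas.example": {
        "jdoe": {"password": "dal-pw-1", "affiliation": "adjunct", "department": "pediatrics"},
        "asmith": {"password": "dal-pw-2", "affiliation": "faculty", "department": "pediatrics"},
    },
}

ASSERTION_LIFETIME = 300  # seconds an assertion stays valid


def _sign(idp, payload):
    """Serialize the assertion and append the issuing IdP's MAC over it."""
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(IDP_KEYS[idp], body, hashlib.sha256).digest()
    return base64.b64encode(body).decode() + "." + base64.b64encode(mac).decode()


def idp_authenticate(idp, username, password, audience, requested, now=None):
    """IdP side: check local credentials, then issue an assertion addressed to one
    SP. Only the attributes the SP asked for are released (attribute minimization)."""
    record = IDP_DIRECTORIES[idp].get(username)
    if record is None or not hmac.compare_digest(record["password"], password):
        return None
    now = time.time() if now is None else now
    payload = {
        "issuer": idp,
        "subject": username,
        "audience": audience,
        "issued_at": now,
        "not_on_or_after": now + ASSERTION_LIFETIME,
        "attributes": {k: v for k, v in record.items() if k in requested},
    }
    return _sign(idp, payload)


def sp_verify(token, audience, now=None):
    """SP side: accept an assertion only if it names a trusted IdP, carries a valid
    signature from that IdP, is addressed to this SP, and has not expired."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".")
        body = base64.b64decode(body_b64)
        payload = json.loads(body)
        key = IDP_KEYS[payload["issuer"]]
        mac = base64.b64decode(mac_b64)
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    if payload.get("audience") != audience or now >= payload.get("not_on_or_after", 0):
        return None
    return payload


def sp_authorize(payload, required_affiliation):
    """The resource owner decides: the IdP only vouched for identity and attributes."""
    return payload is not None and payload["attributes"].get("affiliation") == required_affiliation


def federated_login(idp, username, password, sp, required_affiliation, now=None):
    """The whole exchange: user is sent to the home IdP, the IdP returns an
    assertion, the SP verifies it and then applies its own access policy."""
    token = idp_authenticate(idp, username, password, sp, ["affiliation"], now=now)
    if token is None:
        return "authentication failed at home institution"
    payload = sp_verify(token, sp, now=now)
    if payload is None:
        return "assertion rejected by service provider"
    return "granted" if sp_authorize(payload, required_affiliation) else "denied by resource owner policy"


if __name__ == "__main__":
    sp = "blackboard.houston.example"
    for idp, user, pw in [("idp.houston.example", "bweems", "hou-pw-1"),
                          ("idp.dallas.example", "asmith", "dal-pw-2"),
                          ("idp.dallas.example", "jdoe", "dal-pw-1")]:
        print(user, "->", federated_login(idp, user, pw, sp, "faculty"))
```

Running it shows the Dallas adjunct being refused by the Houston resource even though Dallas authenticated the user successfully: the assertion is valid, but the two institutions mean different things by "faculty", which is exactly the common-understanding gap Soldi describes. The audience and expiry checks in `sp_verify` are what stop an assertion issued for one application from being replayed against another.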
In fact, building trust is probably the trickiest part of creating an identity management federation - harder than building the technology framework or laying out the governing policies. Sometimes two institutions simply won't accept each other's authentication procedures. "All the information and policies are there, but the institutions just can't quite bring themselves to trust the other guy," Goldsmith said. "It's just human nature. They don't want to give up control."
Despite these challenges, use of UT's Identity Management Federation is growing. Members are also thinking about ways to bring more institutions under the federation umbrella and build bridges to similar federations.
"I am working as we speak on redoing all the policy and agreement documents to extend participation in the federation to entities outside UT," Soldi said.
Among those likely to join the FACN application are non-UT medical schools in Texas, so that their pediatricians also can participate in that program, Caskey said.
Also, the federation is working toward cross-certification with the Federal Bridge Certificate Authority. This certification will let UT System institutions interoperate in a secure and trusted manner with the federal government, said Caskey. With this certification, members of the UT federation could use local credentials to securely access applications provided by federal agencies, starting with the National Institutes of Health.
Although, so far, the federation has drawn only a small number of users, it's gaining ground throughout the UT system, Caskey said. "People don't see this as some foreign technology that's useful for a niche purpose." For example, in a recent discussion about developing a portal for distributed network administration, one of the first questions raised was whether the federation could support it. "That's the key, when people start asking those questions and start wanting to do that first."