JA-SIG Conference: Future of Identity Management in HigherEd

Jens’s talk is focusing on Identity Management where he’s focusing on life-cycle of identity data. Looks like the talk is going to focus on moving towards user-centered identity.”Access to the right resources, to the right users, at the right time” — focused on providing, not preventing access (e.g. from a security perspective).

Authentication vs. Authorization is an important distinction which as an industry we’ve definitely treated sloppily. The delegation scenario (e.g. Kim Cameron‘s many writings on the topic) is also very interesting, as “acting on behalf of” really is such a core capability that we often lose when we move into the electronic realm.


  • Identity is about relationships – (especially) university ones change over time
  • Multiple authoritative sources – authorities for attributes, not people
  • Separating account names from stored account ids
  • Dynamic rules instead of static roles – interesting in how that pattern’s been modeled in the uPortal community via the adoption of PAGS groups over statically defined ones…

Interestingly, Jens (also in previous conversations) does believe that Federation has some low-hanging fruit and is worthwhile, at least in the short run. I’m still not sure — though he made a very good distinction in the amount of work necessary for IdP vs. SP participation. Shibboleth… one of the key distinctions that Jens is making for the federation case is that Shib maybe more appropriate for federation requirements with generalized, lightweight access where you have similar rules across all members – e.g. all members can access protected library resources.

TurnItIn, iTunesU, JSTOR are on Jens’s list of shibboleth providers and products, which is a pretty attractive list. Not sure what kind of federation agreements have to be in place for these various resources.eduRoam is neat looking — ability to login to another institution’s wifi would be cool.

Identity 2.0: now we’re talking! Claims based — the comment Jens made about University-centric identity assuming that institutional relationships are the most important relationships people have, but that’s not how users are likely to see it seems quite apropos. Claims combined with self vs. 3rd-party verification in a mixed-model really is a neat model for thinking about identity data, and does seem to match the real-world situation well.

The privacy angle of not requiring the IdP to process the transactions, and hence possibly have access to what I’m doing is something that doesn’t seem to get talked about in the US as much, but as more things move online does seem key.OpenID — where we’re seeing convergence in the identity space. CardSpace is also a key player. OpenID support in CAS really seems to make it well positioned to participate in this space.

Conclusion: not sure I’m sold on Federation as the low-hanging fruit, but some of the Shib enabled services do seem pretty compelling. User-centric definitely looks like it’s gaining steam though, which is definitely exciting. This definitely seems to be an area where Higher Education should be at the forefront, since our it is one of the few areas where Higher Education does seem to have legitimately more complex needs and requirements.