What is Federation?

How many passwords do you use for all of your accounts at the University of Nebraska? At UNK all faculty, staff and students have a minimum of 2 sets of credentials (usernames and passwords) they need to log into various resources. UNK campus systems such as email, Blackboard, wireless, Qualtrics, library databases and logging onto your computer use UNK campus credentials in a system called EASI. UN enterprise systems such as MyBlue and Firefly use UN credentials in a system called TrueYou. Both sets of credentials have password change requirements a few times a year, and every device on which you access those resources and store those credentials must be updated when you change your passwords. Password change assistance is the number one type of contact to our campus Helpdesk, making up 75% of our contacts. A concept called Federation would allow single sign-on for campus and university systems, effectively reducing the number of credentials everyone needs to access all local (campus) and enterprise (university) resources.

Federation is a term used to describe the concept of federated identity management. Identity management refers to the policies, processes and technologies that establish user identities and enforce rules about access to digital resources including email, learning management systems, library databases, student information systems, and numerous other systems across the university that are used every day. You may have separate credentials (usernames and passwords) for each system, or systems may be integrated into the enterprise identity management system, providing you with single sign-on to multiple systems. Federated identity management permits extending this approach above the enterprise level by creating a trusted authority for digital identities across multiple organizations. In a federated system, institutions share identity attributes based on agreed-upon standards to grant access to online resources.

The InCommon Federation is one of the larger federations with more than 150 participating organizations – most of them colleges and universities – currently covering more than three million end users. When a user affiliated with a member of a federation requests to log onto a system from another member organization, the user logs in with his or her “home campus” credentials. This request is passed to the home organization, which verifies the credentials and asserts to the requesting organization that the user has been authenticated. Users need only one set of authentication credentials to access resources and systems from other federation members.
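The login exchange described above, as an added example (not code from the original page and not Shibboleth's implementation): the home organization checks the password and issues a signed assertion, and the requesting organization accepts it only if the issuer is a federation member and the assertion is intact, addressed to it, and unexpired. All names, URLs, keys and users are constructed, and an HMAC stands in for the XML signatures that SAML-based software such as Shibboleth uses.

```python
import hashlib, hmac, json

# Constructed identifiers and keys (assumptions for this example only).
IDP_ID = "https://idp.campus-a.example"      # the user's home organization
SP_ID = "https://courses.campus-b.example"   # the requesting organization
IDP_KEY = b"campus-a-demo-signing-key"
# Trust list: issuers the service accepts. Real federations distribute public
# keys in signed metadata; a shared HMAC key keeps this stdlib-only.
FEDERATION = {IDP_ID: IDP_KEY}

def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

# Credentials are stored only at the home organization.
HOME_USERS = {"jdoe": _pw_hash("correct horse")}

def _sign(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def home_login(issuer, key, user, password, audience, now, ttl=300):
    """Home organization: verify the password, then assert the authentication."""
    if not hmac.compare_digest(HOME_USERS.get(user, b""), _pw_hash(password)):
        return None
    body = json.dumps({"iss": issuer, "sub": user, "aud": audience,
                       "exp": now + ttl}, sort_keys=True)
    return {"body": body, "sig": _sign(key, body)}

def service_accepts(assertion, my_id, now):
    """Requesting organization: never sees the password, only the assertion."""
    claims = json.loads(assertion["body"])
    key = FEDERATION.get(claims.get("iss"))
    if key is None:
        return None  # issuer is not a federation member
    if not hmac.compare_digest(_sign(key, assertion["body"]), assertion["sig"]):
        return None  # assertion was altered or not signed by the issuer
    if claims["aud"] != my_id or now >= claims["exp"]:
        return None  # issued for a different service, or expired
    return claims["sub"]
```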

There are security benefits to federation. Institutions no longer have to create and maintain large numbers of user credentials, instead managing identities only for their own users and accepting credentials from other federation members, which are most likely to have current, accurate information about the user. The need to propagate user status changes across multiple systems is eliminated. This results in greatly simplified administration and streamlined (and faster) access to resources. The need to replicate databases of user credentials for separate applications and systems, each of which represents a potential point of weakness, is eliminated. Federated identity management can offer improved security, both for digital resources and for users’ personal information. This increased security can facilitate compliance with federal and state regulations covering personal data, including HIPAA, FERPA, and others.

There are some barriers to implementing federation. The up-front costs to modify existing applications and systems can be an obstacle for some institutions. Federation might require different or more stringent identity rules than an institution would prefer, for example more complex password requirements or higher frequency of required password changes. Also, it can be a large effort to develop thorough institutional policies concerning access rights and compliance.

The benefits of federation are significant. The speed of deployment of new applications is increased by using existing campus credentials. There is no need for additional account credential issuance. Security increases because the risk of authentication data being breached at all the member institutions of a federation is reduced, since these credentials are stored only at the “home” campus or institution. The ease of use is enhanced by what is effectively single sign-on between all federation member institutions.

Many higher education federations authorize users via Shibboleth Federating Software, a standards-based, open-source software package developed by the Internet2 Middleware Initiative. Shibboleth allows a user to utilize a single ID and password to access protected resources.

The University of North Carolina has had a system federation for all 16 campuses to allow online course exchange since 2008. A degree-seeking student enrolled at any UNC institution can take online courses offered at sister UNC campuses. Federation improves the registration process while protecting students’ information. UNC developed a system that displays online course offerings at all UNC campuses with a single query and enables registration. It now has over 17 additional systems and services that use the federation because, once it was built, there was little to no additional associated overhead for a new application to use it.

Federated Identity Management will position institutions for the future of secure authentication and streamline identity processes. It will also provide the University of Nebraska constituents single sign-on between campuses as well as other universities.





