The Rebecca J. Holz Series in Research Data Management is a monthly lecture series hosted during the spring and fall academic semesters. On March 27, Jon Miner, from the Identity and Access Management team at DoIT, spoke about identity federation for researchers: how identity and access management systems are used at UW-Madison, and how researchers can use identity federation to access data.
What is identity federation? Basically, as Miner explained, it lets people use the login credentials they already have from one institution or organization to create accounts or log into other services and applications without having to create a new account. This helps solve problems of fragmented identity, such as having multiple user accounts for different services or applications, not having a full user profile for certain accounts, or using certain accounts so infrequently that the credentials are forgotten.
Identity federations rely on a group of Identity Providers and Service Providers sharing a trust framework. An Identity Provider authenticates you with credentials you already know (e.g. your NetID) and provides information, or attributes, about you to a Service Provider. A Service Provider is typically an application (such as Outlook or a library account) which can grant or restrict access based on the information provided (e.g. provide access to a pay-walled journal article to which the Libraries subscribe, based on your status with the university – such as student or staff). By extending that trust framework, researchers at UW-Madison can use their credentials to work with other researchers and projects and log in to various cyberinfrastructures across the US and the world.
These systems are common in research and higher education. The Wisconsin Federation joins all of the UW System through a single access portal. Additionally, UW-Madison is a member institution of InCommon Federation, a nationwide federation provider. Through InCommon, UW-Madison agrees to comply with baseline expectations about requirements that the school must meet, as well as what the school receives from InCommon in return. For example, UW-Madison must meet certain accessibility requirements to be able to use InCommon. By being a member of InCommon, UW-Madison’s campus community is able to collaborate more easily with people at other InCommon member institutions.
InCommon member institutions include all R1 universities, most other UW System schools, many other schools in the U.S., and other governmental and nonprofit groups. Several research organizations in the U.S. use federation to let users create accounts or log in to services and applications with existing institutional or organizational credentials: CILogon, Globus, XSEDE, Open Science Grid, NSF, and NIH are among them.
While InCommon is the UW-Madison community’s identity provider in the U.S., UW-Madison’s membership in EduGAIN provides federation worldwide. Notable research projects and teams that leverage identity federation for their work are LIGO, the Department of Energy, CERN, NERSC, the Translational Genomics Research Institute, and ESA Earth Observation. Collaborative access for UW-Madison researchers with these groups is possible because of our membership in both InCommon and EduGAIN.
Some concerns with federated access revolve around how many attributes about a user are transferred from the institution providing access (i.e., UW-Madison) to the resource being accessed. FERPA protects students by controlling how many attributes about a student are made available to outside groups and delivered when a student logs into a resource using their UW-Madison NetID. However, privacy for staff at a university cannot yet be managed in the same way, since they are outside of FERPA’s purview. Attribute consent is common in the European Union, per GDPR (General Data Protection Regulation) guidelines, but it has not become common in the U.S. yet. Technologists at Duke University are in the process of developing a system that will allow users to select which attributes are delivered.
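To make the attribute-release mechanism concrete (the Identity Provider sends a Service Provider only selected attributes, the Service Provider decides access from them, and a consent screen can narrow the release further), here is an added Python model; it is not code from the talk or from any UW-Madison or InCommon system. The user record and the Service Provider entity IDs are constructed, and the attribute names are the standard eduPerson ones used in research federations.

```python
# Added example: per-service attribute release at an IdP, plus the SP's access decision.

# Constructed directory record for one user at the identity provider (IdP).
USER = {
    "eduPersonPrincipalName": "bbadger@example.edu",
    "eduPersonAffiliation": ["student", "member"],
    "displayName": "Bucky Badger",
    "mail": "bbadger@example.edu",
    "dateOfBirth": "2001-01-01",  # sensitive; no service below is entitled to it
}

# Per-SP release policy kept at the IdP (constructed entity IDs): each service
# receives only the attributes it has a documented need for.
RELEASE_POLICY = {
    # A pay-walled journal only needs the user's status with the campus.
    "https://journals.example.org/shibboleth": {"eduPersonAffiliation"},
    # A research collaboration platform needs a stable identifier and contact info.
    "https://collab.example.net/shibboleth": {
        "eduPersonPrincipalName", "displayName", "mail", "eduPersonAffiliation",
    },
}


def build_assertion(user, sp_entity_id, consent=None, policy=RELEASE_POLICY):
    """IdP side: return the assertion sent to the SP after a successful login.

    Unknown SPs get no attributes.  If the user was shown a consent screen,
    `consent` is the set of attribute names they agreed to; it is intersected
    with the policy, so consent can only narrow what is released, never widen it.
    """
    allowed = set(policy.get(sp_entity_id, set()))
    if consent is not None:
        allowed &= set(consent)
    return {
        "audience": sp_entity_id,  # the SP this assertion is addressed to
        "attributes": {k: v for k, v in user.items() if k in allowed},
    }


def sp_authorize(assertion, my_entity_id, required_affiliations):
    """SP side: accept only assertions addressed to this SP, then grant access
    if any released affiliation matches what the resource requires."""
    if assertion.get("audience") != my_entity_id:
        return False
    released = assertion.get("attributes", {}).get("eduPersonAffiliation", [])
    return bool(set(released) & set(required_affiliations))
```

The journal never sees the user's name, e-mail or date of birth, yet can still decide access from the affiliation alone; an assertion issued for one service is rejected by another.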