Internet2 Tech Exchange 2015 – RESTful APIs and Resource Definitions for Higher Ed

Keith Hazelton – UWisc

TIER work growing out of CIFER – Not just RESTful APIs. The goal is to make identity infrastructure developer and integrator friendly.

Considering use of RAML API designer and tools for API design and documentation.

Data structures – the win is to get a canonical representation that can be shared across vertical silos. Looking at messaging approaches. Want to make sure that messaging and API approaches are using the same representations. Looking at JSON space.

DSAWG – the TIER Data Structures and APIs Working Group – just forming, not yet officially launched. Will be openly announced.

Ben Oshrin, Spherical Cow

CIFER APIs – Quite a few proposed, some more mature than others.

More mature: Core schema (attributes that show up across multiple APIs); ID Match (a representation for asking “do I know this person already, and do I have an identifier for them?”); SOR to Registry (create a new role for a person); Authorization (standard ways of representing authorization queries).

Less mature: Registry extraction (a way to pull or push data from the registry – overlaps with provisioning); Credential management (do we really need to have multiple password reset apps?).

Not even itemized: Management APIs; Monitoring APIs. Have come up in TIER discussions.

Non-CIFER APIs / protocols of interest: CAS, LDAP, OAuth, OIDC, ORCID, SAML2, SCIM, VOOT2

Use cases:

  • Intra-component: e.g. person registry queries group registry for authorization; group registry receives person subject records from person registry.
  • Enterprise to component: System of Record provisions student or employee data into the Person Registry
  • Enterprise APIs: Home-grown person registry exposes person data to campus apps.
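The ID Match question above (“do I know this person already, and do I have an identifier?”) and the SOR-to-registry use case, as an added example that is not the CIFER ID Match API or any TIER code: an illustrative Python decision routine run against a constructed in-memory registry. The field names (given, family, dob, national_id, sor/sor_id), the match tiers and the three outcomes are assumptions made for the example. The point it shows is that a strong identifier decides on its own, a clean demographic match reuses the existing registry identifier, and anything weak or ambiguous is surfaced for review rather than silently creating a duplicate person or linking the incoming record to somebody else’s identifier.

```python
"""Added example, not CIFER's ID Match spec: decide whether an incoming
System of Record (SOR) record refers to a person the registry already knows.
All field names, tiers and sample people below are assumptions/constructed."""
import re
import unicodedata
from dataclasses import dataclass, field


def norm_text(value: str) -> str:
    """Case-fold, strip accents and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", value)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9 ]+", " ", no_accents.casefold()).strip()


def norm_id(value: str) -> str:
    """Keep only digits so '123-45-6789' and '123456789' compare equal."""
    return re.sub(r"\D", "", value)


@dataclass
class Person:
    registry_id: str
    given: str
    family: str
    dob: str                                   # ISO 8601 YYYY-MM-DD
    national_id: str = ""                      # strong identifier, may be absent
    sor_ids: dict = field(default_factory=dict)  # e.g. {"hr": "E1001"}: links to SORs


# Constructed sample registry for the example; not real people.
REGISTRY = [
    Person("R-0001", "José", "García", "1990-05-01", "123-45-6789", {"sis": "S2002"}),
    Person("R-0002", "Ann", "Lee", "1985-11-30", "", {"hr": "E1001"}),
    Person("R-0003", "Anne", "Lee", "1985-11-30", "", {}),
]


def id_match(request: dict, registry=REGISTRY) -> dict:
    """Return {"status": "exact"|"potential"|"none",
               "registry_id": str|None, "candidates": [registry ids]}."""
    # Tier 1: a strong identifier decides on its own. An SOR key already
    # linked to a registry person, or a matching national identifier,
    # is treated as authoritative for this example.
    sor, sor_key = request.get("sor"), request.get("sor_id")
    nid = norm_id(request.get("national_id", ""))
    for p in registry:
        if sor and sor_key and p.sor_ids.get(sor) == sor_key:
            return {"status": "exact", "registry_id": p.registry_id,
                    "candidates": [p.registry_id]}
        if nid and p.national_id and norm_id(p.national_id) == nid:
            return {"status": "exact", "registry_id": p.registry_id,
                    "candidates": [p.registry_id]}

    # Tier 2/3: demographic comparison on normalized name and date of birth.
    given = norm_text(request.get("given", ""))
    family = norm_text(request.get("family", ""))
    dob = request.get("dob", "")
    strong, weak = [], []
    for p in registry:
        same_family = bool(family) and norm_text(p.family) == family
        same_given = bool(given) and norm_text(p.given) == given
        same_dob = bool(dob) and p.dob == dob
        if same_family and same_given and same_dob:
            strong.append(p.registry_id)
        elif same_family and (same_dob or same_given):
            weak.append(p.registry_id)

    # Exactly one full demographic match and nobody else close: reuse the id.
    if len(strong) == 1 and not weak:
        return {"status": "exact", "registry_id": strong[0], "candidates": strong}
    # Anything ambiguous goes to a human; the caller must neither create a
    # new registry person nor link to an existing one yet.
    candidates = strong + weak
    if candidates:
        return {"status": "potential", "registry_id": None, "candidates": candidates}
    return {"status": "none", "registry_id": None, "candidates": []}


if __name__ == "__main__":
    # Ambiguous case: Ann Lee and Anne Lee share a date of birth.
    print(id_match({"given": "Ann", "family": "Lee", "dob": "1985-11-30"}))
```

An SOR-to-registry provisioning flow would call id_match before creating a person: "exact" means attach the new role to the returned registry identifier, "none" means mint a new one, and "potential" means park the record for identity-resolution review. The accent and punctuation normalization matters because the same person arrives from HR and from the student system with differently keyed names and identifiers.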


API Docs; Implementations


CSG Spring 2014 – Identity Workshop, continued

Harvard Catalyst and ORCID update

Catalyst – Profiles Research Networking Software – allows for network analysis and data visualization. Analyzes co-authoring patterns. 

Over 200 institutions have downloaded Profiles. Estimate that about 30 universities are using Profiles actively. Boston University is adding ORCID support.

Harvard Faculty Finder – doing deduplication with PubMed, Web of Science, DSpace, etc. 

Harvard is adding ORCID to PeopleSoft so it flows into the directory.

Steve Zoppe – TIER Objective

Primary objective to build upon community work that’s already been done. How to onboard services and providers? 

e.g. some providers use email address as primary identifier – annoying.

Putting together a sandbox, to show what works, and evolve over time: reference architecture and canonical implementation.

What’s the problem? To enable the community to consume and integrate with cloud services most efficiently. 

Most service providers are not clueful about identity and do not understand groups within or across enterprises.

The core needs are for AuthN and AuthZ for interrealm use. Lacking a common approach has led to a proliferation of approaches in the community – TIER is choosing a baseline of Shibboleth, Grouper, and CoManage.

Generalized design – Facade design pattern. Give service providers a normalized endpoint.

Will include lightweight workflow services.

Klara Jelinkova – TIER

InCommon is a wholly owned subsidiary of Internet2. Most of the identity work has been done in Internet2. InCommon was spun off to be the trust framework for US R&E – not development efforts.

InCommon Steering – functions as a program subcommittee and external relations and governance. 

InCommon next steps: New clearer charter (wholly owned subsidiary of Internet2); New clearer bylaws (Internet2 runs InCommon; InCommon Steering is a board that advises Internet2); Better/streamlined processes for day-to-day operations; Internet2 staff needs to run InCommon and get community feedback; Priority setting and communication: the InCommon Steering program committee helps set priorities and advise on future plans; Work with Internet2/InCommon staff to fulfill FY14 objectives and set FY15 objectives.

TIER – was launched at recent Internet2 Global Summit. 

What is TIER – Trust and Identity in Education and Research.

Longstanding problem in separation of development efforts from mature, consumable services. 

Tier next steps: Set a TIER charter (governance structure, operating processes); Figure out a funding model for the items unfunded on operating lines. 

CSG Spring 2014- Identity Workshop: Ken Klingenstein

Federation today

Federated identity in private industry still tends toward bilateral federation, but in government and R&E multilateral federation is becoming the norm.

US Government efforts: FICAM (classic identity services for government; slowly growing); NSTIC (aimed at next-gen services, privacy, etc.; has distinct governance and pilot efforts; created by President Obama in 2009; scoping is a finesse: it affects government identity interactions but wants to influence the commercial marketplace, yet the big commercial providers are not showing up). Identity needs to be global, but post-Snowden that is difficult.

What’s not working: Populating, releasing, and using attributes (attribute-retentive institutions); Rules of engagement for social identity providers are very tricky – e.g. Yahoo reassigning email addresses; International layers of rules (e.g. is an IP address personally identifiable information?); New businesses without rules yet; The economics of higher LOA – benefit to the SP, cost to the IdP. If you offer MFA on your campus, everybody in the federation benefits.

Future of trust

Metadata is growing rapidly and becoming increasingly dynamic. Metadata needs to cross federation boundaries and interoperate. A campus may want metadata from multiple aggregations. Interoperating includes the syntactic and semantic meanings of tags.

– We’re leaving /etc/hosts and heading towards DNS

The future of technical trust – approaches: Metadata registries (base-level open source software (PEER); what is the trust model that allows me to deposit metadata about a third party?); Metadata exchange protocols – MDX, moving through IETF standards processes, with several implementations for SAML and JSON metadata; Service instances that want to register and exchange metadata; Developing a metadata aggregator for Shibboleth.

Policy – Implementing trust for a community of interest (COI) requires addressing the appropriate trust elements using two structures: trust marks and trust frameworks. Work is under way on an accessibility mark and a minor’s mark. Some marks may have a MUST/SHOULD/MAY format.

Now moving away from trust to the end user experience, provide privacy consent mechanisms.

Lifestyles of the Attribute Rich and Privacy Preserved (LARPP)

A tool for managing privacy attributes. Several CSG campuses are participating. The tool came out of the Swiss federation – over a third of the schools in Switzerland have adopted it. Work is going on to describe accessibility attributes that can help software adapt.

One interesting use case has to do with filtering out attributes released by social software (e.g. GMail). 

PrivacyLens – Open source privacy manager funded by NSTIC – available on GitHub.

Fulfilling the original federated vision

Scholarly Identity

CILogon – converts federated identity into grid credentials for national compute and data stores.

ORCID, SciENcv, etc.

Currently the space is disjointed – Federated identity, ORCID, institutional scholarly record systems, publishers and scholarly societies, agencies, and grant management systems. All use separate IDs.

SciENcv = Science Experts Network Curriculum Vitae. SciENcv working group – lots of federal agencies participating. Voluntary researcher profile system. How do we get institutional attributes into SciENcv? Each agency is doing things separately; want to link using ORCID. Need lines and flows in this scholarly identity space. Need to find leverage points and make it sustainable. Constituencies and economic interests are not well aligned.

CSG Spring 2014 – Notre Dame – Identity Landscaping Workshop

A very brief history of Identity in Higher Education – a short stroll down memory lane: Michael Gettes

In the beginning: essentially no security on the Internet; then CMU did Andrew and MIT did Athena in the ’80s; BITNET-III, a project to use home university creds to access remote modem pools and centrally bill the university – FAIL!

’94/’96 – slapd emerges from UMich (LDAP); 1998 OpenLDAP project started. Most of the UMich slapd team moves to Netscape in ’98. Public Key + LDAP – cost-effective PKI – still 19 months away.

Various SSO efforts: MIT Kerberos; Yale CAS; Michigan CoSign; Washington PubCookie; Many WebAuths. Did WebISO effort in Internet2.


September 1999, Ken Klingenstein, first ideas of inter-org AuthN/AuthZ on the web.

1998 – MACE formed – first projects: DoDHE, eduPerson, Shibboleth.

US Federal viewpoint – HSPD-12 mandated government-wide secure IDs for all employees and contractors. Yielded NIST FIPS 201 – PIV, using PKI, LDAP/X.500 and friends. The Fed E-Auth initiative spawned guidance. InCommon Bronze/Silver != Fed LOA 1-4 but comparable.

NSF Middleware (NMI-EDIT) – 2002 – 2006 collab between I2MI and GRID. Produced tons of stuff, regular software package releases of many components.

2004 – InCommon is born. IBM tried to patent Shib/SAML, but was unsuccessful. SAML largely developed by RL “Bob” Morgan and Scott Cantor. 10 years later… InCommon is critical infrastructure to many universities.

What worked/works: Shibboleth, simpleSAMLphp, SAML 2.0 by vendors; LDAP (eduPerson, LDAP-Recipe); Grouper; Middleware Research; CAMPS; Global collaborations; NMI-EDIT; InCommon! (~600 participants, >7.5 million users; 10 years).

Not so much: Signet (Priv Mgmt System – didn’t take off); DoDHE (Directory of Directories); USHER – Root CA for HE – couldn’t get it into the browsers; Voice/Video AuthN/Z – still proprietary; EDDY – Distributed Diagnostics; InCommon Bronze, Silver, Gold – not a lot of uptake yet.

PKI Still 18 months away!

And we move on…

Shibboleth Consortium formed; REFEDS (locus for R+E federation operators); CommIT project; Scalable Privacy Grant; IAM test-bed emerging; Multi-factor authentication; Provisioning and integration – practices for all. Still much to do – Trusted Identity in Education and Research (TIER).

IAM Test-bed: