InCommon Frequently Asked Questions:
What is InCommon?
InCommon is a formal federation of organizations focused on creating a common
framework for collaborative trust in support of research and education. InCommon makes
sharing protected online resources easier, safer, and more scalable in our age of digital resources and services. Leveraging SAML-based authentication
and authorization systems, InCommon enables cost-effective, privacy-preserving
collaboration among InCommon participants. InCommon eliminates the need
for researchers, students, and educators to maintain multiple, password-protected
accounts. The InCommon federation supports user access to protected resources
by allowing organizations to make access decisions to resources based on
a user's status and privileges as presented by the user's home organization.
What are the benefits of joining InCommon?
InCommon supports web-based distributed authentication and authorization
services, an example of which is controlled access to protected library
resources. Participation in InCommon means that trust decisions regarding
access to resources can be managed by exchanging information in a standardized
format. Using a standard mechanism for exchanging information provides economies
of scale by reducing or removing the need to repeat integration work for
each new resource. Since access is driven by policies set by the resource
being accessed, higher security and more granular control over resources can
be supported. Reduced account management overhead is another benefit, since
users can be authenticated and access resources from the home institution
and no longer need separate accounts to access particular resources.
InCommon is operated by Internet2 to provide consistency and participant
support.
InCommon and User Identity
InCommon also preserves privacy since the home institution controls when identity is disclosed. Information can be exchanged about authorized user access, without having to disclose the identity of the user unless both sides agree it's needed.
What is a federation?
A federation is an association of organizations that use a common set of
attributes, practices and policies to exchange information about their users
and resources in order to enable collaborations and transactions.
Who can currently join InCommon?
There are two primary categories of federation participation in InCommon:
Higher Education Institutions and their Sponsored Partners. To learn more about the eligibility criteria and the processes for joining, visit our join page.
What is required to join InCommon?
Organizations applying to join InCommon must agree at an executive level
of their organization to the terms and conditions of federation participation (legal framework and federation policies),
which include documenting an organization's practices and procedures used to grant and
manage user accounts. Contacts for the organization must be official representatives
and will be verified as such. There are also technical requirements to support InCommon's federated authentication
model. For more details on the Shibboleth software, please see the question
on Shibboleth below.
Being accepted into InCommon is a two-step process. The first step is to
complete the InCommon agreement, identifying the person who will act as
the Executive Liaison to InCommon. After the participation agreement has been signed by both parties,
a registration process will verify the designated Executive and Administrators for the organization, after which the organization will be able to register its systems in the federation. For more information on this process, see the join page.
What is the cost of joining the InCommon Federation?
InCommon operates on a cost-recovery basis with fees reviewed annually.
Fees are: A one-time Participant Registration Fee of $700, payable by credit
card online. An annual fee of $1000 will be invoiced via email to the organization for the basic Higher
Education Institution or Sponsored Partner system package, which includes
1 identity management system and up to 20 Service Provider IDs. A Service
Provider is any online system that provides information or services to a restricted set of individuals or groups. The annual fee is for the
calendar year and is not pro-rated. All fees are non-refundable. Additional
Service Provider IDs are available at a rate of $1000 for every additional
20. For more information please see the InCommon Fee Schedule.
How do I prepare for InCommon?
Organizations that are eligible to join InCommon may consider testing with Shibboleth to gain familiarity with federation technology, concepts,
and requirements. As described on the join page, the first step in participation is to review and submit a signed participation agreement. The NMI-EDIT Consortium has some excellent planning resources available, including two roadmaps: The Enterprise Directory Implementation Roadmap and The Enterprise Authentication Implementation Roadmap.
What is Shibboleth?
Shibboleth software enables the sharing of Web resources that are subject
to access controls such as user IDs and passwords. Shibboleth leverages
institutional sign-on and directory systems to work among organizations
by locally authenticating users and then passing information about them
to the resource site to enable that site to make an informed authorization
decision. The Shibboleth architecture protects privacy by letting institutions
and individuals set policies to control what type of user information can
be released to each destination. For more information on Shibboleth please
visit http://shibboleth.internet2.edu/.
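The per-destination release policy described above, and the identity-free access decision described under "InCommon and User Identity", sketched as an added example (not Shibboleth or InCommon code). The entityIDs, the user record, the policy table and the salt are constructed, and the per-SP opaque identifier is an assumption that goes beyond what this page describes.

```python
import hashlib
import hmac

# Constructed sample data: one user record in the home institution's directory.
DIRECTORY = {
    "jdoe": {
        "displayName": "Jane Doe",
        "mail": "jdoe@example.edu",
        "eduPersonScopedAffiliation": ["student@example.edu", "member@example.edu"],
    }
}

# Hypothetical per-destination release policy, keyed by SP entityID.
# Any SP not listed here receives nothing (default deny).
RELEASE_POLICY = {
    "https://library.example.org/sp": {"eduPersonScopedAffiliation", "pairwiseId"},
    "https://lms.example.edu/sp": {"displayName", "mail", "eduPersonScopedAffiliation"},
}

IDP_SALT = b"constructed-demo-salt"  # a real IdP keeps this secret and stable


def pairwise_id(user, sp_entity_id):
    """Opaque identifier that differs per SP, so SPs cannot correlate users."""
    msg = f"{user}!{sp_entity_id}".encode()
    return hmac.new(IDP_SALT, msg, hashlib.sha256).hexdigest()[:32]


def release_attributes(user, sp_entity_id):
    """IdP side: resolve the user's attributes, then filter by destination."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    resolved = dict(DIRECTORY[user])
    resolved["pairwiseId"] = pairwise_id(user, sp_entity_id)
    return {name: value for name, value in resolved.items() if name in allowed}


def library_authorize(attributes, licensed_scope="example.edu"):
    """SP side: decide on affiliation alone; no name or e-mail is needed."""
    permitted = {f"student@{licensed_scope}", f"faculty@{licensed_scope}"}
    return any(a in permitted for a in attributes.get("eduPersonScopedAffiliation", []))


if __name__ == "__main__":
    for sp in ("https://library.example.org/sp", "https://unknown.example.com/sp"):
        released = release_attributes("jdoe", sp)
        print(sp, sorted(released), library_authorize(released))
```

The library SP grants access from the affiliation value alone, while an SP with no release policy receives an empty attribute set and is refused.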
How do I test my Shibboleth installation?
If your Identity Provider system is in InCommon, you can test against the test service provider. Regardless of your federation affiliation, you can test your Shibboleth Identity Provider and Service Providers in TestShib, which includes sample providers (both IdP and SP) and automated setup to test your installation.