AMDG Current Industry Efforts

Higher Education & Research

Open Source Identity and Access Management for Higher Education

• (OSIdM4HE) Alliance. Kuali Rice, Internet2 and Jasig are collaborating on defining, releasing and supporting an open source IAM Reference Architecture and Software Suite. The first task was to define gaps in the open source IAM space. A top priority gap is person registries (aka Person Hub, Master Data Management for Person Information). Work is underway to define the way forward. Notable results include a draft person data model.

White papers and discussion

• REFEDS Attribute Management Working Group report
  • This work is being done by REFEDS (https://refeds.org/), an international group of research and education federation representatives chartered by TERENA (Trans-European Research and Education Networking Association) to discuss issues involving identity and access management.  This is a work in progress and touches on some very interesting areas of attribute management.
• InCommon Federation
  • Abstract: New methods of managing attributes promise to make federation easier to use and to operate. The key elements are: publishing of attribute requirements, support for user consent, and common attribute policies. Software and services that provide these features are becoming available, but will require InCommon participants to align their policy and technology deployments to actually realize the potential benefits across the federation.

Tools

• uApprove
  • A tool for the user that allows them to see and approve sharing of specific attributes to other sites (Shibboleth/SAML tool).
• Trusted Attribute Aggregation Service
  • TAAS acts as a secure service to link multiple IdP/AAs together using persistent identifiers without actually requiring the service that is performing the linking to know anything about the user at all. The TAAS then stores the attribute types that the IdPs return as part of the account. It can then work as a proxy IdP service that authenticates the user at an IdP and retrieves the user attributes that are requested by the SP from multiple AAs.

Standards work

• Simple Cloud Identity Management (SCIM)
• Schema Comparison maps inetOrgPerson, eduPerson, Portable Contacts, SMPL and Saleforce
• OASIS Customer Information Quality v3
• Portable Contacts
• vCard
  • Microformats
    • hCard
      • XMDP profile
• See also
  • SAML Change Notify Protocol V 1.0
  • IMS Learning Tool Interoperability person data model

Government

Department for Work and Pensions  - United Kingdom

• Framework tender

Department of Defense - USA - Enterprise Directory Services Capability - Contact Attributes Specification

• Version 2.0 July 2009

Department of Defense Identity and Privilege Management Working Group

• Biometrics Collaboration Forum 2011

Department of Commerce NIST "A Report on the Privilege Management Workshop"

• NISTIR 7657 (March 2010)

NIEM and NIEF from GFIPM (Global Federated Identity and Priviledge Management)

• http://tools.niem.gov/niemtools/home.iepd;jsessionid=E16CFE8229BD7DCFDDDA596BDC4C8345
• https://nief.gfipm.net/

MITRE Cyber Observable Expression (CybOX)

• Attributes as observable expressions

Industry/Commercial

• International Press Telecommunications Council
  • rNews http://dev.iptc.org/rNews

White papers and discussion

• Personal Levels of Assurance
  • A white paper written by J. Oliver Glasgow of AT&T discussing a different approach for determining transaction-based assurance.
• A WS twist on PKI Backend Attribute Exchange - draft NZ igovt paper  Backend Identity Data Exchange framework 0 2.doc
• ['Tokenization' of attributes - presentation to OASIS Trust Elevation TC by Rakesh Rhadakrishnan (Bank of America)|http://www.oasis-open.org/committees/document.php?document_id=44489&wg_abbrev=trust-el

Tools

• Accumulo Proposal http://wiki.apache.org/incubator/AccumuloProposal

Other

ISOC-sponsored "Mapping the Identity Ecosystem workshop", Amsterdam, December 2011

• AMDG Notes from attribute break-out session

IIW Attribute Management Discussion, Washington, DC 2012

• Distinction between core identity attributes (name, date of birth, biometrics) and acquired attributes
  • Often breaks down along the lines of authentication (core identity or identifier) and authorization (acquired over time)
  • Base attributes, dynamic attributes and particular use case extension are another set of distinctions
• Another line of distinction around identity and attributes is between the proofing process and the token activation and the attributes of each
• Differences in attribute control (lifecycle management) vs. attribute brokering (exchange)
• What is trust elevation?
  • Check with OASIS committee to see how this evolves.
  • Also track the OIX Attribute Exchange work (OIX AX)
• Can attributes be normalized and characterized by Object Identifiers (OIDs)?
• Definitions still can be a challenge
  • Authoritative vs. Trusted Attributes
  • Level of Assurance or Level of Confidence
• How do attributes relate to scopes
  • OpenID Connect provides one take

ISOC-sponsored "Moving forward with an Internet Attribute Infrastructure", Gaithersburg, March 2012

Discussion and summary of Attribute Workshop.  Goals were to knowledge share across multi-focus and multi-context communities.  Attendees included representatives from Research and Education, State, Local and Tribal Governments, Enterprise, Standards Setting and Fostering Organizations, International Federal Governments. Organizations and attendees shared overviews of their work in the Attribute space. One high-level next step is the creation of a requirements document for the creation and resourcing of an Attribute Registry. 

Discussion: What are next steps? The Attribute Registry Requirements document will likely be socialized with in the workshop stakeholder group and likely further externally as it develops.  A follow on meeting may be planned but is not yet confirmed.