The concept of cloud identity in higher education was recognized in November 2009 with the EDUCAUSE Catalyst Award, which honors IT-based innovations that provide groundbreaking solutions to major challenges in higher education. But what is cloud identity? The gist is that cloud identity enables a person's "user" information to be distributed on the Internet. This solves a common problem: the need to maintain a username at every website. In this paradigm shift, identity information is not stored within each website, but accessed on the wire as needed. Websites become "relying parties" (RPs) using the information of trusted "identity providers" (IdPs). Although it has taken a while, finally the recipe for federated identity seems clear.

1. Cloud Identity: A Recipe for Higher
Education
By: Mike Schwartz, Gluu

2. Key Takeaways
● Cloud identity is transformative technology that will turn higher
education institutions into both identity consumers and identity
providers.
● The ROI for cloud identity will be derived by enabling people to use
their campus identity to access both internal and external websites,
leveraging the institutions' existing identity infrastructure.
● Use of cloud identity will enable people at institutions to do higher
value transactions online, such as submit a grant proposal to a
federal agency.
● Cloud identity gives people more control over their privacy and
personal security.

3. Protocols
There were many protocols to choose from...
● SAML has shown dominance
○ Shibboleth is the most widely used open source
SAML software in Higher Ed.
● OpenID Connect on the rise
○ JSON / REST (OAuth 2) authentication protocol
○ Better support for cloud / mobile / social
○ Centralized authorization

4. Identity Discovery
Where does a website send a person to be
authenticated (or "WAYF," Where are you from...")
● OpenID Connect Discovery
○ Email "style" identifier (id@domain)
○ Send HTTP request to Domain
■ What URL to send user for authentication
■ What URL to validate tokens from domain
○ Websites don't need to do anything special to
authenticate a person at the institution... its the
same workflow as a major consumer IDP, just a
different domain name

5. Multi-Party Federation
An organization can host a federation which its
partners can join as either an IDP or relying party.
Federations provide the rules to drive down the cost of
doing business.
Examples: InCommon, NJ Edge and dozens
more. A Wikipedia list of higher ed federations : http:
//en.wikipedia.org/wiki/Shibboleth_(Internet2)#Federations

6. Conclusion
● Cloud identity reduces on-boarding time for new cloud
services, reduces time for custom software
development, and minimizes account provisioning.
● Federations like InCommon provide the tools and rules
to enable efficient management of trust and security.
● New protocols like OpenID Connect will make cloud
identity even more convenient and secure.

7. The Gluu Appliance

8. More Resources...
● CEO Michael Schwartz's June 2010 guidelines
published by EDUCAUSE Quarterly: http://goo.
gl/B8bKU
● Gluu EDU Webinar: http://goo.gl/lZhJa
● Gluu Resources: http://goo.gl/0scXd