Use Internet2 SiteID

Already have an Internet2 SiteID?
Sign in here.

Internet2 SiteID

Foundations for a Federation

UCTrust Builds Its System-Wide Federation On Top Of InCommon

October 2, 2007

Download PDF

Solution Summary

The University of California used InCommon to federate access to their self-service applications for six of their campuses.  This allows over 375,000 users to easily and securely to access campus services and resources, all integrated together in one single sign-on environment.


Products & Services

UCTrust is a federation providing access to resources for member-campuses of the University of California system. Six of the 10 UC campuses belong to UCTrust, taking advantage of business service applications. All UC locations are expected to join UCTrust by the end of 2008.

The Problem

With ten campuses, plus five medical centers and three national research laboratories, the University of California has more than 375,000 computer users that could take advantage of self-service applications, saving the university time and money.

However, those users will also need access to resources on their own campuses as well as outside resources like library databases or services offered specifically to students. Each campus may have a license to access different resources, or they may form consortia to share such resources.

The main problem, then, is to develop a way for a user to access the appropriate applications and resources – whether those come from the central UC system office, the individual campus or from a third party. And this needs to include single sign-on convenience.

The Solution

The University of California system has created UCTrust, a federation serving just UC campuses and related entities. UCTrust is built on InCommon – essentially one federation built on top of another. This allows the UC campuses to take advantage of InCommon’s existing trust arrangements and operational infrastructure. Six UC campuses, along with the UC Office of the President, now belong to UCTrust and InCommon, providing single sign-on convenience for users, access to intra-university resources, and to the external resources of a federation of more than 60 identity providers and service providers.

“InCommon provides the tasks related to federation and UCTrust offers a level of assurance appropriate to UC's federated services,” said David Walker, Director of Advanced Technology. “So far, we have focused on applications we offer centrally. Since most applications are hosted at our campuses, however, we anticipate our greatest future growth with intercampus collaborations that are not necessarily system-wide.”

The UCTrust framework offers a level of assurance equivalent to National Institute of Standards and Technology (NIST) Level 2 through a rigorous set of policies governing participants' identity management.

“We know that when the federal government starts offering services, people will want to use them,” Walker explained. “This high level of assurance means we are ready to go.”

The Result

Six of the 10 UC campuses take advantage of federated access to a growing number of services:

  • At Your Service Online (AYSO), a self-service application that allows employees to update personal information, access W-2 information and view benefit and tax information.
  • UC Grid, the platform for UC's federated cyberinfrastructure.
  • The Effort Reporting System, used in conjunction with research grants and contracts.
  • A training management system is coming soon to operate mandatory employee training programs.
  • Also coming soon, a travel portal that will allow university employees to gather travel information and to book their own arrangements.

Walker appreciates the flexibility provided by InCommon. “A campus can do what’s good for that campus,” he said, but still have the option to take advantage of outside resources made available through UCTrust. Because campuses are members of both UCTrust and InCommon, they can take advantage of services from both federations.”

The UC system relies on InCommon to operate the underlying federation infrastructure for them. InCommon manages the registration and maintenance of the necessary information about each participating organization. This applies to all manner of collaborations, whether from university to university within the same system or from university to its many service partners — arrangements that may have completely different privacy and access constraints.