The InCommon Community empowers members to move beyond connection and into impact. By getting involved, you can advance the future of identity management in R&E, collaborate with peers facing similar challenges, grow professionally through shared learning, and drive solutions that expand secure digital access across global campuses.
Explore specialized topics relevant to your expertise or interests, and shape emerging community initiatives.
Steer the strategic direction of InCommon by joining committees that shape policy, guide process, and influence program development.
Connect with peers and leaders at forums, meet-ups, and conferences to stay up-to-date on industry trends, grow your network, and exchange ideas.
Advance your IAM skills or share what you know. Join workshops, training, and programs like BaseCAMP to learn from peers, grow your career, or help other navigate real-world challenges.
Engage in curated programs that fast-track IAM goals and initiatives through mentorship, collaboration, and community support.
Partner with vetted industry experts and service providers who offer hands-on help, strategic guidance, and implementation expertise to move your projects forward.
Whether you’re adding features or improving documentation, your code helps strengthen and evolve the tools institutions rely on every day.
Showcase your solutions and outcomes to inspire peers, demonstrate leadership, and help others accelerate their own success.
Share blog posts, guides, how-to articles, and best practices that highlight community success and help others solve real-world IAM challenges.
Present at webinars or conferences, mentor peers, join training teams, or help shape programs by serving on planning committees––all while deepening your own expertise.
In 2023, when a community group formed to improve Grouper documentation, Noelette Stout of Idaho State University stepped up to coordinate the effort. “I wanted to contribute to the community and provide any assistance I could offer,” Noelette explained. “Grouper has been such an invaluable tool for us, so I was eager to help. Since I’m not a programmer, this seemed like a great opportunity to give back to the team in an alternative way.” Grouper is an enterprise group and access management system that simplifies access management by letting you use the same group or role in many places in your organization. The software has offered an expanding array of capabilities in recent years as Grouper’s user base grew, and as the Grouper project team, led by Chris Hyzer of University of Pennsylvania, responded to the community’s use cases. Grouper rules, provisioning, deprovisioning, auditing, and authentication are just a few of the areas that have been enhanced. Grouper’s wiki-based documentation,while voluminous and helpful, needed updating and reorganizing to improve users’ experience. Refocusing and Refining Project Documentation “We identified some gaps and some areas that needed restructuring,” Chris Hyzer noted. Past Grouper documentation improvement efforts provided significant advances with a major contribution being the Grouper Deployment Guide, which was developed in 2017 by a team that Bill Thompson, then of Lafayette College, led. The Grouper documentation team that formed in 2023 conducted a survey to gauge community needs. The group meets bi-weekly on Zoom, maintains an active Slack channel to field new ideas, and tracks some of its work on a public wiki page. Constantly reviewing the recent changes in the wiki, as well as new needs for documentation, motivates the team to continue making progress. Deployers need to update the Grouper product at least quarterly to make sure the deployments have the latest security fixes and up to date libraries. The Grouper Team archived documentation for people running expired versions of Grouper, so it is still possible to get the information they need. Going forward, documentation will focus on current features, which will help keep the wiki fresh and well-organized. There is now a dedicated “Grouper developers” wiki to separate internal development documents from the user-facing documentation. Even though the working group mostly focuses on the wiki, they also discuss other documentation like Swagger for web services and help text, in the Grouper user interface. Making Great Progress In a cool use of visualization technology, Chad Redman of Unicon developed a Grouper documentation heat map.“The heat map showed the relationships between Grouper documentation wiki pages, and also the ages of related articles,” Chad explained. “Pages that were out of date were removed, rewritten, folded into other pages, or moved into the internal development space.” The following two images show our progress by having fewer disconnected circles of pages, and the colors are more yellow (recent) and less purple (old). 2023 Grouper Documentation Heat Map 2024 Grouper Documentation Heat Map “The team has shown tremendous dedication, and it has been impressive to see the improvements,” Noelette observed. “We’ve had a core group of volunteers who have put in so much of their valuable time to improve the documentation as well as the site navigation.” “A number of the newer features have been documented, which has been much appreciated, based on the feedback we’ve received,” she continued. “The site organization and navigation improvements have made it much easier to search for information. We’ve got a great team. Their hard work really shows.” Steve Zoppi, Internet2 Associate Vice President for Services Integration and Architecture, provides a big-picture view of the Grouper documentation effort. “In response to the changing community needs over the past decade, the Grouper solution has expanded and evolved. The nature of open-source programs is that the documentation quality can lag the perceived higher-priority of adding features and functionality,” he said. “That same project and its dedicated community recognized and responded to this reality by streamlining, refocusing and refining the project documentation. The outstanding result of their multi-year effort is a testament to the dedication and knowledge of our vibrant community and the development team.” Grouper documentation improvements were among the topics highlighted at the Grouper BOF at 2024 Internet2 Technology Exchange in Boston. About Grouper Grouper is an enterprise group and access management system that simplifies access management by letting you use the same group or role in many places in your organization. Grouper is part of the InCommon Trusted Access Platform, an identity and access management suite of software designed to integrate with existing systems. Our roadmap is based on community input. Grouper, the access management component of the InCommon Trusted Access Platform, evolves to meet the community’s needs. ICYMI Grouper Rules: Any Angler Can Use Them Now
Consider these scenarios: A university is hosting a students-only dance marathon. Students need to prove that they are actively enrolled to get into the event. A researcher at the University of Colorado is on a grant to study the molecular biology of a species of tumbleweed and needs access to a facility at Colorado State University. An employer needs to verify a prospective employee’s college diploma and/or transcript. While these use-cases are performed today using legacy methods spanning the gamut from use of plastic student ID cards, metal keys, and paper transcripts, which must be physically presented or used, to electronic methods, including shipping large documents around the network, none of the present electronic solutions puts the student, faculty, or staff member in a position to play a critical (and privacy-preserving) role in the decision making process. As the landscape of electronic identity shifts away from highly centralized, federated web single-single-on infrastructures to a user-centric identity ecosystem, members of the InCommon and REFEDS community wanted to understand if, why, and how the research and education (R&E) identity and access management (IAM) ecosystem needs to grow and adapt to this new environment and set of expectations. How Did the Community Members Move Forward? Last year, the Internet2Community Architecture Committee for Trust and Identity (CACTI) formed a Next-Generation Credentials Use Cases Working Group, chaired by Dan Taube of Illinois State University and Kevin Hickey of the University of Detroit-Mercy, to explore community use cases for what CACTI calls “Next-Generation Credentials.” (Read the working group’s final report.) Twenty-nine community members came together and distilled 33 different use cases, which span the gamut of authentication, authorization, and representation of different attributes associated with the many personas a person may present or use within the context of research and education. The working group’s final report makes a series of recommendations for next steps, including the formation of a new “trust registries for next-generation credentials” working group, which is in the process of being chartered by CACTI. In the meantime, the group has developed a definition of next-generation credentials and identified four key characteristics for an ecosystem in which they are widely used. What Are Next-Generation Credentials? Next-generation credentials are emerging technology that empowers credential holders to choose what identity they assert, at what time, with what relying party/verifier, and what types of information they disclose. This type of user-centric identity ecosystem is known variously as “self-sovereign identity,” “verifiable credentials,” and “wallet-based credentials,” etc. Further, a next-generation credential is a machine-verifiable method of conveying information about an entity (a natural person, system, organization, etc.), either self-asserted by that entity or attested about that entity from: An issuer, In the case of physical access to university spaces, this might be the facilities services group of a university to A verifier, This might be a card reader on a door or a mobile device held by a public safety officer in the above example by means of A wallet, which is a secure piece of software on a user’s phone or other computing device, capable of rich interactions and policy-based calculations and controlled disclosure of information on behalf of a user controlled by A holder, in this case a person wanting to gain access to a sensitive physical space. This actor could be a person or a system. Less formally stated, it is a bundle of attributes about a subject, such as birth certificate, driver’s license, campus ID card, door access list, source of role information about a project or job, professional certification, or academic degree or badge, which can be presented by the owner when required. The critical difference in a next-generation credential ecosystem is that the service provider no longer receives credentials from the issuer but from the user directly. Further, a wallet is able to perform advanced privacy-preserving and secure activities based upon homomorphic encryption (encryption where the result can be computed without decrypting the data itself), such as telling a point of sale system that a person is “21 years of age or older” without revealing any other information about the person and where the wallet knows the person’s date of birth in an encrypted format. What Are the Key Characteristics of a Next-Generation Credential Ecosystem? Based on its definition of next-generation credentials, the group recognized that for them to reach their full potential the goals, design, and operation of a next-generation credential ecosystem must be transparent and consider four key characteristics: Interoperability – Next-generation credentials must be interoperable globally, and across sectors. Industry tends towards building non-interoperable ecosystems. CACTI should consider participating in existing efforts to standardize in this space as well as pushing for more standardization where it is lacking. The trust model – Next-generation credentials will likely require the adoption of a new trust model, and certainly a new trust infrastructure or infrastructures. A trust model is the framework which ensures that transactions can take place safely, securely and in a privacy-preserving manner, and enforces policy and legal requirements over the network of participants (verifiers and issuers). Revocability – Next-generation credentials must be revocable. That is, they must be able to be marked as invalid. Credentials may have a defined lifespan upon issuance or expire upon future conditions agreed upon by both issuer and holder. Revocation is also required in cases where events necessitate reissuance of credentials, and where individual data elements have been invalidated and need to be re-issued. User Experience – Next-generation credentials place a responsibility on users to verify and trust both issuers and verifiers. The user experience must allow for users to easily understand what they are being asked to disclose and by whom, for what purpose, with what scope and constraints, and then the verifier must flexibly react to a user’s bona fide and informed decisions to accommodate the user’s preferences and decisions. Our work to understand this emerging ecosystem is just beginning, and we are closely following the work of colleagues in the European Union (which has a mandate to enable these technologies in each member state by 2026) and elsewhere. To learn more, read the group’s final report. By Community, For Community As noted in the charter of the Next-Generation Credentials Use Cases Working Group, “…we need to understand the use cases and drivers for adoption of these technologies, from the perspective of our diverse user communities: learners, teachers, researchers, administrators, [and] alumni, etc.” “It is not possible for CACTI members, in isolation, to derive meaningful or all-encompassing use-cases without the strong participation of a larger community of practitioners and users.” We encourage you to engage in our dialogue about this important topic. Read the working group’s final report and consider joining the upcoming working group as well. About CACTI The Community Architecture Committee for Trust and Identity (CACTI) is a standing architecture strategy group of community members chartered by Internet2’s Vice President for Trust and Identity. Margaret Cullen of Painless Security and Kevin Hickey from the University of Detroit-Mercy serve as the current chair and vice chair respectively. CACTI members include a broad representation from research and education. Minutes and additional information are available on the CACTI wiki.
Stay current with identity and access management by joining community events, trainings, and webinars. Explore upcoming opportunities to learn, connect, and grow your expertise.
Our team is here to provide guidance and help you navigate your options. Reach out to us directly!