"Identity Management" (IdM) refers to the provisioning and maintenance of electronic credentials and attributes, generally for the purpose of controlling access to resources. In other words, it is how we can tell who you are and what you are supposed to be able to do. A successful Identity Management implementation
At Columbia, Identity Management revolves around the University Network ID (UNI), the unique identifier assigned to every person affiliated with the University, including alumni and casual employees. In most cases the UNI also coincides with the person's email address, but this is not necessarily so. Ideally, an individual should have only one identifier. Imagine the chaos that would ensue if each time a driver entered a new state he or she had to apply for a new license: driving from Maine to Florida would become a bureaucratic nightmare. Unfortunately, this chaos is the reality, both within the University and on the internet as a whole. Identity Management technologies and policies can help solve this problem.

Policies and governance are as critical to a successful Identity Management system as the technology. What good is a central identity repository if each new application that comes online refuses to use it? Of course, policies cannot be established in a vacuum; they require the participation of all relevant parties in their creation if their adoption is to succeed.

Identity Management Services

An Identity Management authentication service answers the question "is this person who he or she claims to be?" Authentication is based on one or more of: something the person knows, something the person has, and something the person is. Columbia relies heavily on something the person knows for access to online resources: the password attached to the UNI. Access to campus buildings relies on something the person has: a Columbia ID card. Biometrics, something intrinsic to the person such as his or her fingerprints, are not widely in use at Columbia. Requiring two of these different kinds of factors at the same time (for example a password and an ID card; two secrets of the same kind do not count) is referred to as two-factor authentication. Level of assurance refers to the certainty with which an electronic identifier can be said to belong to a given individual.
For example, the level of assurance for someone required to present photo ID in order to activate an electronic identity would be greater than that for someone who merely needed to provide a birthdate.

The enterprise directory is a repository of information about each person in the organization. At Columbia, this information comes from the place of a person's attachment to the University, for example SIS, PAC, local departments, or an affiliate such as Barnard. A person can have more than one source. The directory may contain data such as the person's name, address, telephone number, and email address, as well as information about the person's roles within the University. Not all directory information is publicly visible.

Roles may be determined demographically, based on the person's source, or by other means. Once established, roles make authorization possible: determining whether or not a person is permitted to access a given resource. Roles may also allocate resources to the individual, such as email accounts. The process of granting these permissions and resources is referred to as provisioning. When provisioning is driven by roles that the directory derives from membership in the source feeds, deprovisioning when the person leaves a role can be automatic: the role disappears with the feed entry, and the access that depended on it lapses without anyone having to file a removal request. At Columbia, some services, such as Cyrus email and access to many web-based applications, are automatically provisioned and deprovisioned.

Having each of the many web-based applications handle the authentication of Columbia users itself is problematic for many reasons, including the exposure of the password to the application. Proxy authentication services (also known as institutional sign-on, single sign-on, reduced sign-on, WebISO, WebSSO, RSSO, etc.) solve this problem by having these applications hand off authentication to a central service, so the password is only ever presented to that service. Authorization information may also be presented in this manner. At Columbia, this service is provided by WIND.
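The role-driven provisioning and the proxy-authentication handoff described above, as one added example (this is not code from the page, and it is not Columbia's directory or WIND): a toy enterprise directory derives roles from constructed SIS and PAC feed snapshots, and a stand-in central sign-on service verifies passwords itself and hands applications only a single-use, service-bound, expiring ticket that they redeem server to server for the UNI and its current roles. The feed names, UNIs, passwords, service names ("courseworks", "hr-portal") and the feed-to-role mapping are all assumptions made for the example.

```python
import hashlib, hmac, os, secrets, time

# Hypothetical feed-to-role mapping; the page does not describe Columbia's real one.
SOURCE_ROLES = {"SIS": {"student"}, "PAC": {"employee"}}

class Directory:
    """Enterprise directory whose roles are derived from source-feed membership."""

    def __init__(self):
        self.sources = {}  # uni -> set of feeds the person currently appears in

    def load_feeds(self, feeds):
        """Replace the directory with a fresh snapshot ({feed: {uni, ...}}). A UNI
        absent from every feed ends up with no roles, so role-based access lapses."""
        self.sources = {}
        for feed, unis in feeds.items():
            for uni in unis:
                self.sources.setdefault(uni, set()).add(feed)

    def roles(self, uni):
        roles = set()
        for feed in self.sources.get(uni, ()):
            roles |= SOURCE_ROLES.get(feed, set())
        return roles

class CentralSignOn:
    """Stand-in for a WebSSO / proxy authentication service (not WIND itself).
    It alone verifies passwords; applications only ever see service tickets."""
    TICKET_TTL = 60  # seconds a service ticket remains redeemable

    def __init__(self, directory, clock=time.time):
        self.directory = directory
        self._clock = clock
        self._passwords = {}  # uni -> (salt, PBKDF2 digest)
        self._tickets = {}    # ticket -> (uni, service, issued_at)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, uni, password):
        salt = os.urandom(16)
        self._passwords[uni] = (salt, self._digest(password, salt))

    def login(self, uni, password, service):
        """User authenticates here only; returns a single-use ticket bound to `service`."""
        rec = self._passwords.get(uni)
        if rec is None:
            return None
        salt, digest = rec
        if not hmac.compare_digest(self._digest(password, salt), digest):
            return None
        ticket = secrets.token_urlsafe(32)
        self._tickets[ticket] = (uni, service, self._clock())
        return ticket

    def validate(self, ticket, service):
        """Application redeems the ticket server to server; gets UNI plus current roles."""
        rec = self._tickets.pop(ticket, None)  # pop first: one use, even when it fails
        if rec is None:
            return None
        uni, bound_service, issued_at = rec
        if bound_service != service or self._clock() - issued_at > self.TICKET_TTL:
            return None
        return {"uni": uni, "roles": self.directory.roles(uni)}

def access(sso, service, required_role, uni, password):
    """One login round trip: central authentication, ticket redemption, role check."""
    ticket = sso.login(uni, password, service)
    if ticket is None:
        return "authentication failed"
    identity = sso.validate(ticket, service)
    if identity is None:
        return "invalid ticket"
    return "granted" if required_role in identity["roles"] else "forbidden"

def demo():
    now = [1_000_000.0]  # controllable clock so ticket expiry can be exercised
    directory = Directory()
    directory.load_feeds({"SIS": {"ab1234"}, "PAC": {"cd5678"}})  # constructed feeds
    sso = CentralSignOn(directory, clock=lambda: now[0])
    sso.set_password("ab1234", "correct horse")
    sso.set_password("cd5678", "battery staple")
    out = {}
    out["student"] = access(sso, "courseworks", "student", "ab1234", "correct horse")
    out["wrong_password"] = access(sso, "courseworks", "student", "ab1234", "nope")
    out["employee_on_student_app"] = access(sso, "courseworks", "student", "cd5678", "battery staple")
    t = sso.login("ab1234", "correct horse", "courseworks")
    sso.validate(t, "courseworks")
    out["replayed_ticket"] = sso.validate(t, "courseworks")
    t = sso.login("ab1234", "correct horse", "courseworks")
    out["ticket_for_other_service"] = sso.validate(t, "hr-portal")
    t = sso.login("ab1234", "correct horse", "courseworks")
    now[0] += CentralSignOn.TICKET_TTL + 1
    out["expired_ticket"] = sso.validate(t, "courseworks")
    # ab1234 leaves the SIS feed: the password still verifies, but the student role is gone.
    directory.load_feeds({"PAC": {"cd5678"}})
    out["after_leaving"] = access(sso, "courseworks", "student", "ab1234", "correct horse")
    return out
```

The application code path (`access`) never touches a password: it receives a ticket, redeems it, and authorizes on the roles the central service reports at that moment. The last case in `demo` is the deprovisioning point: nothing was revoked by hand, the person simply dropped out of the feed that conferred the role. A production system would also disable the credential itself when a person leaves; here the password deliberately keeps working to show that role-based access lapses on its own.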
Federation takes this process and extends it outside the University. Access to resources maintained at other universities and institutions becomes possible using a Columbia UNI. Similarly, access to select Columbia resources can be granted to those outside the University using their home authentication services.

The Identity Management Lifecycle