InCommon
InCommon, officially the InCommon Federation, is a trust framework that enables cross-institution identity and access management within the higher-education and research communities in the United States. It binds member organizations—primarily colleges, universities, and libraries—into a shared security ecosystem that supports secure single sign-on to digital resources across campuses and partner services. Operated as a nonprofit, member-governed initiative, InCommon emphasizes efficiency, reliability, and accountability in handling credentials and access. At its core, InCommon relies on a federated model of trust, where a user’s home institution vouches for identity and attributes and service providers grant access based on that vouching. The implementation rests on widely adopted standards like SAML, and it is closely associated with the Shibboleth software stack for exchanging authenticated information. These elements allow institutions and their students, faculty, staff, and researchers to move between resources with less friction while maintaining control over who can see what data.
History
InCommon emerged from the need to coordinate identity and access across a growing ecosystem of universities, libraries, and research centers. The early 2000s saw colleges and consortia experimenting with federated approaches to authentication, and a formal framework began to take shape as institutions sought to reduce password fatigue and improve security without duplicating IT work at every campus. By the mid-to-late 2000s, InCommon had established itself as a recognized federation with a formal governance structure and a growing roster of participating institutions. The initiative leveraged existing standards and the work of early adopters to create a scalable trust model that could serve a diverse set of service providers, from library catalogs to learning management systems. Over time, InCommon expanded to include a broader set of services and assurance practices, while remaining focused on voluntary participation and collaborative oversight.
Governance and structure
InCommon operates under a governance framework driven by member institutions and supported by a nonprofit backbone, with oversight and day-to-day management provided by organizations in the higher-education technology community, notably EDUCAUSE and related consortia. The governance model emphasizes transparency, accountability, and cost-sharing among participants. Members pay dues that fund security reviews, attribute-release policies, and the maintenance of trusted relationships with service providers. The framework includes an identity-provider (IdP) and service-provider (SP) ecosystem, with a formal set of rules about how attributes are released and used. An assurance program helps ensure that participating IdPs meet minimum security and verification standards, reinforcing trust across the federation.
How it works
Users authenticate through their home institution's identity provider, and the home IdP issues a cryptographically verifiable assertion about the user to the requested service provider. The service provider then uses the asserted identity and the accompanying attributes to determine access to resources such as digital journals, course materials, or research data repositories. The system relies on the Security Assertion Markup Language (SAML) for exchanging authentication statements and on the Shibboleth stack as a practical implementation. By design, data sharing is minimized and controlled; only necessary attributes are released to the external service provider, and institutions retain control over what information is shared with which partners. This model reduces the burden on individual campuses while maintaining a robust, campus-based approach to identity security.
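The attribute-release and access-decision steps described above can be modelled as follows. This is an added illustration, not InCommon or Shibboleth code: the entity IDs, the policy tables and the user record are constructed, the eduPerson attribute names are assumed as the schema in use, and signature verification of the assertion is assumed to have been done by the SAML software before `authorize` runs.

```python
# Added example: constructed data, hypothetical entity IDs and policy tables.

# IdP side: full directory record for one user (constructed).
USER = {
    "eduPersonScopedAffiliation": ["member@example.edu", "student@example.edu"],
    "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
    "mail": ["jdoe@example.edu"],
    "displayName": ["Jane Doe"],
    "studentId": ["0012345"],
}

# IdP side: per-SP release policy; an SP that is not listed receives nothing.
RELEASE_POLICY = {
    "https://journals.example.org/sp": {"eduPersonScopedAffiliation",
                                        "eduPersonEntitlement"},
    "https://lms.example.net/sp": {"eduPersonScopedAffiliation", "mail",
                                   "displayName"},
}

def release_attributes(user, sp_entity_id, policy=RELEASE_POLICY):
    """Return only the attributes the IdP's policy permits for this SP."""
    allowed = policy.get(sp_entity_id, set())  # default deny for unknown SPs
    return {name: list(vals) for name, vals in user.items() if name in allowed}

# SP side: scopes each trusted IdP may assert (assumed to come from
# federation metadata the SP has already verified).
IDP_SCOPES = {"https://idp.example.edu/idp": {"example.edu"}}

LIBRARY_ENTITLEMENT = "urn:mace:dir:entitlement:common-lib-terms"

def authorize(issuer, attributes, idp_scopes=IDP_SCOPES):
    """Grant access to a member of the issuing IdP's own scope who also
    holds the library entitlement; everything else is refused."""
    scopes = idp_scopes.get(issuer)
    if scopes is None:
        return False  # issuer is not a trusted federation member
    is_member = False
    for value in attributes.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = value.partition("@")
        # An IdP may only vouch for users inside its registered scope.
        if affiliation == "member" and scope in scopes:
            is_member = True
    entitled = LIBRARY_ENTITLEMENT in attributes.get("eduPersonEntitlement", [])
    return is_member and entitled
```

The journal SP never sees `mail`, `displayName` or `studentId`, and an affiliation such as `member@other.edu` asserted by the `example.edu` IdP is refused because the scope does not belong to that issuer.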
Services and impact
Through InCommon, member institutions enable seamless access to a wide array of digital resources across campuses. Library catalogs, journals, data repositories, learning management systems, and collaboration platforms can be accessed using a student or faculty member’s home credentials, provided the home IdP has granted the appropriate attributes. This cross-institution capability lowers operational costs for IT departments by avoiding duplicated credential systems and supports cross-campus collaboration on research and learning initiatives. The federation also helps publishers and other service providers manage access under a consistent framework, making it easier for students and researchers to obtain legitimate scholarly materials. InCommon’s reach extends to collaboration with publishers, research platforms, and library networks, underscoring how trusted identity can unlock practical gains in education and research.
Controversies and debates
As with any large shared technology infrastructure, InCommon draws debate over privacy, control, and security. Critics from various perspectives raise questions about data handling: what attributes are released, to whom, and under what circumstances. Proponents counter that the framework emphasizes data minimization, institutional control, and voluntary participation, arguing that centralized approaches can actually reduce risk by standardizing security practices and incident response across many institutions. Supporters also point out that a cooperative model aligns with the realities of a fragmented higher-education landscape, where universities, consortia, and libraries rely on shared resources and cross-institution services. Debates around governance often focus on how inclusive the decision-making process is for smaller colleges, how transparent the cost structure remains, and how rapidly the framework can adapt to new privacy expectations and regulatory requirements. InCommon’s structure is designed to address these concerns by maintaining open governance, providing clear audit trails, and continually refining assurance and attribute policies. Critics who advocate more aggressive privacy protections may push for stricter opt-ins or more granular control over attribute release, while defenders argue that the current model strikes a pragmatic balance between security, efficiency, and user access.