Frequently Asked Questions

What is InCommon?
InCommon is a formal federation of organizations focused on creating a common framework for collaborative trust in support of research and education. InCommon makes sharing protected online resources easier, safer, and more scalable in our age of digital resources and services. Leveraging SAML-based authentication and authorization systems, InCommon enables cost-effective, privacy-preserving collaboration among InCommon participants. InCommon eliminates the need for researchers, students, and educators to maintain multiple, password-protected accounts. The InCommon federation supports user access to protected resources by allowing organizations to make access decisions to resources based on a user's status and privileges as presented by the user's home organization.

What are the benefits of joining of InCommon?
InCommon supports web-based distributed authentication and authorization services, an example of which is controlled access to protected library resources. Participation in InCommon means that trust decisions regarding access to resources can be managed by exchanging information in a standardized format. Using a standard mechanism for exchanging information provides economies of scale by reducing or removing the need to repeat integration work for each new resource. Since access is driven by policies set by the resource being accessed, higher security and more granular control to resources can be supported. Reduced account management overhead is another benefit, since users can be authenticated and access resources from the home institution and no longer need separate accounts to access particular resources. InCommon is operated by Internet2 to provide consistency and participant support.

InCommon and User Identity
InCommon also preserves privacy since the home institution controls when identity is disclosed. Information can be exchanged about authorized user access, without having to disclose the identity of the user unless both sides agree it's needed.

What is a federation?
A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaborations and transactions.

Who can currently join InCommon?
There are two primary categories of federation participation in InCommon: Higher Education Institutions and their Sponsored Partners. To learn more about the eligibility criteria and the processes for joining, visit our join page.

What is required to join InCommon?
Organizations applying to join InCommon must agree at an executive level of their organization to the terms and conditions of federation participation (legal framework and federation policies), which include documenting an organization's practices and procedures used to grant and manage user accounts. Contacts for the organization must be official representatives and will be verified as such. There are also technical requirements to support InCommon's federated authentication model. For more details on the Shibboleth software, please see the question on Shibboleth below.
Being accepted into InCommon is a two-step process. The first step is to complete the InCommon participation agreement [pdf], identifying the person who will act as the Executive Liaison to InCommon. After the participation agreement has been signed by both parties, a registration process will verify the designated Executive and Administrators for the organization, afterwhich the organization will be able to register its systems in the federation. For more information on this process, see the join page.

What is the cost of joining the InCommon Federation?
InCommon operates on a cost-recovery basis with fees reviewed annually. Fees are: A one time Participant Registration Fee of $700, payable by credit card online. An annual fee of between $1,100 and $3,000 will be invoiced via email to the organization for the basic Higher Education Institution or Sponsored Partner system package, which includes one identity management system and up to 50 Service Provider IDs. The level of annual fee depends, for an educational institution, on the Carnegie classification; and, for an SP, on annual revenue. Detailed information on the annual fee is available here.

A Service Provider is any online system that provides information or services to a restricted set of individuals or groups. The annual fee is for the calendar year and is not pro-rated. All fees are non-refundable. Additional Service Provider IDs are available at a rate of $1000 for every additional 50.

How do I prepare for InCommon?
Organizations that are eligible to join InCommon may consider testing with Shibboleth to gain familiarity with federation technology, concepts, and requirements. As described on the join page, the first step in participation is to review and submit a signed participation agreement [pdf]. The NMI-EDIT Consortium has some excellent resources available on planning, which among other resources includes two excellent roadmaps: The Enterprise Directory Implementation Roadmap and The Enterprise Authentication Implementation Roadmap.

What is Shibboleth?
Shibboleth software enables the sharing of Web resources that are subject to access controls such as user IDs and passwords. Shibboleth leverages institutional sign-on and directory systems to work among organizations by locally authenticating users and then passing information about them to the resource site to enable that site to make an informed authorization decision. The Shibboleth architecture protects privacy by letting institutions and individuals set policies to control what type of user information can be released to each destination. For more information on Shibboleth please visit

Please note: InCommon strongly recommends that all new participants planning to use Shibboleth Federated Single Sign-on Software install and deploy version 2.x. Shibboleth v1.3 is no longer supported.

How do I test my Shibboleth installation?
If your Identity Provider system is in InCommon, you can test against the test service provider. Regardless of your federation affiliation, you can test your Shibboleth Identity Provider and Service Providers in TestShib, which includes sample providers (both IdP and SP) and automated setup to test your installation. Service Providers have two ways to test their implementation; with an IdP partner or through setting up a test IdP. We have provided an overview for both.

What is an InCommon partnership?
As part of a user-driven community, InCommon participants, from time to time, shepherd a particular joint project into being. How do such partnerships happen and what support does InCommon provide? Read the Partnership FAQ for all of the information.

How do I notify InCommon of a change in our designated executive?
To change your executive, you need to inform InCommon in writing of the change. We have provided a downloadable template for a letter; this must be submitted on your institution's letterhead and signed by the appropriate person.