The UK Access Management Federation. John Chapman Project Adviser – Becta. UK Access Management Federation for Education and Research. Supported by JISC and Becta, and operated by UKERNA
UK Access Management Federation for Education and Research
• Supported by JISC and Becta, and operated by UKERNA
• Provides a single solution to access online resources and services for all education and research in the UK, including schools, colleges and universities
• Live 30 November 2006
Federation Stats: 13th April 2007
• 50 members
• 113 entities (two dual in nature):
  • 51 Identity Providers
  • 64 Service Providers
• 29 ‘core’ university/college members
• 3 ‘core’ school sector members
• Potentially >600 IdPs with more than 10,000,000 users...
• Or even more if we include parents...
• Rules of Membership
• Recommendations for Use of Personal Data
• Technical Recommendations for Participants
• Federation Technical Specifications
• Federation Operator Procedures
• Registration mechanism for SPs and IdPs
• Adding new members to the federation and updating existing members’ metadata
• Fault finding and troubleshooting
• Compatibility testing of server certificates and CA Qualification
• Technical and operational documentation
• Ongoing federation development
• Reporting
• Discovery Service
• Resilient WAYF
• Hosting of metadata
• Monitoring of SPs and IdPs
• Test environment
• Federation web site: www.ukfederation.org.uk
• Guidance and advice to IdPs & SPs
• Configuration guides
• Training courses
• Online training material
• Workshops to help organisations join the UK Federation
Policy Document 1: Rules of Membership
• The basic contractual framework for trust
• Covers:
  • Definitions
  • Rules for all members
  • Specific rules for IdPs and SPs
  • Data Protection and Privacy
  • User Accountability
  • Liability
  • Audit and Compliance
  • Termination
  • Membership Cessation
  • Changes to Rules
  • Dispute Resolution
Policy Document 2: Recommendations for Use of Personal Data
• Recommendations for use of personal data
• Covers legal requirements – Data Protection Act 1998
• Practical use of attributes:
  • eduPersonScopedAffiliation: represents the least intrusion into the user’s privacy and is likely to be sufficient for many access control decisions.
  • eduPersonTargetedID: designed to satisfy applications where the service provider needs to be able to recognise a returning user without revealing real identity.
“For most applications a combination of the attributes eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient. A requirement to provide other attributes should be regarded as exceptional by both Identity and Service Providers and will involve considerable additional responsibilities for both.”
  • eduPersonPrincipalName comes under the personal data guidelines of the DP Act.
  • eduPersonEntitlement: it may be possible to determine identity from an entitlement, so this is again governed by the DP Act.
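The attribute guidance above is easier to see in code. The following Python is an added example, not code from the presentation or from the UK Federation: it shows an IdP releasing only the two baseline attributes, an SP making an access-control decision from eduPersonScopedAffiliation alone, and a pairwise pseudonymous identifier in the style of eduPersonTargetedID that lets the SP recognise a returning user without learning who they are. The entityIDs, the salt and the keyed-hash construction are assumptions made for this example; the federation does not mandate this particular algorithm.

```python
import hashlib
import hmac

# Constructed sample secret for this example: a per-IdP salt that is never
# released to any SP.  A real deployment would keep this in the IdP's config.
IDP_SALT = b"constructed-idp-salt-keep-secret"

# The two attributes the Recommendations say will usually suffice, and the two
# the slide names as falling under the Data Protection Act guidelines.
BASELINE_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}
DP_ACT_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonEntitlement"}


def targeted_id(local_uid: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Derive a pairwise pseudonymous identifier in the style of eduPersonTargetedID.

    The same (user, SP) pair always yields the same value, so the SP can
    recognise a returning user; different SPs get different values, so two
    services cannot correlate a user between them; and without the IdP's salt
    the value cannot be reversed to the local username.  The HMAC-SHA256
    construction is an assumption for this example, not a federation rule.
    """
    message = f"{sp_entity_id}!{local_uid}".encode("utf-8")
    return hmac.new(salt, message, hashlib.sha256).hexdigest()


def scoped_affiliations(affiliations, scope: str):
    """Render affiliations as eduPersonScopedAffiliation values, e.g. member@example.ac.uk."""
    return [f"{affiliation}@{scope}" for affiliation in affiliations]


def build_assertion(local_uid: str, affiliations, scope: str, sp_entity_id: str) -> dict:
    """IdP side: release only the two baseline attributes to the named SP."""
    return {
        "eduPersonScopedAffiliation": scoped_affiliations(affiliations, scope),
        "eduPersonTargetedID": targeted_id(local_uid, sp_entity_id),
    }


def sp_access_decision(assertion: dict, allowed_scopes, allowed_affiliations) -> bool:
    """SP side: an access decision that needs nothing beyond scoped affiliation.

    Both the affiliation and the scope (the home institution) are checked, so a
    'member' from an unrelated scope is not admitted.
    """
    for value in assertion.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = value.partition("@")
        if scope in allowed_scopes and affiliation in allowed_affiliations:
            return True
    return False


def exceptional_attributes(requested) -> set:
    """Attributes an SP asks for beyond the baseline; each needs separate justification."""
    return set(requested) - BASELINE_ATTRIBUTES


def dp_act_governed(requested) -> set:
    """Subset of a request that the slide places under the DP Act personal-data guidelines."""
    return set(requested) & DP_ACT_ATTRIBUTES


if __name__ == "__main__":
    # Constructed sample: user 'alice' at example.ac.uk visiting a hypothetical SP.
    sp = "https://sp1.example.ac.uk/shibboleth"
    assertion = build_assertion("alice", ["member", "student"], "example.ac.uk", sp)
    print(assertion)
    print("admit members of example.ac.uk:", sp_access_decision(assertion, {"example.ac.uk"}, {"member"}))
    print("admit staff only:", sp_access_decision(assertion, {"example.ac.uk"}, {"staff"}))
    request = {"eduPersonScopedAffiliation", "eduPersonTargetedID", "eduPersonEntitlement"}
    print("exceptional:", exceptional_attributes(request), "DP Act:", dp_act_governed(request))
```

Run as a script to see a released assertion and two access decisions; the same user visiting a second SP would receive a different targeted ID, which is the property that stops two services correlating their users.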
Policy Document 3: Technical Recommendations for Participants
• Specifies the technical architecture for the Federation and participants
• Choice of IdP / SP software (UK is neutral, but it must be SAML compliant and tested by the Federation)
• Authentication response profiles
• Metadata processes
• Digital Certificate processes
• ‘Discovery’ processes – to WAYF or not to WAYF
• Attribute usage
• Includes Future Directions for each area of work
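The metadata processes in Policy Document 3 and the operator's metadata hosting and monitoring of SPs and IdPs listed earlier both come down to checks over the signed federation metadata aggregate. As an added example (not the presentation's or UKERNA's code), the Python below parses a constructed SAML 2.0 metadata document with hypothetical entityIDs, counts entities the way the federation statistics do (an entity that is both IdP and SP appears in both totals but once as an entity), refuses metadata whose validUntil has passed, and flags any endpoint that is not served over https. The sample document and the checks chosen are assumptions for illustration; signature verification of the aggregate is a separate step not shown here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample federation metadata with hypothetical entityIDs; it is not
# UK Federation metadata.  The third entity is dual (IdP and SP), and one of its
# endpoints is deliberately plain http so the endpoint check has something to flag.
SAMPLE_METADATA = """\
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    Name="http://federation.example.org/metadata" validUntil="2007-04-20T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.ac.uk/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://dual.example.ac.uk/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="http://dual.example.ac.uk/sso"/>
    </md:IDPSSODescriptor>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://dual.example.ac.uk/acs" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_saml_time(value: str) -> datetime:
    """Parse the UTC 'Z' timestamp form used in SAML metadata attributes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_federation(xml_text: str):
    """Return (validUntil, {entityID: set of roles}) for an EntitiesDescriptor."""
    root = ET.fromstring(xml_text)
    valid_until = parse_saml_time(root.get("validUntil"))
    entities = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        roles = set()
        if ed.find("md:IDPSSODescriptor", NS) is not None:
            roles.add("IdP")
        if ed.find("md:SPSSODescriptor", NS) is not None:
            roles.add("SP")
        entities[ed.get("entityID")] = roles
    return valid_until, entities


def summarise(entities) -> dict:
    """Count roles as the federation statistics do: duals appear in both role totals."""
    idps = sum(1 for roles in entities.values() if "IdP" in roles)
    sps = sum(1 for roles in entities.values() if "SP" in roles)
    dual = sum(1 for roles in entities.values() if roles == {"IdP", "SP"})
    return {"entities": len(entities), "identity_providers": idps,
            "service_providers": sps, "dual": dual}


def metadata_is_current(valid_until: datetime, now: datetime) -> bool:
    """A consumer must stop trusting an aggregate once validUntil has passed."""
    return now <= valid_until


def insecure_endpoints(xml_text: str):
    """List (entityID, Location) pairs for endpoints not served over https."""
    root = ET.fromstring(xml_text)
    findings = []
    for ed in root.findall("md:EntityDescriptor", NS):
        for elem in ed.iter():
            location = elem.get("Location")
            if location and not location.startswith("https://"):
                findings.append((ed.get("entityID"), location))
    return findings


if __name__ == "__main__":
    valid_until, entities = parse_federation(SAMPLE_METADATA)
    print(summarise(entities))
    print("current on 2007-04-13:", metadata_is_current(valid_until, parse_saml_time("2007-04-13T00:00:00Z")))
    print("insecure endpoints:", insecure_endpoints(SAMPLE_METADATA))
```

The role counting mirrors the statistics slide: 51 IdPs plus 64 SPs is 115, two more than the 113 entities, because two entities are dual. Running the script against the sample reports 3 entities, 2 IdPs, 2 SPs and 1 dual, and flags the one plain-http endpoint.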
UK Federation Required Attributes plus subsidiary attributes
Policy Document 4: Federation Technical Specification and Policy Document 5: Federation Operator Procedures
• Federation Technical Specification:
  • High level document about trust fabrics and how the UK Access Management Federation achieves trust.
• Federation Operator Procedures:
  • The procedures actually undertaken by the Federation Operator (UKERNA):
    • Enrolment
    • CA Qualification
    • Support
    • Monitoring / Audit
Upcoming… in Policy
• More practical documents related to the baseline Federation, such as Identity Provider deployment.
• More advice and policy as developments move to service:
  • Levels of assurance
  • Virtual organisation support
  • Virtual ‘orphanage’ (SDSS already offering TypeKey and ProtectNetwork solutions)
  • Detailed policies for outsourced identity providers and outsourced service providers
Levels of Authentication
• FAME-PERMIS
  • 1 January 2005 – 31 December 2006
  • Develop middleware extensions to facilitate multi-factor authentication and authentication-strength-linked fine-grained access control supporting a wide range of authentication methods
  • Allow users to choose the right authentication token to achieve a required level of authentication strength and feed this LoA to the PERMIS decision engine to facilitate LoA-linked fine-grained user authorisation and access control.
• ES-LoA: e-infrastructure security levels of assurance
  • 1 November 2006 – 31 October 2007
  • JISC-funded project to examine existing definitions of authentication levels of assurance, both at UK and international levels, building consensus and making proposals regarding standard definitions for use in the UK education and research community.
• JISC Identity Project
  • www.identity-project.info
  • Research into and establish consensus in the current practice and future needs of UK academic institutions in Identity Management
  • Issues that will be addressed include Grid use, Shibboleth installations, inter-institutional collaborations, internal and shared dynamic virtual organisations, classes of users, library access schemes, and NHS involvement.
• DfES Identity Management Scoping Study
• Becta Schools Interoperability Framework: 2nd PoC and Pilot
www.ukfederation.org.uk
www.jisc.ac.uk/federation.html
n.harris@jisc.ac.uk
j.farnhill@jisc.ac.uk