The UK Access Management Federation for education and research
John Chapman, Project Adviser, Technical Policy & Standards
Problems we are trying to solve
• Multiple usernames and passwords
• Multiple copies of personal data held by third parties
• Duplication of effort across multiple institutions
• Publishers and network providers having to interface with multiple systems
• Difficulty in sharing resources between institutions
Timeline slide (year axis 2003 to 2010): milestones and goals
• JISC announces its intention to support federated access management for UK FE/HE
• All LAs members of the federation?
• Personalised online learning space
• WMnet & LGfL pilots prove Shibboleth works in the UK school sector
• Integrated learning & management systems
• Becta’s business case accepted by DfES
• LGfL continues regional federation as a production service
• Standards Fund Grant 121 (and 121a)
• Workshops, strategy paper & laboratory test led to the recommendation to implement Shibboleth technology
• Work with JISC & UKERNA to establish the UK Access Management Federation for Education and Research – launched 30 November
Shibboleth
• Neither an authentication nor an authorisation system
• Secure exchange of messages between two parties (Identity Provider and Service Provider)
• Authentication handled by the institution/LA/RBC (devolved authentication)
• Authorisation achieved by an exchange of attributes (such as ‘member of an institution’)
• Providers need to sign up to a ‘trust’ agreement
• An implementation of SAML (Security Assertion Markup Language)
Benefits of simplified sign-on and the UK federation
• For the learner:
  • Easier access to resources
  • Privacy preserving
  • Facilitates anytime, anywhere learning
• For the institution:
  • Reduction in administrative burdens for managers and users in schools
• For the LA/RBC:
  • Allows for greater aggregation of content purchasing
  • Facilitates secure sharing of content between authorities
• For the education sector:
  • Shared, cross-sector infrastructure
  • Facilitates access to e-portfolios
• For the Government:
  • Strong collaboration between Becta and JISC
  • Centrally provided services for best possible value
The UK Access Management Federation
• A group of member organisations who sign up to a set of rules
• An independent body, managing the trust relationships between members
• End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs)
• Publishers and resource providers act as ‘service providers’ (SPs)
Organisational Structure
• Funded by DfES & JISC
• Provided for Schools, FE & HE
• Operational management by UKERNA
• Policy & Governance Board
  • 3 Becta-nominated members (Paul Shoesmith, Andy Tyerman, Mike Kendal)
  • 3 JISC-nominated members (John Robinson, Iain Stinson, Brian Gilmore)
  • ‘Neutral’ Chair (Professor Sir David Watson)
• Technical Advisory Group
  • JISC, Becta, RBC, LA, University and College representation
What the service provides
• A set of Rules that binds members:
  • Make accurate statements to other members
  • Keep federation systems and data secure
  • Use personal data correctly (inc. DPA 1998)
  • Resolve problems within the Federation, not by legal action
• Guidance, examples, support
  • How to comply with the Rules
  • How to work with other members
  • Common definitions, etc.
What the service provides
• Operational management
• Registration mechanism for SPs and IdPs
  • Adding new members to the federation & updating existing members’ metadata
• Fault finding and troubleshooting
• Compatibility testing of server certificates and CA qualification
• Technical and operational documentation
• Ongoing federation development
• Reporting
Shibboleth access flow (diagram © SWITCH)
Components: WAYF; Identity Provider (Handle Service (HS), Attribute Authority (AA), User DB, WEBLOGIN); Service Provider (Resource Manager, AA Requester, Web Site / Resource). The diagram numbers the exchanges 1 to 10:
1. The user requests a resource on the Service Provider’s web site.
2. Resource Manager: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
3. WAYF: “Please tell me where are you from?” (the user selects their home organisation)
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. Handle Service: “I don’t know you. Please authenticate using WEBLOGIN.” The user’s credentials are checked against the User DB.
6. Handle Service: “OK, I know you now. I redirect your request to the target, together with a handle.” (the assertion carrying the handle reaches the SP)
7. Resource Manager: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.” The AA Requester presents the handle to the AA.
8. Attribute Authority: “Let’s pass over the attributes the user has allowed me to release.”
9. The attributes are returned to the Service Provider.
10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”
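The handle exchange in the diagram above, as an added example (not the Shibboleth implementation and not code from the UK federation or from SWITCH). It models the Handle Service issuing an opaque handle after WEBLOGIN authentication, the SP’s AA Requester presenting that handle to the Attribute Authority, and the AA returning only what the user’s release policy allows. The user store, password, attribute values, SP entity IDs and release policy are constructed sample data; the `IdentityProvider`, `ServiceProvider` and `browser_flow` names are this example’s own.

```python
"""Handle-based attribute exchange between an IdP and an SP (added example).

Not the Shibboleth implementation. USER_DB, RELEASE_POLICY and the entity
IDs are constructed sample data.
"""
import hmac
import secrets
import time

# Constructed user store: what the IdP knows about each user.
USER_DB = {
    "jbloggs": {
        "password": "correct horse",  # constructed; real stores hold hashes
        "attributes": {
            "eduPersonScopedAffiliation": ["student@keele.ac.uk"],
            "eduPersonPrincipalName": ["jbloggs@keele.ac.uk"],
            "eduPersonTargetedID": ["Ii4OQxNU2aqrSZpEK/FsxlvJ1E0="],  # constructed
        },
    }
}

# Constructed release policy: (user, SP) -> attributes the user lets the AA
# release to that SP. Anything not listed stays with the IdP.
RELEASE_POLICY = {
    ("jbloggs", "https://sp.example.org/shibboleth"):
        {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
}
HANDLE_LIFETIME = 300  # seconds a handle stays redeemable


class IdentityProvider:
    """Handle Service plus Attribute Authority of one home organisation."""

    def __init__(self):
        self._handles = {}  # handle -> (user, target SP, expiry time)

    def authenticate(self, user, password, target):
        """Handle Service: check credentials against the User DB and issue an
        opaque handle bound to the SP the user is heading for."""
        record = USER_DB.get(user)
        if record is None or not hmac.compare_digest(record["password"], password):
            return None
        handle = secrets.token_urlsafe(16)  # reveals nothing about the user
        self._handles[handle] = (user, target, time.time() + HANDLE_LIFETIME)
        return handle

    def attributes_for(self, handle, requester):
        """Attribute Authority: resolve the handle once, only for the SP it was
        issued to and only while unexpired, then apply the release policy."""
        entry = self._handles.pop(handle, None)  # single use
        if entry is None:
            return None
        user, target, expiry = entry
        if requester != target or time.time() > expiry:
            return None
        allowed = RELEASE_POLICY.get((user, requester), set())
        full = USER_DB[user]["attributes"]
        return {name: vals for name, vals in full.items() if name in allowed}


class ServiceProvider:
    def __init__(self, entity_id, idp):
        self.entity_id = entity_id
        self.idp = idp

    def accept_handle(self, handle):
        """AA Requester: trade the handle for attributes; None means rejected."""
        return self.idp.attributes_for(handle, self.entity_id)


def browser_flow(idp, sp, user, password):
    """The user's browser: authenticate at the IdP (credentials never reach
    the SP), then carry the handle to the SP as the diagram's redirect does."""
    handle = idp.authenticate(user, password, sp.entity_id)
    if handle is None:
        return None
    return sp.accept_handle(handle)


if __name__ == "__main__":
    idp = IdentityProvider()
    sp = ServiceProvider("https://sp.example.org/shibboleth", idp)
    print(browser_flow(idp, sp, "jbloggs", "correct horse"))
```

The principal name is withheld because the constructed policy does not release it; a second SP with no policy entry would receive an empty attribute set rather than everything the IdP holds. Binding the handle to the target SP and consuming it on first use means a handle observed in transit cannot be redeemed elsewhere or replayed.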
Birmingham’s walkthrough (diagram): SP BGfL+ ↔ IdP BGfL Identity Provider, within the UK Access Management Federation
LA/RBC roadmap to join the UK federation
• LA/RBC audit – Review readiness to adopt federated access management.
• Directory Development – Identify or implement a suitable local/regional directory. Directories need to be correctly populated with attributes about pupils and staff that meet the federation standard, known as the eduPerson specification.
• Authentication Development – Choose and implement a local/regional authentication or single sign-on system.
• Implement IdP – Implement Shibboleth Identity Provider software.
• Join Federation – All organisations who wish to participate will need to join the UK federation by registering and agreeing to observe federation policy.
• Institutional Roll-out – On becoming a member of the federation, the institution/LA/RBC will need to roll out the new system. This may include new user guides, training and support mechanisms.
Core attributes
• eduPersonScopedAffiliation – does this institution subscribe to the service in question? e.g. member@netherhall.cambs.sch.uk, or student@keele.ac.uk
  • Values: student (learner), staff (non-teaching staff), faculty (teaching staff), employee (all staff), member (comprises all the previous categories), affiliate (relationship short of full member), alum (ex-pupil/alumnus)
• eduPersonTargetedID – persistent opaque identifier – can provide personalisation & usage monitoring across sessions
• eduPersonPrincipalName – the ‘NetID’ of the user, e.g. user@school.lea.sch.uk – a persistent identifier across different services
• eduPersonEntitlement – enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource, e.g. “entitled to access financial accounts”
• Where extra attributes are required, the federation has a process for the addition of subsidiary attributes, but... for most applications a combination of eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient
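How a service provider turns these attributes into an access decision, as an added example (not code from the UK federation, from Shibboleth, or from the eduPerson specification). It assumes the SP hands the application the attributes as a mapping of attribute name to a list of string values, the shape a Shibboleth SP exposes after decoding the assertion. The affiliation vocabulary and the meaning of `member` follow the slide; `REGISTERED_SCOPES`, `SUBSCRIPTIONS`, the IdP entity IDs and the `urn:example:entitlement:` values are constructed sample data, and the scope check mirrors the Shibboleth SP rule that an IdP may only assert scopes registered for it in federation metadata.

```python
"""Attribute-based access decision at a Shibboleth SP (added example).

Not the UK federation's or Shibboleth's code. REGISTERED_SCOPES,
SUBSCRIPTIONS and the urn:example entitlement values are constructed.
"""

# Controlled vocabulary from the eduPerson specification, as on the slide.
AFFILIATIONS = {"student", "staff", "faculty", "employee",
                "member", "affiliate", "alum"}
# 'member' comprises these, so a licence for 'member' covers all of them.
MEMBER_COVERS = {"student", "staff", "faculty", "employee", "member"}

# Constructed: the scope(s) each IdP is registered to assert in federation
# metadata. Scoped values with any other scope are discarded, so an IdP
# cannot vouch for 'member@keele.ac.uk' on behalf of its own users.
REGISTERED_SCOPES = {
    "https://idp.netherhall.cambs.sch.uk/shibboleth": {"netherhall.cambs.sch.uk"},
    "https://idp.keele.ac.uk/shibboleth": {"keele.ac.uk"},
}

# Constructed: resource -> scope -> affiliations the subscription covers.
SUBSCRIPTIONS = {
    "e-journal": {
        "keele.ac.uk": {"member"},
        "netherhall.cambs.sch.uk": {"student", "staff"},
    },
    "finance-portal": {},  # entitlement only; no affiliation-based licence
}


def parse_scoped(value):
    """Split 'affiliation@scope' into a tuple; None if malformed or unknown."""
    if value.count("@") != 1:
        return None
    affiliation, scope = (part.strip().lower() for part in value.split("@"))
    if affiliation not in AFFILIATIONS or not scope:
        return None
    return affiliation, scope


def valid_affiliations(issuer, attributes):
    """(affiliation, scope) pairs the issuing IdP is registered to assert."""
    allowed = REGISTERED_SCOPES.get(issuer, set())
    pairs = set()
    for raw in attributes.get("eduPersonScopedAffiliation", []):
        parsed = parse_scoped(raw)
        if parsed is not None and parsed[1] in allowed:
            pairs.add(parsed)
    return pairs


def decide(issuer, attributes, resource):
    """Return (granted, reason) for one request.

    An entitlement is the IdP's explicit statement that the user meets the
    resource's extra conditions, so it is checked first. Otherwise access is
    granted when a validly scoped affiliation is covered by a subscription
    held by that scope.
    """
    wanted = f"urn:example:entitlement:{resource}"  # constructed value
    if wanted in attributes.get("eduPersonEntitlement", []):
        return True, "entitlement"
    licences = SUBSCRIPTIONS.get(resource, {})
    for affiliation, scope in sorted(valid_affiliations(issuer, attributes)):
        covered = licences.get(scope, set())
        if affiliation in covered or (
                "member" in covered and affiliation in MEMBER_COVERS):
            return True, f"{affiliation}@{scope}"
    return False, "no qualifying affiliation or entitlement"


def personalisation_key(attributes):
    """Key for per-user state: eduPersonTargetedID, not the principal name.

    The targeted ID is opaque and specific to this SP, so state stored under
    it neither reveals who the user is nor links them across SPs.
    """
    values = attributes.get("eduPersonTargetedID", [])
    return values[0] if values else None


if __name__ == "__main__":
    session = {  # constructed session from the Keele IdP
        "eduPersonScopedAffiliation": ["student@keele.ac.uk"],
        "eduPersonTargetedID": ["Ii4OQxNU2aqrSZpEK/FsxlvJ1E0="],
    }
    print(decide("https://idp.keele.ac.uk/shibboleth", session, "e-journal"))
    print(personalisation_key(session))
```

The scope check is what makes eduPersonScopedAffiliation answer the slide’s question (“does this institution subscribe?”): without it the affiliation part alone would be trusted from any IdP. Keying personalisation on eduPersonTargetedID rather than eduPersonPrincipalName is the privacy-preserving choice the benefits slide refers to.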
Roles and certificates
• Executive Liaison: a senior role within the LA
• Management Liaison: authorised to register entities
• SCS certificates available from UKERNA
More information
• UK federation
  • http://www.ukfederation.org.uk
• High-level info on Becta’s site
  • http://schools.becta.org.uk/index.php?rid=11277
  • http://industry.becta.org.uk/display.cfm?resID=14598
• Shibboleth
  • http://shibboleth.internet2.edu/ (main site)
  • http://spaces.internet2.edu/display/SHIB/ (wiki)