
The UK federation



Presentation Transcript


  1. The UK federation
     HEAnet National Networking Conference, 16th November 2007, Kilkenny
     Henry Hughes, JANET(UK)

  2. Overview
     • Historic position
     • Federated access management
     • UK federation
     • Policy and technical framework
     • How does it work?
     • What’s next?

  3. Historic position
     • Existing Authentication and Authorisation Services
       • Athens (HE/FE/Research)
       • IP Based Authentication (Schools)
     • Concern surrounding use of IP based authentication
     • Challenge of providing remote access to services
     • Difficulty in the sharing of content and resources between organisations and sectors
     • Publishers have to interface to a multiplicity of systems
     • Wish to help provide a consistent user experience and set standards for AAI within the education sector

  4. Legacy access management
     (Diagram: speech bubbles “I’m “AJones/T,t<*?I1””, “Are you a licensed user?”, “?”; boxes: Licence Site, Identity Provider (IdP), Service Provider (SP))
     • User’s identity and personal data are known to all
     • Publisher knows more than it wants and less than it needs
     • Organisation’s precious credentials given to all publishers

  5. Federated access management
     (Diagram: speech bubbles “I’m “AJones/T,t<*?I1”, am I?”, “Are you a licensed user?”, “They say I’m licensed”, “Yes, you’re licensed”, “OK!”; boxes: Licence Site, Identity Provider (IdP), Service Provider (SP))
     • User’s identity and personal data are protected
     • Publisher knows exactly what it needs
     • Distribution of credentials is reduced

  6. The UK federation
     • A group of member organisations who sign up to a set of rules
     • An independent body, managing the trust relationships between members
     • End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs)
     • Publishers and resource providers act as ‘service providers’ (SPs)

  7. Organisational Structure
     • Funded by JISC & Becta
     • Provided for Schools, FE, HE & Research
     • Operational management by JANET(UK)
     • Policy Board
     • Technical Advisory Group

  8. Policy and technical framework
     • Rules of membership (mandatory)
     • Recommendations for use of personal data (advisory)
     • Technical recommendations (advisory)
     • Technical specifications (advisory)
     • Federation operator procedures (advisory)

  9. Rules of membership
     • Requires that members:
       • Make accurate statements to other members
       • Keep federation systems and data secure
       • Use personal data correctly (UK DPA, 1998)
       • Resolve problems within the federation
         • Not by legal action
       • Assist federation operator and other members

  10. How does it work?
     (Diagram: ten numbered steps, grouped as Authentication, Attribute Request and Authorisation)

  11. What’s next…?
     • UK federation development roadmap: http://www.ukfederation.org.uk/content/Documents/DevelopmentRoadMap
     • Opening up wider Identity Management challenges
     • Widening participation (within the UK)
       • NHS libraries
       • Public libraries, museums, etc
     • Collaboration and standardisation of federation technologies
       • HEAnet (approach and structure)
       • AARnet (service interoperability)
       • I2 (Core technology)
       • OASIS (SAML 2.0)

  12. Questions?
     • More info: www.ukfederation.org.uk
     • E-mail lists:
       • Ukfederation-announce@jiscmail.ac.uk
       • Ukfederation-discuss@jiscmail.ac.uk

  13. Adopting FAM at Cardiff University
     Rhys Smith, Cardiff University

  14. Outline
     • CU's case for implementing FAM
     • Deployment of FAM at CU
     • Benefits of FAM
     • Where to go next

  15. A bit of background
     • CU:
       • ~4,500 staff
       • ~30,000 students
     • Big user of UK's AM system (Athens)
       • ~8000 accounts created every year
       • ~100 Athens resources
       • ~1 million user logins/year
     • Many FTEs (IT & library staff) managing the service (password resets, etc.)

  16. Business Case vs Old System
     • Implementing FAM
       • Users get better experience using e-resources
       • More flexibility for collaborative research
       • Large saving in FTE effort:
         • No provisioning/deprovisioning of accounts
         • No password resets, etc
         • (All absorbed by existing processes and FTE count)
       • Small increase in FTE effort:
         • Maintaining Shib servers and service
       • Cost savings of ~£8k/year

  17. Deploying FAM - Audit Resources
     • Resources tested for Shibboleth compliance
     • Non-compliant resources
       • Only one or two left, workarounds
     • Alerts, Saved Searches and Personalisation

  18. Access to “allowed” Resources
     • FAM attributes (e.g. affiliation of user: member/staff/student/etc, and entitlements) are important for access control
     • CU's IDM system drives provisioning of attributes
     • Not as simple as you might think – an 18 month (and counting!) group at CU decided membership, categories & entitlements
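The exchange these slides describe (slide 5's hand-off between user, IdP and SP, slide 10's authentication, attribute request and authorisation steps, and slide 18's affiliation and entitlement attributes driving the SP's decision), as an added Python sketch that is not part of either presentation. An HMAC over a JSON payload stands in for the SAML signature; the directory, passwords, key and the entitlement URN are constructed or illustrative, not values from either deployment.

```python
import hashlib, hmac, json, secrets, time

# Constructed stand-in for the IdP's signing key (real federations use X.509 keys
# published in federation metadata; a shared HMAC key keeps this runnable offline).
FEDERATION_KEY = b"constructed-federation-key"
LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"  # illustrative entitlement value

# The IdP's user directory (constructed). In legacy access management the publisher
# saw these credentials directly; in the federated flow they never leave the IdP.
IDP_DIRECTORY = {
    "ajones": {"password": "T,t<*?I1", "affiliation": "staff", "entitlements": [LIB_TERMS]},
    "bsmith": {"password": "correct-horse", "affiliation": "alum", "entitlements": []},
}

def idp_issue_assertion(username, password, requested_attrs):
    """Authenticate the user at the IdP and release only the attributes the SP asked for."""
    user = IDP_DIRECTORY.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None  # authentication failed: no assertion is issued
    attrs = {a: user[a] for a in requested_attrs if a in user and a != "password"}
    payload = {
        "subject": secrets.token_hex(8),  # opaque per-session id, not the real username
        "attrs": attrs,
        "exp": int(time.time()) + 300,    # short lifetime limits replay
    }
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(FEDERATION_KEY, body, hashlib.sha256).hexdigest()}

def sp_authorise(assertion, licensed=("member", "staff", "student")):
    """SP side: accept only a verified, unexpired assertion, then decide on attributes alone."""
    if assertion is None:
        return False
    expected = hmac.new(FEDERATION_KEY, assertion["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False  # tampered, or not issued by a federation IdP
    payload = json.loads(assertion["body"])
    if payload["exp"] < time.time():
        return False
    attrs = payload["attrs"]
    # The publisher learns affiliation/entitlement, never the identity or password.
    return attrs.get("affiliation") in licensed or LIB_TERMS in attrs.get("entitlements", [])

if __name__ == "__main__":
    a = idp_issue_assertion("ajones", "T,t<*?I1", ["affiliation"])
    print("released attributes:", json.loads(a["body"])["attrs"])
    print("licensed:", sp_authorise(a))
```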

  19. Promotion and Communication
     • Emails about Shibboleth/CU Login sent to all Information Services staff
     • Presentation on changes given to all library and helpdesk staff
     • Documentation sent to all 18 libraries
     • Web page – Off campus access
     • Changes to databases page
     • Subject Librarians cascaded information to all new students and staff

  20. What has happened so far?
     • Went live – Sept 06
     • Users
       • New Training Grade Doctors
       • New Students
       • New Staff
       • Users with expired accounts or problems
     • >60% of access to e-resources is by CU login

  21. What's happening now?
     • 2nd July 2007 – changed website to encourage remaining Athens users to switch
     • Email to users with active Athens accounts
     • Monitor use of Athens accounts over the next academic year and contact individual users to migrate
     • April 08 – All Athens accounts expire

  22. Benefit - Increased flexibility
     • When developing internal systems, no need to develop AuthN/AuthZ, just plug into Shib
       • CU's web interface to IDM system
       • EZProxy
     • Same for externally available resources
       • Even more useful!

  23. Conclusions
     • Saving of money, reduced staff effort
     • Better service to CU users
     • Increased AuthN/AuthZ flexibility for internal systems and web apps
     • Increased AuthN/AuthZ flexibility for systems and web apps designed for external users

  24. Any Questions?
     • For:
       • more info
       • a copy of these slides
       • clarification of any points
       • meaningful discussion about Shib
       • meaningless discussion about Ice Hockey
     • email: smith@cardiff.ac.uk
     the end