310 likes | 439 Views
The UK federation. Mark Tysom, JANET(UK) 9 October 2007. “Shibboleth 2007” http://news.bbc.co.uk/2/hi/entertainment/7033619.stm. A work of art. “The work, entitled Shibboleth 2007, runs the full 167 metres of the cavernous hall on London's South Bank.
E N D
The UK federation Mark Tysom, JANET(UK) 9 October 2007
“Shibboleth 2007”http://news.bbc.co.uk/2/hi/entertainment/7033619.stm
A work of art • “The work, entitled Shibboleth 2007, runs the full 167 metres of the cavernous hall on London's South Bank. • It begins as a crack then widens and deepens as it snakes across the room. • Colombian artist Salcedo said the work - on display to the public until April next year - symbolised racial hatred and division in society.”
Overview • Life before the federation • Federated-v-non-federated • Technology trials • Cross sector approach • The federation service • Policy framework • Scaling challenges: discovery • Uptake • What’s next?
Before the federation: schools • IP address-based checks • Ad-hoc bilateral arrangements between IdP and SP • Multiple usernames and passwords • Multiple copies of personal data held by third parties • Duplication of effort across multiple institutions • Publishers and network providers having to interface with multiple systems • Difficulty in sharing resources between institutions
Before the federation: FE/HE • Ad-hoc bilateral arrangements & Athens • Classic Athens - a centralised service: • Institution provides identity info about users to Athens • Athens brokers both authentication and authorisation with service providers on behalf of the organisation • Data can only be managed by site Athens Administrators • Athens database contains a lot of information about users and about the services to which institutions have subscribed
Technology trials • Independent trials within the education sector • Becta: 2003 – 2004 - workshops - strategy paper - Shib laboratory test • 2 pilots: WMnet & LGfL 2004 - 2005
Technology trials • JISC Core Middleware Development Programme selected Shibboleth and started in April 2004 • JISC early adopters (MATU) • Established Shibboleth Development and Support Service (SDSS) federation
Shibboleth selected • Individually chosen by JISC and Becta as most suitable option • Government steer towards collaborative services to avoid duplication of resources • Agreement for JANET(UK) to proceed with a joint approach March 2006 • Aim for one federation…
What are the benefits? • Provides consistency across the education sectors • Improves the user experience • Facilitates sharing of content and collaboration within and across sectors • Economies of scale for both sectors • Centrally-funded: no annual fees! • Based on an international standard (SAML)
The UK federation • Launched November 2006 • Schools, FE, HE and Research • Organisations and institutions providing services to these sectors
What is “the UK federation?” • A set of Rules that binds members to: • Make accurate statements to other members • Keep federation systems and data secure • Use personal data correctly (UK DPA,1998) • Resolve problems within the federation • Not by legal action • Assist federation operator and other members
Organisational Structure • Joint funded by Becta & JISC • Operational management by JANET(UK) • Policy Board • Stakeholder representatives • Technical Advisory Group • Experts from all sectors
UK federation infrastructure • Hosted by JANET(UK) • Discovery Service • Resilient WAYF • Hosting of metadata • Describes the UK federation • Monitoring of SPs and IdPs • Test environment • Federation web site - www.ukfederation.org.uk
Fully supported JANET service • Support team at JANET(UK) • Expert support from the JANET community • Guidance and advice to IdPs & SPs • Configuration guides • Training courses • Workshops to help organisations join the UK federation
Policy and technical framework • Rules of membership: Mandatory • Recommendations for use of personal data: • Technical recommendations: • Technical specifications: • Federation operator procedures: } Advisory
Definitions Rules for all members Specific rules for IdPs and SPs Data Protection and Privacy User Accountability Liability Audit and Compliance Termination Membership Cessation Changes to Rules Dispute Resolution 1. Rules of Membership • The basic contractual framework for trust
2. Recommendations for Use of Personal Data • Suggests how to satisfy legal requirements • UK Data Protection Act, 1998: eight data protection principles • “Responsibility of those collecting or using data concerning children to inform responsible adults, obtain valid consent or prevent inappropriate use of data by those handling it” • Not the responsibility of the UK federation • Recommends a core set of attributes
Four Core Attributes • eduPersonScopedAffiliation: represents the least intrusion into the user’s privacy and is likely to be sufficient for many access control decisions. • eduPersonTargetedID: designed to satisfy applications where the service provider needs to be able to recognise a returning user without revealing real identity. • eduPersonPrincipalName: comes under the personal data guidelines of UK Data Protection Act. • eduPersonEntitlement: may be possible to determine Identity from entitlement, so governed by UK Data Protection Act. “For most applications a combination of eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient. A requirement to provide other attributes should be regarded as exceptional by both Identity and Service Providers and will involve considerable additional responsibilities for both.”
3. Technical Recommendations for Participants • Specifies the technical architecture for federation and participants • Contains choices of IdP/SP software (UK is neutral but must be SAML compliant) • Authentication response profiles • Metadata processes • Digital Certificate processes • Attribute usage • Includes future directions for each area of work
4. Federation Technical Specification • Federation Technical Specification: • How the UK Access Management Federation achieves trust 5. Federation Operator Procedures • Federation Operator Procedures: • The procedures actually undertaken by the federation operator (JANET UK): • Enrolment • CA Qualification • Support • Monitoring / Audit
Deployment Challenges • Scaling – approx. 12–18 million eligible users – hundreds of member organisations – hundreds or thousands of entities
Discovery Challenges • Institutional portal avoids the issue • SP can perform discovery locally: – SP often knows its community of users – Particularly true for licensed content, where a real- world contract will exist – Also true for resources built around small collaborations
Central WAYF • UK federation provides central “Where Are You From” service as backstop • Production WAYF servers work from federation metadata – three identical machines – geographically distributed in multiple data centres – https:// as anti-spoofing measure
UK federation statistics (8th October 07) • 108 full member organisations • 135 SAML entities – 63 identity providers – 72 service providers • Software: – 92% Shibboleth 1.3 – 3% Shibboleth 1.2 – 5% other (AthensIM, Guanxi, etc) • Approx. 3 new applications/week
What’s next…? • UK federation development roadmap http://www.ukfederation.org.uk/content/Documents/DevelopmentRoadMap - Increase functionality - Enhance usability • Widening participation • NHS • Museums, etc
Conclusion • Federation launched – great! • Lots of potential to exploit • Job done…? • Actually, it’s just beginning!
Questions? • More info: • www.ukfederation.org.uk • E-mail lists: • Ukfederation-announce@jiscmail.ac.uk • Ukfederation-discuss@jiscmail.ac.uk