The UK Access Management Federation for education and research
John Chapman, Project Adviser, Technical Policy & Standards

Problems we are trying to solve
- Multiple usernames and passwords
- Multiple copies of personal data held by third parties
- Duplication of effort across multiple institutions
- Publishers and network providers having to interface with multiple systems
- Difficulty in sharing resources between institutions

- Workshops, strategy paper & laboratory test led to the recommendation to implement Shibboleth technology
- WMnet & LGfL pilots prove Shibboleth works in the UK school sector
- JISC announces its intention to support federated access management for UK FE/HE
- Becta’s business case accepted by DfES
- Work with JISC & UKERNA to establish the UK Access Management Federation for Education and Research, launched 30 November
- LGfL continues its regional federation as a production service
- Personalised online learning space
- Integrated learning & management systems
- All LAs members of the federation?
- Standards Fund Grant 121 (and 121a)

Shibboleth
- Neither an authentication nor an authorisation system
- Secure exchange of messages between two parties (Identity Provider and Service Provider)
- Authentication handled by the institution/LA/RBC (devolved authentication)
- Authorisation achieved by an exchange of attributes (such as ‘member of an institution’)
- Providers need to sign up to a ‘trust’ agreement
- An implementation of SAML (Security Assertion Markup Language)

Benefits of simplified sign-on and the UK federation
- For the learner:
  – Easier access to resources
  – Privacy preserving
  – Facilitates anytime, anywhere learning
- For the institution:
  – Reduction in administrative burdens for managers and users in schools
- For the LA/RBC:
  – Allows for greater aggregation of purchasing of content
  – Facilitates secure sharing of content between authorities
- For the education sector:
  – Shared, cross-sector infrastructure
  – Facilitates access to e-portfolios
- For the Government:
  – Strong collaboration between Becta and JISC
  – Centrally provided services for best possible value

Benefits for Service Providers
- No need to maintain your own user database
  – Authentication is performed by the IdP
  – Can authorise per institution, role and/or entitlement
- Reduced user support requirements
- Reduced compliance burden
  – Less storage/processing of personal data
- Accurate implementation of licence conditions
- Users take better care of credentials
- Organisations take better care of assertions

The UK Access Management Federation
- A group of member organisations who sign up to a set of rules
- An independent body, managing the trust relationships between members
- End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs)
- Publishers and resource providers act as ‘service providers’ (SPs)

Organisational Structure
- Funded by DfES & JISC
- Provided for Schools, FE & HE
- Operational management by UKERNA
- Policy & Governance Board
  – 3 Becta nominated members (Paul Shoesmith, Andy Tyerman, Mike Kendal)
  – 3 JISC nominated members (John Robinson, Iain Stinson, Brian Gilmore)
  – ‘Neutral’ Chair (Professor Sir David Watson)
- Technical Advisory Group
  – JISC, Becta, RBC, LA, University and College representation

What the service provides
- A set of Rules that binds members:
  – Make accurate statements to other members
  – Keep federation systems and data secure
  – Use personal data correctly (inc. DPA 1998)
  – Resolve problems within the Federation, not by legal action
- Guidance, examples, support
  – How to comply with the Rules
  – How to work with other members: common definitions, etc.

What the service provides
- Operational management
  – Registration mechanism for SPs and IdPs
  – Adding new members to the federation & updating existing members’ metadata
  – Fault finding and troubleshooting
  – Compatibility testing of server certificates and CA qualification
  – Technical and operational documentation
  – Ongoing federation development
  – Reporting

Shibboleth access flow (diagram © SWITCH). Components: the Service Provider web site with its Assertion Service, Requester and Resource Manager; the WAYF; and the Identity Provider with its Handle Service (HS), User DB and Attribute Authority (AA).
1. The user’s browser requests a resource on the Service Provider web site.
2. Service Provider: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
3. WAYF: “Please tell me where you are from.”
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. Handle Service: “I don’t know you. Please authenticate using WEBLOGIN.”
6. The user’s credentials are checked against the User DB.
7. Handle Service: “OK, I know you now. I redirect your request to the target, together with a handle.”
8. Service Provider (Requester), presenting the handle: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
9. Attribute Authority: “Let’s pass over the attributes the user has allowed me to release.”
10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”

Birmingham’s walkthrough (diagram: SP BGfL+, IdP BGfL Identity Provider, UK Access Management Federation)

LA/RBC roadmap to join the UK federation
1. LA/RBC audit – Review readiness to adopt federated access management.
2. Directory Development – Identify or implement a suitable local/regional directory. Directories need to be correctly populated with attributes about pupils and staff that meet the federation standard, known as the eduPerson specification.
3. Authentication Development – Choose and implement a local/regional authentication or single sign-on system.
4. Implement IdP – Implement the Shibboleth Identity Provider software.
5. Join Federation – All organisations who wish to participate will need to join the UK federation by registering and agreeing to observe federation policy.
6. Institutional Roll-out – On becoming a member of the federation, the institution/LA/RBC will need to roll out the new system. This may include new user guides, training and support mechanisms.

Core attributes
- eduPersonScopedAffiliation – does this institution subscribe to the service in question? e.g. or
  – Values: student (learner), staff (non-teaching staff), faculty (teaching staff), employee (all staff), member (comprises all the previous categories), affiliate (relationship short of full member), alum (ex pupil/alumnus)
- eduPersonTargetedID – persistent opaque identifier; can provide personalisation & usage monitoring across sessions
- eduPersonPrincipalName – the ‘NetID’ of the user, e.g. – a persistent identifier across different services
- eduPersonEntitlement – enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource, e.g. “entitled to access financial accounts”
- Where extra attributes are required, the federation has a process for the addition of subsidiary attributes, but...
- For most applications a combination of eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient
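The final step of the access flow above (the Resource Manager deciding on the released attributes) and the core attributes slide together describe how an SP authorises per institution, role and entitlement. The following is an added example, not code from the presentation or from Shibboleth: it parses eduPersonScopedAffiliation values, discards any scope the asserting IdP is not registered for (an assumption here is that the SP keeps that list per IdP from federation metadata) and then applies a resource policy. All names, policies and attribute values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Affiliation vocabulary as listed on the core attributes slide.
AFFILIATIONS = frozenset(
    {"student", "staff", "faculty", "employee", "member", "affiliate", "alum"})


@dataclass(frozen=True)
class AccessPolicy:
    """What one resource requires: subscribing scopes, roles, optional entitlement."""
    subscribing_scopes: frozenset
    allowed_affiliations: frozenset
    required_entitlement: Optional[str] = None


def parse_scoped_affiliation(value: str) -> tuple:
    """Split 'staff@example.ac.uk' into (affiliation, scope); reject malformed values."""
    affiliation, sep, scope = value.strip().lower().partition("@")
    if not sep or not scope or "@" in scope or affiliation not in AFFILIATIONS:
        raise ValueError(f"malformed eduPersonScopedAffiliation: {value!r}")
    return affiliation, scope


def authorise(attributes: dict, idp_scopes: frozenset, policy: AccessPolicy) -> tuple:
    """Decide access from released attributes (attribute name -> list of values).

    idp_scopes: scopes the asserting IdP is registered for (assumed to come from
    federation metadata). A value whose scope the IdP does not own is ignored
    rather than trusted, so one member cannot claim affiliation with another."""
    entitlements = set(attributes.get("eduPersonEntitlement", []))
    if policy.required_entitlement and policy.required_entitlement not in entitlements:
        return False, "required entitlement not asserted"
    for value in attributes.get("eduPersonScopedAffiliation", []):
        try:
            affiliation, scope = parse_scoped_affiliation(value)
        except ValueError:
            continue  # malformed value: skip, never guess
        if scope not in idp_scopes:
            continue  # IdP asserting a scope it is not registered for
        if scope in policy.subscribing_scopes and affiliation in policy.allowed_affiliations:
            return True, f"{affiliation}@{scope}"
    return False, "no acceptable affiliation from a subscribing institution"


# Constructed sample data: one registered IdP and one resource licensed to staff/faculty.
IDP_SCOPES = frozenset({"example.ac.uk"})
STAFF_ONLY = AccessPolicy(frozenset({"example.ac.uk"}), frozenset({"staff", "faculty"}))
RELEASED = {"eduPersonScopedAffiliation": ["staff@example.ac.uk", "member@example.ac.uk"],
            "eduPersonTargetedID": ["constructed-opaque-id-1"]}
```

Only eduPersonScopedAffiliation and, where the policy demands it, eduPersonEntitlement feed the decision; eduPersonTargetedID is carried through for personalisation and is not used for authorisation.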

- Executive Liaison: a senior role within the LA
- SCS certificates available from UKERNA
- Management Liaison: authorised to register entities

More information
- UK federation –
- High level info on Becta’s site – –
- Shibboleth – (main site), – (wiki)