The UK Access Management Federation John Chapman Project Adviser – Becta.

UK Access Management Federation for Education and Research
– Supported by JISC and Becta, and operated by UKERNA
– Provides a single solution for accessing online resources and services for all education and research in the UK, including schools, colleges and universities
– Live 30 November 2006

Federation Stats: 13th April
– members
– 113 entities (two dual in nature):
  – 51 Identity Providers
  – 64 Service Providers
– 29 'core' university/college members
– 3 'core' school sector members
– Potentially >600 IdPs with more than 10,000,000 users... or even more if we include parents...

UK Federation Services

– Rules of Membership
– Recommendations for Use of Personal Data
– Technical Recommendations for Participants
– Federation Technical Specifications
– Federation Operator Procedures

– Registration mechanism for SPs and IdPs
– Adding new members to the federation and updating existing members' metadata
– Fault finding and troubleshooting
– Compatibility testing of server certificates and CA qualification
– Technical and operational documentation
– Ongoing federation development
– Reporting

– Discovery Service – resilient WAYF
– Hosting of metadata
– Monitoring of SPs and IdPs
– Test environment
– Federation web site:

– Guidance and advice to IdPs and SPs
– Configuration guides
– Training courses
– Online training material
– Workshops to help organisations join the UK Federation

Policy Document 1: Rules of Membership
The basic contractual framework for trust. Covers:
– Definitions
– Rules for all members
– Specific rules for IdPs and SPs
– Data Protection and Privacy
– User Accountability
– Liability
– Audit and Compliance
– Termination
– Membership Cessation
– Changes to Rules
– Dispute Resolution

Policy Document 2: Recommendations for Use of Personal Data
Covers legal requirements (Data Protection Act 1998) and the practical use of attributes:
– eduPersonScopedAffiliation: represents the least intrusion into the user's privacy and is likely to be sufficient for many access control decisions.
– eduPersonTargetedID: designed to satisfy applications where the service provider needs to recognise a returning user without learning their real identity.
"For most applications a combination of the attributes eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient. A requirement to provide other attributes should be regarded as exceptional by both Identity and Service Providers and will involve considerable additional responsibilities for both."
– eduPersonPrincipalName: identifies the user, so it falls under the personal data provisions of the Data Protection Act.
– eduPersonEntitlement: it may be possible to determine identity from an entitlement value, so it is again governed by the Data Protection Act.

Policy Document 3: Technical Recommendations for Participants
Specifies the technical architecture for the Federation and its participants:
– Choice of IdP / SP software (the UK Federation is neutral, but software must be SAML compliant and tested by the Federation)
– Authentication response profiles
– Metadata processes
– Digital certificate processes
– 'Discovery' processes – to WAYF or not to WAYF
– Attribute usage
Includes Future Directions for each area of work.

UK Federation Required Attributes plus subsidiary attributes
Technical attribute name – what this really means:
– eduPersonScopedAffiliation (or UK-specific controlled vocabulary): establishes the user's relationship with the institution, e.g. staff, student, member. Terms as used in the JISC Model Licence. Most authorisation can be done against this attribute.
– eduPersonTargetedID (e.g. r001xf4rg2ss, an opaque string defined by the institution): 'a persistent user pseudonym' to allow for service personalisation and usage monitoring across sessions. Not a real-world identity.
– eduPersonPrincipalName (e.g. harrisnv, defined by the institution – the login name): used when a persistent user identifier is required across services. Typically used for internal institutional services. Real identity can be established from this attribute.
– eduPersonEntitlement (expressed as an agreed URI, mutually agreed by institution and service): used when a specific resource has a specific entitlement condition not covered elsewhere: must be over 21, must have completed the foundation course module, entitled to access financial records.
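The two policy slides above say that eduPersonScopedAffiliation plus eduPersonTargetedID should carry most service-provider authorisation decisions, and that eduPersonEntitlement is an opaque, mutually agreed URI. The following is an added example (not code from the UK Federation or from this presentation) of how a service provider would act on those attributes once its SAML software has validated the assertion and handed over the attribute values as strings. The entity IDs, scopes and attribute values are constructed for illustration. It also applies a check the slides do not spell out but which every SP should make: an IdP may only assert affiliations for the scopes registered to it in federation metadata, otherwise one member could mint "staff@other.ac.uk" for another member's users.

```python
"""Service-provider side authorisation on UK Federation attributes.

Added example, not the federation's own code. Assumes the SP's SAML layer
has already validated the assertion, flattened eduPersonTargetedID to an
opaque string, and passed attributes as name -> list of string values.
All identifiers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# eduPerson affiliation vocabulary; which values unlock a given resource
# is local SP policy (the slides: "Most authorisation can be done against
# this attribute").
EDUPERSON_AFFILIATIONS = {
    "faculty", "student", "staff", "employee",
    "member", "affiliate", "alum", "library-walk-in",
}

# Scopes each IdP is registered to assert, as federation metadata records
# them. Constructed; a real SP reads this from the signed metadata feed.
# Exact-match scopes only; regex scopes are omitted for brevity.
REGISTERED_SCOPES: Dict[str, set] = {
    "https://idp.example.ac.uk/shibboleth": {"example.ac.uk"},
    "https://idp.college.example.sch.uk/shibboleth": {"college.example.sch.uk"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    pseudonym: Optional[str] = None  # stable per-IdP, per-user key for personalisation


def parse_scoped(value: str) -> Tuple[str, str]:
    """Split 'student@example.ac.uk' into ('student', 'example.ac.uk').

    Rejects values without exactly one '@' or with an empty half, so a
    value like 'staff@' or 'a@b@c' cannot slip past the scope check.
    """
    if value.count("@") != 1:
        raise ValueError(f"malformed scoped value: {value!r}")
    affiliation, scope = value.split("@")
    if not affiliation or not scope:
        raise ValueError(f"malformed scoped value: {value!r}")
    return affiliation.lower(), scope.lower()


def authorise(idp_entity_id: str,
              attributes: Dict[str, List[str]],
              required_affiliations: Iterable[str],
              required_entitlement: Optional[str] = None) -> Decision:
    """Decide access for one authenticated user.

    Every released eduPersonScopedAffiliation value is checked for scope
    and vocabulary before any value is allowed to grant access: a single
    bad value denies the whole request rather than being ignored.
    """
    scopes = REGISTERED_SCOPES.get(idp_entity_id)
    if not scopes:
        return Decision(False, "IdP not in federation metadata")

    # eduPersonTargetedID is opaque and only meaningful together with the
    # asserting IdP, so the pseudonym is keyed by both.
    tid = attributes.get("eduPersonTargetedID", [])
    pseudonym = f"{idp_entity_id}!{tid[0]}" if len(tid) == 1 else None

    required = set(required_affiliations)
    qualifying: Optional[str] = None
    for raw in attributes.get("eduPersonScopedAffiliation", []):
        try:
            affiliation, scope = parse_scoped(raw)
        except ValueError as exc:
            return Decision(False, str(exc), pseudonym)
        if scope not in scopes:
            return Decision(False, f"scope {scope!r} not registered to this IdP", pseudonym)
        if affiliation not in EDUPERSON_AFFILIATIONS:
            return Decision(False, f"unknown affiliation {affiliation!r}", pseudonym)
        if affiliation in required and qualifying is None:
            qualifying = raw

    if qualifying is None:
        return Decision(False, "no qualifying affiliation", pseudonym)

    # Entitlements are agreed URIs: compare for exact equality, never by
    # prefix or substring.
    if required_entitlement is not None:
        if required_entitlement not in attributes.get("eduPersonEntitlement", []):
            return Decision(False, f"missing entitlement {required_entitlement}", pseudonym)

    return Decision(True, f"{qualifying} satisfies policy", pseudonym)


if __name__ == "__main__":
    sample = {
        "eduPersonScopedAffiliation": ["student@example.ac.uk"],
        "eduPersonTargetedID": ["r001xf4rg2ss"],
    }
    print(authorise("https://idp.example.ac.uk/shibboleth", sample, {"student", "staff"}))
```

The pseudonym returned with the decision is what a service keys its per-user preferences and usage statistics on; it never needs eduPersonPrincipalName for that, which is the point of the "least intrusion" ordering on the previous slide.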

Policy Document 4: Federation Technical Specification and Policy Document 5: Federation Operator Procedures
Federation Technical Specification:
– High-level document about trust fabrics and how the UK Access Management Federation achieves trust.
Federation Operator Procedures:
– The procedures actually undertaken by the Federation Operator (UKERNA):
  – Enrolment
  – CA Qualification
  – Support
  – Monitoring / Audit

Upcoming... in Policy
– More practical documents related to the baseline Federation, such as Identity Provider deployment.
– More advice and policy as developments move to service:
  – Levels of assurance
  – Virtual organisation support
  – Virtual 'orphanage' (SDSS already offering TypeKey and ProtectNetwork solutions)
  – Detailed policies for outsourced identity providers and outsourced service providers

Levels of Authentication
FAME-PERMIS
– 1 January 2005 – 31 December 2006
– Develop middleware extensions to facilitate multi-factor authentication and authentication-strength-linked fine-grained access control, supporting a wide range of authentication methods.
– Allow users to choose the right authentication token to achieve a required level of authentication strength, and feed this LoA to the PERMIS decision engine to facilitate LoA-linked fine-grained user authorisation and access control.
ES-LoA: e-infrastructure security levels of assurance
– 1 November 2006 – 31 October 2007
– JISC-funded project to examine existing definitions of authentication levels of assurance, both at UK and international levels, building consensus and making proposals regarding standard definitions for use in the UK education and research community.
JISC Identity Project
– Research into, and establish consensus on, the current practice and future needs of UK academic institutions in Identity Management.
– Issues that will be addressed include Grid use, Shibboleth installations, inter-institutional collaborations, internal and shared dynamic virtual organisations, classes of users, library access schemes, and NHS involvement.
DfES Identity Management Scoping Study
Becta Schools Interoperability Framework: 2nd PoC and Pilot