Connecting People to Resources
Joint Information Systems Committee Connecting People to Resources Federated Access Management within the UK Nicole Harris Senior Services Transition Manager, JISC

Transcript of Connecting People to Resources

Page 1: Connecting People to Resources

Joint Information Systems Committee

Connecting People to Resources

Federated Access Management within the UK

Nicole Harris

Senior Services Transition Manager, JISC

Page 2: Connecting People to Resources

OVERVIEW

Page 3: Connecting People to Resources

A summary

JISC has published its intention to centrally support federated access management from July 2008 as the preferred access management system within UK Higher and Further education.

This will be enabled by the UK Access Management Federation, to be run by UKERNA: www.ukfederation.org.uk.

The federation is ‘technology neutral’ in terms of what systems an institution uses as long as it is SAML compliant: Shibboleth, Guanxi, AthensIM, Athens gateways (but potentially iChain and other commercial systems).

JISC will fund Athens until July 2008, after which institutions will be required to pay a subscription for ‘classic’ Athens and AthensDA (and other new Athens resources such as ‘Atacama’).

JISC is funding Eduserv to provide gateways between Athens and the UK Access Management Federation to allow Service Providers and Institutions to continue using Athens if they so choose.

Authentication is devolved to the institution: the institution needs to be able to authenticate every user who is entitled to access institutional resources.

Authorisation is handled by an exchange of information between an institution and service provider: the institution needs to know exactly what each and every user is entitled to access.

Page 4: Connecting People to Resources

Why federated access management?

Moves closer to the single sign-on ideal. Users need not remember so many passwords as they use their institutional username and password to access external, internal and collaborative resources

Aligns with international convergence on Shibboleth/SAML - wider market for suppliers

Avoids the need to maintain a central Athens-type database of registered users - by JISC/Eduserv and by participating libraries

Open Source tools are available - so tools can be developed by participants and shared

Commercial tools are available - for those who do not wish to use open source solutions

Can be used for collaborative access to institutional resources - solves problem of how you allow access to your resources to other institutions WITHOUT having to register people as members of your institution.

Free at the point of use for all members of the UK Access Management Federation.

Page 5: Connecting People to Resources

Why Has JISC Chosen this Route?

Extensive research proved this to be the most appropriate technology. Meets the defined criteria for an access management system within the UK:

– Internal (intra-institutional) applications (mostly through SSO system)

– Management of access to third-party digital library-type resources (as now)

– Inter-institutional use – stable, long-term resource sharing between defined groups (e.g. shared e-learning scenarios)

– Inter-institutional use – ad hoc collaborations, potentially dynamic in nature (virtual organisations or VOs)

International take-up secures future of development and support.

International take-up provides economies of scale through work in partnership.

Page 6: Connecting People to Resources

Why Is this Strategically Important? Key Messages

Federated access management system key deliverable within the current JISC strategy.

Implementation will require institutional effort, and should be recognised within institutional IT strategies.

Federated access management is required to meet other strategic requirements:

– DfES e-Strategy and e-Learning goals (such as e-Portfolios and e-Learning collaborations)

– HEFCE e-Learning Strategies

– Science and Innovation Investment Framework

National take-up: interaction with BECTA and the schools sector, and increasingly with NHS.

International take-up: importance of cross-working with Europe, US and Australia.

Page 7: Connecting People to Resources

IMPACT

CHANGE

– JISC support for Athens will not be available to institutions after July 2008.

INSTITUTIONAL / SERVICE PROVIDER EFFORT

– To put in place the relevant parts of the system to allow devolved authentication.

CHOICE

– Of technologies. The federated access management system will not dictate the choice of single sign-on, directory system or environment in which you work.

JOIN-UP

– Across domains (e-Learning, e-Research and Information Environments) and across systems (for internal, external and collaborative access management)

IMPROVEMENTS

– Standards based approach to access management improving flexibility.

– Real single sign-on, improved directory systems, foundation blocks for secure collaboration.

Page 8: Connecting People to Resources

STATISTICS

Page 9: Connecting People to Resources

Reviewing Readiness: Independent Review

[Chart: “How many institutions will adopt federated access by July 2008?” Stated position and pragmatic range for HE and FE, on a 0%–100% axis. (FE figures: Scotland, Wales and Northern Ireland only)]

“The Sunday Times University Guide was used as a measure of the top 20 Universities. Of the top 20, information on institutional position was obtained for 18. Of the 18, 8 are early adopters of FAM, 9 plan to adopt by July 2008, 1 is interested but has no current plans to adopt.”

Page 10: Connecting People to Resources

Federation Stats: 16th April 2007

51 MEMBERS.

29 ‘Core’ Institutional Members.

Page 11: Connecting People to Resources

Predicted Adoption

Adopter Type | Adoption Milestone | Percentage | No. Institutions
innovators | 01/04/2004 | 0.30% | 2
early adopters | 31/05/2007 | 6% | 39
early majority (1) | 01/11/2007 | 13% | 83
early majority (2) | 01/11/2008 | 20% | 128
late majority | 01/11/2009 | 32.30% | 207
laggards | not set | 28.40% | 182

Page 12: Connecting People to Resources

CHOICES

Page 13: Connecting People to Resources

Option 1 and 2: Roadmap for Institutions

Page 14: Connecting People to Resources

Choices for Service Providers

Become a full member of the UK Access Management Federation, using community-supported tools

BENEFITS: No ongoing subscription costs, compliance with international standards and institutional requirements

COSTS: Internal effort to implement software, join federation and manage provider attributes

Become a full member of the UK Access Management Federation, using tools with paid-for support

BENEFITS: Full support in implementation, compliance with international standards and institutional requirements

COSTS: Cost of support from supplier and internal effort in liaison between supplier and Federation

Decide not to implement Shibboleth; continue with Athens or other access management solution

BENEFITS: Athens providers will have access to the Federation through the ‘gateway’, funded by the JISC at least until July 2008

COSTS: Providers using Athens will continue to pay current subscription and licence costs to Eduserv

Page 15: Connecting People to Resources

Option 3: The Gateways

[Diagram labels: Athens institution; UK Access Management Federation; federated institution; central Athens; Athens protected resource; federated resource; IdP gateway; SP gateway]

Page 16: Connecting People to Resources

UK Federation Core Attributes

TECHNICAL ATTRIBUTE NAME | WHAT THIS REALLY MEANS
eduPersonScopedAffiliation ([email protected]), UK specific controlled vocabulary | Establishes user’s relationship with institution – e.g. staff, student, member. Terms as used in JISC Model license. Most authorisation can be done against this attribute.
eduPersonTargetedID (r001xf4rg2ss), opaque string defined by institution | ‘A persistent user pseudonym’ to allow for service personalisation and usage monitoring across sessions. Not a real world identity.
eduPersonPrincipalName (harrisnv), defined by institution – login name | Used when a persistent user identifier is required across services. Typically used for internal institutional services. Real identity can be established from attribute.
eduPersonEntitlement (expressed as an agreed URI), mutually agreed by institution and service | Used when a specific resource has a specific entitlement condition not covered elsewhere: must be over 21, must have completed foundation course module.
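
An added example (not from the presentation or from any federation software) of how a service provider might apply the core attributes above: authorise on eduPersonScopedAffiliation, trust only scopes the asserting identity provider is registered for, check an optional eduPersonEntitlement, and key personalisation on eduPersonTargetedID. The scope set, the rule shape, `example.ac.uk` and the function names are assumptions.

```python
"""SP-side authorisation against the UK federation core attributes (added example)."""

# Affiliation terms named on the slide; the full UK vocabulary is not reproduced here.
VOCABULARY = {"staff", "student", "member"}

def parse_scoped(value):
    """Split 'affiliation@scope', rejecting malformed values."""
    affiliation, sep, scope = value.strip().partition("@")
    if not sep or not affiliation or not scope or "@" in scope:
        raise ValueError(f"malformed scoped affiliation: {value!r}")
    return affiliation.lower(), scope.lower()

def authorise(attrs, idp_scopes, rule):
    """Return (allowed, pseudonym, reason) for one released attribute set.

    attrs      -- attribute name -> list of values released by the IdP
    idp_scopes -- scopes this IdP may assert (assumed to come from federation metadata)
    rule       -- {'affiliations': set, 'entitlement': URI or None} (hypothetical shape)
    """
    trusted = set()
    for value in attrs.get("eduPersonScopedAffiliation", []):
        try:
            affiliation, scope = parse_scoped(value)
        except ValueError:
            continue                      # ignore malformed values
        # Drop affiliations asserted for a scope the IdP does not own.
        if scope in idp_scopes and affiliation in VOCABULARY:
            trusted.add(affiliation)
    # Pseudonym only: enough for personalisation, not a real-world identity.
    pseudonym = next(iter(attrs.get("eduPersonTargetedID", [])), None)
    if not trusted & rule["affiliations"]:
        return False, pseudonym, "no trusted affiliation matches the licence"
    needed = rule.get("entitlement")
    if needed and needed not in attrs.get("eduPersonEntitlement", []):
        return False, pseudonym, "required entitlement not released"
    return True, pseudonym, "ok"

# Constructed sample data (example.ac.uk and other.ac.uk are placeholders).
SCOPES = {"example.ac.uk"}
RULE = {"affiliations": {"staff", "student"}, "entitlement": None}
STUDENT = {"eduPersonScopedAffiliation": ["student@example.ac.uk"],
           "eduPersonTargetedID": ["r001xf4rg2ss"]}
WRONG_SCOPE = {"eduPersonScopedAffiliation": ["staff@other.ac.uk"]}

if __name__ == "__main__":
    print(authorise(STUDENT, SCOPES, RULE))
    print(authorise(WRONG_SCOPE, SCOPES, RULE))
```

The decision never reads eduPersonPrincipalName, so an external service built this way needs no real-world identity from the institution.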

Page 17: Connecting People to Resources

Gateway Attributes

Athens Identity Providers accessing Shibboleth Service Providers can use:

– eduPersonScopedAffiliation.

– eduPersonTargetedID.

Shibboleth Identity Providers accessing Athens Service Providers can use:

– eduPersonTargetedID.

– eduPersonEntitlement (full permission set).

All other scenarios can make use of appropriate attributes as required. Not limited to core set.

Page 18: Connecting People to Resources

EXAMPLES

Page 19: Connecting People to Resources

INDEX TO THE TIMES: EDINA

Page 20: Connecting People to Resources

Shibboleth Access via a WAYF for external services

User knows URL of resource and that Shibboleth is used

And where they are from

Page 21: Connecting People to Resources

JSTOR

Page 22: Connecting People to Resources

JSTOR Example: Service Provider Developed WAYF

Page 23: Connecting People to Resources

SCIENCE DIRECT

Page 24: Connecting People to Resources

Shibboleth behind a library portal for external services

Alternatively, on or off campus, you could just go to the list of e-resources in the library’s portal.

In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system:

…but it could just be a list on a ‘hand-crafted’ web page

Page 25: Connecting People to Resources

Shibboleth behind the library portal

The expanded list shows a link direct to the Service Provider, in this case Elsevier

Page 26: Connecting People to Resources

Shibboleth behind the library portal

After clicking link in library portal:

Page 27: Connecting People to Resources

LANDMAP: MIMAS

With thanks to Ross Macintyre

Page 40: Connecting People to Resources

SUPPORT

Page 41: Connecting People to Resources

Support Resources

www.jisc.ac.uk/federation and [email protected].

‘shib-enable-vendor’ lists: contact Jane Charlton @ JISC for more information.

Briefing Paper – available on the JISC stand.

Federated Access Management Animation.

Service Provider process map: available on the JISC website.

Page 42: Connecting People to Resources

www.ukfederation.org.uk

www.jisc.ac.uk/federation.html

[email protected]

[email protected]