Posted 20-Dec-2015 (Documents)

Copyright JNT Association 2005, 2007

Overview of the UK Access Management Federation

Josh Howlett

Summary

• What is it?

• How does it work?

• Benefits

• What the service provides

• Suggested approach

• Further Information

The UK Federation

• A group of member organisations who sign up to a set of rules

• An independent body, managing the trust relationships between members

• End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs)

• Publishers and resource providers act as ‘service providers’ (SPs)

Organisational Structure

• Funded by Becta & JISC

• Provided for Schools, FE & HE

• Operational management by UKERNA

• Policy & Governance Board

• Technical Advisory Group

Components

• Federation Infrastructure

• Policy

• Operational Management

• User Support

• Assisted Take-up

• Outreach

Scope of Federation

[Diagram: Identity Provider, Service Provider and Federation operator. The Federation operator supplies Metadata and Rules to both the IdP and the SP; a bilateral agreement between IdP and SP is possible. Discovery is by either WAYF or WAYG. The IdP sends assertions to the SP: AuthN, Attributes, (AuthZ).]

How it works

The core attributes: technical attribute name, and what this really means.

• eduPersonScopedAffiliation (e.g. member@jisc.ac.uk) – a UK-specific controlled vocabulary. Establishes the user’s relationship with the institution, e.g. staff, student, member. Terms as used in the JISC Model Licence. Most authorisation can be done against this attribute.

• eduPersonTargetedID (e.g. r001xf4rg2ss) – an opaque string defined by the institution. ‘A persistent user pseudonym’ to allow for service personalisation and usage monitoring across sessions. Not a real-world identity.

• eduPersonPrincipalName (e.g. harrisnv) – defined by the institution: the login name. Used when a persistent user identifier is required across services. Typically used for internal institutional services. Real identity can be established from the attribute.

• eduPersonEntitlement (expressed as an agreed URI) – mutually agreed by institution and service. Used when a specific resource has a specific entitlement condition not covered elsewhere: must be over 21, must have completed the foundation course module.
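The following is an added example, not code from these slides, from the UK federation or from its software. It shows, in Python, what a service provider does with the assertion on the ‘Scope of Federation’ slide once it holds the core attributes listed above: it drops eduPersonScopedAffiliation values whose scope the asserting IdP is not registered for (Shibboleth-style federations publish each IdP’s permitted scopes in the federation metadata, as shibmd:Scope; without that check any member IdP could assert member@jisc.ac.uk on behalf of another institution), authorises on affiliation and, where required, on an agreed entitlement URI, and keys personalisation on eduPersonTargetedID together with the issuer, because the pseudonym is only opaque and unique per IdP. The assertion, the scope table IDP_SCOPES and the function names are this example’s own constructions; signature verification and the SAML binding are assumed to have been done by the SP software before this code runs.

```python
"""Service-provider handling of the core UK federation attributes.

Added example; not code from the slides, the UK federation or its software.
SAMPLE_ASSERTION is constructed test data and IDP_SCOPES stands in for the
per-IdP scope list a Shibboleth-style federation publishes in its metadata
(shibmd:Scope). Signature verification is assumed to have happened already.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# eduPerson attribute OIDs in the urn:oid naming used for SAML 2.0 attributes.
ATTR_OIDS = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": "eduPersonScopedAffiliation",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10": "eduPersonTargetedID",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eduPersonPrincipalName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
}

# Constructed: the scopes each IdP is registered to assert (from metadata).
IDP_SCOPES = {"https://idp.example.ac.uk/idp/shibboleth": {"example.ac.uk"}}

# Constructed assertion. The third affiliation value carries a scope this IdP
# is not registered for and must be dropped rather than trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2007-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.ac.uk/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>member@example.ac.uk</saml:AttributeValue>
      <saml:AttributeValue>staff@Example.AC.UK</saml:AttributeValue>
      <saml:AttributeValue>member@other.ac.uk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">r001xf4rg2ss</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7">
      <saml:AttributeValue>urn:mace:example.ac.uk:foundation-module-complete</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return (issuer, {friendly name: [values]}) from a SAML 2.0 assertion.

    Attributes not in ATTR_OIDS are ignored. eduPersonTargetedID arrives as a
    NameID element inside the AttributeValue, so that child is unwrapped.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = ATTR_OIDS.get(attr.get("Name"))
        if name is None:
            continue
        for av in attr.iterfind("saml:AttributeValue", NS):
            name_id = av.find("saml:NameID", NS)
            text = (name_id.text if name_id is not None else av.text) or ""
            attrs.setdefault(name, []).append(text.strip())
    return issuer, attrs


def filter_scoped(values, allowed_scopes):
    """Keep only scoped values whose scope the asserting IdP is registered for.

    Scopes are DNS-style and compared case-insensitively; values with no '@'
    or with an empty local part are discarded. This is the check that stops
    one IdP asserting member@some-other.ac.uk.
    """
    allowed = {s.lower() for s in allowed_scopes}
    kept = []
    for value in values:
        if "@" not in value:
            continue
        local, scope = value.rsplit("@", 1)
        if local and scope.lower() in allowed:
            kept.append(f"{local}@{scope.lower()}")
    return kept


def authorise(assertion_xml, idp_scopes, required_affiliations=("member",),
              required_entitlement=None):
    """Decide access from the core attributes and return a decision dict.

    required_affiliations: affiliation terms the licence admits (any one).
    required_entitlement: an agreed entitlement URI, or None. Entitlement URIs
    are unscoped, so they are only honoured from issuers present in idp_scopes,
    which here doubles as the list of IdPs the SP has an agreement with.
    """
    issuer, attrs = extract_attributes(assertion_xml)
    scopes = idp_scopes.get(issuer)
    if not scopes:
        return {"allowed": False, "reason": "unknown issuer"}
    affiliations = filter_scoped(attrs.get("eduPersonScopedAffiliation", []), scopes)
    roles = {a.split("@", 1)[0] for a in affiliations}
    if not roles & set(required_affiliations):
        return {"allowed": False, "reason": "affiliation not licensed",
                "affiliations": affiliations}
    if required_entitlement and required_entitlement not in attrs.get("eduPersonEntitlement", []):
        return {"allowed": False, "reason": "entitlement missing",
                "affiliations": affiliations}
    tid = next(iter(attrs.get("eduPersonTargetedID", [])), None)
    # Key any per-user state on (issuer, targetedID): the value alone is not
    # unique across IdPs and must never be treated as a real-world identity.
    return {"allowed": True, "reason": "ok", "affiliations": affiliations,
            "pseudonym": (issuer, tid) if tid else None}


if __name__ == "__main__":
    print(authorise(SAMPLE_ASSERTION, IDP_SCOPES))
    print(authorise(SAMPLE_ASSERTION, IDP_SCOPES, required_affiliations=("student",)))
```

Run stand-alone it prints the decision for the constructed assertion: the member@other.ac.uk value is silently dropped, the mixed-case scope is normalised, and a licence that admits only students is refused. Attribute values not in the table (eduPersonPrincipalName here) are simply not consumed, which is the intended default: an SP should only ask for, and act on, the attributes its licence condition actually needs.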

How it works

• The core attributes should be sufficient.

• If not, attributes from the standard object classes may be used:

– eduPerson, e.g. nickName

– organizationalPerson, e.g. telephoneNumber

– inetOrgPerson, e.g. preferredLanguage

– Custom attributes are permitted “as a last resort”.

Benefits

• Benefits for users

– Much less need to disclose your identity

– Personal data kept between you and your home organisation

– Publishers can tailor services better

– (At least) one less password to remember

Benefits

• Benefits for Identity providers (IdPs)

– Typical IdPs are LAs, RBCs, FE, HE or Research

– Easier to comply with regulatory requirements

• Data Protection Act 1998, etc.

– Better service offered to users

– Uses existing access management systems

– Can use same access control for all resources

• Both internal and external

– Fewer credentials should mean fewer support problems

Benefits

• Benefits for Service providers (SPs)

– Typical SPs are publishers, etc.

– No need to store user credentials or entitlements

• Authentication is performed by the IdP

• Can authorise per institution, role, and/or entitlement

– Reduced user support requirements

– Reduced compliance burden

• Less storage/processing of personal data

– Accurate implementation of licence conditions

– Users take better care of credentials

– Organisations take better care of assertions

Benefits

• Benefits for the community

– Provides consistency across the whole of education for federated (distributed) authentication and authorisation

– Improves the user experience

– Pooling of experience and expertise

– Economies of scale for both sectors

– Facilitates sharing of content and collaboration across sectors

What the service provides

• A set of Rules that binds members:

– Make accurate statements to other members

• If you say you can hold users accountable, do so

– Keep federation systems and data secure

– Use personal data correctly (inc. DPA 1998)

– Resolve problems within the Federation

• Not by legal action

– Assist Federation Operator and other members

What the service provides

• Guidance, examples, support

– How to comply with the Rules

– How to interoperate with other members

• Common definitions, etc.

– Help in planning the transition

– Experiences of early adopters

– Software to implement Federation services

• All this is advisory, not prescriptive

– Can use as much or as little as you need

What the service provides

• Operational management

– Registration mechanism for SPs and IdPs

– Adding new members to the federation & updating existing members’ metadata

– Fault finding and trouble shooting

– Compatibility testing of server certificates and CA qualification

– Technical and operational documentation

– Ongoing federation development

– Reporting

What the service provides

• Federation infrastructure

– Discovery Service

• Resilient WAYF

– Hosting of metadata

• Describes the Federation

– Monitoring of SPs and IdPs

– Test environment

– Federation web site

What the service provides

• User support

– Guidance and advice to IdPs & SPs

– Configuration guides

– Training courses

– Online training material

– Workshops to help organisations join the UK Federation

– Frequently Asked Questions list

Suggested approach

• Review your identity management strategy

– for example, how many directories do you have and who owns them?

• Build the business case

• JISC will cease to centrally fund Athens in July 2008; options:

– Join federation, subscribe to ‘Outsourced IdP’

– Join federation, continue to use Athens through gateways

– Join federation, deploy community supported tools

– Join federation, using tools with paid-for support

Further Information

• Website

– www.ukfederation.org.uk

• E-mail lists

– [email protected]

– [email protected]

Questions?