Copyright JNT Association 2005, 2007
Overview of the UK Access Management Federation
Josh Howlett
Summary
• What is it?
• How does it work?
• Benefits
• What the service provides
• Suggested approach
• Further Information
The UK Federation
• A group of member organisations who sign up to a set of rules
• An independent body, managing the trust relationships between members
• End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs)
• Publishers and resource providers act as ‘service providers’ (SPs)
Organisational Structure
• Funded by Becta & JISC
• Provided for Schools, FE & HE
• Operational management by UKERNA
• Policy & Governance Board
• Technical Advisory Group
Components
• Federation Infrastructure
• Policy
• Operational Management
• User Support
• Assisted Take-up
• Outreach
Scope of Federation
• Identity Provider
• Service Provider
• Federation operator
• Metadata
• Rules
• Possible bilateral agreement
• WAYF
• Discovery: either WAYF or WAYG
• Assertions: AuthN, Attributes, (AuthZ)
How it works
Core attributes (technical attribute name – what this really means):
• eduPersonScopedAffiliation (member@jisc.ac.uk) – UK-specific controlled vocabulary. Establishes the user’s relationship with the institution, e.g. staff, student, member. Terms as used in the JISC Model Licence. Most authorisation can be done against this attribute.
• eduPersonTargetedID (r001xf4rg2ss) – opaque string defined by the institution. ‘A persistent user pseudonym’ to allow for service personalisation and usage monitoring across sessions. Not a real-world identity.
• eduPersonPrincipalName (harrisnv) – defined by the institution (login name). Used when a persistent user identifier is required across services. Typically used for internal institutional services. Real identity can be established from the attribute.
• eduPersonEntitlement (expressed as an agreed URI) – mutually agreed by institution and service. Used when a specific resource has a specific entitlement condition not covered elsewhere: must be over 21, must have completed foundation course module.
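As an added illustration (not code from the slides or from the UK federation), here is how a service provider could apply the core attributes above in the way the deck describes: authorise per institution, role and/or entitlement, and trust a scoped affiliation only for scopes the asserting IdP is registered for in federation metadata. The IdP entity ID, the scope example.ac.uk, the entitlement URI and the REGISTERED_SCOPES lookup are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the attribute set an SP might receive from an IdP after
# authentication. The scope "example.ac.uk" and the entitlement URI are hypothetical.
SAMPLE_ATTRIBUTES: Dict[str, List[str]] = {
    "eduPersonScopedAffiliation": ["member@example.ac.uk", "staff@example.ac.uk"],
    "eduPersonTargetedID": ["r001xf4rg2ss"],
    "eduPersonEntitlement": ["urn:x-example:foundation-course-complete"],
}

# Assumption: from federation metadata the SP knows which scopes each IdP may
# assert. One hypothetical IdP, registered for a single scope.
REGISTERED_SCOPES: Dict[str, Set[str]] = {"https://idp.example.ac.uk/shibboleth": {"example.ac.uk"}}

@dataclass
class Policy:
    """Licence conditions for one resource, expressed against the core attributes."""
    licensed_scopes: Set[str]          # institutions holding a licence
    allowed_affiliations: Set[str]     # e.g. {"member"} or {"staff", "student"}
    required_entitlement: Optional[str] = None  # agreed URI, only where the licence needs one

def valid_affiliations(attrs, idp_entity_id) -> List[Tuple[str, str]]:
    """Split eduPersonScopedAffiliation into (affiliation, scope) pairs, keeping
    only scopes the asserting IdP is registered for. A value scoped to another
    institution is dropped, so no IdP can claim membership of an organisation
    that the metadata does not associate with it."""
    allowed = REGISTERED_SCOPES.get(idp_entity_id, set())
    pairs = []
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.partition("@")
        if sep and scope in allowed:
            pairs.append((affiliation, scope))
    return pairs

def authorise(attrs, idp_entity_id, policy: Policy) -> Tuple[bool, str]:
    """Authorise per institution, role and (optionally) entitlement; the SP never
    needs a real-world identity, only the pseudonymous eduPersonTargetedID."""
    pairs = valid_affiliations(attrs, idp_entity_id)
    if not any(scope in policy.licensed_scopes for _, scope in pairs):
        return False, "institution not licensed"
    if not any(aff in policy.allowed_affiliations for aff, scope in pairs
               if scope in policy.licensed_scopes):
        return False, "affiliation not permitted"
    entitlements = attrs.get("eduPersonEntitlement", [])
    if policy.required_entitlement and policy.required_entitlement not in entitlements:
        return False, "required entitlement missing"
    return True, "granted for " + attrs.get("eduPersonTargetedID", ["(no targeted id)"])[0]
```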
How it works
• The core attributes should be sufficient.
• If not:
  – eduPerson, e.g. nickName
  – organizationalPerson, e.g. telephoneNumber
  – inetOrgPerson, e.g. preferredLanguage
  – Custom attributes are permitted “as a last resort”.
Benefits
• Benefits for users
  – Much less need to disclose your identity
  – Personal data kept between you and your home organisation
  – Publishers can tailor services better
  – (At least) one less password to remember
Benefits
• Benefits for Identity providers (IdPs)
  – Typical IdPs are LAs, RBCs, FE, HE or Research
  – Easier to comply with regulatory requirements
    • Data Protection Act 1998, etc.
  – Better service offered to users
  – Uses existing access management systems
  – Can use same access control for all resources
    • Both internal and external
  – Fewer credentials should mean fewer support problems
Benefits
• Benefits for Service providers (SPs)
  – Typical SPs are publishers, etc.
  – No need to store user credentials or entitlements
    • Authentication is performed by the IdP
    • Can authorise per institution, role, and/or entitlement
  – Reduced user support requirements
  – Reduced compliance burden
    • Less storage/processing of personal data
  – Accurate implementation of licence conditions
  – Users take better care of credentials
  – Organisations take better care of assertions
Benefits
• Benefits for the community
  – Provides consistency across the whole of education for federated (distributed) authentication and authorisation
  – Improves the user experience
  – Pooling of experience and expertise
  – Economies of scale for both sectors
  – Facilitates sharing of content and collaboration across sectors
What the service provides
• A set of Rules that binds members:
  – Make accurate statements to other members
    • If you say you can hold users accountable, do so
  – Keep federation systems and data secure
  – Use personal data correctly (inc. DPA 1998)
  – Resolve problems within the Federation
    • Not by legal action
  – Assist Federation Operator and other members
What the service provides
• Guidance, examples, support
  – How to comply with the Rules
  – How to interoperate with other members
    • Common definitions, etc.
  – Help in planning the transition
  – Experiences of early adopters
  – Software to implement Federation services
• All this is advisory, not prescriptive
  – Can use as much or as little as you need
What the service provides
• Operational management
  – Registration mechanism for SPs and IdPs
  – Adding new members to the federation & updating existing members’ metadata
  – Fault finding and trouble shooting
  – Compatibility testing of server certificates and CA qualification
  – Technical and operational documentation
  – Ongoing federation development
  – Reporting
What the service provides
• Federation infrastructure
  – Discovery Service
    • Resilient WAYF
  – Hosting of metadata
    • Describes the Federation
  – Monitoring of SPs and IdPs
  – Test environment
  – Federation web site
What the service provides
• User support
  – Guidance and advice to IdPs & SPs
  – Configuration guides
  – Training courses
  – Online training material
  – Workshops to help organisations join the UK Federation
  – Frequently Asked Questions list
Suggested approach
• Review your identity management strategy
  – for example, how many directories do you have and who owns them?
• Build the business case
• JISC will cease to centrally fund Athens in July 2008; options:
  – Join federation, subscribe to ‘Outsourced IdP’
  – Join federation, continue to use Athens through gateways
  – Join federation, deploy community supported tools
  – Join federation, using tools with paid-for support
Further Information
• Website
  – www.ukfederation.org.uk
• E-mail lists
  – [email protected]
  – [email protected]