Federation Policy
Transcript of Federation Policy
Joint Information Systems Committee 04/10/23 | Slide 1
Federation Policy Issues
The UK Perspective
Nicole Harris, Programme Manager, JISC
Issues from the UK
Experience from the UK highlights the importance of:
– Making the move from a pilot to full service
– Getting it right for your national requirements
– Mapping requirements across the UK educational sector
– Managing ‘outsourced identity providers’
– Managing ‘outsourced service providers’
– Not just the Federation and Policies but outreach, assisted take-up, vendor liaison
Moving from SDSS to the UK Access Management Federation
               SDSS federation               UK federation
Status         Project                       Service
Duration       3 years                       Ongoing
Scale          Programme                     National
Home           EDINA National Data Centre    UKERNA
Differences for Users in Transition from SDSS
Very little:
– Metadata recommendations have been preserved
– SDSS team in place to provide second-line support for the foreseeable future
– Communication: pushing people to use SDSS in the interim (don’t wait!)
– Communication: explaining the changeover process
– Formalising: actually signing formal policy documents rather than pilot recommendations can be scary / institutionally difficult
– Athens “gateways” will be live and in service:
• Athens will join the Federation as an outsourced Identity Provider and represent many institutions that have not made the move to full federated access management
• Athens will join the Federation as an outsourced Service Provider and represent many resource owners that have not made the move to full federated access management
Federation Stats: 13th April 2007
50 MEMBERS.
113 ENTITIES (two dual in nature):
– 51 Identity Providers
– 64 Service Providers
29 ‘Core’ Institutional Members.
Policy Document 1: Rules of Membership
The basic contractual framework for trust.
Covers:
– Definitions
– Rules for all members
– Specific rules for IdPs and SPs
– Data Protection and Privacy
– User Accountability
– Liability
– Audit and Compliance
– Termination
– Membership Cessation
– Changes to Rules
– Dispute Resolution
Policy Document 2: Recommendations for Use of Personal Data
Covers the legal requirements (Data Protection Act 1998) and the practical use of attributes:
– eduPersonScopedAffiliation: represents the least intrusion into the user’s privacy and is likely to be sufficient for many access control decisions.
– eduPersonTargetedID: designed to satisfy applications where the service provider needs to be able to recognise a returning user without revealing real identity.
“For most applications a combination of the attributes eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient. A requirement to provide other attributes should be regarded as exceptional by both Identity and Service Providers and will involve considerable additional responsibilities for both.”
– eduPersonPrincipalName: identifies a real person, so it comes under the personal data provisions of the DP Act.
– eduPersonEntitlement: it may be possible to determine identity from an entitlement value, so it is again governed by the DP Act.
Policy Document 3: Technical Recommendations for Participants
Specifies the technical architecture for Federation and participants.
Choice of IdP / SP software (the UK federation is vendor-neutral, but the software must be SAML-compliant and tested by the Federation)
Authentication response profiles
Metadata processes
Digital Certificate processes
‘Discovery’ processes - to WAYF or not to WAYF
Attribute usage
Includes Future Directions for each area of work
UK Federation Required Attributes
Technical attribute name (example value): how it is defined / what this really means
– eduPersonScopedAffiliation (e.g. [email protected]): UK-specific controlled vocabulary.
  Establishes the user’s relationship with the institution, e.g. staff, student, member. Terms as used in the JISC Model Licence. Most authorisation can be done against this attribute.
– eduPersonTargetedID (e.g. r001xf4rg2ss): opaque string defined by the institution.
  ‘A persistent user pseudonym’ to allow for service personalisation and usage monitoring across sessions. Not a real-world identity.
– eduPersonPrincipalName (e.g. harrisnv): defined by the institution; the login name.
  Used when a persistent user identifier is required across services. Typically used for internal institutional services. Real identity can be established from this attribute.
– eduPersonEntitlement (expressed as an agreed URI): mutually agreed by institution and service.
  Used when a specific resource has a specific entitlement condition not covered elsewhere: must be over 21, must have completed the foundation course module.
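The following is an added example, not code from the slides or from the UK federation, showing how the two attributes the policy calls sufficient for most applications behave in practice: on the IdP side, eduPersonTargetedID is derived as an opaque pseudonym that is stable for one user at one SP but unlinkable across SPs; on the SP side, the authorisation decision is made against the eduPersonScopedAffiliation vocabulary (with a scope check so an IdP cannot assert affiliations for another institution) and, where needed, an agreed eduPersonEntitlement URI, while personalisation is keyed on the pseudonym rather than on a real identity. The HMAC construction, the scope example.ac.uk, the SP entityIDs and the entitlement URI are assumptions constructed for the example, not the algorithm or values of any particular product or institution.

```python
"""Added example (not from the original slides): IdP-side targeted-ID derivation
and SP-side least-disclosure authorisation.  All names, entityIDs, the scope
'example.ac.uk' and the entitlement URI are constructed for illustration."""
import base64
import hashlib
import hmac
from typing import Dict, List, Optional, Set

# eduPerson affiliation vocabulary (the value left of '@' in a scoped affiliation).
AFFILIATION_VOCAB = {"faculty", "student", "staff", "alum", "member",
                     "affiliate", "employee", "library-walk-in"}


def targeted_id(principal: str, sp_entity_id: str, idp_secret: bytes) -> str:
    """Opaque, persistent pseudonym.  Same user + same SP -> same value every
    session; a different SP gets an unlinkable value.  Illustrative construction
    (HMAC-SHA256 over principal and SP entityID), not any specific IdP's algorithm."""
    msg = f"{principal}!{sp_entity_id}".encode()
    mac = hmac.new(idp_secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def parse_scoped_affiliation(value: str, expected_scope: str) -> Optional[str]:
    """Return the affiliation term if 'term@scope' is well formed, the term is in
    the controlled vocabulary and the scope matches the asserting IdP; else None.
    The scope check stops one IdP asserting affiliations for another institution."""
    if value.count("@") != 1:
        return None
    term, scope = value.split("@")
    if scope.lower() != expected_scope.lower() or term not in AFFILIATION_VOCAB:
        return None
    return term


def authorise(attrs: Dict[str, List[str]], idp_scope: str,
              required_affiliations: Set[str],
              required_entitlement: Optional[str] = None) -> dict:
    """SP-side decision using only the least-intrusive attributes.
    attrs is the released attribute set, multi-valued attributes as lists."""
    affs = set()
    for v in attrs.get("eduPersonScopedAffiliation", []):
        term = parse_scoped_affiliation(v, idp_scope)
        if term:
            affs.add(term)
    if not affs & required_affiliations:
        return {"allow": False, "reason": "affiliation"}
    if required_entitlement and required_entitlement not in attrs.get("eduPersonEntitlement", []):
        return {"allow": False, "reason": "entitlement"}
    # Personalisation and usage monitoring are keyed on the pseudonym, so the SP
    # recognises a returning user without ever holding ePPN or a real name.
    tid = attrs.get("eduPersonTargetedID", [None])[0]
    return {"allow": True, "session_key": tid}


if __name__ == "__main__":
    secret = b"constructed-idp-secret"          # constructed; a real IdP keeps this private
    sp1 = "https://sp1.example.org/shibboleth"  # constructed entityIDs
    sp2 = "https://sp2.example.org/shibboleth"
    tid1 = targeted_id("harrisnv", sp1, secret)
    print("same SP, same value:     ", tid1 == targeted_id("harrisnv", sp1, secret))
    print("other SP, unlinkable:    ", tid1 != targeted_id("harrisnv", sp2, secret))
    released = {"eduPersonScopedAffiliation": ["staff@example.ac.uk", "member@example.ac.uk"],
                "eduPersonTargetedID": [tid1]}
    print(authorise(released, "example.ac.uk", {"staff", "student"}))
    print(authorise(released, "example.ac.uk", {"staff"},
                    "urn:mace:example.ac.uk:entitlement:over21"))
```

Note that the SP never needs eduPersonPrincipalName for either decision above; requesting it would put the SP in the "exceptional" category the policy describes, with the extra data-protection responsibilities that follow.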
Policy Document 4: Federation Technical Specification and Policy Document 5: Federation Operator Procedures
Federation Technical Specification:
– High level document about trust fabrics and how the UK Access Management Federation achieves trust.
Federation Operator Procedures:
– The procedures actually undertaken by the Federation Operator (UKERNA):
• Enrolment
• CA Qualification
• Support
• Monitoring / Audit
Upcoming in Policy
More practical documents related to baseline Federation such as Identity Provider deployment.
More advice and policy as developments move to service:
– Levels of assurance
– Virtual organisation support
– Virtual ‘orphanage’ (SDSS already offering TypeKey and ProtectNetwork solutions)
– Detailed policies for outsourced identity providers and outsourced service providers
The Gateways
[Diagram: the UK Access Management Federation in the middle. On one side an Athens institution reaches a federated resource through Athens Central and the IdP Gateway; on the other, a federated institution reaches an Athens-protected resource through the SP Gateway and Athens Central.]
www.ukfederation.org.uk
www.jisc.ac.uk/federation.html