The UK Access Management Federation for education and research - PowerPoint PPT Presentation
Presentation Transcript
The UK Access Management Federation for education and research

John Chapman, Project Adviser, Technical Policy & Standards

Problems we are trying to solve

  • Multiple usernames and passwords
  • Multiple copies of personal data held by third parties
  • Duplication of effort across multiple institutions
  • Publishers and network providers having to interface with multiple systems
  • Difficulty in sharing resources between institutions
Timeline slide, 2003–2010:

  • JISC announces its intention to support federated access management for UK FE/HE
  • All LAs members of the federation?
  • Personalised online learning space
  • WMnet & LGfL pilots prove Shibboleth works in the UK school sector
  • Integrated learning & management systems
  • Becta’s business case accepted by DfES
  • LGfL continues regional federation as a production service
  • Standards Fund Grant 121 (and 121a)
  • Workshops, strategy paper & laboratory test led to the recommendation to implement Shibboleth technology
  • Work with JISC & UKERNA to establish the UK Access Management Federation for Education and Research – launched 30 November

Shibboleth
  • Neither an authentication nor an authorisation system
  • Secure exchange of messages between two parties (Identity Provider and Service Provider)
  • Authentication handled by institution/LA/RBC (devolved authentication)
  • Authorisation achieved by an exchange of attributes (such as ‘member of an institution’)
  • Providers need to sign up to a ‘trust’ agreement
  • An implementation of SAML (Security Assertion Markup Language)
Benefits of simplified sign-on and the UK federation
  • For the learner:
    • Easier access to resources
    • Privacy preserving
    • Facilitates anytime, anywhere learning
  • For the institution:
    • Reduction in administrative burdens for managers and users in schools
  • For the LA/RBC:
    • Allow for greater aggregation of purchasing content
    • Facilitate secure sharing of content between authorities
  • For the education sector:
    • Shared, cross-sector infrastructure
    • Facilitate access to e-portfolios
  • For the Government:
    • Strong collaboration between Becta and JISC
    • Centrally provided services for best possible value
The UK Access Management Federation
  • A group of member organisations who sign up to a set of rules
  • An independent body, managing the trust relationships between members
  • End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs)
  • Publishers and resource providers act as ‘service providers’ (SPs)
Organisational Structure
  • Funded by DfES & JISC
  • Provided for Schools, FE & HE
  • Operational management by UKERNA
  • Policy & Governance Board
    • 3 Becta nominated members (Paul Shoesmith, Andy Tyerman, Mike Kendal)
    • 3 JISC nominated members (John Robinson, Iain Stinson, Brian Gilmore)
    • ‘Neutral’ Chair (Professor Sir David Watson)
  • Technical Advisory Group
    • JISC, Becta, RBC, LA, University and College representation
What the service provides
  • A set of Rules that binds members:
    • Make accurate statements to other members
    • Keep federation systems and data secure
    • Use personal data correctly (including under the Data Protection Act 1998)
    • Resolve problems within the Federation
      • Not by legal action
  • Guidance, examples, support
    • How to comply with the Rules
    • How to work with other members
      • Common definitions, etc.
What the service provides
  • Operational management
    • Registration mechanism for SPs and IdPs
    • Adding new members to the federation & updating existing members’ metadata
    • Fault finding and troubleshooting
    • Compatibility testing of server certificates and CA Qualification
    • Technical and operational documentation
    • Ongoing federation development
    • Reporting
Shibboleth access flow (diagram © SWITCH)

Actors: the user’s browser; the WAYF (“Where Are You From” service); the Identity Provider, consisting of the Handle Service (HS), the User DB and the Attribute Authority (AA); and the Service Provider, consisting of the Resource Manager, the Web Site and the Resource.

  1. The user requests the resource. Resource Manager: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
  2. WAYF: “Please tell me where are you from?”
  3. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
  4. Handle Service: “I don’t know you. Please authenticate using WEBLOGIN.”
  5. The user presents credentials; the Handle Service checks them against the User DB.
  6. Handle Service: “OK, I know you now. I redirect your request to the target, together with a handle.”
  7. The browser delivers the assertion containing the handle to the Service Provider.
  8. Resource Manager: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.” The handle is sent to the AA as the requester’s reference.
  9. Attribute Authority: “Let’s pass over the attributes the user has allowed me to release.” The attributes are returned to the Resource Manager.
  10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”
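The ten-step exchange above, as an added in-memory simulation (not code from the slides, from SWITCH or from the Shibboleth project): plain Python objects stand in for the WAYF, the Identity Provider (Handle Service, User DB, Attribute Authority) and the Service Provider (Resource Manager). It shows the two points the diagram turns on: the Service Provider only ever receives an opaque handle and the attributes the user has released for that particular SP, and the access decision is made from attributes rather than from a username. All entity IDs, scopes, users and passwords are constructed for the example.

```python
# Added illustration of the SWITCH Shibboleth flow; not Shibboleth code.
# Every name, scope, user record and password below is constructed.
import hmac
import secrets


class IdentityProvider:
    """Home organisation: Handle Service + User DB + Attribute Authority."""

    def __init__(self, entity_id, scope, user_db):
        self.entity_id = entity_id
        self.scope = scope            # the one scope this IdP may assert
        self.user_db = user_db        # constructed User DB (step 5)
        self._handles = {}            # opaque handle -> username (HS state)

    def handle_service(self, username, password):
        """Steps 4-6: WEBLOGIN authentication, then an opaque handle."""
        record = self.user_db.get(username)
        if record is None or not hmac.compare_digest(record["password"], password):
            return None               # authentication failed: no handle issued
        handle = secrets.token_urlsafe(16)   # reveals nothing about the user
        self._handles[handle] = username
        return handle

    def attribute_authority(self, handle, sp_entity_id):
        """Step 9: release only what the user has allowed for *this* SP."""
        username = self._handles.get(handle)
        if username is None:
            return None
        record = self.user_db[username]
        allowed = record["release"].get(sp_entity_id, set())
        return {name: value for name, value in record["attributes"].items()
                if name in allowed}


class WAYF:
    """Where Are You From: maps a home organisation to its IdP (steps 2-3)."""

    def __init__(self, idps):
        self.idps = idps              # organisation name -> IdentityProvider

    def lookup(self, home_org):
        return self.idps.get(home_org)


class ServiceProvider:
    """Resource Manager: decides from attributes, never from a username (step 10)."""

    def __init__(self, entity_id, required_affiliation):
        self.entity_id = entity_id
        self.required_affiliation = required_affiliation

    def resource_manager(self, idp, attributes):
        if not attributes:
            return "denied: no attributes released"
        affiliation = attributes.get("eduPersonScopedAffiliation", "")
        value, _, scope = affiliation.partition("@")
        if scope != idp.scope:        # only trust a scope the asserting IdP owns
            return "denied: scope not owned by asserting IdP"
        if value != self.required_affiliation:
            return f"denied: affiliation '{value}' not sufficient"
        return "granted"


def access_resource(wayf, sp, home_org, username, password):
    """Walk the flow: SP -> WAYF -> IdP Handle Service -> SP -> IdP AA -> SP."""
    idp = wayf.lookup(home_org)                        # steps 1-3
    if idp is None:
        return "denied: unknown home organisation"
    handle = idp.handle_service(username, password)   # steps 4-6
    if handle is None:
        return "denied: authentication failed"
    # Steps 7-8: the SP receives the handle and hands it to the AA.
    attributes = idp.attribute_authority(handle, sp.entity_id)
    return sp.resource_manager(idp, attributes)       # steps 9-10


# Constructed sample federation: one school IdP, one publisher SP.
SP_ID = "https://sp.example.org/shibboleth"
USER_DB = {
    "alice": {
        "password": "correct horse",
        "attributes": {"eduPersonScopedAffiliation": "member@example.sch.uk",
                       "eduPersonPrincipalName": "alice@example.sch.uk"},
        "release": {SP_ID: {"eduPersonScopedAffiliation"}},   # ePPN withheld
    },
    "bob": {
        "password": "hunter2",
        "attributes": {"eduPersonScopedAffiliation": "student@example.sch.uk"},
        "release": {},                                        # nothing released
    },
}
IDP = IdentityProvider("https://idp.example.sch.uk/shibboleth", "example.sch.uk", USER_DB)
FED_WAYF = WAYF({"Example School": IDP})
SP = ServiceProvider(SP_ID, "member")

if __name__ == "__main__":
    print(access_resource(FED_WAYF, SP, "Example School", "alice", "correct horse"))
    print(access_resource(FED_WAYF, SP, "Example School", "bob", "hunter2"))
```

Note that alice’s eduPersonPrincipalName never reaches the SP because her release policy for that SP lists only the scoped affiliation; bob authenticates successfully but is refused because nothing is released, which is the attribute-based outcome the diagram describes.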

Birmingham’s walkthrough (diagram)

Within the UK Access Management Federation, BGfL acts as the Identity Provider (IdP) and BGfL+ acts as the Service Provider (SP).
LA/RBC roadmap to join the UK federation
  • LA/RBC audit – Review readiness to adopt federated access management.
  • Directory Development – Identify or implement a suitable local/regional directory. Directories need to be correctly populated with attributes about pupils and staff that meet the federation standard, known as the eduPerson specification.
  • Authentication Development – Choose and implement a local/regional authentication, or single sign-on system.
  • Implement IdP – Implement Shibboleth Identity Provider software.
  • Join Federation – All organisations who wish to participate will need to join the UK federation by registering and agreeing to observe federation policy.
  • Institutional Roll-out – On becoming a member of the federation, the institution/LA/RBC will need to roll out the new system. This may include new user guides, training and support mechanisms.
Core attributes
  • eduPersonScopedAffiliation – does this institution subscribe to the service in question? e.g. member@netherhall.cambs.sch.uk, or student@keele.ac.uk
    • student (learner), staff (non-teaching staff), faculty (teaching staff), employee (all staff), member (comprises all the previous categories), affiliate (relationship short of full member), alum (ex pupil/alumnus)
  • eduPersonTargetedID – persistent opaque identifier – can provide personalisation & usage monitoring across sessions
  • eduPersonPrincipalName – the ‘NetID’ of the user, e.g. user@school.lea.sch.uk – a persistent identifier across different services
  • eduPersonEntitlement – enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource e.g. “entitled to access financial accounts”
  • Where extra attributes are required, the federation has a process for the addition of subsidiary attributes, but...

For most applications a combination of eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient
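How a Service Provider consumes the core attributes listed above, as an added example (not code from the slides, from the eduPerson specification or from Shibboleth): it parses eduPersonScopedAffiliation into its affiliation and scope parts, derives a pairwise eduPersonTargetedID the way an IdP might (keyed hashing is this example’s choice, not a construction the slides describe), and applies an SP policy that checks the asserted scope against the scopes federation metadata permits the asserting IdP to use, so one IdP cannot claim another institution’s affiliation. Scopes, secrets, entity IDs and the entitlement URN are constructed.

```python
# Added illustration of eduPerson attribute handling at an SP; not project code.
# All scopes, secrets, entity IDs and entitlement values are constructed.
import hashlib
import hmac

AFFILIATIONS = {"student", "staff", "faculty", "employee", "member", "affiliate", "alum"}


def parse_scoped_affiliation(value):
    """Split 'member@keele.ac.uk' into ('member', 'keele.ac.uk'); reject malformed input."""
    affiliation, sep, scope = value.partition("@")
    affiliation, scope = affiliation.strip().lower(), scope.strip().lower()
    if not sep or not scope or "@" in scope:
        raise ValueError(f"malformed scoped affiliation: {value!r}")
    if affiliation not in AFFILIATIONS:
        raise ValueError(f"unknown affiliation value: {affiliation!r}")
    return affiliation, scope


def targeted_id(idp_secret, principal, sp_entity_id):
    """eduPersonTargetedID as an IdP could derive it: stable for the same
    (user, SP) pair, opaque, and different for every SP so two SPs cannot
    correlate the same user. The HMAC construction is an assumption here."""
    message = f"{principal}\0{sp_entity_id}".encode()
    return hmac.new(idp_secret, message, hashlib.sha256).hexdigest()


def _as_list(value):
    """SAML attributes are multi-valued; accept a single string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


class ServicePolicy:
    """SP-side authorisation: affiliation + scope, optionally an entitlement."""

    def __init__(self, subscribed_scopes, accepted_affiliations, required_entitlement=None):
        self.subscribed_scopes = {s.lower() for s in subscribed_scopes}
        self.accepted_affiliations = set(accepted_affiliations)
        self.required_entitlement = required_entitlement

    def authorise(self, attributes, idp_allowed_scopes):
        """idp_allowed_scopes: the scopes federation metadata lets the asserting
        IdP use. Values carrying any other scope are ignored, not trusted."""
        allowed_scopes = {s.lower() for s in idp_allowed_scopes}
        for value in _as_list(attributes.get("eduPersonScopedAffiliation")):
            try:
                affiliation, scope = parse_scoped_affiliation(value)
            except ValueError:
                continue                       # skip junk, keep evaluating
            if scope not in allowed_scopes:
                continue                       # IdP does not own this scope
            if scope not in self.subscribed_scopes:
                continue                       # institution has no subscription
            if affiliation not in self.accepted_affiliations:
                continue
            if self.required_entitlement is None:
                return True
            return self.required_entitlement in _as_list(attributes.get("eduPersonEntitlement"))
        return False


# Constructed sample: a publisher subscribed to by one institution.
JOURNAL = ServicePolicy(["keele.ac.uk"], ["member", "student", "staff", "faculty"])
FINANCE = ServicePolicy(["keele.ac.uk"], ["staff"], required_entitlement="urn:example:finance")

if __name__ == "__main__":
    attrs = {"eduPersonScopedAffiliation": "student@keele.ac.uk"}
    print(JOURNAL.authorise(attrs, idp_allowed_scopes=["keele.ac.uk"]))   # True
    print(JOURNAL.authorise(attrs, idp_allowed_scopes=["other.ac.uk"]))   # False
```

The scope check is the caveat worth remembering: eduPersonScopedAffiliation is only meaningful if the SP confirms the scope belongs to the IdP that signed the assertion, which is what the federation’s metadata exists to say.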

  • Executive Liaison: a senior role within the LA
  • Management Liaison: authorised to register entities
  • SCS certificates available from UKERNA

More information
  • UK federation
    • http://www.ukfederation.org.uk
  • High level info on Becta’s site
    • http://schools.becta.org.uk/index.php?rid=11277
    • http://industry.becta.org.uk/display.cfm?resID=14598
  • Shibboleth
    • http://shibboleth.internet2.edu/ (main site)
    • http://spaces.internet2.edu/display/SHIB/ (wiki)