The UK federation
HEAnet National Networking Conference, 16th November 2007, Kilkenny
Henry Hughes, JANET(UK)
Overview
• Historic position
• Federated access management
• UK federation
• Policy and technical framework
• How does it work?
• What’s next?
Historic position
• Existing authentication and authorisation services:
  • Athens (HE/FE/Research)
  • IP-based authentication (Schools)
• Concern surrounding the use of IP-based authentication
• Challenge of providing remote access to services
• Difficulty in sharing content and resources between organisations and sectors
• Publishers have to interface to a multiplicity of systems
• Wish to provide a consistent user experience and to set standards for AAI within the education sector
Legacy access management
(Diagram: the user hands the organisation’s credential, “AJones/T,t<*?I1”, straight to the licensed site, which has to work out for itself “Are you a licensed user?”; the credential issued by the identity provider is checked by the service provider.)
• User’s identity and personal data are known to all
• Publisher knows more than it wants and less than it needs
• Organisation’s precious credentials given to all publishers
Federated access management
(Diagram: the user authenticates to their own identity provider, “I’m ‘AJones/T,t<*?I1’, am I?”; the service provider asks “Are you a licensed user?”; the identity provider answers “Yes, you’re licensed”; the user can tell the site “They say I’m licensed” and the site replies “OK!”. The credential itself never reaches the licensed site.)
• User’s identity and personal data are protected
• Publisher knows exactly what it needs
• Distribution of credentials is reduced
The UK federation
• A group of member organisations who sign up to a set of rules
• An independent body, managing the trust relationships between members
• End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs)
• Publishers and resource providers act as ‘service providers’ (SPs)
Organisational structure
• Funded by JISC and Becta
• Provided for Schools, FE, HE and Research
• Operational management by JANET(UK)
• Policy Board
• Technical Advisory Group
Policy and technical framework
• Rules of membership: mandatory
• Advisory documents:
  • Recommendations for use of personal data
  • Technical recommendations
  • Technical specifications
  • Federation operator procedures
Rules of membership
• Requires that members:
  • Make accurate statements to other members
  • Keep federation systems and data secure
  • Use personal data correctly (UK Data Protection Act 1998)
  • Resolve problems within the federation, not by legal action
  • Assist the federation operator and other members
How does it work?
(Diagram: a flow of ten numbered steps, grouped into three phases: authentication, attribute request and authorisation.)
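The three phases in the diagram, modelled end to end as an added example (this is not code from the UK federation or from Shibboleth). The user store, the per-SP attribute release policy, the licence rule, the entity IDs and key values are all constructed for the illustration; the HMAC over the assertion stands in for the XML signature an IdP makes with the key published in federation metadata, and the attribute names and the common-lib-terms entitlement value follow eduPerson convention, which the slides do not name.

```python
"""Model of the three phases in the diagram: authentication at the identity
provider, attribute request/release, and authorisation at the service provider.
Added illustration, not UK federation or Shibboleth code: the user store, the
release policy, the licence rule, the keys and the HMAC "signature" (standing in
for the XML signature made with the IdP key in federation metadata) are all
constructed for the example."""
import hashlib
import hmac
import json
import time

_IDP_ENTITY_ID = "https://idp.example.ac.uk/shibboleth"      # assumed entity IDs
_SIGNING_KEY = b"idp-signing-key-for-illustration-only"       # stands in for the IdP key pair
_PSEUDONYM_KEY = b"targeted-id-secret-for-illustration-only"  # never leaves the IdP
_SALT = b"constructed-salt"


def _pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


# Constructed user store. Only the IdP ever sees these credentials and names.
_USERS = {
    "ajones": {"pw": _pw_hash("T,t<*?I1"), "name": "A. Jones",
               "affiliation": ["staff@example.ac.uk"],
               "entitlement": ["urn:mace:dir:entitlement:common-lib-terms"]},
    "bsmith": {"pw": _pw_hash("s3cret"), "name": "B. Smith",
               "affiliation": ["student@example.ac.uk"],
               "entitlement": ["urn:mace:dir:entitlement:common-lib-terms"]},
    "cguest": {"pw": _pw_hash("visitor"), "name": "C. Guest",
               "affiliation": ["affiliate@example.ac.uk"], "entitlement": []},
}

# Attribute release policy: what each SP is allowed to receive. The publisher
# gets affiliation and entitlement; nobody gets the real name or username.
_RELEASE = {
    "https://journals.example.com/shibboleth": {"affiliation", "entitlement"},
    "https://stats.example.org/shibboleth": {"affiliation"},
}


def idp_authenticate(username, password):
    """Phase 1, authentication: the password is checked at home and never leaves."""
    user = _USERS.get(username)
    return user is not None and hmac.compare_digest(user["pw"], _pw_hash(password))


def _targeted_id(username, sp_entity_id):
    """Opaque per-SP pseudonym: stable for one SP, unlinkable across SPs."""
    msg = f"{username}|{sp_entity_id}".encode()
    return hmac.new(_PSEUDONYM_KEY, msg, "sha256").hexdigest()


def _sign(assertion):
    canonical = json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(_SIGNING_KEY, canonical, "sha256").hexdigest()


def idp_issue(username, password, sp_entity_id, now=None, lifetime=300):
    """Phase 2, attribute request: returns (assertion, signature), or None on failure."""
    if sp_entity_id not in _RELEASE or not idp_authenticate(username, password):
        return None
    now = time.time() if now is None else now
    user = _USERS[username]
    assertion = {
        "issuer": _IDP_ENTITY_ID,
        "audience": sp_entity_id,
        "subject": _targeted_id(username, sp_entity_id),
        "issued": now,
        "expires": now + lifetime,
        "attributes": {name: user[name] for name in sorted(_RELEASE[sp_entity_id])},
    }
    return assertion, _sign(assertion)


def sp_verify(assertion, signature, my_entity_id, now=None):
    """The SP trusts nothing until signature, audience and validity window check out."""
    now = time.time() if now is None else now
    return (hmac.compare_digest(signature, _sign(assertion))
            and assertion["audience"] == my_entity_id
            and assertion["issued"] <= now < assertion["expires"])


def sp_authorise(assertion, licence):
    """Phase 3, authorisation: the licence is checked against attributes, not identity."""
    attrs = assertion["attributes"]
    for scoped in attrs.get("affiliation", []):
        role, _, scope = scoped.partition("@")
        if scope in licence["scopes"] and role in licence["roles"]:
            return True
    return any(e in licence["entitlements"] for e in attrs.get("entitlement", []))


def federated_login(username, password, sp_entity_id, licence, now=None):
    """Run the whole flow; report the decision and exactly what the SP got to see."""
    issued = idp_issue(username, password, sp_entity_id, now)
    if issued is None:
        return {"granted": False, "seen_by_sp": None}
    assertion, signature = issued
    if not sp_verify(assertion, signature, sp_entity_id, now):
        return {"granted": False, "seen_by_sp": None}
    return {"granted": sp_authorise(assertion, licence), "seen_by_sp": assertion}


if __name__ == "__main__":
    licence = {"scopes": {"example.ac.uk"}, "roles": {"staff", "student"},
               "entitlements": set()}
    print(federated_login("ajones", "T,t<*?I1",
                          "https://journals.example.com/shibboleth", licence))
```

The points on the previous slide fall out of the code: the SP sees a per-SP pseudonym and two attributes, never the username, name or password; a tampered or expired assertion fails verification before any authorisation decision is taken; and the same IdP gives a different `subject` to each SP, so publishers cannot correlate users between themselves.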
What’s next…?
• UK federation development roadmap: http://www.ukfederation.org.uk/content/Documents/DevelopmentRoadMap
• Opening up wider identity management challenges
• Widening participation (within the UK):
  • NHS libraries
  • Public libraries, museums, etc.
• Collaboration and standardisation of federation technologies:
  • HEAnet (approach and structure)
  • AARNet (service interoperability)
  • I2 (core technology)
  • OASIS (SAML 2.0)
Questions?
• More info: www.ukfederation.org.uk
• E-mail lists:
  • Ukfederationfirstname.lastname@example.org
  • Ukfederationemail@example.com
Adopting FAM at Cardiff University
Rhys Smith, Cardiff University
Outline
• CU's case for implementing FAM
• Deployment of FAM at CU
• Benefits of FAM
• Where to go next
A bit of background
• CU:
  • ~4,500 staff
  • ~30,000 students
• Big user of the UK's existing access management system (Athens):
  • ~8,000 accounts created every year
  • ~100 Athens resources
  • ~1 million user logins/year
  • Many FTEs (IT and library staff) managing the service (password resets, etc.)
Business case vs old system
• Implementing FAM:
  • Users get a better experience using e-resources
  • More flexibility for collaborative research
  • Large saving in FTE effort:
    • No provisioning/deprovisioning of accounts
    • No password resets, etc.
    • (All absorbed by existing processes and FTE count)
  • Small increase in FTE effort:
    • Maintaining Shib servers and service
  • Cost savings of ~£8k/year
Deploying FAM: audit resources
• Resources tested for Shibboleth compliance
• Non-compliant resources:
  • Only one or two left; workarounds in place
  • Alerts, saved searches and personalisation
Access to “allowed” resources
• FAM attributes, e.g. the user's affiliation (member/staff/student/etc.) and entitlements, are what matter for access control
• CU's IdM system drives the provisioning of attributes
• Not as simple as you might think: a group at CU has spent 18 months (and counting!) deciding membership, categories and entitlements
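What "the IdM system drives the provisioning of attributes" looks like in code, as an added example (not Cardiff University's or any product's code). The record layout, the scope `example.ac.uk`, the role-to-category rules, the treatment of former students and the deprovisioning flag are a hypothetical policy invented for the illustration; the only borrowed value is the eduPerson common-lib-terms entitlement URN. The example also makes the point that once attributes come from the IdM record, access ends when the record says so, which is where the "no deprovisioning of accounts" saving on the business-case slide comes from.

```python
"""Derives the attributes an IdP releases (scoped affiliation values and
entitlements) from identity-management records, and flags accounts that should
be deprovisioned. Added illustration: the record layout, the scope, the category
rules and the alumni handling are a hypothetical policy for the example, not
Cardiff University's; the library entitlement value is the eduPerson
common-lib-terms URN."""
from datetime import date

SCOPE = "example.ac.uk"                                   # assumed IdP scope
LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"   # "covered by the library licence"

# Hypothetical category rules: which affiliation values each IdM role type grants.
# Only the roles that make someone a 'member' carry licensed access.
_ROLE_TO_AFFILIATION = {
    "staff": {"staff", "member"},
    "student": {"student", "member"},
    "honorary": {"affiliate"},
    "contractor": {"affiliate"},
}


def _active(role, today):
    """A role counts from its start date up to and including its end date (ISO strings)."""
    start = date.fromisoformat(role["start"])
    end = role.get("end")
    return start <= today and (end is None or today <= date.fromisoformat(end))


def derive_attributes(person, today_iso):
    """person = {"id": str, "roles": [{"type": str, "start": "YYYY-MM-DD", "end": ...}]}"""
    today = date.fromisoformat(today_iso)
    affiliations = set()
    for role in person["roles"]:
        if _active(role, today):
            # Unknown role types grant nothing rather than something by accident.
            affiliations |= _ROLE_TO_AFFILIATION.get(role["type"], set())
    # A former student keeps an 'alum' identity but no licensed access.
    had_student = any(r["type"] == "student" and date.fromisoformat(r["start"]) <= today
                      for r in person["roles"])
    if had_student and "student" not in affiliations:
        affiliations.add("alum")
    return {
        "affiliation": sorted(f"{a}@{SCOPE}" for a in affiliations),
        "entitlement": [LIB_TERMS] if "member" in affiliations else [],
        # Nothing left at all: remove the account instead of leaving it dangling.
        "deprovision": not affiliations,
    }


if __name__ == "__main__":
    # Constructed records: a lecturer who is also a part-time PhD student,
    # and a student whose course finished in the summer.
    print(derive_attributes({"id": "p3", "roles": [
        {"type": "staff", "start": "2007-01-01"},
        {"type": "student", "start": "2006-10-01", "end": "2009-09-30"}]}, "2007-11-16"))
    print(derive_attributes({"id": "p2", "roles": [
        {"type": "student", "start": "2004-09-20", "end": "2007-06-30"}]}, "2007-11-16"))
```

The awkward cases the slide alludes to sit in the rule table, not in the code: whether an honorary appointment is a member, whether a contract ending today still counts, whether an alumnus keeps any entitlement. Changing any of those is a one-line policy edit, and every SP in the federation sees the change on the user's next login.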
Promotion and communication
• Emails about Shibboleth/CU Login sent to all Information Services staff
• Presentation on changes given to all library and helpdesk staff
• Documentation sent to all 18 libraries
• Web page: off-campus access
• Changes to databases page
• Subject librarians cascaded information to all new students and staff
What has happened so far?
• Went live: Sept 06
• Users:
  • New training-grade doctors
  • New students
  • New staff
  • Users with expired accounts or problems
• >60% of access to e-resources is by CU login
What's happening now?
• 2nd July 2007: changed website to encourage remaining Athens users to switch
• Email to users with active Athens accounts
• Monitor use of Athens accounts over the next academic year and contact individual users to migrate
• April 08: all Athens accounts expire
Benefit: increased flexibility
• When developing internal systems, no need to develop AuthN/AuthZ; just plug into Shib:
  • CU's web interface to the IdM system
  • EZProxy
• Same for externally available resources; even more useful!
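"Just plug into Shib" for an internal web application, as an added example (not Cardiff University's or Shibboleth's code). It assumes the application runs behind an Apache Shibboleth SP that exports attributes into the request environment under the default attribute-map names (`affiliation`, `entitlement`, `persistent-id`) plus `Shib-Identity-Provider`; the trusted IdP list, the access rule and the sample requests are constructed. The check a practitioner wants here is the one in `shib_attributes`: read the variables the SP set, never the `HTTP_*` copies of the client's own headers, since anyone can send a header named `affiliation`.

```python
"""Internal web application that leaves authentication and authorisation to the
Shibboleth SP in front of it. Added illustration, not Cardiff University's or
Shibboleth's code. Assumes the Apache SP exports attributes into the request
environment under the default attribute-map names ('affiliation', 'entitlement',
'persistent-id') together with 'Shib-Identity-Provider'; the trusted IdP list,
the access rule and the sample requests are constructed for the example."""

TRUSTED_IDPS = {"https://idp.example.ac.uk/shibboleth"}     # assumed home IdP
ALLOWED_AFFILIATIONS = {"staff@example.ac.uk", "student@example.ac.uk"}
_REASONS = {200: "OK", 401: "Unauthorized", 403: "Forbidden"}


def _multi(environ, name):
    """The SP joins multi-valued attributes with ';' into one variable."""
    return [v for v in environ.get(name, "").split(";") if v]


def shib_attributes(environ):
    """Read only what the SP set in the environment. Keys prefixed HTTP_ are the
    client's own request headers: a user could send 'affiliation: staff@...'
    themselves, so those copies are never consulted."""
    idp = environ.get("Shib-Identity-Provider")
    if idp not in TRUSTED_IDPS:
        return None            # no SP session, or one from an IdP we do not accept
    return {
        "idp": idp,
        "affiliation": _multi(environ, "affiliation"),
        "entitlement": _multi(environ, "entitlement"),
        "persistent_id": environ.get("persistent-id", ""),
    }


def decide(environ):
    """Map a request to (status, body); the application never sees a password."""
    attrs = shib_attributes(environ)
    if attrs is None:
        return 401, "no federated session"
    if ALLOWED_AFFILIATIONS & set(attrs["affiliation"]):
        return 200, f"welcome, member {attrs['persistent_id'] or '(anonymous)'}"
    return 403, "not a licensed member of the organisation"


def app(environ, start_response):
    """WSGI entry point, meant to sit behind the SP-protected location."""
    status, body = decide(environ)
    start_response(f"{status} {_REASONS[status]}", [("Content-Type", "text/plain")])
    return [body.encode()]


if __name__ == "__main__":
    # Constructed request: the SP has set the session variables...
    genuine = {"Shib-Identity-Provider": "https://idp.example.ac.uk/shibboleth",
               "affiliation": "staff@example.ac.uk;member@example.ac.uk",
               "persistent-id": "https://idp.example.ac.uk/shibboleth!https://app.example.ac.uk!c4f3"}
    # ...and a client merely sent a header claiming to be staff.
    spoofed = {"HTTP_AFFILIATION": "staff@example.ac.uk"}
    print(decide(genuine), decide(spoofed))
```

Because the SP does the protocol work, the application is a few lines of policy over attributes; pointing the same location at an external audience is a matter of adding their IdPs to `TRUSTED_IDPS` (or trusting federation metadata for the list) and adjusting the rule.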
Conclusions
• Saving of money, reduced staff effort
• Better service to CU users
• Increased AuthN/AuthZ flexibility for internal systems and web apps
• Increased AuthN/AuthZ flexibility for systems and web apps designed for external users
Any questions?
• For:
  • more info
  • a copy of these slides
  • clarification of any points
  • meaningful discussion about Shib
  • meaningless discussion about ice hockey
• email: firstname.lastname@example.org
The end