The UK federation

Presentation Transcript

  1. The UK federation • HEAnet National Networking Conference, 16th November 2007, Kilkenny • Henry Hughes, JANET(UK)

  2. Overview • Historic position • Federated access management • UK federation • Policy and technical framework • How does it work? • What’s next?

  3. Historic position • Existing Authentication and Authorisation Services • Athens (HE/FE/Research) • IP Based Authentication (Schools) • Concern surrounding use of IP based authentication • Challenge of providing remote access to services • Difficulty in the sharing of content and resources between organisations and sectors • Publishers have to interface to a multiplicity of systems • Wish to help provide a consistent user experience and set standards for AAI within the education sector

  4. Legacy access management [Diagram: Identity Provider (IdP), Service Provider (SP), Licence, Site; speech bubbles: “Are you a licensed user?”, “I’m “AJones/T,t<*?I1””] • User’s identity and personal data are known to all • Publisher knows more than it wants and less than it needs • Organisation’s precious credentials given to all publishers

  5. Federated access management [Diagram: Identity Provider (IdP), Service Provider (SP), Licence, Site; speech bubbles: “I’m “AJones/T,t<*?I1”, am I?”, “Are you a licensed user?”, “They say I’m licensed”, “Yes, you’re licensed”, “OK!”] • User’s identity and personal data are protected • Publisher knows exactly what it needs • Distribution of credentials is reduced

  6. The UK federation • A group of member organisations who sign up to a set of rules • An independent body, managing the trust relationships between members • End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs) • Publishers and resource providers act as ‘service providers’ (SPs)

  7. Organisational Structure • Funded by JISC & Becta • Provided for Schools, FE, HE & Research • Operational management by JANET(UK) • Policy Board • Technical Advisory Group

  8. Policy and technical framework • Rules of membership: Mandatory • Recommendations for use of personal data: • Technical recommendations: • Technical specifications: • Federation operator procedures: } Advisory

  9. Rules of membership • Requires that members: • Make accurate statements to other members • Keep federation systems and data secure • Use personal data correctly (UK DPA,1998) • Resolve problems within the federation • Not by legal action • Assist federation operator and other members

  10. How does it work? [Diagram: numbered steps 1–10, labelled Authentication, Attribute Request and Authorisation]

  11. What’s next…? • UK federation development roadmap http://www.ukfederation.org.uk/content/Documents/DevelopmentRoadMap • Opening up wider Identity Management challenges • Widening participation (within the UK) • NHS libraries • Public libraries, museums, etc • Collaboration and standardisation of federation technologies • HEAnet (approach and structure) • AARnet (service interoperability) • I2 (Core technology) • OASIS (SAML 2.0)

  12. Questions? • More info: • www.ukfederation.org.uk • E-mail lists: • Ukfederation-announce@jiscmail.ac.uk • Ukfederation-discuss@jiscmail.ac.uk

  13. Rhys Smith, Cardiff University • Adopting FAM at Cardiff University

  14. Outline • CU's case for implementing FAM • Deployment of FAM at CU • Benefits of FAM • Where to go next

  15. A bit of background • CU: • ~ 4,500 staff • ~ 30,000 students • Big user of UK's AM system (Athens) • ~ 8000 accounts created every year • ~ 100 Athens resources • ~ 1 million user logins/year • Many FTEs (IT & library staff) managing the service (password resets, etc.)

  16. Business Case vs Old System • Implementing FAM • Users get better experience using e-resources • More flexibility for collaborative research • Large saving of FTE effort: • No provisioning/deprovisioning of accounts • No password resets, etc • (All absorbed by existing processes and FTE count) • Small increase in FTE effort: • Maintaining Shib servers and service • Cost savings of ~£8k/year

  17. Deploying FAM - Audit Resources • Resources tested for Shibboleth compliance. • Non-compliant resources • Only one or two left, workarounds • Alerts, Saved Searches and Personalisation.

  18. Access to “allowed” Resources • FAM attributes - e.g. affiliation of user (member/staff/student/etc) and entitlements important for access control • CU's IDM system drives provisioning of attributes • Not as simple as you might think – 18 month (and counting!) group at CU decided membership, categories & entitlements

  19. Promotion and Communication • Emails about Shibboleth/CU Login sent to all Information Services staff • Presentation on changes given to all library and helpdesk staff • Documentation sent to all 18 libraries • Web page – Off campus access • Changes to databases page • Subject Librarians cascaded information to all new students and staff

  20. What has happened so far? • Went live – Sept 06 • Users • New Training Grade Doctors • New Students • New Staff • Users with expired accounts or problems • >60% of access to e-resources is by CU login

  21. What's happening now? • 2nd July 2007 – changed website to encourage remaining Athens users to switch • Email to users with active Athens accounts • Monitor use of Athens accounts over the next academic year and contact individual users to migrate. • April 08 – All Athens accounts expire

  22. Benefit - Increased flexibility • When developing internal systems, no need to develop AuthN/AuthZ, just plug into Shib • CU's web interface to IDM system • EZProxy • Same for externally available resources • Even more useful!

  23. Conclusions • Saving of money, reduced staff effort • Better service to CU users • Increased AuthN/AuthZ flexibility for internal systems and web apps • Increased AuthN/AuthZ flexibility for systems and web apps designed for external users

  24. Any Questions? • for: • more info • a copy of these slides • clarification of any points • meaningful discussion about shib • meaningless discussion about Ice Hockey • email: smith@cardiff.ac.uk the end
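
Added example, not part of either presentation: a sketch of the service provider's access decision from slides 5 and 18, made only from the attributes an identity provider releases, with no username or password reaching the publisher. The attribute keys, the `;`-separated multi-value format, the eduPerson-style values and the licence table are assumptions for illustration; all scopes are constructed.

```python
import re

# Entitlement value from the eduPerson/MACE-Dir conventions (assumption: the
# slides mention entitlements but do not name a specific value).
COMMON_LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms"

# Hypothetical licence table held by the publisher:
# licensed organisation scope -> affiliations covered by its licence.
LICENSED = {
    "cardiff.example": {"member", "staff", "student"},
    "college.example": {"staff"},
}


def split_values(raw):
    """Split a multi-valued attribute delivered as one string.

    Assumes values are joined with ';' and a literal ';' inside a value
    is escaped as '\\;'.
    """
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]


def authorise(attrs):
    """Return (allowed, scope). Deny by default.

    Assumes the SP software has already verified the assertion and that the
    asserting IdP is permitted to use the scope it claims.
    """
    entitled = COMMON_LIB_TERMS in split_values(attrs.get("entitlement", ""))
    for value in split_values(attrs.get("affiliation", "")):
        affiliation, sep, scope = value.rpartition("@")
        allowed = LICENSED.get(scope.lower())
        if not sep or allowed is None:
            continue  # unscoped value, or organisation holds no licence
        # An entitlement only counts when it comes with a licensed scope.
        if entitled or affiliation.lower() in allowed:
            return True, scope.lower()
    return False, None


if __name__ == "__main__":
    # Constructed attribute sets, as an SP might receive them.
    print(authorise({"affiliation": "student@cardiff.example;member@cardiff.example"}))
    print(authorise({"affiliation": "student@college.example"}))
    print(authorise({"affiliation": "staff@unlicensed.example",
                     "entitlement": COMMON_LIB_TERMS}))
```
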