Becta Industry Partner Seminar April 21st 2005

Transcript

The UK Access Management Federation for education and research
John Chapman, Project Adviser, Technical Policy & Standards
Problems we are trying to solve
• Multiple usernames and passwords
• Multiple copies of personal data held by third parties
• Duplication of effort across multiple institutions
• Publishers and network providers having to interface with multiple systems
• Difficulty in sharing resources between institutions
Timeline slide (axis 2003 to 2010); milestones as shown:
• JISC announces its intention to support federated access management for UK FE/HE
• WMnet & LGfL pilots prove Shibboleth works in UK school sector
• Personalised online learning space
• Becta’s business case accepted by DfES
• LGfL continues regional federation as a production service
• Workshops, strategy paper & laboratory test led to recommendation of implementing Shibboleth technology
• All LAs members of the federation?
• Integrated learning & management systems
• Standards Fund Grant 121 (and 121a)
• Work with JISC & UKERNA to establish the UK Access Management Federation for Education and Research – launched 30 November
Axis years: 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010
Shibboleth
• Neither an authentication nor an authorisation system
• Secure exchange of messages between two parties (Identity Provider and Service Provider)
• Authentication handled by institution/LA/RBC (devolved authentication)
• Authorisation achieved by an exchange of attributes (such as ‘member of an institution’)
• Providers need to sign up to a ‘trust’ agreement
• An implementation of SAML (Security Assertion Markup Language)
Benefits of simplified sign-on and the UK federation
• For the learner:
– Easier access to resources
– Privacy preserving
– Facilitates anytime, anywhere learning
• For the institution:
– Reduction in administrative burdens for managers and users in schools
• For the LA/RBC:
– Allow for greater aggregation of purchasing content
– Facilitate secure sharing of content between authorities
• For the education sector:
– Shared, cross-sector infrastructure
– Facilitate access to e-portfolios
• For the Government:
– Strong collaboration between Becta and JISC
– Centrally provided services for best possible value
The UK Access Management Federation
• A group of member organisations who sign up to a set of rules
• An independent body, managing the trust relationships between members
• End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs)
• Publishers and resource providers act as ‘service providers’ (SPs)
Organisational Structure
• Funded by DfES & JISC
• Provided for Schools, FE & HE
• Operational management by UKERNA
• Policy & Governance Board
– 3 Becta nominated members (Paul Shoesmith, Andy Tyerman, Mike Kendal)
– 3 JISC nominated members (John Robinson, Iain Stinson, Brian Gilmore)
– ‘Neutral’ Chair (Professor Sir David Watson)
• Technical Advisory Group
– JISC, Becta, RBC, LA, University and College representation
What the service provides
• A set of Rules that binds members:
– Make accurate statements to other members
– Keep federation systems and data secure
– Use personal data correctly (inc. DPA1998)
– Resolve problems within the Federation
• Not by legal action
• Guidance, examples, support
– How to comply with the Rules
– How to work with other members
• Common definitions, etc.
What the service provides
• Operational management
– Registration mechanism for SPs and IdPs
– Adding new members to the federation & updating existing members’ metadata
– Fault finding and troubleshooting
– Compatibility testing of server certificates and CA Qualification
– Technical and operational documentation
– Ongoing federation development
– Reporting
[Diagram © SWITCH: the Shibboleth login sequence (steps 1 to 10) between the user’s browser, the Service Provider web site (Resource Manager, Assertion Service, Attribute Requester, protected Resource), the WAYF and the user’s home Identity Provider (Handle Service HS with WEBLOGIN, Attribute Authority AA, User DB). The speech bubbles read, in flow order:]
1. Service Provider: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
2. WAYF: “Please tell me where are you from?”
3. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
4. Identity Provider: “I don’t know you. Please authenticate using WEBLOGIN.” (the user presents credentials, which are checked against the User DB)
5. Handle Service: “OK, I know you now. I redirect your request to the target, together with a handle.”
6. Service Provider: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
7. Attribute Authority: “Let’s pass over the attributes the user has allowed me to release.”
8. Service Provider: “OK, based on the attributes, I grant access to the resource.”
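The sequence in the diagram above, simulated end to end as an added example (this is not code from the slides, from SWITCH or from the Shibboleth project): a Handle Service that only issues a random, short-lived handle after authentication, an Attribute Authority that resolves the handle and releases only what the per-SP policy allows, and a Service Provider that checks the asserted scope against federation metadata before granting access. The user directory, the release policy, the entity IDs and the scope `example.sch.uk` are all constructed for the illustration.

```python
import secrets
import time

# Constructed sample directory of one hypothetical home organisation (not real data).
USER_DB = {
    "alice": {"password": "correct-horse", "affiliation": "staff"},
    "bob": {"password": "battery-staple", "affiliation": "student"},
}

# Federation metadata as the SP sees it: which IdP is authoritative for which scope.
# A constructed assumption standing in for the federation's signed metadata.
FEDERATION_METADATA = {"https://idp.example.sch.uk": "example.sch.uk"}

# Attribute release policy of the AA, per service provider (assumption: the user or
# institution has allowed only these attributes to be released to each SP).
RELEASE_POLICY = {
    "https://sp.example.org": {"eduPersonScopedAffiliation"},
    "https://anon.example.org": set(),
}


class IdentityProvider:
    """Handle Service (HS) and Attribute Authority (AA) of the home organisation."""

    def __init__(self, entity_id, ttl=300):
        self.entity_id = entity_id
        self.scope = FEDERATION_METADATA[entity_id]
        self.ttl = ttl
        self._handles = {}  # opaque handle -> (username, sp_entity_id, expiry)

    def handle_service(self, username, password, sp_entity_id, now=None):
        """Authenticate (the WEBLOGIN step) and issue an opaque handle bound to this SP."""
        now = time.time() if now is None else now
        user = USER_DB.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None  # no handle is ever issued without authentication
        handle = secrets.token_urlsafe(16)  # random: carries no information about the user
        self._handles[handle] = (username, sp_entity_id, now + self.ttl)
        return handle

    def attribute_authority(self, handle, sp_entity_id, now=None):
        """Resolve a handle presented by an SP and release only policy-permitted attributes."""
        now = time.time() if now is None else now
        entry = self._handles.get(handle)
        if entry is None:
            return None
        username, bound_sp, expiry = entry
        if bound_sp != sp_entity_id or now > expiry:
            return None  # handle replayed at another SP, or too old
        released = {}
        if "eduPersonScopedAffiliation" in RELEASE_POLICY.get(sp_entity_id, set()):
            affiliation = USER_DB[username]["affiliation"]
            released["eduPersonScopedAffiliation"] = f"{affiliation}@{self.scope}"
        return released


def wayf(home_org, idps):
    """Where Are You From: map the user's chosen home organisation to its IdP."""
    return idps.get(home_org)


class ServiceProvider:
    def __init__(self, entity_id, allowed_affiliations):
        self.entity_id = entity_id
        self.allowed_affiliations = set(allowed_affiliations)

    def resource_manager(self, handle, idp, now=None):
        """Ask the AA for attributes and decide access (the 'OK, I grant access' step)."""
        attrs = idp.attribute_authority(handle, self.entity_id, now)
        if attrs is None:
            return "deny: handle not accepted by the Attribute Authority"
        value = attrs.get("eduPersonScopedAffiliation")
        if value is None:
            return "deny: no affiliation released"
        affiliation, _, scope = value.partition("@")
        # Scope check: an IdP may only assert affiliations for the scope the metadata grants it.
        if scope != FEDERATION_METADATA.get(idp.entity_id):
            return "deny: scope not authorised for this IdP"
        if affiliation not in self.allowed_affiliations:
            return f"deny: affiliation '{affiliation}' not licensed"
        return "grant"


def login_flow(sp, idps, home_org, username, password, now=None):
    """Run the whole redirect sequence for one user and return the SP's decision."""
    idp = wayf(home_org, idps)  # the WAYF steps
    if idp is None:
        return "deny: unknown home organisation"
    handle = idp.handle_service(username, password, sp.entity_id, now)  # HS + WEBLOGIN
    if handle is None:
        return "deny: authentication failed"
    return sp.resource_manager(handle, idp, now)  # AA query and access decision
```

The points worth noticing are the ones the slides make in prose: the SP never sees a password, the handle itself tells the SP nothing about the user, the AA decides what leaves the home organisation, and the SP still has to verify that the asserting IdP is entitled to speak for the scope in the attribute value.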
Birmingham’s walkthrough
[Diagram: SP (BGfL+) – UK Access Management Federation – IdP (BGfL Identity Provider)]
LA/RBC roadmap to join the UK federation
1. LA/RBC audit – Review readiness to adopt federated access management.
2. Directory Development – Identify or implement a suitable local/regional directory. Directories need to be correctly populated with attributes about pupils and staff that meet the federation standard, known as the eduPerson specification.
3. Authentication Development – Choose and implement a local/regional authentication, or single sign-on system.
4. Implement IdP – Implement Shibboleth Identity Provider software.
5. Join Federation – All organisations who wish to participate will need to join the UK federation by registering and agreeing to observe federation policy.
6. Institutional Roll-out – On becoming a member of the federation, the institution/LA/RBC will need to roll out the new system. This may include new user guides, training and support mechanisms.
Core attributes
• eduPersonScopedAffiliation – does this institution subscribe to the service in question? e.g. [email protected], or [email protected]
– student (learner), staff (non-teaching staff), faculty (teaching staff), employee (all staff), member (comprises all the previous categories), affiliate (relationship short of full member), alum (ex pupil/alumnus)
• eduPersonTargetedID – persistent opaque identifier – can provide personalisation & usage monitoring across sessions
• eduPersonPrincipalName – the ‘NetID’ of the user, e.g. [email protected] – a persistent identifier across different services
• eduPersonEntitlement – enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource e.g. “entitled to access financial accounts”
• For most applications a combination of eduPersonTargetedID and eduPersonScopedAffiliation will be sufficient
• Where extra attributes are required, the federation has a process for the addition of subsidiary attributes, but...
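How a service provider would consume the core attributes listed above, as an added example (not code from the slides or from the eduPerson specification): parsing eduPersonScopedAffiliation, expanding the affiliation vocabulary so that a staff value also satisfies a check for member or employee, discarding values whose scope the asserting IdP is not trusted for, checking an eduPersonEntitlement value, and deriving an eduPersonTargetedID that stays the same for one user at one SP across sessions but differs between SPs. The HMAC-based derivation, the secret, the scope `example.sch.uk` and the entitlement URN are constructed assumptions for the illustration.

```python
import base64
import hashlib
import hmac

# Affiliation vocabulary from the slide: employee is all staff (teaching or not) and
# member comprises student, staff, faculty and employee; affiliate and alum sit outside it.
IMPLIED = {
    "faculty": {"faculty", "employee", "member"},
    "staff": {"staff", "employee", "member"},
    "employee": {"employee", "member"},
    "student": {"student", "member"},
    "member": {"member"},
    "affiliate": {"affiliate"},
    "alum": {"alum"},
}


def parse_scoped_affiliation(value):
    """Split 'affiliation@scope', rejecting malformed or unknown values."""
    affiliation, sep, scope = value.strip().lower().partition("@")
    if not sep or not scope or "@" in scope or affiliation not in IMPLIED:
        raise ValueError(f"malformed eduPersonScopedAffiliation: {value!r}")
    return affiliation, scope


def effective_affiliations(values, trusted_scopes):
    """Expand released values to the (affiliation, scope) pairs they imply,
    discarding any scope the asserting IdP is not authorised for."""
    effective = set()
    for value in values:
        affiliation, scope = parse_scoped_affiliation(value)
        if scope not in trusted_scopes:
            continue  # an IdP may not assert affiliations for someone else's scope
        effective.update((implied, scope) for implied in IMPLIED[affiliation])
    return effective


def targeted_id(idp_secret, principal_name, sp_entity_id):
    """eduPersonTargetedID for one (user, SP) pair.
    Assumption: derived as an HMAC over the principal name and the SP's entity ID,
    so it is stable across sessions for the same SP, differs between SPs (no
    cross-service correlation) and reveals nothing about the principal name."""
    message = f"{principal_name}!{sp_entity_id}".encode()
    mac = hmac.new(idp_secret, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:20]).decode().rstrip("=")


def authorise(released, trusted_scopes, required_affiliation=None, required_entitlement=None):
    """SP-side access decision over released attributes (constructed policy)."""
    affiliations = effective_affiliations(
        released.get("eduPersonScopedAffiliation", []), trusted_scopes
    )
    if required_affiliation and not any(a == required_affiliation for a, _ in affiliations):
        return False
    if required_entitlement and required_entitlement not in released.get("eduPersonEntitlement", []):
        return False
    return True
```

A resource licensed to a whole institution checks for `member`, which any of student, staff, faculty or employee satisfies; a resource such as the slide's “entitled to access financial accounts” example checks an entitlement value instead, since affiliation alone cannot express it.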
• Executive Liaison: a senior role within the LA
• Management Liaison: authorised to register entities
• SCS certificates available from UKERNA
More information
• UK federation
– http://www.ukfederation.org.uk
• High level info on Becta’s site
– http://schools.becta.org.uk/index.php?rid=11277
– http://industry.becta.org.uk/display.cfm?resID=14598
• Shibboleth
– http://shibboleth.internet2.edu/ (main site)
– http://spaces.internet2.edu/display/SHIB/ (wiki)