Next Generation Athens Services
Ed Zedlewski
UK e-Science Town Meeting, London, 11 April 2005.
Overview
• The Athens (UK) federation
• Athens-Federation Gateway
• Some issues:
– Attribute release
– Shibboleth Athens interoperability
• Development roadmap
What is Athens?
• Athens is:
– an SSO architecture
– a (very large) federation
• A complete AAA Access Management System
– Designed to be a replicated and HA architecture
– Standards compliant
• SAML/Shibboleth support
• interoperates with Novell iChain
• Web Services – e.g. SOAP via WSDL
– Devolved Authentication - AthensDA
• interacts with Directory Service, or
• accepts X.509 certificates
What is an Athens Federation?
(Diagram: the federation links identity providers to service providers)
• Identity providers: ORG 1, ORG 2, ORG 3, ORG 4, …
• Service providers:
– Digital resource or database (DSP)
– A national portal (e.g. MyAthens)
– VLE in ORG 2 (e.g. WebCT)
– VLE in ORG 3 (e.g. Blackboard)
– A national virtual university portal
– A national research portal
• Infrastructure
• Registration
• Policies
• Trust
• Legal framework
• Meta-data
What does this look like?
(Diagram: the Athens Federation)
• Organisations (identity providers)
– Organisation A: Athens usernames (Classic Athens)
– Organisation B: Local usernames (AthensDA)
– Organisation C: Local usernames (SAML/Shibboleth)
• Federation: Registration, Trust, Policies
• Service Provider A and Service Provider B, offering e.g.:
– Metasearching
– SAML gateway
– Digital Resources
– Portal (e.g. MyAthens)
Athens in use
• A UK HE/FE managed service delivers:
– Federated identity management
• 29 organisations using AthensDA
– Centralised identity management
• 800 organisations
• Hierarchical administration of 3 million+ users
• NHS managed service
– 1200+ NHS trusts (300k user accounts)
• Over 100 service providers around the globe
• Legal and trust framework
– DSP and organisational licence agreements
– Registration, support and service provision
Athens-Federation Gateway
• Goal: “To facilitate the inter-working between different technologies, communities and organisations.”
• Fully standards compliant
– SAML (e.g. Novell iChain, Shibboleth)
– AthensDA
• Organisations can select the appropriate technology to best suit their needs
• Strong support for portals
• Value-added services (experience, consultancy, user-facing services...)
• Launching Athens (US) federation Q3 2005
Some Issues
• Attribute release
• Shibboleth interoperability
• Multiple identities
• Federation interoperability
• Athens and e-Science agenda
Attribute release policies
• Attribute Release Policies (ARPs) define which attributes can be released to which third parties (i.e. service providers)
• Intrinsic part of federated architectures
• Users (or administrators) define which attribute(s) can be released to which service providers
Attribute release in Athens
• Goals
– Put user in full control over their attribute policy
– Deliver a greater range of attributes to DSPs to use for authorisation and registration
• Advantages
– DSPs gain more accurate information about users, so they can apply more granular authorisation policies
– Users' privacy is protected
– Users don't need to re-register information, as it can be provided by Athens
Attribute release in action
(Diagram: a user accesses a resource through Athens and is asked to release attributes)
• My Identity
– Organisation: University of Bath
– Role: student, post-graduate
– Department: physics
– Email: joe.s@bath.ac.uk
• Exchange between user, Athens and resource
1. Access resource
2. I need information about you
3. OK
• My policy: "This resource wants this information about you: Role, Department"
• Resource: PP ePrints
– Access policy (registration): Students only
– Personalisation
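The exchange above as an added illustration (not Athens code or configuration): a toy attribute release policy evaluator in which the identity provider releases only the intersection of what the service provider requests and what the user's policy permits for that provider, and the service provider then applies its "Students only" rule. The identity values, the policy and the "pp-eprints" service-provider identifier are constructed for the example.

```python
"""Toy attribute release policy (ARP) evaluator modelled on the Athens flow.

Constructed example: identity attributes, policy and the service-provider
identifier are made up for illustration; this is not Athens code.
"""
from dataclasses import dataclass

# The user's identity record as held at the identity provider (constructed).
IDENTITY = {
    "organisation": "University of Bath",
    "role": {"student", "post-graduate"},
    "department": "physics",
    "email": "joe.s@bath.ac.uk",
}

# The user's attribute release policy: which attributes each service provider
# (keyed by a hypothetical SP identifier) may receive. Anything not listed is
# denied, so an unknown SP gets nothing.
ARP = {
    "pp-eprints": {"role", "department"},
}


@dataclass
class ReleaseDecision:
    released: dict   # attributes actually sent to the service provider
    withheld: set    # requested by the SP but not permitted by the policy


def release_attributes(identity, arp, sp_id, requested):
    """Identity-provider side: release the intersection of what the SP asks
    for and what the user's policy permits for that SP (default deny)."""
    permitted = arp.get(sp_id, set())
    released = {a: identity[a] for a in requested if a in permitted and a in identity}
    withheld = set(requested) - set(released)
    return ReleaseDecision(released, withheld)


def sp_access_policy(released):
    """Service-provider side, modelling the 'Students only' registration rule:
    access is granted only if the released role attribute includes 'student'."""
    return "student" in released.get("role", set())


if __name__ == "__main__":
    # PP ePrints asks for Role and Department; Email is outside the policy.
    decision = release_attributes(IDENTITY, ARP, "pp-eprints", ["role", "department", "email"])
    print("released:", decision.released, "withheld:", decision.withheld)
    print("access granted:", sp_access_policy(decision.released))
```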
Shibboleth interoperability
• AthensIM (Identity Manager)
– SAML origin supporting Shib profile
– Released Feb 2005 under GPL
– Download at: http://www.athensams.net/shibboleth/
• Shib-Athens gateway launched now
• Full Shib <-> Athens interoperability in Q3 2005
– Shib Identity providers (origins) using Athens targets
– Athens origins accessing Shib targets
• JISC Middleware support service for Shib Early Adopters
A way forward for e-Science projects
• Most organisations are not able to deliver the required security infrastructure to support e-Science
• Projects can act as orgs in their own right within Athens or Shib federation
• Migrate into affiliated org when infrastructure is mature
• Athens can act as robust AMS framework
– Can support two/multi factor authentication
– Could layer project specific tools over core services
– User registration capability with stronger back-end validation
Development roadmap 2005
(Timeline)
• Mar 2005
– Shibboleth-Athens gateway launched
– SAML-Athens gateway available for trial
• Apr/May 2005
– Classic Athens to Shibboleth gateway
• June 2005
– Attribute release policy interfaces
• Q4 2005 to 2006
– Agent version 4 release
– SAML-Athens gateway launched
– Multiple identity support for Classic Athens
– Federated multiple identity support
Contacts
• http://www.athensams.net