The UK Access Management Federation for education and research
John Chapman, Project Adviser, Technical Policy & Standards

Problems we are trying to solve
• Multiple usernames and passwords
• Multiple copies of personal data held by third parties
• Duplication of effort across multiple institutions
• Publishers and network providers having to interface with multiple systems
• Difficulty in sharing resources between institutions

Timeline (milestones laid out on a 2003–2010 roadmap; only the launch date is stated explicitly)
• JISC announces its intention to support federated access management for UK FE/HE
• WMnet & LGfL pilots prove Shibboleth works in the UK school sector
• Personalised online learning space
• Becta’s business case accepted by DfES
• LGfL continues regional federation as a production service
• Workshops, strategy paper & laboratory test led to the recommendation to implement Shibboleth technology
• All LAs members of the federation?
• Integrated learning & management systems
• Standards Fund Grant 121 (and 121a)
• Work with JISC & UKERNA to establish the UK Access Management Federation for Education and Research – launched 30 November 2005

Shibboleth
• Neither an authentication nor an authorisation system
• Secure exchange of messages between two parties (Identity Provider and Service Provider)
• Authentication handled by institution/LA/RBC (devolved authentication)
• Authorisation achieved by an exchange of attributes (such as ‘member of an institution’)
• Providers need to sign up to a ‘trust’ agreement
• An implementation of SAML (Security Assertion Mark-Up Language)

Benefits of simplified sign-on and the UK federation
• For the learner:
  – Easier access to resources
  – Privacy preserving
  – Facilitates anytime, anywhere learning
• For the institution:
  – Reduction in administrative burdens for managers and users in schools
• For the LA/RBC:
  – Allows for greater aggregation of content purchasing
  – Facilitates secure sharing of content between authorities
• For the education sector:
  – Shared, cross-sector infrastructure
  – Facilitates access to e-portfolios
• For the Government:
  – Strong collaboration between Becta and JISC
  – Centrally provided services for best possible value

The UK Access Management Federation
• A group of member organisations who sign up to a set of rules
• An independent body, managing the trust relationships between members
• End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs)
• Publishers and resource providers act as ‘service providers’ (SPs)

Organisational Structure
• Funded by DfES & JISC
• Provided for Schools, FE & HE
• Operational management by UKERNA
• Policy & Governance Board
  – 3 Becta nominated members (Paul Shoesmith, Andy Tyerman, Mike Kendal)
  – 3 JISC nominated members (John Robinson, Iain Stinson, Brian Gilmore)
  – ‘Neutral’ Chair (Professor Sir David Watson)
• Technical Advisory Group – JISC, Becta, RBC, LA, University and College representation

What the service provides
• A set of Rules that binds members:
  – Make accurate statements to other members
  – Keep federation systems and data secure
  – Use personal data correctly (inc. DPA 1998)
  – Resolve problems within the Federation
• Not by legal action
• Guidance, examples, support
  – How to comply with the Rules
  – How to work with other members
• Common definitions, etc.

What the service provides
• Operational management
  – Registration mechanism for SPs and IdPs
  – Adding new members to the federation & updating existing members’ metadata
  – Fault finding and troubleshooting
  – Compatibility testing of server certificates and CA qualification
  – Technical and operational documentation
  – Ongoing federation development
  – Reporting

[Diagram © SWITCH: Shibboleth access flow, steps 1–10, between the Service Provider (Web Site, Resource Manager, Attribute Requester, Resource), the WAYF, and the Identity Provider (Handle Service, Assertion Service, Attribute Authority, User DB, WebLogin). The annotated messages, in flow order:]
• Service Provider: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
• WAYF: “Please tell me where are you from?” … “OK, I redirect your request now to the Handle Service of your home org.”
• Handle Service: “I don’t know you. Please authenticate using WebLogin.” (credentials checked against the User DB) … “OK, I know you now. I redirect your request to the target, together with a handle.”
• Resource Manager: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
• Attribute Authority: “Let’s pass over the attributes the user has allowed me to release.”
• Resource Manager: “OK, based on the attributes, I grant access to the resource.”

Birmingham’s walkthrough
[Diagram: SP “BGfL+” and IdP “BGfL Identity Provider”, both joined through the UK Access Management Federation.]

LA/RBC roadmap to join the UK federation
1. LA/RBC audit – Review readiness to adopt federated access management.
2. Directory Development – Identify or implement a suitable local/regional directory. Directories need to be correctly populated with attributes about pupils and staff that meet the federation standard, known as the eduPerson specification.
3. Authentication Development – Choose and implement a local/regional authentication, or single sign-on, system.
4. Implement IdP – Implement Shibboleth Identity Provider software.
5. Join Federation – All organisations who wish to participate will need to join the UK federation by registering and agreeing to observe federation policy.
6. Institutional Roll-out – On becoming a member of the federation, the institution/LA/RBC will need to roll out the new system. This may include new user guides, training and support mechanisms.

Core attributes
• eduPersonScopedAffiliation – does this institution subscribe to the service in question? e.g. member@netherhall.cambs.sch.uk, or student@keele.ac.uk
  – student (learner), staff (non-teaching staff), faculty (teaching staff), employee (all staff), member (comprises all the previous categories), affiliate (relationship short of full member), alum (ex pupil/alumnus)
• eduPersonTargetedID – persistent opaque identifier – can provide personalisation & usage monitoring across sessions
• eduPersonPrincipalName – the ‘NetID’ of the user, e.g. user@school.lea.sch.uk – a persistent identifier across different services
• eduPersonEntitlement – enables an institution to assert that a user satisfies an additional set of specific conditions that will apply for access to a particular resource, e.g. “entitled to access financial accounts”
• For most applications a combination of eduPersonTargetedID and eduPersonScopedAffiliation is sufficient
• Where extra attributes are required, the federation has a process for the addition of subsidiary attributes, but...

• Executive Liaison: a senior role within the Management
• LA Liaison: authorised to register entities
• SCS certificates available from UKERNA

More information
• UK federation
  – http://www.ukfederation.org.uk
• High level info on Becta’s site
  – http://schools.becta.org.uk/index.php?rid=11277
  – http://industry.becta.org.uk/display.cfm?resID=14598
• Shibboleth
  – http://shibboleth.internet2.edu/ (main site)
  – http://spaces.internet2.edu/display/SHIB/ (wiki)
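Worked example for the Core attributes slide (added here; it is not part of the presentation and not code from the Shibboleth project): an SP-side authorisation check over a constructed SAML 1.1 attribute statement, using the scope of eduPersonScopedAffiliation to answer “does this institution subscribe?” and eduPersonTargetedID as the opaque key for personalisation. The namespace and attribute-name URIs follow SAML 1.1 / Shibboleth 1.x conventions; the sample values, the subscriber list and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
ATTR = "urn:mace:dir:attribute-def:"   # attribute-name prefix used by Shibboleth 1.x

# Constructed attribute statement, as an IdP might release it to an SP (sample, not captured traffic).
SAMPLE_STATEMENT = f"""<AttributeStatement xmlns="{SAML1}">
  <Attribute AttributeName="{ATTR}eduPersonScopedAffiliation">
    <AttributeValue>student@netherhall.cambs.sch.uk</AttributeValue>
    <AttributeValue>member@netherhall.cambs.sch.uk</AttributeValue>
  </Attribute>
  <Attribute AttributeName="{ATTR}eduPersonTargetedID">
    <AttributeValue>c0ffee12-opaque-constructed</AttributeValue>
  </Attribute>
</AttributeStatement>"""


def parse_attributes(xml_text):
    """Map short eduPerson attribute names to their list of string values."""
    root = ET.fromstring(xml_text)
    out = {}
    for attr in root.iter(f"{{{SAML1}}}Attribute"):
        name = attr.get("AttributeName", "")
        short = name[len(ATTR):] if name.startswith(ATTR) else name
        out[short] = [v.text.strip() for v in attr.iter(f"{{{SAML1}}}AttributeValue") if v.text]
    return out


def authorise(attrs, subscribing_scopes, allowed_affiliations):
    """SP-side decision: grant if any scoped affiliation carries a scope that subscribes
    to the service AND an affiliation the licence covers.  The scope is the part after
    the LAST '@', so 'member@evil@school.sch.uk' yields affiliation 'member@evil' and is
    rejected; values with no '@' are ignored rather than trusted.  (A deployed SP must
    also check, from federation metadata, that the asserting IdP may assert that scope.)
    Returns (decision, targeted_id_or_None) so the caller keys personalisation on the
    opaque identifier and never needs a name or NetID."""
    for value in attrs.get("eduPersonScopedAffiliation", []):
        if "@" not in value:
            continue
        affiliation, scope = value.rsplit("@", 1)
        if scope.lower() in subscribing_scopes and affiliation.lower() in allowed_affiliations:
            targeted_id = attrs.get("eduPersonTargetedID", [None])[0]
            return True, targeted_id
    return False, None


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_STATEMENT)
    print(authorise(attrs, {"netherhall.cambs.sch.uk"}, {"member"}))   # (True, 'c0ffee12-opaque-constructed')
    print(authorise(attrs, {"keele.ac.uk"}, {"member"}))               # (False, None): institution not a subscriber
```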