1、The UK Access Management Federation for education and research,John Chapman, Project Adviser, Technical Policy & Standards,Problems we are trying to solve,Multiple usernames and passwords Multiple copies of personal data held by third parties Duplication of effort across multiple institutions Publis
2、hers and network providers having to interface with multiple systems Difficulty in sharing resources between institutions,2003 2004 2005 2006 2007 2008 2009 2010,Workshops, strategy paper & laboratory test led to recommendation of implementing Shibboleth technology,WMnet & LGfL pilots prove Shibbole
3、th works in UK school sector,JISC announce its intention to support federated access management for UK FE/HE.,Bectas business case accepted by DfES,Work with JISC & UKERNA to establish the UK Access Management Federation for Education and Research launched 30 November,LGfL continues regional federat
4、ion as a production service,Personalised online learning space,Integrated learning & management systems,All LAs members of the federation?,Standards Fund Grant 121 (and 121a),Shibboleth,Neither an authentication or authorisation system Secure exchange of messages between two parties (Identity Provid
5、er and Service Provider) Authentication handled by institution/LA/RBC (devolved authentication) Authorisation achieved by an exchange of attributes (such as member of an institution) Providers need to sign up to a trust agreement An implementation of SAML (Security Assertion Mark-Up Language),Benefi
6、ts of simplified sign-on and the UK federation,For the learner: Easier access to resources Privacy preserving Facilitates anytime, anywhere learning For the institution: Reduction in administrative burdens for managers and users in schools For the LA/RBC: Allow for greater aggregation of purchasing
7、content Facilitate secure sharing of content between authorities For the education sector: Shared, cross-sector infrastructure Facilitate access to e-portfolios For the Government: Strong collaboration between Becta and JISC Centrally provided services for best possible value,Benefits for Service Pr
8、oviders,No need to maintain your own user database Authentication is performed by the IdP Can authorise per institution, role, and/or entitlement Reduced user support requirements Reduced compliance burden Less storage/processing of personal data Accurate implementation of licence conditions Users t
9、ake better care of credentials Organisations take better care of assertions,The UK Access Management Federation,A group of member organisations who sign up to a set of rules An independent body, managing the trust relationships between members End user organisations act as identity providers (IdPs)
10、and optionally service providers (SPs) Publishers and resource providers act as service providers (SPs),Organisational Structure,Funded by DfES & JISC Provided for Schools, FE & HE Operational management by UKERNA Policy & Governance Board 3 Becta nominated members (Paul Shoesmith, Andy Tyerman, Mik
11、e Kendal) 3 JISC nominated members (John Robinson, Iain Stinson, Brian Gilmore) Neutral Chair (Professor Sir David Watson) Technical Advisory Group JISC, Becta, RBC, LA, University and College representation,What the service provides,A set of Rules that binds members: Make accurate statements to oth
12、er members Keep federation systems and data secure Use personal data correctly (inc. DPA1998) Resolve problems within the Federation Not by legal action Guidance, examples, support How to comply with the Rules How to work with other members Common definitions, etc.,What the service provides,Operatio
13、nal management Registration mechanism for SPs and IdPs Adding new members to the federation & updating existing members metadata Fault finding and trouble shooting Compatibility testing of server certificates and CA Qualification Technical and operational documentation Ongoing federation development
14、 Reporting,Resource,WAYF,Identity Provider,Service Provider Web Site, SWITCH,Birminghams walkthrough,SP BGfL+,IdP BGfL Identity Provider,UK Access Management Federation,LA/RBC roadmap to join the UK federation,LA/RBC audit Review readiness to adopt federated access management. Directory Development
15、Identify or implement a suitable local/regional directory. Directories need to be correctly populated with attributes about pupils and staff that meet the federation standard, known as the eduPerson specification. Authentication Development Choose and implement a local/regional authentication, or si
16、ngle sign-on system. Implement IdP Implement Shibboleth Identity Provider software. Join Federation All organisations who wish to participate will need to join the UK federation by registering and agreeing to observe federation policy. Institutional Roll-out On becoming a member of the federation, t
17、he institution/LA/RBC will need to roll out the new system. This may include new user guides, training and support mechanisms.,Core attributes,eduPersonScopedAffiliation does this institution subscribe to the service in question? e.g. membernetherhall.cambs.sch.uk, or studentkeele.ac.uk student (lea
18、rner), staff (non-teaching staff), faculty (teaching staff), employee (all staff), member (comprises all the previous categories), affiliate (relationship short of full member), alum (ex pupil/alumnus) eduPersonTargetedID persistent opaque identifier can provide personalisation & usage monitoring ac
19、ross sessions eduPersonPrincipalName the NetID of the user, e.g. userschool.lea.sch.uk a persistent identifier across different services eduPersonEntitlement enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource
20、 e.g. “entitled to access financial accounts” Where extra attributes are required, the federation has a process for the addition of subsidiary attributes, but.,For most applications a combination of eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient,Executive Liaison: a senior rol
21、e within the LA,SCS certificates available from UKERNA,Management Liaison: authorised to register entities,More information,UK federation http:/www.ukfederation.org.uk High level info on Bectas site http:/schools.becta.org.uk/index.php?rid=11277 http:/industry.becta.org.uk/display.cfm?resID=14598 Shibboleth http:/shibboleth.internet2.edu/ (main site) http:/spaces.internet2.edu/display/SHIB/ (wiki),
