To identity federation and beyond! Josh Howlett, JANET(UK), HEAnet 2008

To identity federation and beyond!

Josh Howlett, JANET(UK)

HEAnet 2008

Identity Federations

Key characteristics (HEAnet and identity federations compared)

• Composed of self-governing regions

– HEAnet: Research & Education Institutions

– Federations: Research & Education Institutions and organisations that serve them

• Coming together to solve common problems

– HEAnet: Network connectivity

– Federations: Access management

• Governed by a common constitution

– HEAnet: Acceptable Use and other Policies

– Federations: Federation agreement

• Realised and enforced through common instruments

– HEAnet: Network infrastructure and norms (routers, naming, numbering, etc)

– Federations: Identity infrastructure and norms (trust, schema, protocols, etc)

You already do ‘federated identity’

• Visiting academics

• ERASMUS students

• Library visitors

• These tend to be ad hoc systems, relying on separate processes that may take days or weeks to complete.

• Wouldn’t it be handy if there was a single way to manage federated identity?

SAML

• Security Assertion Mark-up Language

• August 2002: SAML 1.0

• November 2003: SAML 1.1

– Liberty Alliance ‘Identity Federation Framework’

– Internet2 ‘Shibboleth’ Project, Profile and Software

• March 2005: SAML 2.0

• November 2008: Microsoft ‘Genesis’

About the UK federation

• The Athens service

• Interest in FAM from both JISC and Becta

• UK federation established in Nov 2006

• Over 600 member organisations

– Almost all Higher Education Institutions

– Half of all Further Education Colleges

– About half of the Schools sector

• ~30,000 schools (regional aggregation)

– Several million users

About the UK federation

• Why federate access management?

– Privacy

– Single sign-on

– Common technology supporting a broad range of applications, internal and external.

– Integrates easily into existing identity infrastructure

Participation

• Eligible to all education and research organisations, and those that serve them.

• Rules of Membership

– Legally binding agreement

– User accountability

• Technical Recommendations

– SAML 1.1

– Shibboleth 1.3
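The federation's "common instruments" from the key-characteristics slide (trust, schema, protocols) meet in the checks a service provider performs before it trusts a SAML 1.1 assertion from a member identity provider. The following is an added illustration, not code from the slides, the UK federation or the Shibboleth project: the issuer must appear in the federation's metadata, the version must be the recommended SAML 1.1, the audience restriction must name this service provider, and the assertion must be inside its validity window. The entity IDs, the sample assertion, the timestamps and the three-minute clock skew are constructed assumptions, and XML signature verification is assumed to have been done by the SAML stack before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.x assertion namespace

# Constructed stand-in for the federation's metadata aggregate: the identity
# providers (by entityID) whose assertions this service provider may accept.
FEDERATION_IDPS = {"https://idp.example.ac.uk/shibboleth"}

# This service provider's own entityID (constructed).
OUR_ENTITY_ID = "https://sp.example.ie/shibboleth"

# Constructed SAML 1.1 assertion of the shape a Shibboleth 1.3 IdP issues after
# login; the transient NameIdentifier is what gives the "privacy" property.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed0001"
    Issuer="https://idp.example.ac.uk/shibboleth" IssueInstant="2008-11-13T10:00:00Z">
  <saml:Conditions NotBefore="2008-11-13T09:59:00Z" NotOnOrAfter="2008-11-13T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.ie/shibboleth</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2008-11-13T09:59:30Z">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.example.ac.uk/shibboleth">_tr4ns13nt</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _instant(text):
    """Parse a SAML UTC timestamp such as 2008-11-13T10:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now_text, trusted_idps=FEDERATION_IDPS,
                    our_id=OUR_ENTITY_ID, skew=timedelta(minutes=3)):
    """Return (accepted, reasons) for an assertion received at time now_text.

    Assumes the XML signature has already been verified by the SAML stack
    against the issuer's key from federation metadata (assumption); these are
    the trust and condition checks layered on top of that.
    """
    now = _instant(now_text)
    reasons = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1:
        return False, ["not a SAML 1.x assertion"]
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        reasons.append("unsupported SAML version")
    # Trust: only identity providers listed in the federation metadata count.
    issuer = root.get("Issuer")
    if issuer not in trusted_idps:
        reasons.append("issuer not in federation metadata")
    cond = root.find("{%s}Conditions" % SAML1)
    if cond is None:
        reasons.append("no Conditions element")
    else:
        # Validity window, with a small allowance for clock skew between sites.
        not_before = cond.get("NotBefore")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_before and now < _instant(not_before) - skew:
            reasons.append("assertion not yet valid")
        if not_on_or_after and now >= _instant(not_on_or_after) + skew:
            reasons.append("assertion expired")
        # Audience restriction: an assertion minted for another SP is refused.
        audiences = [e.text for e in cond.iter("{%s}Audience" % SAML1)]
        if audiences and our_id not in audiences:
            reasons.append("audience restriction excludes this service provider")
    return not reasons, reasons


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, "2008-11-13T10:02:00Z"))
    print(check_assertion(SAMPLE_ASSERTION, "2008-11-13T10:30:00Z"))
```

Each failed check is reported rather than the first one aborting, which is what a relying party's logs need when a member institution's clock drifts or its metadata entry lapses.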

…and beyond?

• Beyond national boundaries

– Considerable interest in ‘inter-federation’ and ‘confederation’.

– eduGAIN

• Beyond the Web

– non-Web infrastructure and services

– federated filestore, consoles, network access, etc…

Conclusions

• You already do federated identity, even if you don’t call it that!

• SAML is a well-established and widely deployed technology.

• Federated Access Management is acceptable to Institutions.

Thank you for your attention

Any questions?
