The UK Access Management Federation for education and research

John Chapman, Project Adviser, Technical Policy & Standards

Problems we are trying to solve

• Multiple usernames and passwords• Multiple copies of personal data held by third

parties• Duplication of effort across multiple

institutions• Publishers and network providers having to

interface with multiple systems• Difficulty in sharing resources between

institutions

2003 2004 2005 2006 2007 2008 2009 2010

Workshops, strategy paper & laboratory test led to recommendation of implementing Shibboleth technology

WMnet & LGfL pilots prove Shibboleth works in UK school sector

JISC announce its intention to support federated access management for UK FE/HE.

Becta’s business case accepted by DfES

Work with JISC & UKERNA to establish the UK Access Management Federation for Education and Research – launched 30 November

LGfL continues regional federation as a production service

Personalised online learning space Integrated learning &

management systems

All LAs members

of the federation?

Standards Fund Grant 121 (and 121a)

Shibboleth

• Neither an authentication or authorisation system

• Secure exchange of messages between two parties (Identity Provider and Service Provider)

• Authentication handled by institution/LA/RBC (devolved authentication)

• Authorisation achieved by an exchange of attributes (such as ‘member of an institution’)

• Providers need to sign up to a ‘trust’ agreement

• An implementation of SAML (Security Assertion Mark-Up Language)

Benefits of simplified sign-on and the UK federation

• For the learner:– Easier access to resources– Privacy preserving– Facilitates anytime, anywhere learning

• For the institution:– Reduction in administrative burdens for managers and users in

schools• For the LA/RBC:

– Allow for greater aggregation of purchasing content– Facilitate secure sharing of content between authorities

• For the education sector: – Shared, cross-sector infrastructure– Facilitate access to e-portfolios

• For the Government:– Strong collaboration between Becta and JISC– Centrally provided services for best possible value

The UK Access Management Federation

• A group of member organisations who sign up to a set of rules

• An independent body, managing the trust relationships between members

• End user organisations act as ‘identity providers’ (IdPs) and optionally ‘service providers’ (SPs)

• Publishers and resource providers act as ‘service providers’ (SPs)

Organisational Structure

• Funded by DfES & JISC• Provided for Schools, FE & HE • Operational management by UKERNA• Policy & Governance Board

– 3 Becta nominated members (Paul Shoesmith, Andy Tyerman, Mike Kendal)

– 3 JISC nominated members (John Robinson, Iain Stinson, Brian Gilmore)

– ‘Neutral’ Chair (Professor Sir David Watson)• Technical Advisory Group

– JISC, Becta, RBC, LA, University and College representation

What the service provides

• A set of Rules that binds members:– Make accurate statements to other members– Keep federation systems and data secure– Use personal data correctly (inc. DPA1998)– Resolve problems within the Federation

• Not by legal action• Guidance, examples, support

– How to comply with the Rules– How to work with other members

• Common definitions, etc.

What the service provides

• Operational management– Registration mechanism for SPs and IdPs– Adding new members to the federation & updating

existing members’ metadata– Fault finding and trouble shooting – Compatibility testing of server certificates and CA

Qualification– Technical and operational documentation– Ongoing federation development– Reporting

Res

ou

rce

WAYF

Identity ProviderService Provider

Web Site

1

Assertion Service

I don’t know you.Not even which home

org you are from.I redirect your request

to the WAYF32

Please tell me where are you from?

HS

5

6

I don’t know you.Please authenticateUsing WEBLOGIN

7

User DB

Credentials

OK, I know you now.I redirect your requestto the target, together

with a handle

4

OK, I redirect yourrequest now to

the Handle Service of your home org.

Requester

Handle

Handle8

I don’t know theattributes of this user.Let’s ask the Attribute

Authority

Handle9AA

Let’s pass over the attributes the userhas allowed me to

release

Attributes 10

Res

ou

rce

Man

ag

er

Attributes

OK, based on theattributes, I grant

access to the resource

© SWITCH

Birmingham’s walkthrough

SPBGfL+

IdPBGfL

Identity Provider

UK Access ManagementFederation

LA/RBC roadmap to join the UK federation

1. LA/RBC audit – Review readiness to adopt federated access management.

2. Directory Development – Identify or implement a suitable local/regional directory. Directories need to be correctly populated with attributes about pupils and staff that meet the federation standard, known as the eduPerson specification.

3. Authentication Development – Choose and implement a local/regional authentication, or single sign-on system.

4. Implement IdP – Implement Shibboleth Identity Provider software.5. Join Federation – All organisations who wish to participate will

need to join the UK federation by registering and agreeing to observe federation policy.

6. Institutional Roll-out – On becoming a member of the federation, the institution/LA/RBC will need to roll out the new system. This may include new user guides, training and support mechanisms.

Core attributes• eduPersonScopedAffiliation – does this institution subscribe

to the service in question? e.g. member@netherhall.cambs.sch.uk, or student@keele.ac.uk

– student (learner), staff (non-teaching staff), faculty (teaching staff), employee (all staff), member

(comprises all the previous categories), affiliate (relationship short of full member), alum (ex

pupil/alumnus)

• eduPersonTargetedID – persistent opaque identifier – can provide personalisation & usage monitoring across sessions

• eduPersonPrincipalName – the ‘NetID’ of the user, e.g. user@school.lea.sch.uk – a persistent identifier across different services

• eduPersonEntitlement – enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource e.g. “entitled to access financial accounts”

• Where extra attributes are required, the federation has a process for the addition of subsidiary attributes, but...

For most applications a combination of eduPersonScopedAffiliation and eduPersonTargetedID

will be sufficient

Executive Liaison: a senior role within the

LASCS

certificates available

from UKERNA

Management Liaison:

authorised to register entities

More information

• UK federation– http://www.ukfederation.org.uk

• High level info on Becta’s site– http://schools.becta.org.uk/index.php?rid=11277

– http://industry.becta.org.uk/display.cfm?resID=14598

• Shibboleth– http://shibboleth.internet2.edu/ (main site)– http://spaces.internet2.edu/display/SHIB/ (wiki)