The UK Access Management Federation John Chapman Project Adviser – Becta

Post on 23-Jan-2016


DESCRIPTION

The UK Access Management Federation. John Chapman, Project Adviser – Becta. UK Access Management Federation for Education and Research. Supported by JISC and Becta, and operated by UKERNA.

TRANSCRIPT

Page 1: The UK Access Management Federation

The UK Access Management Federation

John Chapman, Project Adviser – Becta

Page 2: The UK Access Management Federation

UK Access Management Federation for Education and Research

• Supported by JISC and Becta, and operated by UKERNA

• Provides a single solution to access online resources and services for all education and research in UK including schools, colleges and universities

• Live 30 November 2006

Page 3: The UK Access Management Federation

Federation Stats: 13th April 2007

• 50 members

• 113 entities (two dual in nature):

– 51 Identity Providers

– 64 Service Providers

• 29 ‘core’ university/college members

• 3 ‘core’ school sector members

• Potentially >600 IdPs with more than 10,000,000 users...

• Or even more if we include parents...

Page 4: The UK Access Management Federation

UK Federation Services

Page 5: The UK Access Management Federation

• Rules of Membership

• Recommendations for Use of Personal Data

• Technical Recommendations for Participants

• Federation Technical Specifications

• Federation Operator Procedures

Page 6: The UK Access Management Federation

• Registration mechanism for SPs and IdPs

• Adding new members to the federation & updating existing members’ metadata

• Fault finding and troubleshooting

• Compatibility testing of server certificates and CA Qualification

• Technical and operational documentation

• Ongoing federation development

• Reporting

Page 7: The UK Access Management Federation

• Discovery Service

– Resilient WAYF

• Hosting of metadata

• Monitoring of SPs and IdPs

• Test environment

• Federation web site: www.ukfederation.org.uk

Page 8: The UK Access Management Federation

• Guidance and advice to IdPs & SPs

• Configuration guides

• Training courses

• Online training material

• Workshops to help organisations join the UK Federation

Page 9: The UK Access Management Federation

Policy Document 1: Rules of Membership

• The basic contractual framework for trust

• Covers:

– Definitions

– Rules for all members

– Specific rules for IdPs and SPs

– Data Protection and Privacy

– User Accountability

– Liability

– Audit and Compliance

– Termination

– Membership Cessation

– Changes to Rules

– Dispute Resolution

Page 10: The UK Access Management Federation

Policy Document 2: Recommendations for Use of Personal Data

• Recommendations for use of personal data

• Covers legal requirements – Data Protection Act 1998

• Practical use of attributes:

– eduPersonScopedAffiliation: represents the least intrusion into the user’s privacy and is likely to be sufficient for many access control decisions.

– eduPersonTargetedID: designed to satisfy applications where the service provider needs to be able to recognise a returning user without revealing real identity.

“For most applications a combination of the attributes eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient. A requirement to provide other attributes should be regarded as exceptional by both Identity and Service Providers and will involve considerable additional responsibilities for both.”

– eduPersonPrincipalName comes under the personal data guidelines of the DP Act.

– eduPersonEntitlement: it may be possible to determine identity from an entitlement, so it is again governed by the DP Act.

Page 11: The UK Access Management Federation

Policy Document 3: Technical Recommendations for Participants

• Specifies the technical architecture for the Federation and participants

• Choice of IdP / SP software (the UK Federation is neutral, but software must be SAML compliant and tested by the Federation)

• Authentication response profiles

• Metadata processes

• Digital certificate processes

• ‘Discovery’ processes – to WAYF or not to WAYF

• Attribute usage

• Includes Future Directions for each area of work

Page 12: The UK Access Management Federation

UK Federation Required Attributes plus subsidiary attributes

Technical attribute name (example value) – what this really means

eduPersonScopedAffiliation ([email protected] or [email protected]) – UK-specific controlled vocabulary
Establishes the user’s relationship with the institution – e.g. staff, student, member. Terms as used in the JISC Model Licence. Most authorisation can be done against this attribute.

eduPersonTargetedID (r001xf4rg2ss) – opaque string defined by the institution
‘A persistent user pseudonym’ to allow for service personalisation and usage monitoring across sessions. Not a real-world identity.

eduPersonPrincipalName (harrisnv) – defined by the institution: the login name
Used when a persistent user identifier is required across services. Typically used for internal institutional services. Real identity can be established from this attribute.

eduPersonEntitlement (expressed as an agreed URI) – mutually agreed by institution and service
Used when a specific resource has a specific entitlement condition not covered elsewhere: must be over 21, must have completed a foundation course module, entitled to access financial records.
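The attribute guidance on slides 10 and 12, worked through in code as an added example (not part of the presentation or of any UK Federation software): the IdP releases only eduPersonScopedAffiliation and eduPersonTargetedID unless more has been explicitly agreed, and the SP authorises on the scoped affiliation while using the targeted ID only as an opaque pseudonym. Function names, the example.ac.uk scope and the entitlement URI are this example's own constructions.

```python
# Added example, not from the presentation: a model of the attribute guidance on
# slides 10 and 12. The IdP releases only the two baseline attributes unless more
# was explicitly agreed; the SP authorises on the scoped affiliation and keys
# personalisation on the opaque targeted ID. Names and URIs are constructed.

BASELINE = ("eduPersonScopedAffiliation", "eduPersonTargetedID")  # slide 10

# Constructed sample record held at the IdP (illustrative values, not a real user)
USER = {
    "eduPersonScopedAffiliation": "student@example.ac.uk",
    "eduPersonTargetedID": "r001xf4rg2ss",  # opaque pseudonym, as on slide 12
    "eduPersonPrincipalName": "harrisnv",   # login name: real identity, DP Act
    "eduPersonEntitlement": ["urn:example:foundation-module-complete"],
}

def release_attributes(user, agreed_extra=()):
    """IdP side: baseline attributes only, plus attributes the institution and
    the service have explicitly agreed (slide 10 calls that exceptional)."""
    released = {k: user[k] for k in BASELINE if k in user}
    released.update({k: user[k] for k in agreed_extra if k in user})
    return released

def parse_scoped_affiliation(value):
    """Split 'affiliation@scope' on the last '@'; both parts must be present."""
    affiliation, sep, scope = value.rpartition("@")
    if not (sep and affiliation and scope):
        raise ValueError("malformed eduPersonScopedAffiliation: %r" % value)
    return affiliation.lower(), scope.lower()

def authorise(attrs, licensed_scopes, allowed_affiliations, entitlement=None):
    """SP side: decide on scope (which institution) and affiliation (controlled
    vocabulary such as staff/student/member); demand an agreed entitlement URI
    only for resources with a specific condition. Returns (allowed, pseudonym, reason)."""
    value = attrs.get("eduPersonScopedAffiliation")
    if value is None:
        return False, None, "no affiliation released"
    try:
        affiliation, scope = parse_scoped_affiliation(value)
    except ValueError as err:
        return False, None, str(err)
    if scope not in licensed_scopes:
        return False, None, "institution %s not licensed" % scope
    if affiliation not in allowed_affiliations:
        return False, None, "affiliation %s not permitted" % affiliation
    if entitlement and entitlement not in attrs.get("eduPersonEntitlement", ()):
        return False, None, "required entitlement not released"
    # Personalisation keys on the pseudonym; no real identity is needed or seen
    return True, attrs.get("eduPersonTargetedID"), "ok"
```

The entitlement-gated case only succeeds when the IdP was told to release eduPersonEntitlement, which is the "exceptional" agreement the slide describes.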

Page 13: The UK Access Management Federation

Policy Document 4: Federation Technical Specification and Policy Document 5: Federation Operator Procedures

• Federation Technical Specification:

– High level document about trust fabrics and how the UK Access Management Federation achieves trust.

• Federation Operator Procedures:

– The procedures actually undertaken by the Federation Operator (UKERNA):

• Enrolment

• CA Qualification

• Support

• Monitoring / Audit

Page 14: The UK Access Management Federation

Upcoming… in Policy

• More practical documents related to the baseline Federation, such as Identity Provider deployment.

• More advice and policy as developments move to service:

– Levels of assurance

– Virtual organisation support

– Virtual ‘orphanage’ (SDSS already offering TypeKey and ProtectNetwork solutions)

– Detailed policies for outsourced identity providers and outsourced service providers

Page 15: The UK Access Management Federation

Levels of Authentication

• FAME-PERMIS

– 1 January 2005 – 31 December 2006

– Develop middleware extensions to facilitate multi-factor authentication and authentication-strength-linked fine-grained access control supporting a wide range of authentication methods

– Allow users to choose the right authentication token to achieve a required level of authentication strength and feed this LoA to the PERMIS decision engine to facilitate LoA-linked fine-grained user authorisation and access control.

• ES-LoA: e-infrastructure security levels of assurance

– 1 November 2006 – 31 October 2007

– JISC-funded project to examine existing definitions of authentication levels of assurance, both at UK and international levels, building consensus and making proposals regarding standard definitions for use in the UK education and research community.

• JISC Identity Project – www.identity-project.info

– Research into, and establish consensus on, the current practice and future needs of UK academic institutions in Identity Management

– Issues that will be addressed include Grid use, Shibboleth installations, inter-institutional collaborations, internal and shared dynamic virtual organisations, classes of users, library access schemes, and NHS involvement.

• DfES Identity Management Scoping Study

• Becta Schools Interoperability Framework: 2nd PoC and Pilot