1 / 16

The UK Access Management Federation

The UK Access Management Federation. John Chapman Project Adviser – Becta. UK Access Management Federation for Education and Research. Supported by JISC and Becta, and operated by UKERNA

donagh
Download Presentation

The UK Access Management Federation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The UK Access Management Federation John Chapman Project Adviser – Becta

  2. UK Access Management Federation for Education and Research • Supported by JISC and Becta, and operated by UKERNA • Provides a single solution to access online resources and services for all education and research in UK including schools, colleges and universities • Live 30 November 2006

  3. Federation Stats: 13th April 2007 • 50 members • 113 entities (two dual in nature): • 51 Identity Providers • 64 Service Providers • 29 ‘core’ university/college members • 3 ‘core’ school sector members • Potentially >600 IdPs with more than 10,000,000 users... • Or even more if we include parents...

  4. UK Federation Services

  5. Rules of Membership • Recommendations for Use of Personal Data • Technical Recommendations for Participants • Federation Technical Specifications • Federation Operator Procedures

  6. Registration mechanism for SPs and IdPs • Adding new members to the federation & updating existing members’ metadata • Fault finding and trouble shooting • Compatibility testing of server certificates and CA Qualification • Technical and operational documentation • Ongoing federation development • Reporting

  7. Discovery Service • Resilient WAYF • Hosting of metadata • Monitoring of SPs and IdPs • Test environment • Federation web site: www.ukfederation.org.uk

  8. Guidance and advice to IdPs& SPs • Configuration guides • Training courses • Online training material • Workshops to help organisations join the UK Federation

  9. Definitions Rules for all members Specific rules for IdPs and SPs Data Protection and Privacy User Accountability Liability Audit and Compliance Termination Membership Cessation Changes to Rules Dispute Resolution Policy Document 1: Rules of Membership The basic contractual framework for trust Covers:

  10. Policy Document 2:Recommendations for Use of Personal Data • Recommendations for use of personal data • Covers legal requirements – Data Protection Act 1998 • practical use of attributes: • eduPersonScopedAffiliaton: represents the least intrusion into the user’s privacy and is likely to be sufficient for many access control decisions. • eduPersonTargetedID: designed to satisfy applications where the service provider needs to be able to recognise a returning user without revealing real identity. “For most applications a combination of the attributes eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient. A requirement to provide other attributes should be regarded as exceptional by both Identity and Service Providers and will involve considerable additional responsibilities for both.” • eduPersonPrincipleName comes under the personal data guidelines of DP Act. • eduPersonEntitlement: may be possible to determine Identity from entitlement so again governed by DP Act.

  11. Policy Document 3: Technical Recommendations for Participants • Specifies the technical architecture for Federation and participants • Choice of IdP / SP software (UK is neutral but must be SAML compliant and tested by Federation) • Authentication response profiles • Metadata processes • Digital Certificate processes • ‘Discovery’ processes – to WAYF or not to WAYF • Attribute usage • Includes Future Directions for each area of work

  12. UK Federation Required Attributes plus subsidiary attributes

  13. Policy Document 4: Federation Technical Specification and Policy Document 5: Federation Operator Procedures • Federation Technical Specification: • High level document about trust fabrics and how the UK Access Management Federation achieves trust. • Federation Operator Procedures: • The procedures actually undertaken by the Federation Operator (UKERNA): • Enrolment • CA Qualification • Support • Monitoring / Audit

  14. Upcoming…in Policy More practical documents related to baseline Federation such as Identity Provider deployment. • More advice and policy as developments move to service: • Levels of assurance • Virtual organisation support • Virtual ‘orphanage’ (SDSS already offering TypeKey and ProtectNetwork solutions) • Detailed policies for outsourced identity providers and outsourced service providers

  15. Levels of Authentication • FAME-PERMIS • 1 January 2005 – 31 December 2006 • Develop middleware extensions to facilitate multi-factor authentication and authentication strength linked fine-grained access control supporting a wide range of authentication methods • Allow users to choose the right authentication token to achieve a required level of authentication strength and feed this LoA to the PERMIS decision engine to facilitate LoA linked fine-grained user authorisation and access control. • ES-LoA: e-infrastructure security levels of assurance • 1 November 2006 – 31 October 2007 • JISC-funded project to examine existing definitions of authentication levels of assurance, both at UK and international levels, building consensus and making proposals regarding standard definitions for use in the UK education and research community.  • JISC Identity Project • www.identity-project.info • Research into and establish consensus in the current practice and future needs of UK academic institutions in Identity Management • Issues that will be addressed include Grid use, Shibboleth installations, inter-institutional collaborations, internal and shared dynamic virtual organisations, classes of users, library access schemes, and NHS involvement. • DfES Identity Management Scoping study • Becta Schools Interoperability Framework: 2nd PoC and Pilot

  16. www.ukfederation.org.uk www.jisc.ac.uk/federation.html n.harris@jisc.ac.uk j.farnhill@jisc.ac.uk

More Related