Number of slides: 15

The UK Access Management Federation for education and research
John Chapman, Project Adviser, Technical Policy & Standards

Problems we are trying to solve
• Multiple usernames and passwords
• Multiple copies of personal data held by third parties
• Duplication of effort across multiple institutions
• Publishers and network providers having to interface with multiple systems
• Difficulty in sharing resources between institutions

Timeline, 2003 to 2010 (the slide's milestones in the order extracted; only the launch date carries an explicit year)
• JISC announces its intention to support federated access management for UK FE/HE
• WMnet & LGfL pilots prove Shibboleth works in the UK school sector
• Personalised online learning space
• Becta's business case accepted by DfES
• LGfL continues its regional federation as a production service
• Workshops, a strategy paper & a laboratory test led to the recommendation to implement Shibboleth technology
• All LAs members of the federation?
• Integrated learning & management systems
• Standards Fund Grant 121 (and 121a)
• Work with JISC & UKERNA to establish the UK Access Management Federation for Education and Research – launched 30 November 2005

Shibboleth
• Neither an authentication nor an authorisation system
• Secure exchange of messages between two parties (Identity Provider and Service Provider)
• Authentication handled by the institution/LA/RBC (devolved authentication)
• Authorisation achieved by an exchange of attributes (such as 'member of an institution')
• Providers need to sign up to a 'trust' agreement
• An implementation of SAML (Security Assertion Markup Language)

Benefits of simplified sign-on and the UK federation
• For the learner:
  – Easier access to resources
  – Privacy preserving
  – Facilitates anytime, anywhere learning
• For the institution:
  – Reduction in administrative burdens for managers and users in schools
• For the LA/RBC:
  – Allows for greater aggregation of content purchasing
  – Facilitates secure sharing of content between authorities
• For the education sector:
  – Shared, cross-sector infrastructure
  – Facilitates access to e-portfolios
• For the Government:
  – Strong collaboration between Becta and JISC
  – Centrally provided services for best possible value

The UK Access Management Federation
• A group of member organisations who sign up to a set of rules
• An independent body, managing the trust relationships between members
• End user organisations act as 'identity providers' (IdPs) and optionally 'service providers' (SPs)
• Publishers and resource providers act as 'service providers' (SPs)

Organisational Structure
• Funded by DfES & JISC
• Provided for Schools, FE & HE
• Operational management by UKERNA
• Policy & Governance Board
  – 3 Becta nominated members (Paul Shoesmith, Andy Tyerman, Mike Kendal)
  – 3 JISC nominated members (John Robinson, Iain Stinson, Brian Gilmore)
  – 'Neutral' Chair (Professor Sir David Watson)
• Technical Advisory Group – JISC, Becta, RBC, LA, University and College representation

What the service provides
• A set of Rules that binds members:
  – Make accurate statements to other members
  – Keep federation systems and data secure
  – Use personal data correctly (inc. DPA 1998)
  – Resolve problems within the Federation, not by legal action
• Guidance, examples, support
  – How to comply with the Rules
  – How to work with other members
  – Common definitions, etc.

What the service provides
• Operational management
  – Registration mechanism for SPs and IdPs
  – Adding new members to the federation & updating existing members' metadata
  – Fault finding and troubleshooting
  – Compatibility testing of server certificates and CA qualification
  – Technical and operational documentation
  – Ongoing federation development
  – Reporting

[Diagram © SWITCH: the Shibboleth access flow, steps 1 to 10, between a User, a Service Provider (Web Site, Assertion Consumer Service, Attribute Requester, Resource Manager, Resource), a WAYF, and an Identity Provider (Handle Service HS, WebLogin, User DB, Attribute Authority AA). The speech bubbles read, in order:]
• SP: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
• WAYF: "Please tell me where you are from?"
• WAYF: "OK, I redirect your request now to the Handle Service of your home org."
• HS: "I don't know you. Please authenticate using WebLogin." (credentials are checked against the User DB)
• HS: "OK, I know you now. I redirect your request to the target, together with a handle."
• SP (Attribute Requester): "I don't know the attributes of this user. Let's ask the Attribute Authority."
• AA: "Let's pass over the attributes the user has allowed me to release."
• SP (Resource Manager): "OK, based on the attributes, I grant access to the resource."
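The exchange in the SWITCH diagram, as an added example that is not part of the original presentation and is not Shibboleth code: a small simulation in which the Handle Service issues an opaque, single-use handle after WebLogin, the SP's attribute requester quotes only that handle to the Attribute Authority, the AA applies the user's release policy, and the resource manager decides on attributes alone. The home org, user record, password, SP entity ID and resource requirement are constructed assumptions.

```python
"""Walk through the Shibboleth 1.x exchange drawn in the SWITCH diagram.

Added example, not code from the presentation or from Shibboleth itself.
Everything named here (the home-org name, the user record, the SP entity ID,
the required affiliation) is a constructed assumption for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Home org: Handle Service (HS), WebLogin, User DB and Attribute Authority (AA)."""
    name: str
    user_db: dict                                  # username -> (password, attributes)
    release_policy: dict                           # username -> attribute names the user allows out
    handles: dict = field(default_factory=dict)    # opaque handle -> username (single use)

    def handle_service(self, username, password, trace):
        # Steps 5-6: the HS does not know the user and asks WebLogin for credentials.
        trace.append("HS -> user: I don't know you. Please authenticate using WebLogin")
        stored_pw, _ = self.user_db.get(username, (None, None))
        if stored_pw is None or not hmac.compare_digest(stored_pw, password):
            raise PermissionError("WebLogin: authentication failed")
        # Step 7: a random, opaque handle is issued; the password never leaves the IdP.
        handle = secrets.token_hex(16)
        self.handles[handle] = username
        trace.append(f"HS -> SP: OK, I know you now. Here is handle {handle[:8]}...")
        return handle

    def attribute_authority(self, handle, trace):
        # Steps 8-9: the SP presents the handle over the back channel; the AA maps it
        # back to the user and returns only what the user's release policy allows.
        username = self.handles.pop(handle, None)  # pop: a replayed handle is rejected
        if username is None:
            raise PermissionError("AA: unknown or already-used handle")
        _, attrs = self.user_db[username]
        allowed = self.release_policy.get(username, set())
        released = {k: v for k, v in attrs.items() if k in allowed}
        trace.append(f"AA -> SP: releasing {sorted(released)} for this user")
        return released


@dataclass
class ServiceProvider:
    entity_id: str
    required_affiliation: str                      # e.g. "member": who may see the resource
    federation: dict                               # org name -> IdentityProvider (stands in for metadata)

    def request(self, username, password, home_org, trace):
        # Steps 1-4: no session, so the SP sends the browser to the WAYF, which asks
        # for the home org and redirects to that org's Handle Service.
        trace.append("SP -> WAYF: I don't know you, not even which home org you are from")
        trace.append("WAYF -> user: Please tell me where you are from")
        idp = self.federation.get(home_org)
        if idp is None:
            raise PermissionError("WAYF: home org is not a federation member")
        trace.append(f"WAYF -> user: redirecting you to the Handle Service of {idp.name}")
        handle = idp.handle_service(username, password, trace)
        # Step 8: the SP's attribute requester asks the AA, quoting the handle only.
        trace.append("SP -> AA: I don't know the attributes of this user; asking the AA")
        attrs = idp.attribute_authority(handle, trace)
        # Step 10: the resource manager decides on the attributes, not on who the user is.
        affiliations = {v.split("@", 1)[0] for v in attrs.get("eduPersonScopedAffiliation", ())}
        granted = self.required_affiliation in affiliations
        trace.append("RM: access granted" if granted else "RM: access denied")
        return granted


def run_flow(username, password, home_org, release):
    """Build a constructed federation, run one access attempt, return (granted, trace)."""
    idp = IdentityProvider(
        name="example.sch.uk",                     # hypothetical home org
        user_db={"alice": ("correct horse", {
            "eduPersonScopedAffiliation": ["member@example.sch.uk", "staff@example.sch.uk"],
            "eduPersonPrincipalName": "alice@example.sch.uk",
        })},
        release_policy={"alice": release},
    )
    sp = ServiceProvider("https://sp.example.org/shibboleth", "member", {idp.name: idp})
    trace = []
    try:
        granted = sp.request(username, password, home_org, trace)
    except PermissionError as exc:
        trace.append(f"error: {exc}")
        granted = False
    return granted, trace


if __name__ == "__main__":
    ok, log = run_flow("alice", "correct horse", "example.sch.uk", {"eduPersonScopedAffiliation"})
    print("\n".join(log), "\ngranted:", ok)
```

Two points the diagram makes are visible in the trace: the SP never handles the password (only the HS does), and if the user's release policy withholds eduPersonScopedAffiliation the SP has nothing to authorise on and must deny, even though authentication succeeded.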

[Diagram: Birmingham's walkthrough – BGfL+ (SP) exchanging with the BGfL Identity Provider (IdP) through the UK Access Management Federation]

LA/RBC roadmap to join the UK federation
1. LA/RBC audit – Review readiness to adopt federated access management.
2. Directory Development – Identify or implement a suitable local/regional directory. Directories need to be correctly populated with attributes about pupils and staff that meet the federation standard, known as the eduPerson specification.
3. Authentication Development – Choose and implement a local/regional authentication or single sign-on system.
4. Implement IdP – Implement Shibboleth Identity Provider software.
5. Join Federation – All organisations who wish to participate will need to join the UK federation by registering and agreeing to observe federation policy.
6. Institutional Roll-out – On becoming a member of the federation, the institution/LA/RBC will need to roll out the new system. This may include new user guides, training and support mechanisms.

Core attributes
• eduPersonScopedAffiliation – does this institution subscribe to the service in question? e.g. member@netherhall.cambs.sch.uk, or student@keele.ac.uk
  – student (learner), staff (non-teaching staff), faculty (teaching staff), employee (all staff), member (comprises all the previous categories), affiliate (relationship short of full member), alum (ex pupil/alumnus)
• eduPersonTargetedID – persistent opaque identifier – can provide personalisation & usage monitoring across sessions
• eduPersonPrincipalName – the 'NetID' of the user, e.g. user@school.lea.sch.uk – a persistent identifier across different services
• eduPersonEntitlement – enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource, e.g. "entitled to access financial accounts"
• For most applications a combination of eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient
• Where extra attributes are required, the federation has a process for the addition of subsidiary attributes, but. . .
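How an SP should consume these attributes, as an added example that is not code from the presentation or from Shibboleth: eduPersonScopedAffiliation values are only trusted when the asserting IdP is registered for that scope in federation metadata (otherwise any member IdP could claim student@keele.ac.uk for its own users), eduPersonTargetedID is shown as an opaque value that stays stable for one SP but differs between SPs, and eduPersonEntitlement is checked as an alternative route to access. The IdP entity IDs, registered scopes, IdP secret and attribute statements are constructed assumptions, and the targeted-ID derivation is a simplified HMAC stand-in, not the Shibboleth IdP's own algorithm.

```python
"""SP-side consumption of the core attributes listed above: scope checking of
eduPersonScopedAffiliation against the asserting IdP, a per-SP opaque targeted
identifier, and an entitlement check.

Added example, not code from the presentation. The IdP entity IDs, the registered
scopes, the IdP secret, the SP entity IDs and the attribute statements are all
constructed assumptions; the targeted-ID derivation is a simplified stand-in,
not the Shibboleth IdP's own algorithm.
"""
import hashlib
import hmac

# Stand-in for federation metadata: the scopes each registered IdP may assert.
FEDERATION_SCOPES = {
    "https://idp.netherhall.cambs.sch.uk/shibboleth": {"netherhall.cambs.sch.uk"},
    "https://idp.keele.ac.uk/shibboleth": {"keele.ac.uk"},
}

# The affiliation vocabulary from the slide.
AFFILIATION_VALUES = {"student", "staff", "faculty", "employee",
                      "member", "affiliate", "alum"}


def filter_scoped_affiliation(asserting_idp, values):
    """Return only values whose scope the asserting IdP is registered for.

    An IdP registered only for netherhall.cambs.sch.uk that asserts
    student@keele.ac.uk has that value dropped: scoped attributes are trusted
    per scope, not per IdP, and an SP that skips this check lets any member IdP
    speak for any institution in the federation. Malformed values (no '@', or
    an affiliation outside the vocabulary) are dropped as well.
    """
    allowed = FEDERATION_SCOPES.get(asserting_idp, set())
    kept = []
    for value in values:
        affiliation, sep, scope = value.partition("@")
        if sep and scope in allowed and affiliation in AFFILIATION_VALUES:
            kept.append(value)
    return kept


def targeted_id(idp_secret, principal, sp_entity_id):
    """Persistent, opaque identifier that differs per SP (eduPersonTargetedID-style).

    Keyed with the IdP's secret so an SP cannot reverse it to the principal name,
    and bound to the SP entity ID so two SPs cannot correlate the same user.
    """
    msg = f"{principal}|{sp_entity_id}".encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()


def authorise(asserting_idp, attributes, policy):
    """Decide access for one resource.

    policy = {"affiliations": {...}, "entitlements": {...}}: any listed affiliation
    (after scope checking) or any listed entitlement value is sufficient.
    """
    affils = filter_scoped_affiliation(
        asserting_idp, attributes.get("eduPersonScopedAffiliation", []))
    if {a.partition("@")[0] for a in affils} & policy.get("affiliations", set()):
        return True
    entitlements = set(attributes.get("eduPersonEntitlement", []))
    return bool(entitlements & policy.get("entitlements", set()))


NETHERHALL = "https://idp.netherhall.cambs.sch.uk/shibboleth"

# Constructed attribute statement asserted by the Netherhall IdP; the Keele
# affiliation is outside that IdP's registered scope and must not be honoured.
SAMPLE_STATEMENT = {
    "eduPersonScopedAffiliation": ["member@netherhall.cambs.sch.uk",
                                   "student@keele.ac.uk"],
    "eduPersonEntitlement": ["urn:example:entitlement:finance"],   # hypothetical URI
}

if __name__ == "__main__":
    print(filter_scoped_affiliation(NETHERHALL, SAMPLE_STATEMENT["eduPersonScopedAffiliation"]))
    print(authorise(NETHERHALL, SAMPLE_STATEMENT, {"affiliations": {"student"}}))
    print(authorise(NETHERHALL, SAMPLE_STATEMENT, {"affiliations": {"member"}}))
    print(targeted_id(b"idp-secret", "alice@netherhall.cambs.sch.uk", "https://sp-a.example/")
          != targeted_id(b"idp-secret", "alice@netherhall.cambs.sch.uk", "https://sp-b.example/"))
```

In a real deployment the scope list comes from the signed federation metadata the SP already loads, so the check costs nothing extra; the point is that it must be applied to every scoped attribute, not only to the one used for the access decision.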

Federation roles and certificates (slide fragment; only these phrases survive extraction)
• Executive Liaison – a senior role within the management
• LA Liaison
• SCS certificates – available from UKERNA to authorised, registered entities

More information
• UK federation – http://www.ukfederation.org.uk
• High level info on Becta's site
  – http://schools.becta.org.uk/index.php?rid=11277
  – http://industry.becta.org.uk/display.cfm?resID=14598
• Shibboleth
  – http://shibboleth.internet2.edu/ (main site)
  – http://spaces.internet2.edu/display/SHIB/ (wiki)