Joint Information Systems Committee
Connecting People to Resources
Federated Access Management within the UK
Nicole Harris, Senior Services Transition Manager, JISC

OVERVIEW

A summary
- JISC has published its intention to centrally support federated access management from July 2008 as the preferred access management system within UK Higher and Further education.
- This will be enabled by the UK Access Management Federation, to be run by UKERNA.
- The federation is ‘technology neutral’ in terms of what systems an institution uses, as long as it is SAML compliant: Shibboleth, Guanxi, AthensIM, Athens gateways (but potentially iChain and other commercial systems).
- JISC will fund Athens until July 2008, after which institutions will be required to pay a subscription for ‘classic’ Athens and AthensDA (and other new Athens resources such as ‘Atacama’).
- JISC is funding Eduserv to provide gateways between Athens and the UK Access Management Federation to allow Service Providers and Institutions to continue using Athens if they so choose.
- Authentication is devolved to the institution: the institution needs to be able to authenticate every user who is entitled to access institutional resources.
- Authorisation is handled by an exchange of information between an institution and service provider: the institution needs to know exactly what each and every user is entitled to access.

Why federated access management?
- Moves closer to the single sign-on ideal. Users need not remember so many passwords as they use their institutional username and password to access external, internal and collaborative resources.
- Aligns with international convergence on Shibboleth/SAML - wider market for suppliers.
- Avoids the need to maintain a central Athens-type database of registered users - by JISC/Eduserv and by participating libraries.
- Open Source tools are available - so tools can be developed by participants and shared.
- Commercial tools are available - for those who do not wish to use open source solutions.
- Can be used for collaborative access to institutional resources - solves problem of how you allow access to your resources to other institutions WITHOUT having to register people as members of your institution.
- Free at the point of use for all members of the UK Access Management Federation.

Why Has JISC Chosen this Route?
- Extensive research proved this to be the most appropriate technology.
- Meets the defined criteria for an access management system within the UK:
  – Internal (intra-institutional) applications (mostly through SSO system)
  – Management of access to third-party digital library-type resources (as now)
  – Inter-institutional use – stable, long-term resource sharing between defined groups (e.g. shared e-learning scenarios)
  – Inter-institutional use – ad hoc collaborations, potentially dynamic in nature (virtual organisations or VOs)
- International take-up secures future of development and support.
- International take-up provides economies of scale through work in partnership.

Why Is this Strategically Important? Key Messages
- Federated access management system key deliverable within the current JISC strategy.
- Implementation will require institutional effort, and should be recognised within institutional IT strategies.
- Federated access management is required to meet other strategic requirements:
  – DfES e-Strategy and e-Learning goals (such as e-Portfolios and e-Learning collaborations)
  – HEFCE e-Learning Strategies
  – Science and Innovation Investment Framework
- National take-up: interaction with BECTA and the schools sector, and increasingly with NHS.
- International take-up: importance of cross-working with Europe, US and Australia.

IMPACT
- CHANGE
  – JISC support for Athens will not be available to institutions after July
- INSTITUTIONAL / SERVICE PROVIDER EFFORT
  – To put in place the relevant parts of the system to allow devolved authentication.
- CHOICE
  – Of technologies. The federated access management system will not dictate the choice of single sign-on, directory system or environment in which you work.
- JOIN-UP
  – Across domains (e-Learning, e-Research and Information Environments) and across systems (for internal, external and collaborative access management)
- IMPROVEMENTS
  – Standards based approach to access management improving flexibility.
  – Real single sign-on, improved directory systems, foundation blocks for secure collaboration.

STATISTICS

Reviewing Readiness: Independent Review
How many institutions will adopt federated access by July 2008? (FE figures: Scotland, Wales and Northern Ireland only)
“The Sunday Times University Guide was used as a measure of the top 20 Universities. Of the top 20, information on institutional position was obtained for 18. Of the 18, 8 are early adopters of FAM, 9 plan to adopt by July 2008, 1 is interested but has no current plans to adopt.”

Federation Stats: 16th April
MEMBERS. 29 ‘Core’ Institutional Members.

Predicted Adoption
Adopter Type | Adoption Milestone | Percentage | No. Institutions
innovators | 01/04/ | % | 2
early adopters | 31/05/2007 | 6% | 39
early majority (1) | 01/11/2007 | 13% | 83
early majority (2) | 01/11/2008 | 20% | 128
late majority | 01/11/ | % | 207
laggards | not set | 28.40% | 182

CHOICES

Option 1 and 2: Roadmap for Institutions

Choices for Service Providers
- Become a full member of the UK Access Management Federation, using community-supported tools
  – BENEFITS: No ongoing subscription costs, compliance with international standards and institutional requirements
  – COSTS: Internal effort to implement software, join federation and manage provider attributes
- Become a full member of the UK Access Management Federation, using tools with paid-for support
  – BENEFITS: Full support in implementation, compliance with international standards and institutional requirements
  – COSTS: Cost of support from supplier and internal effort in liaison between supplier and Federation
- Decide not to implement Shibboleth: continue with Athens or other access management solution
  – BENEFITS: Athens providers will have access to the Federation through the ‘gateway’, funded by the JISC at least until July 2008
  – COSTS: Providers using Athens will continue to pay current subscription and licence costs to Eduserv

Option 3: The Gateways
[Diagram labels: Athens institution, Athens central, Athens protected resource, IdP Gateway, SP Gateway, UK Access Management Federation, federated institution, federated resource]

UK Federation Core Attributes
TECHNICAL ATTRIBUTE NAME | WHAT THIS REALLY MEANS
eduPersonScopedAffiliation (UK specific controlled) | Establishes user’s relationship with institution – e.g. staff, student, member. Terms as used in JISC Model license. Most authorisation can be done against this attribute.
eduPersonTargetedID (r001xf4rg2ss), opaque string defined by institution | ‘A persistent user pseudonym’ to allow for service personalisation and usage monitoring across sessions. Not a real world identity.
eduPersonPrincipalName (harrisnv), defined by institution – login name | Used when a persistent user identifier is required across services. Typically used for internal institutional services. Real identity can be established from attribute.
eduPersonEntitlement (expressed as an agreed URI), mutually agreed by institution and service | Used when a specific resource has a specific entitlement condition not covered elsewhere: must be over 21, must have completed foundation course module.

Gateway Attributes
- Athens Identity Providers accessing Shibboleth Service Providers can use:
  – eduPersonScopedAffiliation.
  – eduPersonTargetedID.
- Shibboleth Identity Providers accessing Athens Service Providers can use:
  – eduPersonTargetedID.
  – eduPersonEntitlement (full permission set).
- All other scenarios can make use of appropriate attributes as required. Not limited to core set.

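How a Service Provider might authorise against the core attributes, and what changes when a request arrives through one of the gateways: this is an added example, not code from the presentation or from the federation. The scope example.ac.uk, the entitlement URI, the path labels and the policy layout are constructed assumptions; only the attribute names and the per-gateway attribute sets come from the slides.

```python
# Added example. Scopes, URIs, path labels and the policy layout are constructed.
AFFILIATION = "eduPersonScopedAffiliation"
TARGETED_ID = "eduPersonTargetedID"
ENTITLEMENT = "eduPersonEntitlement"

# Attributes each gateway path can use, as listed on the Gateway Attributes slide.
GATEWAY_ATTRS = {
    "athens-idp->shib-sp": {AFFILIATION, TARGETED_ID},
    "shib-idp->athens-sp": {TARGETED_ID, ENTITLEMENT},
}

def visible(attrs, path=None):
    """Drop attributes the gateway path does not carry; None means no gateway."""
    if path is None:
        return dict(attrs)
    allowed = GATEWAY_ATTRS[path]
    return {name: values for name, values in attrs.items() if name in allowed}

def authorise(attrs, policy):
    """Return (permit, pseudonym). Attribute values are lists (multi-valued)."""
    pseudonym = (attrs.get(TARGETED_ID) or [None])[0]
    for value in attrs.get(AFFILIATION, []):
        affiliation, sep, scope = value.partition("@")
        # A value without a scope cannot be tied to a licensed institution.
        if not sep or not scope:
            continue
        if affiliation in policy["licensed"].get(scope.lower(), set()):
            return True, pseudonym
    # Fall back to a resource-specific entitlement agreed with the institution.
    if set(attrs.get(ENTITLEMENT, [])) & policy["entitlements"]:
        return True, pseudonym
    return False, pseudonym

POLICY = {  # constructed licence terms
    "licensed": {"example.ac.uk": {"staff", "student", "member"}},
    "entitlements": {"urn:example:entitlement:resource-a"},
}
USER = {  # constructed attribute release from an institution
    AFFILIATION: ["student@example.ac.uk"],
    TARGETED_ID: ["r001xf4rg2ss"],
    ENTITLEMENT: [],
}

if __name__ == "__main__":
    for path in (None, "athens-idp->shib-sp", "shib-idp->athens-sp"):
        print(path, authorise(visible(USER, path), POLICY))
```

The same user is permitted directly and through the Athens IdP gateway, but is refused through the Shibboleth IdP to Athens SP gateway, where affiliation is not carried and the institution has to release a matching eduPersonEntitlement instead.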
EXAMPLES

INDEX TO THE TIMES: EDINA

Shibboleth Access via a WAYF for external services
- User knows URL of resource and that Shibboleth is used
- And where they are from

JSTOR

JSTOR Example: Service Provider Developed WAYF

SCIENCE DIRECT

Shibboleth behind a library portal for external services
Alternatively, on or off campus, you could just go to the list of e-resources in the library’s portal. In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system:
…but it could just be a list on a ‘hand-crafted’ web page

Shibboleth behind the library portal
The expanded list shows a link direct to the Service Provider, in this case Elsevier

Shibboleth behind the library portal
After clicking link in library portal:

LANDMAP: MIMAS
With thanks to Ross Macintyre

SUPPORT

Support
- Resources and ‘shib-enable-vendor’ lists: contact Jane JISC for more information.
- Briefing Paper – available on the JISC stand.
- Federated Access Management Animation.
- Service Provider process map: available on the JISC website.