
1 The UK federation
Copyright JNT Association 2005, Copyright JNT Association 2007, www.ukfederation.org.uk
TNC, 22nd May 2007
Mark Tysom, UKERNA

2 Overview
Life before the federation
Federated v Non-Federated
Technology trials
Cross sector approach
The federation service
Policy framework
Scaling challenges: discovery (WAYF)
Membership statistics
Development roadmap

3 Before the federation: schools
IP address based checks
Ad-hoc bilateral arrangements between IdP and SP
Multiple usernames and passwords
Multiple copies of personal data held by third parties
Duplication of effort across multiple institutions
Publishers and network providers having to interface with multiple systems
Difficulty in sharing resources between institutions

4 Before the federation: HE/FE
Ad-hoc bilateral arrangements & Athens
Classic Athens - a centralised service:
–Institution provides identity info about users to Athens.
–Athens brokers both authentication and authorisation with service providers on behalf of the organisation.
–Info can only be managed by site Athens Administrators.
Athens database contains a lot of information about users and about the services to which institutions have subscribed

5 Legacy access management
User’s identity and personal data are known to all
Publisher knows more than it wants and less than it needs
Organisation’s precious credentials given to all publishers
[Diagram: user presents “I’m AJones/T,t<*?I1” to the Service Provider (SP), which holds the Site Licence and asks “Are you a licensed user?”; the Identity Provider (IdP) is shown alongside]

6 Federated access management
User’s identity and personal data are protected
Publisher knows exactly what it needs
Distribution of credentials is reduced
[Diagram: exchange between the user, the Identity Provider (IdP) and the Service Provider (SP) holding the Site Licence: “I’m AJones/T,t<*?I1, am I?” / “Are you a licensed user?” / “Yes, you’re licensed” / “They say I’m licensed” / “OK!”]

7 Technology trials: schools
Becta: workshops, strategy paper & laboratory test, 2003 - 2004
2 pilots: WMnet & LGfL, 2004 - 2005

8 Technology trials: HE/FE
JISC Core Middleware Development Programme selected Shibboleth and started in April 2004
Established Shibboleth Development and Support Service (SDSS) federation
JISC early adopters (MATU)

9 Shibboleth selected
Individually chosen by JISC and Becta as most suitable option
Government steer towards collaborative services to avoid duplication of resources
Agreement for UKERNA to proceed with a joint approach, March 2006
Aim for one federation…

10 The benefits
Provides consistency across the whole of education for AuthN & AuthZ
Improves the user experience
Pooling of experience and expertise
Economies of scale for both sectors
Facilitates sharing of content and collaboration across sectors

12 What is the UK federation?
A set of Rules that binds members:
–Make accurate statements to other members
–Keep federation systems and data secure
–Use personal data correctly (inc. DPA 1998)
–Resolve problems within the federation, not by legal action
–Assist federation operator and other members

13 The UK federation
Launched November 2006.
For UK research, FE, HE and schools.
Organisations and institutions providing services to these sectors.

14 Organisational Structure
Jointly funded by Becta & JISC
Operational management by UKERNA
Policy & Governance Board - Rules of Membership
Technical Advisory Group - Technical specifications & recommendations

15 Federation infrastructure
Discovery Service - Resilient WAYF
Hosting of metadata
Monitoring of SPs and IdPs
Test environment
Federation web site - www.ukfederation.org.uk

16 Guidance, examples, support
How to comply with the Rules
How to interoperate with other members - common definitions, etc.
Help in planning the transition
Experiences of early adopters
Reference software downloads

17 Support
Guidance and advice to IdPs & SPs
Configuration guides
Training courses
Workshops to help organisations join the UK federation
FAQs

18 Policy framework
1. Rules of membership (mandatory)
2. Recommendations for use of personal data
3. Technical recommendations
4. Technical specifications
5. Federation operator procedures
(items 2 to 5 are advisory)

19 1. Rules of Membership
–Definitions
–Rules for all members
–Specific rules for IdPs and SPs
–Data Protection and Privacy
–User Accountability
–Liability
–Audit and Compliance
–Termination
–Membership Cessation
–Changes to Rules
–Dispute Resolution
The basic contractual framework for trust

20 2. Recommendations for Use of Personal Data
Suggests how to satisfy legal requirements
UK Data Protection Act, 1998: eight data protection principles
Responsibility of those collecting or using data concerning children to inform responsible adults, obtain valid consent or prevent inappropriate use of data by those handling it; not the responsibility of the UK federation
Recommends a core set of attributes

21 Four Core Attributes
–eduPersonScopedAffiliation: represents the least intrusion into the user’s privacy and is likely to be sufficient for many access control decisions.
–eduPersonTargetedID: designed to satisfy applications where the service provider needs to be able to recognise a returning user without revealing real identity.
–eduPersonPrincipalName: comes under the personal data guidelines of the UK Data Protection Act.
–eduPersonEntitlement: it may be possible to determine identity from an entitlement, so it is governed by the UK Data Protection Act.
“For most applications a combination of eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient. A requirement to provide other attributes should be regarded as exceptional by both Identity and Service Providers and will involve considerable additional responsibilities for both.”
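As an added example (not from the deck or from the federation's own software), an SP-side access decision written the way this slide recommends: it authorises on eduPersonScopedAffiliation, keeps only the opaque eduPersonTargetedID as a handle for recognising a returning user, and flags any other requested attribute as exceptional. The licence terms, the scope names and the check that an asserted scope must be one the federation metadata registers for the asserting IdP are this example's assumptions, not something the slide states.

```python
from dataclasses import dataclass
from typing import Optional

# The two attributes the deck says suffice for most applications.
PRIVACY_PREFERRED = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}

@dataclass(frozen=True)
class SiteLicence:
    """Constructed licence terms: the IdP scopes the contract covers and the
    affiliations within them that are entitled to the content."""
    scopes: frozenset
    affiliations: frozenset = frozenset({"member", "staff", "student", "faculty"})

@dataclass
class Decision:
    allowed: bool
    reason: str
    session_key: Optional[str] = None  # opaque eduPersonTargetedID, not a real identity

def parse_scoped_affiliation(value):
    """Split the 'affiliation@scope' syntax of eduPersonScopedAffiliation."""
    if value.count("@") != 1:
        raise ValueError(f"malformed eduPersonScopedAffiliation: {value!r}")
    affiliation, scope = value.split("@")
    return affiliation.lower(), scope.lower()

def authorise(attributes, idp_scopes, licence):
    """attributes: attribute name -> list of values asserted by the IdP.
    idp_scopes: scopes the federation metadata registers for that IdP (assumed
    check); comparing against them stops one IdP speaking for another institution."""
    registered = {s.lower() for s in idp_scopes}
    for raw in attributes.get("eduPersonScopedAffiliation", []):
        try:
            affiliation, scope = parse_scoped_affiliation(raw)
        except ValueError as exc:
            return Decision(False, str(exc))
        if scope not in registered:
            return Decision(False, f"scope {scope!r} not registered to the asserting IdP")
        if scope in licence.scopes and affiliation in licence.affiliations:
            # Recognise a returning user by the opaque targeted ID, if one was released.
            targeted = (attributes.get("eduPersonTargetedID") or [None])[0]
            return Decision(True, f"{affiliation}@{scope} is covered by the licence", targeted)
    return Decision(False, "no licensed affiliation asserted")

def exceptional_attributes(requested):
    """Attributes an SP requests beyond the privacy-preferred pair; the deck says
    requiring them 'should be regarded as exceptional' by both IdP and SP."""
    return sorted(set(requested) - PRIVACY_PREFERRED)
```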

22 3. Technical Recommendations for Participants
Specifies the technical architecture for federation and participants
Contains choices of IdP/SP software (UK is neutral, but software must be SAML compliant and tested by the federation)
Authentication response profiles
Metadata processes
Digital certificate processes
Attribute usage
Includes future directions for each area of work

23 4. Federation Technical Specification
–How the UK Access Management Federation achieves trust.
5. Federation Operator Procedures
–The procedures actually undertaken by the federation operator (UKERNA): enrolment, CA qualification, support, monitoring / audit

24 Deployment Challenges
Scale:
–approx. 12–18 million eligible end users
–hundreds of member organisations
–hundreds or thousands of entities

25 Discovery Challenges
Institutional portal avoids the issue
SP can perform discovery locally; a good option in many cases:
–SP often knows its community of users
–Particularly true for licensed content, where a real-world contract will exist
–Also true for resources built around small collaborations

26 Example: Elsevier ScienceDirect

27 Central WAYF
UK federation provides a central “Where Are You From” service as a backstop
Production WAYF servers work from federation metadata
–three identical machines
–geographically distributed in multiple data centres
–https:// as anti-spoofing measure
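An added example (not from the deck or the federation's own WAYF) of how both discovery options above can be driven from the same federation metadata: a central WAYF lists every IdP, while an SP that knows its community filters to the scopes its licence covers. The metadata fragment, entity IDs, display names and scopes are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "shibmd": "urn:mace:shibboleth:metadata:1.0"}

# Constructed aggregate in the shape of federation metadata: two IdPs, each with the
# scope registered for it, and one SP. Entity IDs and domains are made up.
FEDERATION_METADATA = """<md:EntitiesDescriptor Name="example-federation"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
 <md:EntityDescriptor entityID="https://idp.uni-a.example.ac.uk/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
   <md:Extensions><shibmd:Scope regexp="false">uni-a.example.ac.uk</shibmd:Scope></md:Extensions>
  </md:IDPSSODescriptor>
  <md:Organization><md:OrganizationDisplayName xml:lang="en">University A</md:OrganizationDisplayName></md:Organization>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://idp.college-b.example.ac.uk/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
   <md:Extensions><shibmd:Scope regexp="false">college-b.example.ac.uk</shibmd:Scope></md:Extensions>
  </md:IDPSSODescriptor>
  <md:Organization><md:OrganizationDisplayName xml:lang="en">College B</md:OrganizationDisplayName></md:Organization>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://sp.publisher.example.com/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol"/>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_idps(metadata_xml):
    """Map entityID -> {"name", "scopes"} for every IdP in the aggregate."""
    root = ET.fromstring(metadata_xml)
    idps = {}
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SPs are members too, but never appear in a discovery list
        name = ed.find("md:Organization/md:OrganizationDisplayName", NS)
        idps[ed.get("entityID")] = {
            "name": name.text if name is not None else ed.get("entityID"),
            # shibmd:Scope records which domain(s) the federation lets this IdP assert
            "scopes": {s.text.lower() for s in idp.findall("md:Extensions/shibmd:Scope", NS)}}
    return idps

def discovery_list(idps, licensed_scopes=None):
    """Central WAYF: every IdP. Local SP discovery: only IdPs registered for a
    scope the SP's licence covers, so users see just the relevant institutions."""
    if licensed_scopes is not None:
        wanted = {s.lower() for s in licensed_scopes}
        idps = {e: d for e, d in idps.items() if d["scopes"] & wanted}
    return sorted((d["name"], e) for e, d in idps.items())
```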

28 UK federation WAYF

29 UK federation statistics (18 May 07)
62 full member organisations
–≈5 more still migrating from SDSS Federation
114 SAML entities
–49 identity providers
–65 service providers
Software:
–88% Shibboleth 1.3
–6% Shibboleth 1.2
–5% other/unknown

30 What’s next…?
Phase Two: Development Roadmap
Confederations
Federation peering
Convergence of local, network and application sign-in
NHS, other publicly funded bodies

31 Conclusion
Federation launched – great!
Lots of potential to exploit: enhance usability, additional functionality, increase participation…
Job done…? Actually, it’s just beginning!

32 Questions?
