The UK federation

DESCRIPTION

The UK federation. TNC, 22nd May 2007. Mark Tysom, UKERNA. Overview: life before the federation; federated v non-federated; technology trials; cross-sector approach; the federation service; policy framework; scaling challenges: discovery (WAYF); membership statistics; development roadmap. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: The UK federation

Copyright JNT Association 2005, 2007. www.ukfederation.org.uk

The UK federation

TNC - 22nd May 2007

Mark Tysom, UKERNA

Page 2: The UK federation


Overview

• Life before the federation
• Federated v Non-Federated
• Technology trials
• Cross sector approach
• The federation service
• Policy framework
• Scaling challenges: discovery (WAYF)
• Membership statistics
• Development roadmap

Page 3: The UK federation


Before the federation: schools

• IP address based checks
• Ad-hoc bilateral arrangements between IdP and SP
• Multiple usernames and passwords
• Multiple copies of personal data held by third parties
• Duplication of effort across multiple institutions
• Publishers and network providers having to interface with multiple systems
• Difficulty in sharing resources between institutions


Page 4: The UK federation


Before the federation: HE/FE

• Ad-hoc bilateral arrangements & Athens
• Classic Athens - a centralised service:

– Institution provides identity info about users to Athens.

– Athens brokers both authentication and authorisation with service providers on behalf of the organisation.

– Info can only be managed by site Athens Administrators.

• Athens database contains a lot of information about users and about the services to which institutions have subscribed

Page 5: The UK federation


Legacy access management

• User’s identity and personal data are known to all
• Publisher knows more than it wants and less than it needs

• Organisation’s precious credentials given to all publishers

[Diagram labels: I’m “AJones/T,t<*?I1”; Site Licence; Are you a licensed user?; Service Provider (SP); Identity Provider (IdP)]

Page 6: The UK federation


Federated access management

• User’s identity and personal data are protected
• Publisher knows exactly what it needs
• Distribution of credentials is reduced

[Diagram labels: Site Licence; I’m “AJones/T,t<*?I1”, am I?; Are you a licensed user?; They say I’m licensed; Yes, you’re licensed; OK!; Identity Provider (IdP); Service Provider (SP)]

Page 7: The UK federation


Technology trials: schools

• Becta: Workshops, strategy paper & laboratory test 2003 - 2004

• 2 pilots: WMnet & LGfL 2004 - 2005

Page 8: The UK federation


Technology trials: HE/FE

• JISC Core Middleware Development Programme selected Shibboleth and started in April 2004

• Established Shibboleth Development and Support Service (SDSS) federation

• JISC early adopters (MATU)

Page 9: The UK federation


Shibboleth selected

• Individually chosen by JISC and Becta as most suitable option

• Government steer towards collaborative services to avoid duplication of resources

• Agreement for UKERNA to proceed with a joint approach March 2006

• Aim for one federation…

Page 10: The UK federation


The benefits

• Provides consistency across the whole of education for AuthN & AuthZ

• Improves the user experience
• Pooling of experience and expertise
• Economies of scale for both sectors
• Facilitates sharing of content and collaboration across sectors

Page 11: The UK federation


Page 12: The UK federation


What is the UK federation?

• A set of Rules that binds members:
– Make accurate statements to other members
– Keep federation systems and data secure
– Use personal data correctly (inc. DPA 1998)
– Resolve problems within the federation
  • Not by legal action
– Assist federation operator and other members

Page 13: The UK federation


The UK federation

• Launched November 2006.

• For UK research, FE, HE and schools.

• Organisations and institutions providing services to these sectors.

Page 14: The UK federation


Organisational Structure

• Joint funded by Becta & JISC

• Operational management by UKERNA

• Policy & Governance Board

– Rules of Membership

• Technical Advisory Group
– Technical specifications & recommendations

Page 15: The UK federation


Federation infrastructure

• Discovery Service
– Resilient WAYF
• Hosting of metadata
• Monitoring of SPs and IdPs
• Test environment
• Federation web site
– www.ukfederation.org.uk

Page 16: The UK federation


Guidance, examples, support

• How to comply with the Rules

• How to interoperate with other members
– Common definitions, etc.

• Help in planning the transition

• Experiences of early adopters

• Reference software downloads

Page 17: The UK federation


Support

• Guidance and advice to IdPs & SPs

• Configuration guides

• Training courses

• Workshops to help organisations join the UK federation

• FAQs

Page 18: The UK federation


Policy framework

1. Rules of membership (Mandatory)

2. Recommendations for use of personal data

3. Technical recommendations

4. Technical specifications

(2 to 4: Advisory)

5. Federation operator procedures

Page 19: The UK federation


1. Rules of Membership

– Definitions
– Rules for all members
– Specific rules for IdPs and SPs
– Data Protection and Privacy
– User Accountability
– Liability
– Audit and Compliance
– Termination
– Membership Cessation
– Changes to Rules
– Dispute Resolution

• The basic contractual framework for trust

Page 20: The UK federation


2. Recommendations for Use of Personal Data

• Suggests how to satisfy legal requirements
• UK Data Protection Act, 1998: eight data protection principles
• Responsibility of those collecting or using data concerning children to inform responsible adults, obtain valid consent or prevent inappropriate use of data by those handling it
– Not the responsibility of the UK federation
• Recommends a core set of attributes

Page 21: The UK federation


Four Core Attributes

– eduPersonScopedAffiliation: represents the least intrusion into the user’s privacy and is likely to be sufficient for many access control decisions.

– eduPersonTargetedID: designed to satisfy applications where the service provider needs to be able to recognise a returning user without revealing real identity.

– eduPersonPrincipalName: comes under the personal data guidelines of the UK Data Protection Act.

– eduPersonEntitlement: it may be possible to determine identity from an entitlement, so it is governed by the UK Data Protection Act.

“For most applications a combination of eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient. A requirement to provide other attributes should be regarded as exceptional by both Identity and Service Providers and will involve considerable additional responsibilities for both.”
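The following Python is an added illustration (not code from the federation, from Shibboleth, or from this talk) of the federated flow on the "Federated access management" slide using the two core attributes recommended above: the Identity Provider releases eduPersonScopedAffiliation plus a pairwise pseudonymous eduPersonTargetedID, and the Service Provider authorises on affiliation and scope while recognising a returning user by the targeted ID alone, never learning the principal name. The user, secret, scopes and entity IDs are constructed, and the keyed-hash derivation of the targeted ID is one reasonable way to build a per-SP pseudonym, not the federation's specified algorithm.

```python
"""Federated access management with the UK federation's core attributes.

Added illustration, not the federation's own code. All names, secrets and
entity IDs below are constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    principal_name: str                 # eduPersonPrincipalName, e.g. "ajones@example.ac.uk"
    affiliations: tuple = ("member",)   # eduPerson affiliation values


class IdentityProvider:
    """Hypothetical IdP for one institution (scope); it alone holds personal data."""

    def __init__(self, scope: str, targeted_id_secret: bytes):
        self.scope = scope
        self._secret = targeted_id_secret   # per-IdP secret; never leaves the IdP

    def targeted_id(self, user: User, sp_entity_id: str) -> str:
        # Pairwise pseudonym: keyed hash over (principal name, SP entityID).
        # Stable for one user at one SP, so that SP can recognise a returning
        # user; another SP receives an unlinkable value, and neither can recover
        # the principal name without the IdP's secret.
        msg = f"{user.principal_name}|{sp_entity_id}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()
        return f"{digest}@{self.scope}"

    def release_attributes(self, user: User, sp_entity_id: str,
                           exceptional: tuple = ()) -> dict:
        # Default release is the two least intrusive core attributes. Anything
        # further (e.g. eduPersonPrincipalName) must be listed explicitly in the
        # per-SP release policy, mirroring the guidance that such requests are
        # exceptional.
        attrs = {
            "eduPersonScopedAffiliation": [f"{a}@{self.scope}" for a in user.affiliations],
            "eduPersonTargetedID": self.targeted_id(user, sp_entity_id),
        }
        if "eduPersonPrincipalName" in exceptional:
            attrs["eduPersonPrincipalName"] = user.principal_name
        return attrs


class ServiceProvider:
    """Hypothetical SP (publisher) holding a site licence for some institutions."""

    def __init__(self, entity_id: str, licensed_scopes: set, allowed_affiliations: set):
        self.entity_id = entity_id
        self.licensed_scopes = licensed_scopes
        self.allowed_affiliations = allowed_affiliations
        self.visits = {}   # eduPersonTargetedID -> number of sessions seen

    def authorise(self, attrs: dict):
        """Return (granted, targeted_id). The SP never learns who the user is."""
        for scoped in attrs.get("eduPersonScopedAffiliation", []):
            affiliation, _, scope = scoped.partition("@")
            if scope in self.licensed_scopes and affiliation in self.allowed_affiliations:
                tid = attrs["eduPersonTargetedID"]
                self.visits[tid] = self.visits.get(tid, 0) + 1
                return True, tid
        return False, None


def run_scenario() -> dict:
    """Constructed walk-through: one user, two publishers, two sessions at the first."""
    idp = IdentityProvider("example.ac.uk", b"constructed-idp-secret")
    user = User("ajones@example.ac.uk", ("member", "staff"))
    publisher_a = ServiceProvider("https://sp-a.example.org/shibboleth",
                                  {"example.ac.uk"}, {"member", "staff", "student"})
    publisher_b = ServiceProvider("https://sp-b.example.org/shibboleth",
                                  {"other.ac.uk"}, {"member"})

    attrs_a = idp.release_attributes(user, publisher_a.entity_id)
    first = publisher_a.authorise(attrs_a)
    second = publisher_a.authorise(idp.release_attributes(user, publisher_a.entity_id))
    attrs_b = idp.release_attributes(user, publisher_b.entity_id)
    denied = publisher_b.authorise(attrs_b)

    return {
        "granted_a": first[0],
        "returning_user_recognised": first[1] == second[1] and publisher_a.visits[first[1]] == 2,
        "real_identity_released": "eduPersonPrincipalName" in attrs_a,
        "ids_unlinkable_across_sps": attrs_a["eduPersonTargetedID"] != attrs_b["eduPersonTargetedID"],
        "granted_b": denied[0],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The second publisher holds no licence for the user's institution, so the same affiliation is refused there, and because its targeted ID is derived with its own entity ID the two publishers cannot correlate their records of this user.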

Page 22: The UK federation


3. Technical Recommendations for Participants

• Specifies the technical architecture for federation and participants

• Contains choices of IdP/SP software (UK is neutral but must be SAML compliant and tested by federation)
• Authentication response profiles
• Metadata processes
• Digital Certificate processes
• Attribute usage
• Includes future directions for each area of work

Page 23: The UK federation


4. Federation Technical Specification

– How the UK Access Management Federation achieves trust.

5. Federation Operator Procedures

– The procedures actually undertaken by the federation operator (UKERNA):
• Enrolment
• CA Qualification
• Support
• Monitoring / Audit

Page 24: The UK federation


Deployment Challenges

• Scale
– approx. 12–18 million eligible end users
– hundreds of member organisations
– hundreds or thousands of entities

Page 25: The UK federation


Discovery Challenges

• Institutional portal avoids the issue

• SP can perform discovery locally

– Good option in many cases:

– SP often knows its community of users

– Particularly true for licensed content, where a real-world contract will exist

– Also true for resources built around small collaborations

Page 26: The UK federation


Example: Elsevier ScienceDirect

Page 27: The UK federation


Central WAYF

• UK Federation provides central “Where Are You From” service as backstop
• Production WAYF servers work from federation metadata
– three identical machines
– geographically distributed in multiple data centres
– https:// as anti-spoofing measure

Page 28: The UK federation


UK federation WAYF

Page 29: The UK federation


UK federation statistics (18 May 07)

• 62 full member organisations
– ≈5 more still migrating from SDSS Federation
• 114 SAML entities
– 49 identity providers
– 65 service providers
• Software:
– 88% Shibboleth 1.3
– 6% Shibboleth 1.2
– 5% other/unknown

Page 30: The UK federation


What’s next…?

• Phase Two: Development Roadmap

• Confederations

• Federation peering

• Convergence of local, network and application sign-in

• NHS, other public funded bodies

Page 31: The UK federation


Conclusion

• Federation launched – great!

• Lots of potential to exploit: enhance usability, additional functionality, increase participation…

• Job done…?

• Actually, it’s just beginning!

Page 32: The UK federation


Questions?