• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Federated Access Management (SFEU)
 

Federated Access Management (SFEU)

on

  • 3,182 views

Outlines the institutional requirements for Access Management (from London School of Economics); and (from JISC) the process of implementating the UK Access Management Federation, supporting ...

Outlines the institutional requirements for Access Management (from London School of Economics); and (from JISC) the process of implementating the UK Access Management Federation, supporting institutions; and the decisions that UK FE and HE institutions need to make. Prepared for and presented at Scottish Further Education Unit "Librarians' Community of Practice Event", on 16-May-2007, Stirling, Scotland.

Statistics

Views

Total Views
3,182
Views on SlideShare
3,182
Embed Views
0

Actions

Likes
2
Downloads
13
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Federated Access Management (SFEU) Federated Access Management (SFEU) Presentation Transcript

    • What Universities & Colleges Need from Access Management … and How the UK Access Management Federation will provide it John Paschoud InfoSystems Engineer, LSE Library London School of Economics & Political Science, UK [email_address] Copyright John Paschoud 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. The intellectual property of others in all contributed and referenced material is acknowledged.
    • Our Situation
      • We’re a world-class university, teaching & researching in a specialised field (Social Sciences)
      • Our staff & students frequently work off-campus - but they still want access to all the services & information sources we provide
      • Our Library (the world’s largest specialising in the Social Sciences) is also used by researchers from many other universities, governments, and other organisations
      • …but what we need to do about Access Management isn’t so different from any other university or college.
    • What do Our Users Want?
      • Single Sign-On (as far as possible)
        • to our own services, and to all the resources we subscribe on their behalf
        • no need to remember so many passwords for different services
      • Access from Anywhere
        • from home, travelling, or working at other institutions or libraries
      • Improved Privacy
        • of personal information, and of research being pursued
    • What do We want?
      • (“We” being the people whose job is to provide institutional information services)
      • Improved security for licensed resources, so publishers we deal with are happy (and generous!)
      • Good privacy-protection for users, to meet our legal obligations
      • Low-hassle support for our on-campus and mobile users
      • Opportunity for ‘fine-grain’ authorization control, so we can know (and manage) Who-Has-Access-to-What
      • Access for visiting users to whatever they are entitled
        • by their home institutions
        • …which we don’t need to know about!
    • Costs and Benefits of adopting Federated Access Management?
      • Costs:
      • Institution’s directory must be in good shape and set up to support an Identity Provider (IdP) service
        • (just as it does for “AthensDA”)
      • IdP middleware needs installing and maintaining
        • (or subscribed-to from an external provider)
      • Benefits:
      • Reduced overheads in password support
      • No difference in on-campus and off-campus access
      • More flexible access control – e.g. different categories of users to different levels of access (or none) to a resource
      • Access control maintenance for different internal services (most with role-based access) is eliminated !
    • Appropriate Division of Labour
      • With Federated Access Management, functions are carried out by appropriate parties:
      • Identity Provider (typically a university) does Authentication (of it’s own registered users)
        • “ IdP”
      • Service Provider (typically a publisher) does Authorization ideally based on a common role (“student”) and affiliation (“lse.ac.uk”)
        • “ SP”
      • Federation provides trust framework between parties, operates ‘Where Are You From’ (“WAYF”) service
    • The Institution as Service Provider (too)
      • We can share resources in collaborations within the academic community
        • providing controlled access to users from other institutions, without needing to administer usernames/passwords for them
        • as LSE and Columbia (NY) did for a collaborative Anthropology teaching project (DART)
      • We can set up our repository, e-learning or any other service as a Service Provider
        • as LSE has done for Exam Papers and other ‘members only’ collections
    • Access to internal resources: LSE Exam Papers collection
    • Access via a library portal to external resources
      • A user can just go to the list of e-resources in the library’s portal.
      • In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system:
      • … but it could just be a list of links on a ‘hand-crafted’ web page
    • Access via a library portal to external resources The expanded list shows a link direct to the Service Provider, in this case Elsevier
    • Access via a library portal to external resources After clicking link in library portal:
    • Demonstration: What does FAM look like to an end-user?
      • Elsevier Science Direct – an ‘early-adopting’ publisher
        • … dealing with a global customer base
        • … needs-to-know only whether user is from a licensed institution
        • www.sciencedirect.com
      • LSE Projects wiki – a highly-restricted institutional resource
        • … with users spread across 10+ HE institutions (current project partners)
        • … needs to know personal identity and other user attributes
        • https://gabriel.lse.ac.uk/twiki/bin/logon/Restricted/WebHome
    • What Universities & Colleges Need from Access Management …and How the UK Access Management Federation will provide it John Paschoud JISC Access Management Outreach Team [email_address] (with grateful acknowledgement to Nicole Harris & Masha Garibyan for some of the following material) Copyright John Paschoud 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. The intellectual property of others in all contributed and referenced material is acknowledged.
    • Animation
    • Transition from funded Athens service to Federated Access Management
      • JISC has published its intention to centrally support federated access management from July 2008 as the preferred access management system within UK Higher and Further education
      • This will be enabled by the UK Access Management Federation, to be run by UKERNA
      • The federation is ‘technology neutral’ in terms of what systems an institution uses as long as it is SAML compliant: Shibboleth, Guanxi, AthensIM, Athens gateways (but potentially iChain and other commercial systems too)
      • JISC will fund Athens until July 2008, after which institutions will be required to pay a subscription for ‘classic’ Athens and AthensDA (and other new Athens resources such as ‘Atacama’)
      • JISC is funding Eduserv to provide gateways between Athens and the UK Access Management Federation to allow Service Providers and Institutions to continue using Athens if they so chose
      • Authentication is devolved to the institution: the institution needs to be able to authenticate every user who is entitled to access institutional (including licensed) resources
      • Authorisation is handled by an exchange of information between an institution and service provider: the institution needs to know exactly what each and every user is entitled to access
    • Why Federated Access Management?
      • Moves closer to the single sign-on ideal. Users need not remember so many passwords as they use their institutional username and password to access external, internal and collaborative resources
      • Aligns with international convergence on Shibboleth/SAML - wider market for suppliers
      • Avoids the need to maintain a central Athens-type database of registered users - by JISC/Eduserv and by participating libraries
      • Open Source tools are available - so tools can be developed by participants and shared
      • Commercial tools are available - for those who do not wish to use open source solutions
      • Can be used for collaborative access to institutional resources - solves problem of how you allow access to your resources to other institutions WITHOUT having to register people as members of your institution.
      • Free at the point of use for all members of the UK Access Management Federation.
    • Why has JISC chosen this Route?
      • Extensive research proved this to be the most appropriate technology
        • (SAML standard, Shibboleth-compliant implementation profile)
      • Meets the defined criteria for an access management system within the UK:
        • Internal (intra-institutional) applications (mostly through SSO system)
        • Management of access to third-party digital library-type resources (as now)
        • Inter-institutional use – stable, long-term resource sharing between defined groups (e.g. shared e-learning materials & courses)
        • Inter-institutional use – ad hoc collaborations, potentially dynamic in nature (virtual organisations or VOs)
      • International take-up secures future of development and support.
      • International take-up provides economies of scale through work in partnership
    • Why Is this Strategically Important for UK Education?
      • Federated access management infrastructure is a key deliverable within the current JISC strategy
      • Implementation will require institutional effort, and should be recognised within institutional IT strategies
      • Federated access management is needed to meet other strategic requirements:
        • DfES e-Strategy and e-Learning goals (such as e-Portfolios and e-Learning collaborations)
        • HEFCE e-Learning Strategies
        • Science and Innovation Investment Framework
      • National take-up: interaction with BECTA and the schools sector, and increasingly with NHS
      • International take-up: importance of cross-working with Europe, US and Australia
    • UK Access Management Federation
      • Launched 30 th November 2006 , building on the successful UK pilot federation that has been available since March 2004 (SDSS)
      • (51 members signed-up as of 16 th April 2007)
      • Operated by UKERNA , funded by JISC and governed by an independent body
      • The federation manages the trust relationships between Identity Providers and Service Providers
      • Members sign up to federation policy forming a ‘fabric of trust’
      • The federation service also:
        • Checks new members (password management, etc)
        • Maintains a list of members
        • Provides a discovery service (“Where Are You From”, or WAYF)
        • Agrees technical standards
        • Provides policy control
        • Provides support and advice
    • Access Management Transition Programme
      • Builds on two previous JISC-funded programmes:
        • Technology Development and Infrastructure
      • Moving from a ‘working’ infrastructure (running in the UK since March 2004) to a full production federation (with critical mass of users)
      • Main workpackages:
        • Funding the current UK service (Athens) until July 2008
        • Funding for the Federation  Athens Gateways
          • Allowing Athens authenticated users to access Shibboleth protected resources (Athens as “super Identity Provider”)
          • Allowing institutionally authenticated (via Shibboleth) users to access Athens protected resources (Athens as “super Service Provider”)
        • Funding for the Federation operator
        • Communications and outreach
        • Assisted Take-Up: Support for institutions and publishers
        • National and International liaison
    • Giving Institutions Choices
      • BECOME A FULL MEMBER OF THE FEDERATION USING COMMUNITY SUPPORTED TOOLS
        • COSTS: Institutional effort to implement software, join federation and enhance institutional directories
        • BENEFITS: Full institutional control, skilled staff and access management solution for internal, external and collaborative resources
      • BECOME A FULL MEMBER OF THE FEDERATION USING TOOLS WITH PAID-FOR SUPPORT
        • COSTS: Cost of support from supplier and institutional effort in liaison with supplier and Federation
        • BENEFITS: Full support in implementation and access management solution for internal, external and collaborative resources
      • SUBSCRIBE TO AN ‘OUTSOURCED IDENTITY PROVIDER’ TO WORK THROUGH THE FEDERATION ON YOUR BEHALF (SUCH AS USE OF CLASSIC ATHENS WITH THE GATEWAYS)
        • COSTS: Subscription costs to external supplier (from July 2008) and internal administration role
        • BENEFITS: Minimum institutional effort to achieve access to external resources only
    • Support for Institutions and Resource suppliers
      • Outreach
        • Programme Manager, plus 2 Outreach Coordinators with specific outreach responsibilities for Institutions and Service Providers
        • Additional support commissioned from pioneer adopters, such as the PERSEUS Project at LSE
        • Continued communication with other national federation initiatives
      • Whole-sector Assisted Take-up Service
        • Website (part of the Federation website)
        • Practical training on all aspects of implementation of the new federated mgmt system (covering the three possible routes and a range of institutional scenarios)
        • Onsite support
        • Helpdesk and mailing list support
        • Repository of project outputs
        • Documentation and toolkits to support decision making, training, project mgmt, software implementation etc
    • The job’s not over!
      • Recognising gaps in support for institutions, as experience is gained
        • Better presentation of practical guides
        • Identity Management by institutions
        • Levels of Assurance for different resources
      • The Identity Project
        • Undertaking a national survey of (all 641) institutions
        • Producing a model for institutional IdM audits
        • Reporting on issues for Health, National Grid Service and others
        • (Make sure your institution has completed the Identity Management survey at www.identity-project.info !)
      • The ES-LoA Project
        • Analysing levels of AuthN and AuthZ required for different services
        • Recommending how these can be expressed in Federation-approved attributes
    • IMPACT
      • CHANGE
        • JISC support for Athens will not be available after July 2008
      • INSTITUTIONAL EFFORT
        • To put in place the relevant parts of the system to allow devolved authentication
      • CHOICE
        • Of technologies. The federated access management system will not dictate the choice of single sign-on, directory system or environment in which you work
      • JOIN-UP
        • Across domains (e-Learning, e-Research and Information Environments) and across systems (for internal, external and collaborative access management)
      • IMPROVEMENTS
        • Real single sign-on, improved directory systems, foundation blocks for secure collaboration
    • www.ukfederation.org.uk www.jisc.ac.uk/federation.html www.identity-project.info [email_address] [email_address]