Federation Policy

This presentation gives an overview of the policy developed for the UK Access Management Federation

Uploaded as Microsoft PowerPoint

Usage Rights

CC Attribution-NonCommercial-ShareAlike License

    Presentation Transcript

    • Federation Policy Issues: The UK Perspective. Nicole Harris, Programme Manager, JISC
    • Issues from the UK
      • Experience from the UK highlights the importance of:
        • Making the move from a pilot to full service
        • Getting it right for your national requirements
        • Mapping requirements across the UK educational sector
        • Managing ‘outsourced identity providers’
        • Managing ‘outsourced service providers’
        • Not just the Federation and Policies but outreach, assisted take-up, vendor liaison
    • Moving from SDSS to the UK Access Management Federation

                    SDSS federation               UK federation
        Status      Project                       Service
        Duration    3 years                       Ongoing
        Scale       Programme                     National
        Home        EDINA National Data Centre    UKERNA
    • Differences for Users in Transition from SDSS
      • Very little:
        • Metadata recommendations have been preserved
        • SDSS team in place to provide second-line support for the foreseeable future
        • Communication: pushing people to use SDSS in the interim (don’t wait!)
        • Communication: explaining the changeover process
        • Formalising: actually signing formal policy documents rather than pilot recommendations can be scary / institutionally difficult
        • Athens “gateways” will be live and in service:
          • Athens will join the Federation as an outsourced Identity Provider and represent many institutions that have not made the move to full federated access management
          • Athens will join the Federation as an outsourced Service Provider and represent many resource owners that have not made the move to full federated access management
    • Federation Stats: 13th April 2007
      • 50 MEMBERS.
      • 113 ENTITIES (two of them dual in nature, registered as both an IdP and an SP):
        • 51 Identity Providers
        • 64 Service Providers
      • 29 ‘Core’ Institutional Members.
    • Policy Document 1: Rules of Membership
      • The basic contractual framework for trust.
      • Covers:
        • Definitions
        • Rules for all members
        • Specific rules for IdPs and SPs
        • Data Protection and Privacy
        • User Accountability
        • Liability
        • Audit and Compliance
        • Termination
        • Membership Cessation
        • Changes to Rules
        • Dispute Resolution
    • Policy Document 2: Recommendations for Use of Personal Data
      • Covers legal requirements – Data Protection Act 1998
      • Practical use of attributes:
        • eduPersonScopedAffiliation: represents the least intrusion into the user’s privacy and is likely to be sufficient for many access control decisions.
        • eduPersonTargetedID: designed to satisfy applications where the service provider needs to be able to recognise a returning user without revealing real identity.
        • “For most applications a combination of the attributes eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient. A requirement to provide other attributes should be regarded as exceptional by both Identity and Service Providers and will involve considerable additional responsibilities for both.”
        • eduPersonPrincipalName: personal data, so the Data Protection Act guidelines apply to it.
        • eduPersonEntitlement: it may be possible to determine identity from an entitlement, so it is again governed by the Data Protection Act.
    • Policy Document 3: Technical Recommendations for Participants
      • Specifies the technical architecture for Federation and participants.
      • Choice of IdP / SP software (UK is neutral but must be SAML compliant and tested by Federation)
      • Authentication response profiles
      • Metadata processes
      • Digital Certificate processes
      • ‘Discovery’ processes - to WAYF or not to WAYF
      • Attribute usage
      • Includes Future Directions for each area of work
    • UK Federation Required Attributes (technical attribute name, and what it really means)
      • eduPersonScopedAffiliation (e.g. [email_address]): UK-specific controlled vocabulary. Establishes the user’s relationship with the institution, e.g. staff, student, member; terms as used in the JISC Model Licence. Most authorisation can be done against this attribute.
      • eduPersonTargetedID (e.g. r001xf4rg2ss): opaque string defined by the institution. ‘A persistent user pseudonym’ allowing service personalisation and usage monitoring across sessions. Not a real-world identity.
      • eduPersonPrincipalName (e.g. harrisnv): defined by the institution, typically the login name. Used when a persistent user identifier is required across services; typically used for internal institutional services. Real identity can be established from this attribute.
      • eduPersonEntitlement (expressed as an agreed URI): mutually agreed by institution and service. Used when a specific resource has a specific entitlement condition not covered elsewhere, e.g. must be over 21, must have completed a foundation course module.
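    The following is an added example, not code from the UK federation, JISC or the presentation: it shows how a Service Provider would consume the four attributes described in the personal-data recommendations and the attribute table above, making its access decision from the baseline pair (eduPersonScopedAffiliation plus eduPersonTargetedID) and only consulting eduPersonEntitlement when a resource carries a specific condition. It also applies the check a practitioner would want before trusting a scoped affiliation: the scope part of `staff@example.ac.uk` is compared with the scope the asserting IdP is registered for, so one institution cannot obtain access on another institution’s licence terms. The attribute names are the standard eduPerson OIDs; the IdP entityID, its registered scope, the affiliation vocabulary, the licence terms honoured, the entitlement URI and the sample assertion are all constructed for illustration. Signature and Conditions validation is assumed to have happened before this code runs.

```python
# Added example (not the UK federation's, JISC's or the presenter's own code).
# Assumptions: eduPerson attributes arrive as urn:oid SAML 2.0 attributes (the
# standard names); the IdP entityID, its registered scope, the affiliation
# vocabulary, the licence terms, the entitlement URI and the sample assertion
# are constructed here for illustration.
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Standard eduPerson attribute OIDs as carried in SAML 2.0 attribute statements.
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"    # eduPersonScopedAffiliation
EPTID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"    # eduPersonPrincipalName
EPE = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"     # eduPersonEntitlement

BASELINE = {EPSA, EPTID}  # the pair the recommendations call sufficient for most SPs

# Assumption: the eduPerson affiliation vocabulary; the slide names only staff, student, member.
AFFILIATIONS = {"faculty", "staff", "student", "member", "alum",
                "affiliate", "employee", "library-walk-in"}
LICENSED = {"staff", "student", "member"}  # assumption: licence terms this SP honours

# Constructed stand-in for federation metadata: the scope(s) each IdP may assert.
IDP_SCOPES = {"https://idp.example.ac.uk/shibboleth": {"example.ac.uk"}}
IDP = "https://idp.example.ac.uk/shibboleth"


def parse_attributes(assertion_xml):
    """Return {attribute Name: [values]} from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML2}}}Attribute"):
        values = []
        for av in attr.findall(f"{{{SAML2}}}AttributeValue"):
            # eduPersonTargetedID is carried as a nested persistent NameID, not plain text.
            name_id = av.find(f"{{{SAML2}}}NameID")
            text = name_id.text if name_id is not None else av.text
            values.append((text or "").strip())
        attrs[attr.get("Name")] = values
    return attrs


def valid_scoped_affiliations(idp_entity_id, values):
    """Keep affiliation@scope values whose scope the asserting IdP is registered for.

    Without this check a misconfigured or hostile IdP could assert
    staff@other.ac.uk and gain access under another institution's licence."""
    allowed = IDP_SCOPES.get(idp_entity_id, set())
    kept = []
    for value in values:
        affiliation, sep, scope = value.partition("@")
        if sep and affiliation in AFFILIATIONS and scope.lower() in allowed:
            kept.append((affiliation, scope.lower()))
    return kept


def authorise(idp_entity_id, attrs, required_entitlement=None):
    """Access decision from the baseline pair, plus an entitlement URI when the resource needs one."""
    affiliations = valid_scoped_affiliations(idp_entity_id, attrs.get(EPSA, []))
    if not any(aff in LICENSED for aff, _scope in affiliations):
        return False
    if required_entitlement is not None:
        return required_entitlement in attrs.get(EPE, [])
    return True


def personalisation_key(attrs):
    """Opaque per-SP pseudonym for preferences and usage logs; no real identity is needed."""
    return attrs.get(EPTID, [None])[0]


def exceptional_attributes(requested):
    """Attributes an SP asks for beyond the baseline pair; each needs separate justification."""
    return set(requested) - BASELINE


# Constructed sample assertion (signature and Conditions omitted; validate them first).
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML2}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EPSA}">
      <saml:AttributeValue>staff@example.ac.uk</saml:AttributeValue>
      <saml:AttributeValue>member@other.ac.uk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{EPTID}">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">r001xf4rg2ss</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{EPE}">
      <saml:AttributeValue>urn:example:entitlement:foundation-course</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

if __name__ == "__main__":
    a = parse_attributes(SAMPLE_ASSERTION)
    print(valid_scoped_affiliations(IDP, a[EPSA]))  # member@other.ac.uk is dropped
    print(authorise(IDP, a), authorise(IDP, a, "urn:example:entitlement:over-21"))
    print(personalisation_key(a), exceptional_attributes({EPSA, EPTID, EPPN}))
```

    The second scoped value, `member@other.ac.uk`, is discarded because the asserting IdP is registered only for `example.ac.uk`; the decision for the journal-style resource then rests on `staff@example.ac.uk` alone, while the foundation-course resource additionally requires the agreed entitlement URI. eduPersonPrincipalName is never consulted, which is the point of the recommendation: a request for it shows up in `exceptional_attributes` as something both parties must justify.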
    • Policy Document 4: Federation Technical Specification and Policy Document 5: Federation Operator Procedures
      • Federation Technical Specification:
        • High level document about trust fabrics and how the UK Access Management Federation achieves trust.
      • Federation Operator Procedures:
        • The procedures actually undertaken by the Federation Operator (UKERNA):
          • Enrolment
          • CA Qualification
          • Support
          • Monitoring / Audit
    • Upcoming…in Policy
      • More practical documents related to baseline Federation such as Identity Provider deployment.
      • More advice and policy as developments move to service:
        • Levels of assurance
        • Virtual organisation support
        • Virtual ‘orphanage’ (SDSS already offering TypeKey and ProtectNetwork solutions)
        • Detailed policies for outsourced identity providers and outsourced service providers
      • www.ukfederation.org.uk
      • www.jisc.ac.uk/federation.html
      • [email_address]
      • [email_address]