Access Management Transition Programme Meeting Access Management Futures: JISC and International Development Strategy Nicole Harris Senior Services Transition Manager, JISC

A Little Background

Some Background 1995: Athens developed by NISS (National Information Services and Systems) at University of Bath as an in-house system. 1996: eLib Study ‘Technologies to Support Authentication in Higher Education’ identified Athens as a potential solution for all JISC Services. 1997: Athens in use in all JISC Data Centres and rolled out across HEIs / FEIs over the next two years. 1998: CNI White Paper on AAA requirements. JISC commits to using as a basis for next-generation technologies. 1997 – 2000: three year contract for Athens provision with University of Bath and then Eduserv. 2000 – 2008: two three year plus one two year contract with Eduserv for Athens provision. 2000: Alan Robiette and JCAS scope requirements for next generation access management system (ANGEL project starts testing Shibboleth and PAPI technologies). 2002 – 2004: AAA Programme – audit of next generation technologies and ratification of requirements. 2004 – 2007: Core Middleware Programmes. JISC decision to support federated access management. 2006 – 2009: Access Management: Transition Programme. Roll-out and embedding.

1995: Athens developed by NISS (National Information Services and Systems) at University of Bath as an in-house system.

1996: eLib Study ‘Technologies to Support Authentication in Higher Education’ identified Athens as a potential solution for all JISC Services.

1997: Athens in use in all JISC Data Centres and rolled out across HEIs / FEIs over the next two years.

1998: CNI White Paper on AAA requirements. JISC commits to using as a basis for next-generation technologies.

1997 – 2000: three year contract for Athens provision with University of Bath and then Eduserv.

2000 – 2008: two three year plus one two year contract with Eduserv for Athens provision.

2000: Alan Robiette and JCAS scope requirements for next generation access management system (ANGEL project starts testing Shibboleth and PAPI technologies).

2002 – 2004: AAA Programme – audit of next generation technologies and ratification of requirements.

2004 – 2007: Core Middleware Programmes. JISC decision to support federated access management.

2006 – 2009: Access Management: Transition Programme. Roll-out and embedding.

The Requirements A single access management system for: Intra-institutional resources. Third party digital library type resources. Inter-institutional resources for secure long-term collaboration. Inter-institutional resources for ad-hoc (virtual organisation) collaboration. Evolving strategy: Where possible, JISC should focus on fostering development and use of standards rather than specific technologies. Institutions should have the widest possible range of options, from full open source to commercial support. Solutions should be in line with international developments in the field. Solution must provide real benefits to institutions and service providers.

A single access management system for:

Intra-institutional resources.

Third party digital library type resources.

Inter-institutional resources for secure long-term collaboration.

Inter-institutional resources for ad-hoc (virtual organisation) collaboration.

Evolving strategy:

Where possible, JISC should focus on fostering development and use of standards rather than specific technologies.

Institutions should have the widest possible range of options, from full open source to commercial support.

Solutions should be in line with international developments in the field.

Solution must provide real benefits to institutions and service providers.

Not just about preventing.. Copyright: Getty Images from the Education Image Gallery

..but about collaborating and sharing Copyright: Getty Images from the Education Image Gallery

The UK Development Landscape Athens Gateways CA Bridge eduRoam Gateway Development Level of Assurance – FAME project Identity Management – inter- and intra- NHS / Government N-tier Developments – SPIE project Authorisation Tools - PERMIS, DYVOSE (Authority Delegation) Interfaces / User Tools Virtual Home for Identities Federation Tools Identity / Service Providers outreach support federation Federation Services

JISC Plans

Access Management Transition Programme!

Access Management Transition Programme!

e-Infrastructure Programme Continued support for integration of UK federation and Grid. Levels of Assurance: ES-LOA. Identity Project. Federated tools: 5 new projects. Federated Identities and virtual organisations with Grouper Virtual Organisations and management of organisations objects Integrated Authorisation for Shibboleth/Grid. Integrating VOMS and PERMIS Virtual Organisation tools Upcoming ITTs / Calls / other work in the areas of…

Continued support for integration of UK federation and Grid.

Levels of Assurance: ES-LOA.

Identity Project.

Federated tools: 5 new projects.

Federated Identities and virtual organisations with Grouper

Virtual Organisations and management of organisations objects

Integrated Authorisation for Shibboleth/Grid.

Integrating VOMS and PERMIS

Virtual Organisation tools

Upcoming ITTs / Calls / other work in the areas of…

Orphans American evangelist Dwight Lyman Moody (1837 - 1899) with a group of orphans at one of his Chicago missions. Courtesy of the Education Image Gallery Copyright: Getty Images

Identity Management outside Institutions

Multiple Affiliations

Attributes and Personalisation Copyright: HEFCE

e-Research Access Management for complex data Flexible Service Provider models for virtual organisations Ongoing work with the National Grid Service, including the CA Copyright: Getty Images Education Image Gallery

Access Management for complex data

Flexible Service Provider models for virtual organisations

Ongoing work with the National Grid Service, including the CA

Copyright: Getty Images

Education Image Gallery

Federated Tools such as ShARPE

Internet2 Plans

SAML 2.0 Scott Cantor: technical editor of SAML 2.0 specification and lead Shibboleth architect. SC describes it as a ‘vulcan mind-meld’ of SAML 1.1, Shibboleth and Liberty ID-FF 1.2. You can expect in the long-term: Focus on federated identity management. Single log-out. Account linking / management. More features / more complexity. Copyright: Getty Images Education Image Gallery

Scott Cantor: technical editor of SAML 2.0 specification and lead Shibboleth architect.

SC describes it as a ‘vulcan mind-meld’ of SAML 1.1, Shibboleth and Liberty ID-FF 1.2.

You can expect in the long-term:

Focus on federated identity management.

Single log-out.

Account linking / management.

More features / more complexity.

Shibboleth 2.0 Major changes: New and broadening concepts New configuration files Metadata updates Minor installation differences Partial SAML 2.0 support (AuthnRequest, AttributeQuery, SingleLogout). Better session management Better authentication packaged with Shib Better attribute management – particularly attribute filter policy Focus on SP side discovery service (the future?) Better audit and access logs Java Service Provider https://spaces.internet2.edu/display/SHIB/ShibTwoRoadmap .

Major changes:

New and broadening concepts

New configuration files

Metadata updates

Minor installation differences

Partial SAML 2.0 support (AuthnRequest, AttributeQuery, SingleLogout).

Better session management

Better authentication packaged with Shib

Better attribute management – particularly attribute filter policy

Focus on SP side discovery service (the future?)

Better audit and access logs

Java Service Provider

https://spaces.internet2.edu/display/SHIB/ShibTwoRoadmap .

Other Internet2 Stuff More work in collaborative scenarios: virtual organisations etc. Application integration with infrastructure: wikis, SharePoint, Sakai, mailing lists etc. Integrated application providers: yahoo, google, e-bay etc. Easier install IdPs. Information card integration including CardSpace (in place now). Open Liberty Integration

More work in collaborative scenarios: virtual organisations etc.

Application integration with infrastructure: wikis, SharePoint, Sakai, mailing lists etc.

Integrated application providers: yahoo, google, e-bay etc.

Easier install IdPs.

Information card integration including CardSpace (in place now).

Open Liberty Integration

International Plans

Work with our International Partners International Vendor Liaison, with specific emphasis on work with SURF and Internet2. Directory Schema work with TERENA through TF-EMC2. Inter-federation and licensing work with Knowledge Exchange Partners in Netherlands, Germany and Denmark. Inter-federation work with TERENA, Internet2 and DEST. Contributions to the Shibboleth code-base through team at EDINA. Continued international dialogue

International Vendor Liaison, with specific emphasis on work with SURF and Internet2.

Directory Schema work with TERENA through TF-EMC2.

Inter-federation and licensing work with Knowledge Exchange Partners in Netherlands, Germany and Denmark.

Inter-federation work with TERENA, Internet2 and DEST.

Contributions to the Shibboleth code-base through team at EDINA.

Continued international dialogue

and developing the UK federation… (see Josh Howlett presentation)