Federated Access Managment: Making the Business Case

Connecting People to Resources Federated Access: Building the Business Case Nicole Harris Programme Manager

JISC Announcement

In March 2006, JISC formally announced its intention to support federated access management as the preferred access management solution for UK Further and Higher Education

JISC will continue funding the Athens service until July 2008

Athens will be available via a subscription model post July 2008

The UK Access Management Federation will launch in November 2006, with early adopters joining in August 2006

The Federation is a combined venture between JISC and BECTA

All members of the successful pilot federation (SDSS) will be seamlessly moved to the UK Access Management Federation

A full support service will be made available to the JISC community to support the transition to the new service

What is Federated Access Management?

Current Athens service is a centralised service:

Institution provides information about users to Athens (identity information).

Athens brokers both authentication and authorisation on the part of the institution with service providers.

Federated Access Management devolves authentication back to the institution:

Authentication achieved through normal institutional log-on.

Service Providers trust institutions to appropriately authenticate.

Service Providers and institutions exchange information about users to determine what they can access (attributes: staff, student, law).

Same system can be used for internal, external and collaborative access (e-learning partnerships with other institutions, e-portfolios).

The Gateways ATHENS INSTITUTION UK ACCESS MANAGEMENT FEDERATION FEDERATED INSTITUTION ATHENS CENTRAL ATHENS PROTECTED RESOURCE FEDERATED RESOURCE IdP Gateway SP Gateway

The JISC Roadmap

Reviewing Readiness How many institutions will adopt federated access by July 2008? (FE figures: Scotland, Wales and Northern Ireland only)

Federated Access: Developing a Business Case Writing the Business Case

JISC InfoNet Toolkits

JISC InfoNet: Example Business Case Example of Electronic and Document Management System Business Case Development

NMI-EDIT Enterprise Directory Implementation Roadmap

Alpha University Business Case

NMI Enterprise Authentication Roadmap

Elements of a Business Case

Strategic Fit: making the strategic case.

Inputs and background, institutional strategy drivers (information strategy), other strategic drivers (external), timing implications, critical success factors.

Options Appraisal: the economic case.

Including costs and benefits analysis for each option.

Commercial aspects: the financial case (1).

Looks specifically at outsourcing and procurement issues.

Affordability: the financial case (2).

Funds available for project (implementation) and ongoing running.

Achievability: the project management case.

Can this be achieved within the organisation’s current capability and capacity?

Federated Access: Developing a Business Case The Strategic Case

The Strategic Case: Questions to Ask

Are there institutional drivers for:

The implementation of an enterprise directory / identity management solution?

Need to manage ‘non-standard’ users more efficiently, need to manage all users more efficiently!

Single (simplified) sign-on / devolved authentication?

System for both internal and external resources.

Collaborative access to resources within other institutions?

HE / FE collaboration; franchises in other countries.

Research collaboration? Private sector collaboration?

‘Virtual Organisation’ support; third-stream funding opportunities.

Strategic Case: Example – Kings College London

VISION STATEMENT: “Using a single password, postgraduate students can access not only King’s own electronic resources but also those of other universities and institutions by co-operative agreements.

VISION STATEMENT: “Provide services which reduce the burden of administration and information management.”

VISION STATEMENT: “Provide services which facilitate scholarly communication, collaboration and research

Federated access management allows not only single sign-on internally using an institutional password, but also allows users to access resources (such as VLEs) at other institutions using that same password (i.e. no need to register elsewhere).

Devolved authentication means that institution do not have to administer Athens accounts and single sign-on reduces the need for libraries to manage people as well as resources.

Federated access management supports the adoption of ‘virtual organisations and key research tools (such as open access repositories) have been ‘federated’.

Federated Access: Developing a Business Case The Options Appraisal

Institutional Options

BECOME A FULL MEMBER OF THE FEDERATION USING COMMUNITY SUPPORTED TOOLS

COSTS: Institutional effort to implement software, join federation and enhance institutional directories

BENEFITS: Full institutional control, skilled staff and access management solution for internal, external and collaborative resources

BECOME A FULL MEMBER OF THE FEDERATION USING TOOLS WITH PAID-FOR SUPPORT

COSTS: Cost of support from supplier and institutional effort in liaison with supplier and Federation

BENEFITS: Full support in implementation and access management solution for internal, external and collaborative resources

SUBSCRIBE TO AN ‘OUTSOURCED IDENTITY PROVIDER’ TO WORK THROUGH THE FEDERATION ON YOUR BEHALF (SUCH AS USE OF CLASSIC ATHENS WITH THE GATEWAYS)

COSTS: Subscription costs to external supplier (from July 2008) and internal administration role

BENEFITS: Minimum institutional effort to achieve access to external resources only

JISC Options

Options appraisal for Services taken at the point where technology, capability and requirements of the community had been fully established through JISC Development programmes.

Move Athens to subscription model, no future development .

Continue funding Athens, no future development .

Continue funding Athens, continue funding development .

Transition to federated service, no continued Athens funding .

Transition to federated service, limited Athens support .

Transition to federated service, continued Athens support .

Options Appraisal: JISC example Not recommended as a strategically sound direction for JISC. Recommendation

Fails to meet JISC Strategy on several fronts – ceasing to be innovative and world class status; failing to be economic and efficient in terms of services offered.

Negative reaction from community.

Access Management a core function of service provision within the strategy. Failure to support will impact on all areas of JISC.

Lack of innovation affects UK / JISC International standing.

Risks

Release of JISC service funds.

Meets approach of the JISC Development – Service model in terms of moving robust services to subscription models.

Benefits Eduserv have announced that they will charge a maximum of 50p per account per institution per annum for continued provision of the Athens service. At current service provision (3.5 million user accounts), the cost to UK Higher and Further Education Institutions will be £1,750,000. This represents an increase in cost of the community of £1,120,000 above the JISC managed solution currently supplied. Cost This option would amount to JISC taking the decision to cease financially supporting access management solutions for the community. It presumes that the Athens service is now a stable and self-sustaining model, and that an appropriate subscription model can be applied across HEIs, FEIs and Service Providers. Overview

Federated Access: Developing a Business Case The Financial Case

Federated Access: Developing a Business Case The Project Management Case

Technical Capability / Management Buy-In

Achievability: Skill Set (with thanks to Swish!) Setting up a CVS Repository; Populating (importing) new data;Check out/in. CVS Profiles, bindings and extensions SAML Format and content of XML files ; Namespace (xmlns) definition and use ; XML Schema definitions XML Log4j and log4cpp configuration options ; Analyzing stack traces and locating configuration errors. Java Configuration files: server.xml, workers2.properties, tomcat-users.xml Application WAR deployment ; Use of conf, webapps, WEB-INF and classes directories. Mod_jk use and Tomcat modification to use it ; “ant command” and editing build.properties and build.xml files.Build WAR and dist files. Tomcat Writing simple web pages ; Meaning of every HTTP code ; CSS authoring HTTP and HTML PKI ; Use of the openssl command and every option Trust stores and certificate stores Obtaining certificates, installing them, converting to/from different encoded methods. Building certificate chains. SSL Knowledge of the configuration files for the webserver and being able to correctly specify values for all directives. Virtual host configuration with SSL. Adding modules, building modules Configuring a content management system to host documentation about procedures and configuration file changes. Webserver (Apache, IIS) Security policy management for controlling port use . Where to install applications, configuration files. Syslogd operation, writing startup services, obtaining and inspecting packet dumps, writing scripts to monitor and control multiple log files in many windows and using filtering, sorting and pattern matching to reformat output. Operating System Minimum requirements Skill area

In Summary