Mark Williams Services Outreach, JISC [email_address] federated access management

www.bricktestament.com www.bricktestament.com

Update Shibboleth update

Shibboleth update

Update Shibboleth update Focus on Federated Access Management Shibboleth just one of / part of the technologies

Shibboleth update

Focus on Federated Access Management

Shibboleth just one of / part of the technologies

Introduction What is access management? The Situation The Choices The business case The Support Discussion

What is access management?

The Situation

The Choices

The business case

The Support

Discussion

Explaining federated access management Video highlights: Issues Advantages Situation Video Audience: SMT Curriculum LRC Tool for YOU to use

Video highlights:

Issues

Advantages

Situation

Video Audience:

SMT

Curriculum

LRC

The Situation: JISC Announcement In March 2006, JISC formally announced its intention to support federated access management as the preferred access management solution for UK Further and Higher Education JISC will continue funding the Athens service until July 2008 Athens will be available via a subscription model post July 2008 Institutions will have to Join the Federation to access JISC funded resources The UK Access Management Federation launched in November 2006, with early adopters joining in August 2006 The Federation is a combined venture between JISC and BECTA A full support service will be made available to the JISC community to support the transition to the new service

In March 2006, JISC formally announced its intention to support federated access management as the preferred access management solution for UK Further and Higher Education

JISC will continue funding the Athens service until July 2008

Athens will be available via a subscription model post July 2008

Institutions will have to Join the Federation to access JISC funded resources

The UK Access Management Federation launched in November 2006, with early adopters joining in August 2006

The Federation is a combined venture between JISC and BECTA

A full support service will be made available to the JISC community to support the transition to the new service

What is Federated Access Management? Current Athens service is a centralised service: Institution provides information about users to Athens (identity information). Athens brokers both authentication and authorisation on the part of the institution with service providers. Federated Access Management devolves authentication back to the institution: Authentication achieved through normal institutional log-on. Service Providers trust institutions to appropriately authenticate. Service Providers and institutions exchange information about users to determine what they can access (attributes: staff, student, law). Same system can be used for internal, external and collaborative access (e-learning partnerships with other institutions, e-portfolios).

Current Athens service is a centralised service:

Institution provides information about users to Athens (identity information).

Athens brokers both authentication and authorisation on the part of the institution with service providers.

Federated Access Management devolves authentication back to the institution:

Authentication achieved through normal institutional log-on.

Service Providers trust institutions to appropriately authenticate.

Service Providers and institutions exchange information about users to determine what they can access (attributes: staff, student, law).

Same system can be used for internal, external and collaborative access (e-learning partnerships with other institutions, e-portfolios).

The Push JISC Collections access Athens pricing structure Focus on legitimate use – Emphasis on correct use- non sharing of passwords etc Expiry policy Policy for populating user directory http://www.eduserv.org.uk/upload/athens/pdf/openathens_pricing_0307.pdf

JISC Collections access

Athens pricing structure

Focus on legitimate use – Emphasis on correct use- non sharing of passwords etc

Expiry policy

Policy for populating user directory

The Pull Capability – institution – staff – students International gold standard Longevity: JISC supporting solution – Gateway developed to enable Eduserve solution International – In common etc

Capability – institution – staff – students

International gold standard

Longevity: JISC supporting solution – Gateway developed to enable Eduserve solution

International – In common etc

Institutional Options BECOME A FULL MEMBER OF THE FEDERATION USING COMMUNITY SUPPORTED TOOLS COSTS: Institutional effort to implement software, join federation and enhance institutional directories BENEFITS: Full institutional control, skilled staff and access management solution for internal, external and collaborative resources BECOME A FULL MEMBER OF THE FEDERATION USING TOOLS WITH PAID-FOR SUPPORT COSTS: Cost of support from supplier and institutional effort in liaison with supplier and Federation BENEFITS: Full support in implementation and access management solution for internal, external and collaborative resources SUBSCRIBE TO AN ‘OUTSOURCED IDENTITY PROVIDER’ TO WORK THROUGH THE FEDERATION ON YOUR BEHALF (SUCH AS USE OF CLASSIC ATHENS WITH THE GATEWAYS) COSTS: Subscription costs to external supplier (from July 2008) and internal administration role BENEFITS: Minimum institutional effort to achieve access to external resources only

BECOME A FULL MEMBER OF THE FEDERATION USING COMMUNITY SUPPORTED TOOLS

COSTS: Institutional effort to implement software, join federation and enhance institutional directories

BENEFITS: Full institutional control, skilled staff and access management solution for internal, external and collaborative resources

BECOME A FULL MEMBER OF THE FEDERATION USING TOOLS WITH PAID-FOR SUPPORT

COSTS: Cost of support from supplier and institutional effort in liaison with supplier and Federation

BENEFITS: Full support in implementation and access management solution for internal, external and collaborative resources

SUBSCRIBE TO AN ‘OUTSOURCED IDENTITY PROVIDER’ TO WORK THROUGH THE FEDERATION ON YOUR BEHALF (SUCH AS USE OF CLASSIC ATHENS WITH THE GATEWAYS)

COSTS: Subscription costs to external supplier (from July 2008) and internal administration role

BENEFITS: Minimum institutional effort to achieve access to external resources only

The Gateways ATHENS INSTITUTION UK ACCESS MANAGEMENT FEDERATION FEDERATED INSTITUTION ATHENS CENTRAL ATHENS PROTECTED RESOURCE FEDERATED RESOURCE IdP Gateway SP Gateway

Strategic Case: Example – Rummidge College Vision statement VISION STATEMENT: “Using a single password, students can access not only Rummidge College own electronic resources but also those of other universities, Colleges and institutions by co-operative agreements. VISION STATEMENT: “Provide services which reduce the burden of administration and information management.” VISION STATEMENT: “Provide services which facilitate scholarly communication, collaboration and research Federated access management allows not only single sign-on internally using an institutional password, but also allows users to access resources (such as VLEs) at other institutions using that same password (i.e. no need to register elsewhere). Devolved authentication means that institution do not have to administer Athens accounts and single sign-on reduces the need for libraries to manage people as well as resources. Federated access management supports the adoption of ‘virtual organisations and key research tools (such as open access repositories) have been ‘federated’. 24/7 Collaboration Lifelong learning Workbased learning Remote learning Regional Partnership

VISION STATEMENT: “Using a single password, students can access not only Rummidge College own electronic resources but also those of other universities, Colleges and institutions by co-operative agreements.

VISION STATEMENT: “Provide services which reduce the burden of administration and information management.”

VISION STATEMENT: “Provide services which facilitate scholarly communication, collaboration and research

Federated access management allows not only single sign-on internally using an institutional password, but also allows users to access resources (such as VLEs) at other institutions using that same password (i.e. no need to register elsewhere).

Devolved authentication means that institution do not have to administer Athens accounts and single sign-on reduces the need for libraries to manage people as well as resources.

Federated access management supports the adoption of ‘virtual organisations and key research tools (such as open access repositories) have been ‘federated’.

The Strategic Case: Questions to Ask Are there institutional drivers for: The implementation of an enterprise directory / identity management solution? Need to manage ‘non-standard’ users more efficiently, need to manage all users more efficiently! Single (simplified) sign-on / devolved authentication? System for both internal and external resources. Collaborative access to resources within other institutions? HE / FE collaboration; franchises in other countries. Research collaboration? Private sector collaboration? ‘Virtual Organisation’ support; third-stream funding opportunities.

Are there institutional drivers for:

The implementation of an enterprise directory / identity management solution?

Need to manage ‘non-standard’ users more efficiently, need to manage all users more efficiently!

Single (simplified) sign-on / devolved authentication?

System for both internal and external resources.

Collaborative access to resources within other institutions?

HE / FE collaboration; franchises in other countries.

Research collaboration? Private sector collaboration?

‘Virtual Organisation’ support; third-stream funding opportunities.

Options appraisal

Institutional Audit Strategic fit: Aims of the College Mission statement, Capability, Staff up-skilling, Collaboration, Costs Options appraisal: which choice meets business need How many resources do you access? What do you want to do? Affordability Capability What will your choice solve?

Strategic fit: Aims of the College

Mission statement, Capability, Staff up-skilling, Collaboration, Costs

Options appraisal: which choice meets business need

How many resources do you access?

What do you want to do?

Affordability

Capability

What will your choice solve?

Making the decision SMT LRC IT

Making the decision SMT Strategic plans? LRC How much resource use? Cost? IT Capability? State of directory services?

Making the decision SMT Strategic plans? LRC How much resource use? Cost? IT Capability? State of directory services? Realising the benefits of federated access management requires a business change project rather than a technology project .

The JISC Roadmap

Elements of the toolkit Strategic fit : identifying strategic issues and drivers for access management Options appraisal : considering the range of access management options available and conducting an options appraisal to identify which option best meets the business need Affordability : assessing the affordability of the option identified by considering available funding, existing commitments and estimating whole-life project and operating costs. Where the identified option requires an external procurement, the commercial arrangement should be assessed to ensure value for money can be obtained. Achievability : assessing the achievability of the option identified, within current capability and capacity and the intended business change.

Strategic fit : identifying strategic issues and drivers for access management

Options appraisal : considering the range of access management options available and conducting an options appraisal to identify which option best meets the business need

Affordability : assessing the affordability of the option identified by considering available funding, existing commitments and estimating whole-life project and operating costs. Where the identified option requires an external procurement, the commercial arrangement should be assessed to ensure value for money can be obtained.

Achievability : assessing the achievability of the option identified, within current capability and capacity and the intended business change.

Affordability: commercial Can value for money be obtained from the proposed partner or supplier? Is the through-life cost understood? Are likely support costs clear? Are there “hidden costs” like supplier lock-in or restrictive terms and conditions? Is current and future pricing agreed? If not, can the project be made attractive to a wider market? Is there sufficient competition to get a good deal? What controls on release and use of identity information are there? Are they consistent with institutional strategy? Are the skills in place to deal with the commercial aspects? Is it an existing, trusted supplier?

Can value for money be obtained from the proposed partner or supplier?

Is the through-life cost understood?

Are likely support costs clear?

Are there “hidden costs” like supplier lock-in or restrictive terms and conditions?

Is current and future pricing agreed?

If not, can the project be made attractive to a wider market?

Is there sufficient competition to get a good deal?

What controls on release and use of identity information are there?

Are they consistent with institutional strategy?

Are the skills in place to deal with the commercial aspects?

Is it an existing, trusted supplier?

Options Grid - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Conclusion Effect on Revenue budget Non-Financial cost Risk Benefit Cost Option

Skills Setting up a CVS Repository. Populating (importing) new data Check out/in. CVS Profiles, bindings and extensions SAML Format and content of XML files Namespace (xmlns) definition and use XML Schema definitions XML Log4j and log4cpp configuration options Analyzing stack traces and locating configuration errors. Java Configuration files: server.xml, workers2.properties, tomcat-users.xml Application WAR deployment Use of conf, webapps, WEB-INF and classes directories. Mod_jk use and Tomcat modification to use it “ ant command” and editing build.properties and build.xml files. Build WAR and dist files. Tomcat Writing simple web pages Meaning of every HTTP code CSS authoring HTTP and HTML PKI Use of the openssl command and every option Trust stores and certificate stores Obtaining certificates, installing them, converting to/from different encoded methods. Building certificate chains. SSL Knowledge of the configuration files for the webserver and being able to correctly specify values for all directives. Virtual host configuration with SSL. Adding modules, building modules Configuring a content management system to host documentation about procedures and configuration file changes. Webserver (Apache, IIS) Security policy management for controlling port use Where to install applications, configuration files. Syslogd operation, writing startup services, obtaining and inspecting packet dumps, writing scripts to monitor and control multiple log files in many windows and using filtering, sorting and pattern matching to reformat output. Operating System Minimum requirements Skill area

Federation official documentation http://www.ukfederation.org.uk/ Support: UK Federation Website

Federation official documentation

http://www.ukfederation.org.uk/

JISC Website Case studies Business case (May) Awareness events Netskills training Institutional audit support Mailing list Support: JISC Website

JISC Website

Case studies

Business case (May)

Awareness events

Netskills training

Institutional audit support

Mailing list

Outreach Team [email_address] – FE [email_address] – Resource Providers LSE team – implementation casestudies Third party players Eduserve Kidderminster / Salford Others UKERNA, NetSkills,

Team

[email_address] – FE

[email_address] – Resource Providers

LSE team – implementation casestudies

Third party players

Eduserve

Kidderminster / Salford

Others

UKERNA, NetSkills,

Access Management: Transition Programme Meeting 29th - 30th May 2007 Aston, Birmingham Intended as a discussion platform for those who are adopting, or considering adopting, federated access management within the UK. Senior managers, technical and library staff http://www.jisc.ac.uk/whatwedo/programmes/programme_am_transition/amtppm FREE! LUNCH AND CLOSE 12.30 - 1.30 PLENARY 11.30 - 12.30 Service Provider update Technologies Update Policy Update 10.30 - 11.30 COFFEE BREAK 10.15 - 10.30 FUTURES: FEDERATION / SAML AND JISC STRATEGY 9.15 - 10.15 END OF DAY ONE DRINKS AT 7.30 / DINNER AT 8.00 Library BoF Technical BoF Institutional Audit BoF 4.00 - 5.00 COFFEE BREAK / SUPPLIERS POSTERS 3.30 - 4.00 OPTIONS FOR JOINING THE FEDERATION 2.15 - 3.30 WELCOME 200 - 2.15 LUNCH 1.00 - 2.00

29th - 30th May 2007

Aston, Birmingham

Intended as a discussion platform for those who are adopting, or considering adopting, federated access management within the UK.

Senior managers, technical and library staff

http://www.jisc.ac.uk/whatwedo/programmes/programme_am_transition/amtppm

FREE!

Casestudies

Casestudies

Casestudies

FEDERATION – does need to be addressed sooner or later Don’t let that happen to your institution Issue not forced on Colleges but highlighted Solutions offered not chosen www.jisc.ac.uk/federation

Discussion Obstacles? Help?

Obstacles?

Help?