
'Connecting people to resources' by Nicole Harris at UKSG 2007



presentation given at UKSG 2007


  1. Connecting People to Resources: Federated Access Management within the UK. Nicole Harris, Senior Services Transition Manager, JISC
  2. Connecting People to Resources: OVERVIEW
  3. A summary
     • JISC has published its intention to centrally support federated access management from July 2008 as the preferred access management system within UK Higher and Further education.
     • This will be enabled by the UK Access Management Federation, to be run by UKERNA.
     • The federation is ‘technology neutral’ in terms of what systems an institution uses as long as it is SAML compliant: Shibboleth, Guanxi, AthensIM, Athens gateways (but potentially iChain and other commercial systems).
     • JISC will fund Athens until July 2008, after which institutions will be required to pay a subscription for ‘classic’ Athens and AthensDA (and other new Athens resources such as ‘Atacama’).
     • JISC is funding Eduserv to provide gateways between Athens and the UK Access Management Federation to allow Service Providers and Institutions to continue using Athens if they so choose.
     • Authentication is devolved to the institution: the institution needs to be able to authenticate every user who is entitled to access institutional resources.
     • Authorisation is handled by an exchange of information between an institution and service provider: the institution needs to know exactly what each and every user is entitled to access.
  4. Why federated access management?
     • Moves closer to the single sign-on ideal. Users need not remember so many passwords as they use their institutional username and password to access external, internal and collaborative resources.
     • Aligns with international convergence on Shibboleth/SAML - wider market for suppliers.
     • Avoids the need to maintain a central Athens-type database of registered users - by JISC/Eduserv and by participating libraries.
     • Open Source tools are available - so tools can be developed by participants and shared.
     • Commercial tools are available - for those who do not wish to use open source solutions.
     • Can be used for collaborative access to institutional resources - solves problem of how you allow access to your resources to other institutions WITHOUT having to register people as members of your institution.
     • Free at the point of use for all members of the UK Access Management Federation.
  5. Why Has JISC Chosen this Route?
     • Extensive research proved this to be the most appropriate technology. Meets the defined criteria for an access management system within the UK:
       - Internal (intra-institutional) applications (mostly through SSO system)
       - Management of access to third-party digital library-type resources (as now)
       - Inter-institutional use – stable, long-term resource sharing between defined groups (e.g. shared e-learning scenarios)
       - Inter-institutional use – ad hoc collaborations, potentially dynamic in nature (virtual organisations or VOs)
     • International take-up secures future of development and support.
     • International take-up provides economies of scale through work in partnership.
  6. Why Is this Strategically Important? Key Messages
     • Federated access management system key deliverable within the current JISC strategy.
     • Implementation will require institutional effort, and should be recognised within institutional IT strategies.
     • Federated access management is required to meet other strategic requirements:
       - DfES e-Strategy and e-Learning goals (such as e-Portfolios and e-Learning collaborations)
       - HEFCE e-Learning Strategies
       - Science and Innovation Investment Framework
     • National take-up: interaction with BECTA and the schools sector, and increasingly with NHS.
     • International take-up: importance of cross-working with Europe, US and Australia.
  7. IMPACT
     • CHANGE
       - JISC support for Athens will not be available to institutions after July 2008.
     • INSTITUTIONAL / SERVICE PROVIDER EFFORT
       - To put in place the relevant parts of the system to allow devolved authentication.
     • CHOICE
       - Of technologies. The federated access management system will not dictate the choice of single sign-on, directory system or environment in which you work.
     • JOIN-UP
       - Across domains (e-Learning, e-Research and Information Environments) and across systems (for internal, external and collaborative access management)
     • IMPROVEMENTS
       - Standards based approach to access management improving flexibility.
       - Real single sign-on, improved directory systems, foundation blocks for secure collaboration.
  8. Connecting People to Resources: STATISTICS
  9. Reviewing Readiness: Independent Review
     How many institutions will adopt federated access by July 2008? (FE figures: Scotland, Wales and Northern Ireland only)
     “The Sunday Times University Guide was used as a measure of the top 20 Universities. Of the top 20, information on institutional position was obtained for 18. Of the 18, 8 are early adopters of FAM, 9 plan to adopt by July 2008, 1 is interested but has no current plans to adopt.”
  10. Federation Stats: 16th April 2007
     • 51 MEMBERS.
     • 29 ‘Core’ Institutional Members.
  11. Predicted Adoption

     | Adopter Type       | Adoption Milestone | Percentage | No. Institutions |
     |--------------------|--------------------|------------|------------------|
     | innovators         | 01/04/2004         | 0.30%      | 2                |
     | early adopters     | 31/05/2007         | 6%         | 39               |
     | early majority (1) | 01/11/2007         | 13%        | 83               |
     | early majority (2) | 01/11/2008         | 20%        | 128              |
     | late majority      | 01/11/2009         | 32.30%     | 207              |
     | laggards           | not set            | 28.40%     | 182              |

  12. Connecting People to Resources: CHOICES
  13. Option 1 and 2: Roadmap for Institutions
  14. Choices for Service Providers
     • Become a full member of the UK Access Management Federation, using community-supported tools
       - BENEFITS: No ongoing subscription costs, compliance with international standards and institutional requirements
       - COSTS: Internal effort to implement software, join federation and manage provider attributes
     • Become a full member of the UK Access Management Federation, using tools with paid-for support
       - BENEFITS: Full support in implementation, compliance with international standards and institutional requirements
       - COSTS: Cost of support from supplier and internal effort in liaison between supplier and Federation
     • Decide not to implement Shibboleth: continue with Athens or other access management solution
       - BENEFITS: Athens providers will have access to the Federation through the ‘gateway’, funded by the JISC at least until July 2008
       - COSTS: Providers using Athens will continue to pay current subscription and licence costs to Eduserv
  16. UK Federation Core Attributes
     • eduPersonScopedAffiliation ([email_address])
       - TECHNICAL: UK specific controlled vocabulary
       - WHAT THIS REALLY MEANS: Establishes user’s relationship with institution – e.g. staff, student, member. Terms as used in JISC Model license. Most authorisation can be done against this attribute.
     • eduPersonTargetedID (r001xf4rg2ss)
       - TECHNICAL: opaque string defined by institution
       - WHAT THIS REALLY MEANS: ‘A persistent user pseudonym’ to allow for service personalisation and usage monitoring across sessions. Not a real world identity.
     • eduPersonPrincipalName (harrisnv)
       - TECHNICAL: defined by institution – login name
       - WHAT THIS REALLY MEANS: Used when a persistent user identifier is required across services. Typically used for internal institutional services. Real identity can be established from attribute.
     • eduPersonEntitlement (expressed as an agreed URI)
       - TECHNICAL: mutually agreed by institution and service
       - WHAT THIS REALLY MEANS: Used when a specific resource has a specific entitlement condition not covered elsewhere: must be over 21, must have completed foundation course module.
  17. Gateway Attributes
     • Athens Identity Providers accessing Shibboleth Service Providers can use:
       - eduPersonScopedAffiliation.
       - eduPersonTargetedID.
     • Shibboleth Identity Providers accessing Athens Service Providers can use:
       - eduPersonTargetedID.
       - eduPersonEntitlement (full permission set).
     • All other scenarios can make use of appropriate attributes as required. Not limited to core set.
  18. Connecting People to Resources: EXAMPLES
  19. Connecting People to Resources: INDEX TO THE TIMES: EDINA
  20. Shibboleth Access via a WAYF for external services
     User knows URL of resource and that Shibboleth is used. And where they are from.
  21. Connecting People to Resources: JSTOR
  22. JSTOR Example: Service Provider Developed WAYF
  23. Connecting People to Resources: SCIENCE DIRECT
  24. Shibboleth behind a library portal for external services
     • Alternatively, on or off campus, you could just go to the list of e-resources in the library’s portal.
     • In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system:
     • … but it could just be a list on a ‘hand-crafted’ web page
  25. Shibboleth behind the library portal
     The expanded list shows a link direct to the Service Provider, in this case Elsevier
  26. Shibboleth behind the library portal
     After clicking link in library portal:
  27. Connecting People to Resources: LANDMAP: MIMAS
     With thanks to Ross Macintyre
  28. (Slide 40) Connecting People to Resources: SUPPORT
  29. (Slide 41) Support Resources
     • and
     • ‘shib-enable-vendor’ lists: contact Jane Charlton @ JISC for more information.
     • Briefing Paper – available on the JISC stand.
     • Federated Access Management Animation.
     • Service Provider process map: available on the JISC website.
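
The attribute roles on slides 16 and 17, as an added example that is not part of the original presentation: a service provider's access decision that checks eduPersonScopedAffiliation against the licence, eduPersonEntitlement for a resource-specific condition, and uses eduPersonTargetedID as the personalisation key. The entity ID, scopes, entitlement URI, licence table and function names are constructed, and the scope table is an assumed stand-in for federation metadata.

```python
# Added example: all entity IDs, scopes and URIs are constructed sample values.
# Scopes each identity provider may assert (assumed stand-in for federation metadata).
TRUSTED_SCOPES = {"https://idp.example.ac.uk/shibboleth": {"example.ac.uk"}}

# Hypothetical licence terms held by the service provider, one per resource.
LICENCES = {
    "journal": {"affiliations": {"staff", "student", "member"}, "entitlement": None},
    "course-pack": {
        "affiliations": {"student"},
        "entitlement": "https://sp.example.org/entitlement/foundation-module",
    },
}


def trusted_affiliations(idp, values):
    """Keep only affiliations whose scope this IdP is allowed to assert."""
    allowed = TRUSTED_SCOPES.get(idp, set())
    kept = set()
    for value in values:
        affiliation, sep, scope = value.partition("@")
        if sep and affiliation and scope.lower() in allowed:
            kept.add(affiliation.lower())
    return kept


def authorise(idp, attrs, resource):
    """Return (granted, reason, user_key) for one released attribute set."""
    licence = LICENCES[resource]
    affiliations = trusted_affiliations(
        idp, attrs.get("eduPersonScopedAffiliation", []))
    if not affiliations & licence["affiliations"]:
        return False, "affiliation not covered by licence", None
    needed = licence["entitlement"]
    if needed and needed not in attrs.get("eduPersonEntitlement", []):
        return False, "entitlement not released", None
    # Personalisation uses the opaque pseudonym; the login name
    # (eduPersonPrincipalName) is not needed and is ignored if released.
    targeted = attrs.get("eduPersonTargetedID", [])
    return True, "granted", targeted[0] if targeted else None


if __name__ == "__main__":
    idp = "https://idp.example.ac.uk/shibboleth"
    released = {
        "eduPersonScopedAffiliation": ["student@example.ac.uk"],
        "eduPersonTargetedID": ["r001xf4rg2ss"],  # sample value from slide 16
    }
    print(authorise(idp, released, "journal"))
    print(authorise(idp, released, "course-pack"))
```

An affiliation carrying a scope the asserting identity provider is not registered for is discarded before the licence check, so one institution cannot claim another's members.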