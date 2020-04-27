
Trust and identity - enabling intra- and inter-organisational authentication and authorisation

A presentation from Networkshop48 by Rhys Smith, chief technical architect, trust and identity, Jisc and Mark Williams, UK Access Management Federation manager, Jisc.

Jisc has a range of trust and identity services that enable intra- and inter-organisational authentication and authorisation. These already play a key part in enabling on- and off- campus access to both internal resources (such as VLEs) and external resources (e-books, journals, collaboration tools). In these extraordinary times, these are more important than ever.

Published in: Technology
License: CC Attribution-NonCommercial-NoDerivs License

  1. Trust and identity: Enabling intra- and inter-organisational authentication and authorisation
     Dr Rhys Smith, chief technical architect, Trust and identity, Jisc
  2. Speakers
     • Dr Rhys Smith – Chief technical architect, Trust and identity (Jisc)
     • Mark Williams – UK federation service manager (Jisc)
  3. Agenda
     • What’s the main aim of Jisc’s Trust and identity portfolio?
     • What are Jisc’s Trust and identity services and what do they do?
     • Which services can help during the Covid-19 crisis, and how?
     • Q&A and community discussion
  4. “Easy and secure access to anything, anywhere, anytime”
     All of Jisc’s Trust and identity services revolve around enabling all aspects of this proposition.
  5. Jisc’s Trust and identity services
     • Federation: UK federation, Assent
     • Identity and access: Shibboleth, Managed services
     • Verification: Certificate service, Student voter, VerifID, Domain registry
     • Member and professional services: Helpdesk, Consultancy
  6. Federation services (UK federation, Assent)
     • These are underlying trust infrastructure to enable federated authentication / authorisation between members
       - Solves the problem of N² interactions
     • At the business and at the technical level
  7. Identity and access (Shibboleth, Managed services)
     • Software and services to help members make use of our services, where appropriate
  8. Verification (Certificate service, Student voter, VerifID, Domain registry)
     • Ensures the secure validation of various aspects of our membership’s interactions with each other
  9. Member and professional services (Helpdesk, Consultancy)
     • Providing help, support and guidance on the use of all of our services
  10. Quality assurance and information security
     All of the T&I services are included within Jisc’s ISO 9001 and 27001 scopes
  11. Federation services
  12. UK Access Management Federation: Web single sign-on federation
     • Cross-organizational SSO to web resources
     • Est. 2006, part of the Jisc core subscription
     • Vendor-agnostic (SAML based)
     • ~1200 members, ~2,500 entities
       - 100% of HE, ~80% of FE, also schools, government, libraries, NHS, etc
     • Global inter-federation with 68 other countries via eduGAIN
       - ~7,000 entities total
  13. Assent: Non-web single sign-on federation
     • Cross-organisational access to non-web resources (eg SSH)
     • Est. 2015, part of the Jisc core subscription
     • Vendor-agnostic (ABFAB based)
     • Primarily aimed at research and complex virtual organisations with complex services and requirements
  14. Identity and access
  15. Shibboleth: Open source, standards based, software
     • Jisc is a board member and Principal Member of the Shibboleth Consortium on behalf of our community
     • The consortium ensures the development, maintenance and sustainability of the Shibboleth software
     • Software is free to use and open source
     • ~70% of entities in the UK federation use Shibboleth
  16. Managed services
     Currently in development… Watch this space
  17. Verification services
  18. Certificate service (Verifies: Web services)
     • We are a registration authority for issuing SSL (TLS) and email certificates to secure web services
     • Provides significant discount and cost-savings for our members
     • Free to join, per-certificate cost at present
     • Issued hundreds of thousands of certs
     • Reprocuring this year – watch this space for exciting news!
  19. Student voter registration (Verifies: Student voter enrolment)
     • Promotes civic engagement and helps an organisation meet its statutory requirements from the OfS
     • Shared service for students to register their term-time and home-time address to government to be able to vote in local and national elections
     • Additional paid-for service over and above Jisc membership
  20. Domain Registry (Verifies: DNS names)
     • Jisc is the domain registrar for:
       - .ac.uk
       - .gov.uk (on behalf of Cabinet Office)
       - .gov.scot (on behalf of Scottish Government)
       - .gov.wales / llyw.cymru (on behalf of Welsh Government)
     • Free to join, per-domain cost
     • Tens of thousands of domains managed
     • We verify all requests and therefore the underlying trust framework
     • (Jisc also runs the DNS itself)
  21. VerifID (Verifies: Studentness!)
     • Commercial verification of student status
     • Uses UK federation as source of data
     • Currently mostly used by providers of student discount
     • Paid-for service (by providers), per verification
     • Helps subsidise the UK federation
     • To ensure optimal student experience:
       - Ensure you are releasing “student” affiliation value as appropriate
  22. Member and professional services
  23. T&I helpdesk: Free support and guidance
     • Provides help, support and guidance for using any of the T&I services
     • Email trustandidentity@jisc.ac.uk or call 0300 300 2212.
  24. T&I consultancy: Paid-for bespoke support
     • For those with needs beyond our free helpdesk support
     • Targeted bespoke support, advice, training
     • Remote or in-person
     • One-off engagements through to retained expertise
     • Covers UK federation, Assent, eduroam, govroam, Identity Management, etc
  25. Jisc trust and identity services and Covid-19
  26. Covid-19 and Jisc’s T&I services: Largely business as usual
     • Our trust and identity services are designed to facilitate easy and secure access to anything, anywhere, anytime
     • Importance of the services has increased, but general requirements are the same
     • All staff now working from home, of course, but this hasn’t impacted any of our service or helpdesk offerings due to extensive pre-existing BCP planning
  27. Specific changes: However, some tweaking was desirable
     • Instituted service-wide change freeze during lockdown
       - Stability and reliability of services is paramount while membership adapts to new circumstances
     • UK federation metadata validity period temporarily increased
       - To ensure additional time to respond to issues in the management processes
     • Increased priority of support for gov.uk domain registry
       - Primary source of interaction between public and government
     • Domain suspension/expiry policy temporarily relaxed
       - Ensuring domains don’t “accidentally” expire (may be missed in the mayhem)
  28. Some advice and guidance: Across the services
     • Secure SSO to internal and external resources now of paramount importance
       - Ensure your UK federation IdP (whatever flavour) is up to date and configured correctly
       - Consider adopting R&S support in your IdP to enable your researchers to more easily collaborate on Covid-19 related research
     • Users are now primarily off-premise, BYOD usage increased
       - If you have any internally signed certificates, consider swapping for properly supported certs via our certificate service for fewer issues on non-managed devices
  29. Offerings to the membership
     • Free health-check for UK federation Shibboleth IdPs
       - Offered on a first-come-first-served basis, Shib IdP v3+ only
       - Usually undertaken remotely via our consultancy service
       - Ensure your Shib IdP is fully functioning and safe (OS patch state and IdP version checking, attribute and attribute release configuration check, resource checking, etc)
     • Three hours of free consultancy to help deal with any simple issues highlighted in the health-check
     • To register your interest, email trustandidentity@jisc.ac.uk
  30. Discussion and Q&A
     Facilitated by Mark Williams
  31. Thank you
     Dr Rhys Smith, Chief technical architect, trust and identity
     rhys.smith@jisc.ac.uk
     4 Portwall Lane, Bristol, BS1 6NB
     customerservices@jisc.ac.uk
     jisc.ac.uk

