FAM The Basics 13 Feb08

An overview of the position facing colleges in UK prior to the introduction of the UK Access Management Federation - created in Feb 08

Published in: Education, Technology

Slide 1. Federated Access Management: The Basics. 13 February 2008. Mike Moran, RSCni

Slide 2. LR Forum (Mike Moran, RSCni)
Access Management in College Libraries: Some Basics
Suppliers (licence providers) require:
- A sound system for identifying users of the service, so that they can:
  - ensure that the fees charged are correct;
  - confirm that the users are legitimate members of the college; and
  - hold the management of the college accountable for breaches of licence conditions, including infringement of copyright.
Colleges require:
- An effective connection system between the individual user and the supplier.

Slide 3. Solutions Tried So Far
- Authentication of users by checking the IP address of their computer
- Authentication using a directory of users specific to the college library
- Authentication using the overall directory structure of the college network, of which the library users are a defined community
Limitations for users and suppliers:
- If more than one person normally uses a computer, or many users reach the supplier from one shared address (a proxy or gateway server), the supplier cannot accurately count the number of users and cannot be sure that each user is legitimate
- Users have to sign on separately to each online service of the library: multiple usernames and passwords per person
- Single Sign On is possible, but the directory structure then needs careful construction and updating so that the set of library users stays current: not every college member is necessarily a legitimate user of the licensed services

Slide 4. So, along comes Federated Access Management
Its features:
- Based on the principle of trust between suppliers and users
- Trust could operate on a 1:1 basis between a college and a supplier
- But this would mean large costs for the supplier to maintain a large number of individual relationships with colleges, costs that would be passed on to the users
- So if users form groups (Federations) and the group as a whole can be trusted by the suppliers, then the individual admin costs are reduced and the potential savings to both parties become real
- The working relationship then depends on three components:
  - the licensed service on offer from the supplier(s);
  - the constructed identities of the client college; and
  - a piece of software that, each time a user requests the service, confirms to the supplier that the identity is legitimately connected to the college before the service is released.

Slide 5. The Gateways (diagram; only its labels survive)
Diagram labels: Athens institution; UK Access Management Federation; federated institution; Athens Central; Athens-protected resource; federated resource; IdP Gateway; SP Gateway.
Note: Athens is referred to here simply for comparison with many existing situations.

Slide 6. IdP Gateway and SP Gateway
Identity Provider (IdP) Gateway: outputs the data that confirms that the user requesting the service is a registered student or staff member of the college concerned. This can be done with the minimum amount of personal information passing directly to the supplier.
Service Provider (SP) Gateway: confirms that the IdP data sent by the college matches the access rights the college has paid for (even if the service is free) and causes the release of the item.

Slide 7. Shibboleth Flow Diagram (see handout for explanation; only the diagram's labels survive)
Diagram labels: User; Service Provider (SP); Identity Provider (IdP) = College or its agent; Where Are You From (WAYF); flows numbered 1 to 8 (explained on the next slide).
Note on the diagram: the amount of information provided here (by the IdP) can be managed by the College.

Slide 8. Shibboleth Flow Diagram
The previous diagram shows the flows which can occur during a typical Shibboleth-enabled transaction, with the browser user arriving at the Service Provider site without an existing session and without the Service Provider knowing anything about the user's home institution. There are many variations on this flow, most of them a lot simpler. Later versions of Shibboleth will be able to operate in other ways, and the terminology used for the components is subject to change, but this is offered as a starting point.
1. The User attempts to access a Shibboleth-protected resource on the Service Provider site.
2. The User is redirected to the federation WAYF.
3. The User selects his or her home institution (Identity Provider*) from the list presented by the WAYF.
4. The Identity Provider, by whatever means it deems appropriate, ensures that the User is authenticated.
5. After successful authentication, a one-time Handle (an opaque identifier that stands in for the user for this session and carries no personal data) is generated and sent to the Service Provider inside a signed assertion: think of it like a ticket at the deli counter. The Service Provider accepts the Handle only if the signature verifies against a key that the federation's metadata publishes for that Identity Provider; this is the technical form of the trust described on slide 4.
6. The Service Provider uses the Handle to request attribute information about this user from the Identity Provider.
7. The Identity Provider, on the basis of its Attribute Release Policy, allows or denies the release of attribute information to this Service Provider.
8. Based on the attribute information available to it, the Service Provider allows or refuses the User access to the resource.
* Although the User's home institution is taken in the above summary to be equivalent to the Identity Provider, an institution may in fact choose to outsource the Identity Provider function to another organisation. This does not affect the principle of operation.

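The exchange on this slide, together with the "minimum personal information" point of slide 6, as an added worked example in Python that is not part of the original deck and not the Shibboleth software itself. A college IdP authenticates a user, issues a one-time Handle inside an assertion, and later answers the SP's attribute query according to a per-SP release policy; the SP checks the assertion against the key it holds for that IdP before authorising on the released attributes. The entity IDs, user records, passwords and attribute values are constructed, and an HMAC over a canonical string stands in for the XML signature, a dict for the federation metadata, and an honest `sp_entity_id` argument for the TLS client authentication a real SP performs when it queries attributes.

```python
"""Toy model of the Shibboleth flow on slide 8 (added example, not from the deck).

Assumptions: HMAC replaces the XML signature on the assertion, a dict replaces
federation metadata, and the SP is taken to have already proved its identity
to the IdP when it queries attributes. All names and data are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Assertion:
    issuer: str     # IdP entityID
    audience: str   # SP entityID the assertion was issued for
    handle: str     # opaque one-time identifier, the "deli-counter ticket"
    signature: str


def _payload(issuer, audience, handle):
    return f"{issuer}|{audience}|{handle}".encode()


class IdentityProvider:
    """Steps 4, 5 and 7: authenticate, issue a handle, apply the release policy."""

    def __init__(self, entity_id, key, directory, release_policy):
        self.entity_id = entity_id
        self.key = key                        # signing key; its public half sits in metadata
        self.directory = directory            # username -> {"password", "attributes"}
        self.release_policy = release_policy  # SP entityID -> attribute names it may see
        self.live_handles = {}                # handle -> (username, SP entityID)

    def authenticate(self, username, password, sp_entity_id):
        # Constructed password check; a real IdP defers to the college SSO / LDAP.
        user = self.directory.get(username)
        if user is None or user["password"] != password:
            return None
        handle = secrets.token_urlsafe(16)
        self.live_handles[handle] = (username, sp_entity_id)
        sig = hmac.new(self.key, _payload(self.entity_id, sp_entity_id, handle),
                       hashlib.sha256).hexdigest()
        return Assertion(self.entity_id, sp_entity_id, handle, sig)

    def attribute_query(self, sp_entity_id, handle):
        # pop(): a handle resolves exactly once, so a replayed handle fails.
        entry = self.live_handles.pop(handle, None)
        if entry is None or entry[1] != sp_entity_id:
            return None
        username = entry[0]
        allowed = self.release_policy.get(sp_entity_id, set())
        attrs = self.directory[username]["attributes"]
        return {name: value for name, value in attrs.items() if name in allowed}


class ServiceProvider:
    """Steps 1, 6 and 8: verify the assertion against metadata, then authorise."""

    def __init__(self, entity_id, metadata, licensed_affiliation):
        self.entity_id = entity_id
        self.metadata = metadata                    # IdP entityID -> verification key
        self.licensed_affiliation = licensed_affiliation

    def assertion_is_valid(self, assertion):
        key = self.metadata.get(assertion.issuer)   # unknown issuer: not in the federation
        if key is None or assertion.audience != self.entity_id:
            return False
        expected = hmac.new(key, _payload(assertion.issuer, assertion.audience,
                                          assertion.handle), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion.signature)

    def access(self, idp, assertion):
        if assertion is None or not self.assertion_is_valid(assertion):
            return "deny: no valid assertion"
        attrs = idp.attribute_query(self.entity_id, assertion.handle)
        if attrs is None:
            return "deny: handle unknown or already used"
        if self.licensed_affiliation in attrs.get("eduPersonScopedAffiliation", []):
            return "allow"
        return "deny: released attributes do not match the licence"


def run_scenario():
    """Walk several constructed users through the flow and collect the outcomes."""
    key = b"college-idp-signing-key"
    directory = {
        "jsmith": {"password": "pw1", "attributes": {
            "eduPersonScopedAffiliation": ["member@college.ac.uk", "student@college.ac.uk"],
            "displayName": "J Smith"}},
        "visitor": {"password": "pw2", "attributes": {
            "eduPersonScopedAffiliation": ["affiliate@college.ac.uk"]}},
    }
    journals, other = "https://journals.example/sp", "https://other.example/sp"
    # Attribute Release Policy: the journals SP gets affiliation only, never displayName.
    idp = IdentityProvider("https://idp.college.ac.uk/shibboleth", key, directory,
                           {journals: {"eduPersonScopedAffiliation"}})
    metadata = {idp.entity_id: key}          # what federation metadata distributes to SPs
    sp = ServiceProvider(journals, metadata, "member@college.ac.uk")
    sp_other = ServiceProvider(other, metadata, "member@college.ac.uk")

    results = {}
    a = idp.authenticate("jsmith", "pw1", journals)
    results["student"] = sp.access(idp, a)
    results["replayed_handle"] = sp.access(idp, a)           # same ticket presented twice
    results["affiliate"] = sp.access(idp, idp.authenticate("visitor", "pw2", journals))
    results["bad_password"] = sp.access(idp, idp.authenticate("jsmith", "wrong", journals))
    results["no_release_policy"] = sp_other.access(idp, idp.authenticate("jsmith", "pw1", other))
    forged = Assertion(idp.entity_id, journals, "made-up-handle", "00" * 32)
    results["forged"] = sp.access(idp, forged)
    a2 = idp.authenticate("jsmith", "pw1", journals)
    results["released"] = sorted(idp.attribute_query(journals, a2.handle))
    return results
```

Running `run_scenario()` shows the refusals the slide's text only implies: a forged assertion fails verification before any attribute is requested, a Handle presented twice fails at step 6, an SP with no release policy receives an empty attribute set and so cannot authorise, and the affiliate who authenticates successfully is still refused because the released affiliation does not match the licence. The student's displayName is never released to the journals SP at all, which is the slide 6 point about minimum personal information.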
Slide 9. Why did we go down this Shibboleth route at all?
Posted by Nicole [Harris] on January 23rd, 2008
"There has obviously been a lot of debate in the last two days surrounding the regrettable announcement that JISC will no longer be funding the Federation Gateway Services [through a contract with Eduserv (Athens)]. This has led to people asking questions such as 'why did we go down this Shibboleth route at all?'. I thought it might be useful to go back to the beginning. Below is the vision statement (we are very MSP here) for the Access Management Transition Programme. I think it sums things up quite nicely.
The JISC Access Management Transition Programme aims to change the access management landscape within UK Further and Higher Education from a system predominantly based on proprietary systems to one with open standards at its core. The primary enabler of this change will be the introduction of federation access management and a strong recommendation to all institutions and organisations involved in education to implement access management solutions based on the SAML (Security Assertion Markup Language) standard.

Slide 10. (continued)
In supporting an open standards approach, rather than any particular technology, JISC hopes to:
- Improve the business decisions made by institutions in relation to identity, access and resource management
- Increase the commercial choice to institutions in relation to identity and access management technologies
- Reduce the impact and cost of vendor lock-in within the JISC community
- Embed knowledge within the community, rather than within any one organisation
- Place the principles of the JISC Information Environment at the core of the implementation of access management within its community
- Move towards a single sign-on environment for UK Further and Higher Education institutions across internal, external, and collaborative resources
The JISC Access Management Transition Programme runs from July 2006 to December 2008, and is funded and supported by the JISC Integrated Information Environment Committee (JIIE). Funding of £2.2 million has been allocated to this programme."

Slide 11. JISC 'Institutional Preparedness' Study [Mar 2007] (170 institutions)
Directory Services (categories overlap, since many institutions run more than one directory):
- 66% HE / 69% FE use Active Directory
- 31% HE / 13% FE use Novell eDirectory
- 27% HE / 31% FE use OpenLDAP*
Outsourcing / Delegation of Identity Management:
- 2% HE / 0% FE outsource directory / identity management
- 25% HE allow departmental control of identity management
Current use of Athens:
- Classic Athens: 57% HE / 78% FE
- AthensDA: 35% HE / 7% FE
* LDAP = Lightweight Directory Access Protocol, a standard for user directories

Slide 12. Benefits of joining the UK Access Management Federation
Benefits for Identity Providers (IdPs), typically schools, FE institutions, HE institutions and research institutes:
- Easier to comply with regulatory requirements (Data Protection Act 1998, etc.)
- Better service offered to users (more control)
- Can integrate with existing access management systems
- Can use the same access control for all resources, both internal and external: it can manage access to internal college repositories as well as to external services
- Fewer support problems (everything can be controlled centrally)
Benefits for End Users:
- Much less need to disclose your identity
- Personal data kept between you and your home organisation
- Publishers can tailor services better (preferences, special groups of users, etc.)
- (At least) one less password to remember

Slide 13. Benefits of joining the UK Access Management Federation (continued)
Benefits for Educational Sectors:
- Provides consistency across the whole of education for federated (distributed) authentication and authorisation
- Improves the user experience
- Pools experience and expertise
- Provides economies of scale for all sectors
- Facilitates sharing of content and collaboration across sectors

Slide 14. The JISC Position on the UK Federation
- In March 2006, JISC formally announced its intention to support federated access management as the preferred access management solution for UK Further and Higher Education
- Institutions will have to join the UK Federation to access JISC-funded resources
- The Federation is a combined venture between JISC and BECTA (and therefore will extend to schools as well as colleges)
- JISC will continue funding the Athens service until 31 July 2008
- Athens will be available via a subscription model after July 2008
- The recent announcement by JISC means that Athens is no longer the partner organisation for Federation IdP functions; other options can be considered by colleges
- A full support service will be made available to the JISC community to support the transition to the new service

Slide 15. (no text survives from this slide)

Slide 16. Institutional Options
1. Become a full member of the Federation using community-supported tools
   - Costs: institutional effort to implement the software, join the Federation and enhance institutional directories
   - Benefits: full institutional control, skilled staff, and an access management solution for internal, external and collaborative resources
2. Become a full member of the Federation using tools with paid-for support
   - Costs: cost of support from the supplier, and institutional effort in liaison with the supplier and the Federation
   - Benefits: full support in implementation, and an access management solution for internal, external and collaborative resources
3. Subscribe to an 'outsourced Identity Provider' to work through the Federation on your behalf
   - Costs: subscription to the external supplier (from July 2008) and an internal administration role
   - Benefits: minimum institutional effort, but access to external resources only

Slide 17. JISC Answers to some FAQs
11. How can I join the UK federation as an Identity Provider?
A potential Identity Provider (i.e. a college) will need to carry out the following activities:
1. Review the information structure within its institutional directory and ensure that it meets the required standards for exchanging information.
2. Adopt a Single Sign-On or Common ID solution for authentication.
3. Implement Identity Provider software.
4. Join the Federation (see the Federation website).
5. Roll out the service within the institution.
Help will be available for colleges: see below.

Slide 18. JISC Answers to some FAQs (continued)
18. What is the last point at which my institution can make a decision about joining the UK federation?
If you are currently using Athens, you can join the UK Access Management Federation at any time from November 2006 onwards. There is no end date for the Athens service, but see below (Q19).
19. What will happen to Athens?
Athens will continue as a fee-charging service. JISC is providing extensive support mechanisms for institutions wishing to adopt federated access management solutions. JISC will not be funding the Athens service beyond July 2008.

Slide 19. So, what are the next steps for a college?
Joining the UK federation as an Identity Provider: a potential Identity Provider (i.e. a college) will need to carry out the following activities:
1. Review the information structure within its institutional directory and ensure that it meets the required standards for exchanging information.
2. Adopt a Single Sign-On or Common ID solution for authentication.
3. Implement Identity Provider software.
4. Join the Federation [NO COST] (see the Federation website).
5. Roll out the service within the institution.
Apply for the support funding (if you haven't already). Talk to managers and colleagues and ensure that your college sends someone to the Netskills workshop.

Slide 20. Does all of this have anything to do with re-structuring or selecting a Library Management System?
Not directly, but there would be an advantage to sorting everything out at one time. Otherwise, the directory structures created for the UK Federation may have to be revisited when any new or re-configured LMS is installed.
