UK Access Management Federation update
Rhys Smith, Chief technical architect, trust and identity, Jisc
Alex Stuart, Principal technical support specialist, Jisc
Operational update
>Web Single Sign-On based on SAML
>1131 member organisations; 2278 entities
>Research and Education: 100% HE, ~80% FE, and representation from schools, government, public libraries, NHS
>Federation to solve the problem of N² pairwise interactions*
>Interfederation through eduGAIN allows interoperability with thousands more entities from 50 other federations*
Some numbers...
* some conditions apply
Data: 1-Mar-2018 00:00:00
[Chart: Registered Entities by Type; SPs and IdPs plotted from Dec 2006 to Jun 2017, y-axis "Entities" 0 to 1500]
Type of entities 1
>500 Shibboleth IdPs (66%) and OpenAthens (30%)
>Recent security advisories reported on the Shibboleth announce list:
  >LDAPS connector using non-standard configuration
  >ROBOT
>Shibboleth IdP v2 to v3 transition: a minority of IdPs are still on v2 (end of life was July 2016)
Type of entities 2: IdPs
>Publishers, collaboration tools, research project sites, gateways to e-Infrastructures, business apps, student sites, inventories...
>Linear growth “for ever”
>Over 1000 Shibboleth SPs (75%) with a long tail of other types of software (many open source libraries, some products)
>Security advisories in the last 12 months distributed on Shibboleth announce:
  >XMLTooling x 2
  >ROBOT
  >MDQ client misconfiguration
Type of entities 3: SPs
>99% support SAML 2, so can we just turn off SAML 1?
>Unfortunately, support != use
>Using the WAYF protocol with the Central Discovery Service implies SAML 1, so in June 2017 we deprecated the WAYF protocol
>MDUI support (primarily logos) at 30%
>Algorithmic agility for XML cryptography
Protocol support
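The "support != use" point and the 30% MDUI figure are both things an operator can measure from the federation's published metadata. The following is an added example, not code from the UK federation or Jisc: it walks a SAML metadata aggregate and reports, per role, whether SAML 1.1 is still advertised in protocolSupportEnumeration, how many SAML 1.0-binding endpoints remain, and whether an mdui:Logo is present. The aggregate embedded in the script is constructed for the example; the namespace URIs and binding identifiers are the standard SAML ones. To run it against real metadata, pass the aggregate text to audit_aggregate instead of SAMPLE_AGGREGATE.

```python
import xml.etree.ElementTree as ET

# Standard SAML metadata namespaces (not page-specific values).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
SAML1_PROTOCOL = "urn:oasis:names:tc:SAML:1.1:protocol"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample aggregate (not UK federation metadata): a legacy SP that
# still advertises SAML 1.1, a SAML 2-only SP with an MDUI logo, and one IdP.
SAMPLE_AGGREGATE = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui"
    Name="urn:example:constructed-aggregate">
  <md:EntityDescriptor entityID="https://sp-legacy.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
          Location="https://sp-legacy.example.ac.uk/Shibboleth.sso/SAML/POST"/>
      <md:AssertionConsumerService index="2"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp-legacy.example.ac.uk/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-modern.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Modern SP</mdui:DisplayName>
          <mdui:Logo height="60" width="80">https://sp-modern.example.ac.uk/logo.png</mdui:Logo>
        </mdui:UIInfo>
      </md:Extensions>
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp-modern.example.ac.uk/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def audit_entity(entity):
    """Return one row per SP/IdP role found in a single md:EntityDescriptor."""
    entity_id = entity.get("entityID")
    rows = []
    for role_name in ("SPSSODescriptor", "IDPSSODescriptor"):
        for role in entity.findall(f"md:{role_name}", NS):
            protocols = set(role.get("protocolSupportEnumeration", "").split())
            # Endpoints bound with a SAML 1.0 profile are the concrete sign of
            # SAML 1 being reachable, not just declared.
            saml1_endpoints = [
                ep for ep in role.iter() if "SAML:1.0" in (ep.get("Binding") or "")
            ]
            logos = role.findall("md:Extensions/mdui:UIInfo/mdui:Logo", NS)
            rows.append({
                "entityID": entity_id,
                "role": "SP" if role_name.startswith("SP") else "IdP",
                "supports_saml1": SAML1_PROTOCOL in protocols,
                "supports_saml2": SAML2_PROTOCOL in protocols,
                "saml1_endpoints": len(saml1_endpoints),
                "has_mdui_logo": bool(logos),
            })
    return rows


def audit_aggregate(xml_text):
    """Audit every EntityDescriptor in an aggregate (nested EntitiesDescriptors included)."""
    root = ET.fromstring(xml_text)
    rows = []
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        rows.extend(audit_entity(entity))
    return rows


def summarise(rows):
    """Headline counts for SPs, the role the slide's percentages refer to."""
    sps = [r for r in rows if r["role"] == "SP"]
    return {
        "entities": len(rows),
        "sps": len(sps),
        "sps_saml1": sum(r["supports_saml1"] for r in sps),
        "sps_saml2_only": sum(r["supports_saml2"] and not r["supports_saml1"] for r in sps),
        "sps_with_logo": sum(r["has_mdui_logo"] for r in sps),
    }


if __name__ == "__main__":
    audit_rows = audit_aggregate(SAMPLE_AGGREGATE)
    for row in audit_rows:
        print(row)
    print(summarise(audit_rows))
```

The protocolSupportEnumeration attribute alone overstates SAML 1 use, which is why the script also counts SAML 1.0-binding endpoints; an SP that declares SAML 1.1 but exposes no SAML 1 AssertionConsumerService is a candidate for cleanup rather than a live dependency.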
New initiatives
MDQ: MD distribution 2.0
>Not really “new” any more - live for over a year
>What is it?
  >Traditional MD distribution is regular syncing of the whole metadata aggregate – currently 36MB
  >MDQ is just-in-time fetching of bits of metadata instead
>FAR lower resource requirements for software
  – IdP uses far less memory
  – SP will start up far faster
>Currently ~10% of clients now using MDQ.
>But the traffic for that 10% is 0.0001% of total
MDQ
UKf metadata distribution
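To make the "just-in-time fetching of bits of metadata" concrete, here is an added example (not UK federation or Shibboleth code) of the two pieces an MDQ client needs: building the per-entity request URL as the Metadata Query Protocol specifies it, and applying the consumer-side checks before trusting what comes back. The base URL is a hypothetical placeholder; the two EntityDescriptor responses are constructed for the example. The signature check here only tests that a ds:Signature element is present; a real client must verify that signature against the federation's signing certificate with an XML-DSig library, which is outside this script. These are the generic checks, not a description of the "MDQ client misconfiguration" advisory mentioned earlier.

```python
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Hypothetical MDQ base URL; substitute the federation's published endpoint.
MDQ_BASE_URL = "https://mdq.example.org"


def mdq_url(base_url, entity_id, transform=True):
    """Return the MDQ request URL for one entityID.

    With transform=True the identifier is the '{sha1}' transformed form
    (hex SHA-1 of the entityID), which keeps URLs short and avoids
    double-encoding of entityIDs that are themselves URLs. Either way the
    identifier is percent-encoded as a single path segment under /entities/.
    """
    if transform:
        identifier = "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()
    else:
        identifier = entity_id
    return base_url.rstrip("/") + "/entities/" + urllib.parse.quote(identifier, safe="")


def parse_saml_datetime(value):
    """Parse an xs:dateTime as used in SAML metadata (UTC, trailing 'Z')."""
    base = value.split(".")[0].rstrip("Z")  # drop fractional seconds if present
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_mdq_response(xml_text, now):
    """Apply the checks a client must not skip on a fetched EntityDescriptor.

    A just-in-time client has no aggregate to fall back on, so an unsigned or
    expired response must be rejected rather than cached.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("expected a single md:EntityDescriptor")
    findings = []
    # Presence only; cryptographic verification needs an XML-DSig library.
    if root.find("{%s}Signature" % DS_NS) is None:
        findings.append("unsigned")
    valid_until = root.get("validUntil")
    if valid_until is None:
        findings.append("no validUntil")
    elif parse_saml_datetime(valid_until) <= now:
        findings.append("expired")
    return {
        "entityID": root.get("entityID"),
        "validUntil": valid_until,
        "cacheDuration": root.get("cacheDuration"),  # ISO 8601 duration, e.g. PT6H
        "findings": findings,
        "ok": not findings,
    }


# Constructed responses (not real federation metadata). FRESH carries a
# placeholder signature element and a future validUntil; STALE has neither.
FRESH_RESPONSE = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.ac.uk/idp/shibboleth"
    validUntil="2018-03-15T00:00:00Z" cacheDuration="PT6H">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

STALE_RESPONSE = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.ac.uk/shibboleth"
    validUntil="2018-02-01T00:00:00Z">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
"""


if __name__ == "__main__":
    now = datetime(2018, 3, 1, tzinfo=timezone.utc)
    print(mdq_url(MDQ_BASE_URL, "https://idp.example.ac.uk/idp/shibboleth"))
    print(mdq_url(MDQ_BASE_URL, "https://idp.example.ac.uk/idp/shibboleth", transform=False))
    print(check_mdq_response(FRESH_RESPONSE, now))
    print(check_mdq_response(STALE_RESPONSE, now))
```

The resource saving the slide describes comes from fetching one EntityDescriptor per peer on demand instead of a 36MB aggregate; the cost is that every response is an independent trust decision, so validUntil and the signature are checked on each fetch rather than once per aggregate refresh.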
Discovery
>UKf CDS serves ~4,000,000 CDS flows/month
>Very stable and reliable, but running on old code
>Currently deciding what to replace it with
>Awaiting results of RA21 working group
>Don’t worry – look and feel will remain as consistent as possible (hopefully identical)
Central Discovery Service
UKf CDS usage
Self Service
>Web portal on the Jisc community website to manage your own entities, domains, etc.
>Can still make use of the helpdesk if you’re worried or unsure about making changes!
>Coming later this year (finally)
Self Service
And various other things
>For example:
  >Improving quality of UKf Metadata
  >UKf working with eduGAIN to improve quality of international metadata – better global interoperability
  >Managed Federation – rebuilding UKf backend systems in a containerised, deployable way, to let us run other federations’ backend systems
  >Rebuilding distribution infrastructure for MFS – UKf infrastructure should become even more resilient and performant
  >Tracking OIDC and other emerging technologies
Behind the scenes tweaking
Rhys Smith
Chief technical architect, trust and identity
rhys.smith@jisc.ac.uk
We have been...
service@ukfederation.org.uk
jisc.ac.uk/uk-federation
Alex Stuart
Principal technical support specialist (UK federation)
alex.stuart@jisc.ac.uk
Any questions? /
Thank you
