Australian Access Federation

Robert Hazeltine

Identity and Access Management

Enterprise Systems Office

Extending our reach

• UWS staff and students now belong to two networks - since 6 October 2009
• UWS network
– Web sites and applications, and enterprise applications
• AAF network
– participating universities and research institutions and other national federations

Services

• data collections and data grids

• scientific instruments, modelling and visualisation tools and computing resources

• collaboration environments and workspaces for virtual teams

• scholarly resources and publications

• e-learning resources and learning object collections

• national higher education and research administration schemes

How does it work ...

• Single sign on
– local credentials
• Role based access control
– Uses attributes and record keeping curtailed
• Public Key Infrastructure
– Electronic passport
• Identity Provider
– the software run by an organisation with users wishing to access a restricted service
• Service Provider
– the software run by the provider managing the restricted service
• Federation
– Where are you from = “WAYF”
– Public key infrastructure
– Privacy a key consideration

Shibboleth

• Federated Single Sign On software

– The Shibboleth system is a standards based, open source software package for web single sign-on across or within organisational boundaries. It allows sites to make informed authorisation decisions for individual access of protected online resources in a privacy-preserving manner

• Shibboleth leverages the organisation’s identity and access management system, so that the individual’s relationship with the institution determines access rights to services that are hosted both on and off campus

• AAF site about the AAF
– http://www.aaf.edu.au/
• UWS site about the AAF
– http://www.uws.edu.au/campuses_structure/cas/services_facilities/it/single_sign-on
• US Shibboleth site
– http://shibboleth.internet2.edu/about.html
• Swiss equivalent of the AAF
– http://www.switch.ch/aai/demo/easy.html

Your role in this

• Maybe no direct involvement yourself
• Finding uses for it
• Identifying your users as a group
• Telling your ITS contact your needs
• Giving us a little time to organise it
• Becoming an advocate

How does UWS turn the technology to its advantage?

Thank you

AAF core attributes

• authenticationMethod

• o (organisation)

• eduPersonAffiliation

• eduPersonScopedAffiliation

• eduPersonEntitlement

• eduPersonAssurance

• eduPersonTargetedID

• auEduPersonSharedToken

• displayName

• cn (common name)

• mail

Identity Provider (Origin)

• Log on to a web site or application
• Shibboleth
– Use the AAF “WAYF” for federation sites
– Use the AAF “WAYF” for local only sites
– Use the technology for local sites only
• No password is exchanged with SP
– Attributes are encrypted
– Anonymous, pseudo-anonymous, identifier
– Uses your UWS password
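The attribute-driven access control described under “How does it work”, and the pseudonymous identifiers among the AAF core attributes, come together in the decision a Service Provider makes from released attributes alone. The following is an added example, not code from the presentation or from Shibboleth; it assumes the Shibboleth SP has already verified the IdP's signed assertion, and the issuer URL, scope and entitlement value are constructed placeholders.

```python
"""SP-side attribute check using the AAF core attributes (added example,
not the presentation's own code). Assumes the Shibboleth SP has already
verified the IdP's signed assertion; the issuer URL, scope and entitlement
value below are constructed placeholders, not real AAF values."""
from dataclasses import dataclass

# Hypothetical federation metadata: the scope(s) each IdP may assert.
IDP_SCOPES = {"https://idp.example-uni.edu.au/idp/shibboleth": {"example-uni.edu.au"}}
ALLOWED_AFFILIATIONS = {"staff", "student"}
REQUIRED_ENTITLEMENT = "urn:mace:example.edu.au:datagrid"  # constructed value

# Constructed attribute set, as a Shibboleth SP might hand it to the application.
SAMPLE_ATTRS = {
    "eduPersonTargetedID": "ZmFrZS1vcGFxdWUtaWQ=",  # opaque, per-SP pseudonym
    "eduPersonScopedAffiliation": ["staff@example-uni.edu.au"],
    "displayName": "R. Example",
}


@dataclass
class Decision:
    allowed: bool
    subject: str  # pseudonymous key the SP may store; never the user's password
    reason: str


def authorize(issuer: str, attrs: dict) -> Decision:
    """Authorise from released attributes only; no password ever reaches the SP."""
    # eduPersonTargetedID is a per-SP pseudonym (not linkable across services);
    # auEduPersonSharedToken is the persistent federation-wide alternative.
    subject = attrs.get("eduPersonTargetedID") or attrs.get("auEduPersonSharedToken")
    if not subject:
        return Decision(False, "", "no pseudonymous identifier released")
    # Scope check: an IdP may only assert affiliations for scopes it owns, so a
    # misconfigured IdP cannot claim "staff@other-uni.edu.au" for its users.
    affiliations = set()
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = value.partition("@")
        if scope not in IDP_SCOPES.get(issuer, set()):
            return Decision(False, subject, f"scope {scope!r} not owned by issuer")
        affiliations.add(affiliation)
    # Role-based rule: qualifying affiliation or an explicit entitlement value.
    if affiliations & ALLOWED_AFFILIATIONS or REQUIRED_ENTITLEMENT in attrs.get("eduPersonEntitlement", []):
        return Decision(True, subject, "affiliation or entitlement satisfied")
    return Decision(False, subject, "no qualifying affiliation or entitlement")


if __name__ == "__main__":
    print(authorize("https://idp.example-uni.edu.au/idp/shibboleth", SAMPLE_ATTRS))
```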

Service Providers (Target)

• Australian Access Federation itself
• AAF member as service provider
• Confluence
• Library services
• On line learning
• No portal required

Enterprise Directory

• Repository of attributes for various uses:
– Australian Access Federation
– White and green pages
– Online voting
– Authentication and authorization
– Course Approval and Publication System
– VoIP (new phone system)
– Faster on boarding
