Australian Access Federation Robert Hazeltine Identity and Access Management Enterprise Systems Office

Page 1

Australian Access Federation

Robert Hazeltine

Identity and Access Management

Enterprise Systems Office

Page 2

Extending our reach

• UWS staff and students now belong to two networks - since 6 October 2009

• UWS network
  – Web sites and applications, and enterprise applications

• AAF network
  – participating universities and research institutions and other national federations

Page 3

Services

• data collections and data grids

• scientific instruments, modelling and visualisation tools and computing resources

• collaboration environments and workspaces for virtual teams

• scholarly resources and publications

• e-learning resources and learning object collections

• national higher education and research administration schemes

Page 4

How does it work ...

• Single sign on
  – local credentials

• Role based access control
  – Uses attributes; record keeping curtailed

• Public Key Infrastructure
  – Electronic passport

Page 5

• Identity Provider
  – the software run by an organisation with users wishing to access a restricted service

• Service Provider
  – the software run by the provider managing the restricted service

• Federation
  – Where are you from = “WAYF”
  – Public key infrastructure
  – Privacy a key consideration
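The three roles on this slide fit together as follows: the Identity Provider signs a set of attributes about the user, the federation's metadata (its public key infrastructure) tells every Service Provider which IdPs are trusted and which scope each may speak for, and the SP makes its own authorisation decision from the verified attributes. The Python below is an added illustration of that decision and is not code from the slides, the AAF or Shibboleth; the entity IDs, keys, scopes, policy and entitlement URN are constructed, and an HMAC over a JSON bundle stands in for the XML signature and X.509 certificate a real federation uses.

```python
import hashlib
import hmac
import json

# Constructed federation metadata: the IdPs the federation trusts, the key each
# one signs with, and the scope (domain) each may assert. In a real federation
# the key is an X.509 certificate distributed in signed SAML metadata; the
# shared HMAC key here is a stand-in so the example runs offline.
FEDERATION_METADATA = {
    "https://idp.example-uni.edu.au/idp/shibboleth": {
        "key": b"example-uni-signing-key",  # constructed
        "scopes": {"example-uni.edu.au"},
    },
    "https://idp.other-uni.edu.au/idp/shibboleth": {
        "key": b"other-uni-signing-key",  # constructed
        "scopes": {"other-uni.edu.au"},
    },
}

# Constructed SP access policy: who may reach the protected resource.
POLICY = {
    "affiliations": {"staff@example-uni.edu.au", "student@example-uni.edu.au"},
    "entitlements": {"urn:mace:example.org:library:reader"},  # constructed URN
}


def issue_assertion(idp_entity_id, attributes):
    """IdP side: bundle attributes with the issuer name and sign the bundle."""
    key = FEDERATION_METADATA[idp_entity_id]["key"]
    payload = json.dumps(
        {"issuer": idp_entity_id, "attributes": attributes}, sort_keys=True
    ).encode()
    signature = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def verify_assertion(assertion):
    """SP side: accept only assertions signed by an IdP in federation metadata.
    Returns (issuer, attributes) or None."""
    try:
        body = json.loads(assertion["payload"])
    except (ValueError, KeyError, TypeError):
        return None
    meta = FEDERATION_METADATA.get(body.get("issuer"))
    if meta is None:
        return None
    expected = hmac.new(meta["key"], assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("signature", "")):
        return None
    return body["issuer"], body["attributes"]


def filter_scoped(issuer, values):
    """Drop scoped values (e.g. staff@example-uni.edu.au) whose scope the issuing
    IdP is not registered for: an IdP may only vouch for its own users."""
    allowed = FEDERATION_METADATA[issuer]["scopes"]
    return [v for v in values if "@" in v and v.rsplit("@", 1)[1] in allowed]


def authorise(assertion):
    """Return (allowed, reason) for one assertion presented to the SP."""
    verified = verify_assertion(assertion)
    if verified is None:
        return False, "untrusted issuer or bad signature"
    issuer, attrs = verified
    affiliations = set(filter_scoped(issuer, attrs.get("eduPersonScopedAffiliation", [])))
    entitlements = set(attrs.get("eduPersonEntitlement", []))
    if affiliations & POLICY["affiliations"]:
        return True, "affiliation"
    if entitlements & POLICY["entitlements"]:
        return True, "entitlement"
    return False, "no matching affiliation or entitlement"


if __name__ == "__main__":
    home = "https://idp.example-uni.edu.au/idp/shibboleth"
    other = "https://idp.other-uni.edu.au/idp/shibboleth"
    staff = issue_assertion(home, {"eduPersonScopedAffiliation": ["staff@example-uni.edu.au"]})
    # A trusted IdP asserting another institution's scope: signature is valid,
    # but the scope filter discards the value, so access is refused.
    spoof = issue_assertion(other, {"eduPersonScopedAffiliation": ["staff@example-uni.edu.au"]})
    print(authorise(staff))  # (True, 'affiliation')
    print(authorise(spoof))  # (False, 'no matching affiliation or entitlement')
```

The scope filter is the detail practitioners most often miss: a signature only proves which IdP spoke, not that it was entitled to say "staff@example-uni.edu.au", so the SP must also check the scope against what federation metadata registers for that IdP.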

Page 6

Shibboleth

• Federated Single Sign On software
  – The Shibboleth system is a standards based, open source software package for web single sign-on across or within organisational boundaries. It allows sites to make informed authorisation decisions for individual access of protected online resources in a privacy-preserving manner

• Shibboleth leverages the organisation’s identity and access management system, so that the individual’s relationship with the institution determines access rights to services that are hosted both on and off campus

Page 7

• AAF site about the AAF
  – http://www.aaf.edu.au/

• UWS site about the AAF
  – http://www.uws.edu.au/campuses_structure/cas/services_facilities/it/single_sign-on

• US Shibboleth site
  – http://shibboleth.internet2.edu/about.html

• Swiss equivalent of the AAF
  – http://www.switch.ch/aai/demo/easy.html

Page 8

Your role in this

• Maybe no direct involvement yourself
• Finding uses for it
• Identifying your users as a group
• Telling your ITS contact your needs
• Giving us a little time to organise it
• Becoming an advocate

Pages 9-20: slides with no extracted text

Page 21

How does UWS turn the technology to its advantage?

Page 22

Thank you

Page 23

AAF core attributes

• authenticationMethod

• o (organisation)

• eduPersonAffiliation

• eduPersonScopedAffiliation

• eduPersonEntitlement

• eduPersonAssurance

• eduPersonTargetedID

• auEduPersonSharedToken

• displayName

• cn (common name)

• mail

Page 24

Identity Provider (Origin)

• Log on to a web site or application

• Shibboleth
  – Use the AAF “WAYF” for federation sites
  – Use the AAF “WAYF” for local only sites
  – Use the technology for local sites only

• No password is exchanged with SP
  – Attributes are encrypted
  – Anonymous, pseudo-anonymous, identifier
  – Uses your UWS password
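Two points on this slide and the core-attribute list on Page 23 are worth seeing in code: the SP never receives the password, only attributes the IdP chooses to release for that particular service, and the "pseudo-anonymous" identifier (eduPersonTargetedID) is different for every SP so that services cannot match the same person's activity. The Python below is an added example, not code from the slides, the AAF or Shibboleth. The IdP secret, directory record, entity IDs and per-SP release policy are constructed, and the identifier construction (HMAC-SHA256 over "SP entityID!internal user id" under an IdP-only secret) is an assumption chosen to show the pairwise property; it is not the slides' or Shibboleth's exact algorithm.

```python
import hashlib
import hmac

# Constructed per-IdP secret. It must never leave the IdP: with it, anyone could
# recompute identifiers and link one person's activity across services.
# Assumption: HMAC-SHA256 over "<SP entityID>!<internal user id>". This is an
# illustrative construction, not the algorithm used by any real IdP.
IDP_SECRET = b"constructed-idp-secret-salt"

# Constructed directory record. The password hash lives here and nowhere else;
# the user types the password to the IdP, and only attributes travel onward.
DIRECTORY = {
    "u1234": {
        "password_hash": "constructed-hash-never-released",
        "displayName": "A. Example",
        "cn": "A. Example",
        "mail": "a.example@example-uni.edu.au",
        "o": "Example University",
        "eduPersonScopedAffiliation": ["staff@example-uni.edu.au"],
        "eduPersonEntitlement": ["urn:mace:example.org:library:reader"],
    }
}

# Constructed per-SP release policy: each service gets only the attributes it
# needs. SPs not listed get the pseudonymous identifier and nothing else.
RELEASE_POLICY = {
    "https://library.example-uni.edu.au/shibboleth": {
        "eduPersonScopedAffiliation",
        "eduPersonEntitlement",
    },
    "https://wiki.example.org/shibboleth": {"displayName", "mail", "o"},
}


def targeted_id(sp_entity_id, internal_user_id):
    """Pairwise pseudonym: stable for one (SP, user) pair, unlinkable across SPs."""
    message = f"{sp_entity_id}!{internal_user_id}".encode()
    return hmac.new(IDP_SECRET, message, hashlib.sha256).hexdigest()


def release_attributes(sp_entity_id, internal_user_id):
    """IdP side: build the attribute bundle for one SP after local login."""
    record = DIRECTORY[internal_user_id]
    allowed = RELEASE_POLICY.get(sp_entity_id, set())  # default deny
    released = {name: record[name] for name in sorted(allowed) if name in record}
    released["eduPersonTargetedID"] = targeted_id(sp_entity_id, internal_user_id)
    return released


def is_linkable(sp_a, sp_b, internal_user_id):
    """True only if two SPs could match the user by comparing targeted IDs."""
    return targeted_id(sp_a, internal_user_id) == targeted_id(sp_b, internal_user_id)


if __name__ == "__main__":
    library = "https://library.example-uni.edu.au/shibboleth"
    wiki = "https://wiki.example.org/shibboleth"
    print(release_attributes(library, "u1234"))
    print(release_attributes(wiki, "u1234"))
    print("linkable across SPs:", is_linkable(library, wiki, "u1234"))  # False
```

The default-deny release policy is what makes the "privacy a key consideration" bullet concrete: an SP that is not in the policy learns nothing about the person except a pseudonym it can use to recognise a returning user.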

Page 25

Service Providers (Target)

• Australian Access Federation itself
• AAF member as service provider
• Confluence
• Library services
• On line learning
• No portal required

Page 26

Enterprise Directory

• Repository of attributes for various uses:
  – Australian Access Federation
  – White and green pages
  – Online voting
  – Authentication and authorization
  – Course Approval and Publication System
  – VoIP (new phone system)
  – Faster on boarding