Copyright JNT Association 2005 Copyright JNT Association 2008 www.ukfederation.org.uk An Introduction to Access Management and the UK Federation Simon Cooper JANET(UK)


Overview

• What is access management?
• What is Shibboleth?
• UK Access Management Federation
• The Benefits
• How to Apply
• Participation options
• Support
• Membership


What is Access Management?

In this context = Controlling access to online resources

Authentication
• Is a user who they say they are?
– Identity

Authorisation
• What is the user allowed to access?
– Rights


Legacy access management

• User’s identity and personal data are known to all
• Publisher knows more than it wants and less than it needs

[Diagram: Identity Provider (IdP), Service Provider (SP), Site Licence; speech labels: “Are you a licensed user?”, “I’m “AJones/T,t<*?I1””, “?”]


Federated Access Management

• User’s identity and personal data are protected
• Publisher knows exactly what it needs

[Diagram: Identity Provider (IdP), Service Provider (SP), Site Licence; speech labels: “Are you a licensed user?”, “I’m “AJones/T,t<*?I1”, am I?”, “Yes, you’re licensed”, “They say I’m licensed”, “OK!”]


How is this achieved?

• Through the use of attributes

• Permits fine-grained authorisation

• “Law Student” or “Staff Member”, not an individual username and password

• Service Providers can only ask for what they need
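
An added example, not part of the original slides, of the attribute flow described above: the IdP releases only the attributes each SP needs, and the SP authorises on role or entitlement without seeing a username or password. The eduPerson attribute names, entity IDs, scopes, the `release_attributes` and `authorise` functions, and the check that an IdP only asserts scopes registered to it are all assumptions made for illustration.

```python
# Added illustration; every entity ID, scope and attribute value is constructed.
# Attribute names follow the eduPerson schema (an assumption; the slides name none).

USER_RECORD = {  # what the home organisation (IdP) holds after local login
    "username": "ajones",
    "mail": "a.jones@uni.example",
    "eduPersonScopedAffiliation": ["student@uni.example"],
    "eduPersonEntitlement": ["urn:example:entitlement:law-library"],
}

RELEASE_POLICY = {  # IdP side: per-SP list of attributes the SP needs
    "https://journals.example/sp": {"eduPersonScopedAffiliation"},
    "https://lawdb.example/sp": {"eduPersonScopedAffiliation",
                                 "eduPersonEntitlement"},
}

REGISTERED_SCOPES = {  # SP side: scopes each registered IdP may assert
    "https://idp.uni.example/idp": {"uni.example"},
}
LICENSED_SCOPES = {"uni.example"}  # organisations holding a site licence


def release_attributes(user, sp_entity_id):
    """IdP: release only the attributes listed for this SP (unknown SP: none)."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {name: value for name, value in user.items() if name in allowed}


def authorise(issuer, attrs, affiliations, entitlement=None):
    """SP: decide from asserted attributes alone; no username or password seen."""
    trusted = REGISTERED_SCOPES.get(issuer, set())
    licensed = False
    for value in attrs.get("eduPersonScopedAffiliation", []):
        affiliation, _, scope = value.partition("@")
        # Ignore scopes the issuing IdP is not registered for, or unlicensed ones.
        if scope in trusted and scope in LICENSED_SCOPES and affiliation in affiliations:
            licensed = True
    if not licensed:
        return False
    return entitlement is None or entitlement in attrs.get("eduPersonEntitlement", [])


if __name__ == "__main__":
    idp = "https://idp.uni.example/idp"
    for sp in RELEASE_POLICY:
        attrs = release_attributes(USER_RECORD, sp)
        print(sp, sorted(attrs), authorise(idp, attrs, {"student", "staff"}))
```
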


What is Shibboleth?

• An open source, standards-based solution that meets organisations’ need to exchange information about their users in a secure, privacy-preserving manner

• Recommended software for UK federation participation


What is the UK federation?

• A set of Rules that binds members

• For UK schools, FE, HE and research

• Organisations and institutions providing services to these sectors

• Jointly funded by JISC and Becta

• Operational management by JANET(UK)


What is the UK federation?

A secure framework that allows:

• students to access protected online web resources based on information asserted by their home organisation.

• providers of online resources to control access to their services.


Benefits: for Users

• Much less need to disclose your identity
• Personal data kept between you and your home organisation
• Service providers can tailor services better
• (At least) one less password to remember
• Access to online resources from anywhere


Benefits: for Organisations

• Uses existing authentication infrastructure
• Can be used to protect internal resources
• No annual subscription fee
• Software free to download and use
• Easier to comply with regulatory requirements
– Data Protection Act 1998


Benefits: for Service Providers

• No need to maintain your own user database
– Authentication is done for you by home organisation
– Can authorise per institution, role, and/or entitlement
• Reduction in user support
• No annual subscription fee
• Software free to download and use
• Reduced data protection compliance burden
– Less storage/processing of personal data
• Users take better care of credentials


How to apply?

• Senior member of organisation signs up to federation Rules of Membership

• JANET(UK) verify contact details

• Membership confirmed.

• Organisation (usually IT staff) registers participating servers with the federation


How to participate

1. a) In-house: run and support your own Identity Provider (IdP)

b) Hybrid: run your own IdP, provided and supported by a third party

2. Outsource: Third party run IdP under contract

http://www.jisc.ac.uk/publications/publications/identityprovidersbpv1.aspx


In-house Approach

• Shibboleth IdP is a Java application
– Runs on Linux, Unix, Windows, Mac.

• Installation is straightforward.

• Some configuration is required.

• Community support


Shibboleth on Windows

• Project Commenced March 08.

• Case Studies + documentation.

• Free to community.

• Release end of May.


Who does what?

• Internal Collaboration is essential
• IT department must be involved from the outset
• Senior management may require a business case (see JISC Business Case Toolkit)

• Senior management sign the membership agreement


What help is available?

– JANET(UK) helpdesk
– Website: www.ukfederation.org.uk/
– Mailing lists
– Training courses:
http://www.ja.net/services/training/
http://www.netskills.ac.uk/content/products/workshops/range/accman.html
– Regional events (Brighton, 29th April)


Who has joined?

• 247 members (10th March)

• Sector breakdown
– 75 FE
– 106 HE
– 7 LA/RBC


What services are available?

• 47 Commercial Service Providers or Publishers

• Ovid, Elsevier, Microsoft, BBC, Digimap, JISCmail, JVCS Booking Services,

• Full list of Services: http://www.ukfederation.org.uk/content/Documents/AvailableServices

• Dialogue with Service Providers: http://access.jiscinvolve.org/federated-access-and-publishers


When should you join?

• Now! (get the admin out of the way)
• Audit your existing infrastructure and assess organisation’s readiness
• Implement your IdP
• Roll out within organisation
• Consider federating internal services


Questions?

More info:

www.ukfederation.org.uk

E-mail lists:[email protected]@jiscmail.ac.ukJISC-shibboleth@[email protected]