LGfL Project Report: Proof of Principle of the Shibboleth Authentication & Authorisation Infrastructure (AAI)
Ray Collins, 27th September 2005, LGfL Project – workshop report



Session contents

• Drivers behind the project
• Methodology of the project
• Objectives & deliverables
• Work packages
• Participants
• Production infrastructure
• Issues to emerge
• Recommendations to Becta from the project
• Key stages for the National Strategy
• Becta AAI Federation ... the foundations ...
• National strategy ... work packages and service elements ...
• Becta AAI Federation ... the structure ...
• Becta AAI Federation ... the relationships ...
• National Strategy ... Phasing option ...
• Post-project developments


Drivers behind the project

• Existing demand from LEAs and end-users
– Educationally desirable for learning
– Solution to overcome management issues
• Emerging demand from Government
• Natural progression from previous projects
– Unified sign-on – LGfL
– Proof of concept – Leeds / IBIS
• Proof of concept worked at a technical level, however
– ‘in the lab’
– single vendor only
• Needed evidence that concept worked ‘in the wild’


Methodology of the project

• Prince 2 approach to project
• Formalised project board
• Project plan
• Project objectives
• Project deliverables
• Work packages
• Staged ‘work in progress’ demos at BETT & NAACE
• Quality acceptance plan and tests
• External evaluation report


Objectives and deliverables

• Objectives:
– To examine the Shibboleth model in further depth in a ‘real world’ environment
– To provide additional evidence of the validity of the Shibboleth model
– To identify issues arising out of this further examination
• Deliverables:
– a working production environment that implements the architecture for the following Shibboleth entities: origin, target and WAYF
– public demonstrations of the working of this architecture
– two documents that will both evaluate the above environment and identify issues that require addressing in the preparation and implementation phases of a national rollout of an AAA system based upon Shibboleth architecture


Work packages

• 6 packages addressing:
– Production environment infrastructure
– Requirements for suppliers of identity and service provider services
– Demonstrations at BETT and NAACE
– Contractual matters around Escrow and SLAs
– Issues of security, interoperability and strategy
– External evaluation


Participants

• Atomwide
• Digitalbrain
• LGfL
• Becta
• PenCompass
• IBIS
• 33 LGfL LEAs + LEAs in 9 other RBCs
• Plus contact / research:
– Internet2, SWITCH, FEIDE, InCommon, JISC


Production infrastructure

Diagram (not reproduced here): Shibboleth Architecture & Services – Topology, entities and relationships, Version 1.8b, 14th April 2005. Groupings labelled on the diagram: Federation services (delivered by Atomwide for the LGfL Trust); Atomwide-delivered services; digitalbrain-delivered services; RBC / LEA / School / 3rd-party (3rd-party IDP / SP supplier services); UK or international end-users’ browser (type & settings). Hosting locations shown: Orpington, Telehouse, Stoke on Trent, Medway. Entities labelled on the diagram:
• Identity Provider server idp1.lgfl.org.uk (paired & randomising with IDP2)
• Identity Provider server idp2.lgfl.org.uk (paired & randomising with IDP1)
• Identity Provider clustered server login.digitalbrain.com
• Identity Provider server ANOx.YYY.co.uk
• Service Provider servers users.lgfl.org.uk, shib.lgfl.org.uk
• Service Provider server content.lgfl.org.uk
• Service Provider server ANOcontent.YYY.co.uk
• Gateway / Service Provider server gateway.dbplc.com
• Content server www.lgfl.net
• WAYF wayf.org.uk (dedicated)
• WAYF ‘virtual’ wayf.org.uk (N instances, logical clustering)
• WAYF database on SQL1 and SQL2, with replication services
• DNS server dns2.lgfl.org.uk (PRIMARY)
• NTP server dns.lgfl.org.uk (SECONDARY)
• DNS server dns7.qzxyz.com
• USO database; LGfL.NET user database; ANO user database
• LGfL.NET Portals; LGfL application(s); ANO application(s)
• NAS back-up


Issues to emerge

• UK school sector only participant at this sector level on the international Shibboleth stage
• UK school sector is fundamentally different from HE/FE
• Shibboleth-compliant AAI does work in the schools’ market place
• Design must be technically resilient and reliable
• Trust between all participants is a major key to success
• Successful implementation will not occur if left to existing market forces
• Insufficient mandate / resources within RBC / LEAs to implement a national solution


Recommendations to Becta from the project

• Adopt Shibboleth as the authentication & authorisation infrastructure for UK schools and LEAs
• Adhere strongly to the Internet2 version
• Establish a Federation focussed on the schools’ sector
• The Federation must be commercially vendor-independent
• Becta should directly run or commission the Becta AAI Federation
• All participating entities to be compelled to do so through a formalised set of contracts
• Participating entity processes and standards should be subject to formal accreditation
• All entities must comply with data and child protection principles enforced through the contracts
• Adopt the submitted implementation plan and costs for the rollout of a national strategy by Becta


Key stages for the National Strategy

The following key stages were identified by the project to Becta:

• Statement of strategic direction
• Creation of the Becta AAI Federation as an entity
• Sourcing of sufficient resources to guarantee delivery
• Creation of the underlying services
• Creation of various legal documents
• Establishment of procedures
• Recruitment of stakeholders
• Entering into contractual agreements by various parties
• Ongoing development of the Federation’s services
• Interaction with national and international bodies
• Provision of the operational aspects of the Federation


Becta AAI Federation... the foundations...

The project has submitted the following as possible foundations for the Becta AAI Federation:

– Implementation plan detailed down to individual tasks
– Costed proposal derived from the above implementation plan
– Outline work packages for the implementation programme
– Federation structures
– Contractual schematic
– Opportunity to phase from ‘live’ regional Federation to national roll-out


National Strategy... work packages & services ...

• The work packages are:
– Founding the Federation
– Setting the Standards
– Legal and Contractual
– Federation Resourcing
– Federation Services
– Communications
• The service elements covered are:
– Infrastructure integration
– WAYF service
– Attribute Control Authority service
– Accreditation service
– Support services
– Management
– Contractual agreements


Becta AAI Federation... the structure ...


Becta AAI Federation... the relationships ...

Table (not fully reproduced here): LGfLaai Federation – Matrix of agreements and schedules, dated 21st September 2005, Version 0.7a. Columns: Documents; Version; Registration bases; Members; End-user; Identity Provider; Service Provider; LGfLaai; LGfL; 3rd party service delivery; Content producer. The per-party cell markers are not recoverable from this extract; the documents listed, with the version or date shown, are:
• Member Service Agreement 1.3
• Structure and policy 1
• Basic service description 0.2
• (title not recoverable) 20/03/2005
• Acceptable Use Policy 1.1 (Procedural; RB version)
• Terms of Use – revised 21/09/2005
• Fair Processing Statement 21/09/2005 (Procedural; RB version)
• Data Protection requirements 27/04/2005 (Procedural)
• Glossary 21/06/2005 (Procedural)
• Partner Service Agreement 0.3
• (title not recoverable) 0.1 (B2B)
• Resource Registry – 3rd-party Escrow (Exists)
• Attribute Release Policy (ARP) 0.1
• Attribute Acceptance Policy (AAP) 0.1
• Content Licence Appendix 22/06/2005
• WAYF service description 0.1
• WAYF – GSA-3rd-party service delivery (B2B)
• WAYF – 3rd-party Escrow (Exists)
• WAYF service agreement 0.1
• Accreditation Service 0.2
• Virtual Registration Base Service
• Virtual Registration Base policy
• Also listed: Partners; Software licences and copyright; Attribute Control Authority service; Resource Registry – GSA-3rd-party
Key: Contract; Schedule = schedule to a contract; Procedural = procedures / documents may need updating; B2B = back to back contract referenced in the service description; Still to be drafted.


National Strategy... Phasing option ...

Diagram (not reproduced here): phasing from the LGfLaai Federation, via the Becta Project Board, to the BECTAaai Federation. Shadow window from April 2005; transition earliest 1st July 2005, latest 31st December 2005; BECTAaai Federation operating in 2006.


Post-project developments

• LGfLaai Federation is operating at a ‘regional’ level

• Further major development of the overall process, structures and documentation has taken place

• Business processes have been mapped

• Management database in operation

• On-line, web-based service to be launched which will minimise the potential ‘paper-chase’ / e-mail overload for participating entities