Joint Information Systems Committee 06/06/22 | | Slide 1 Federation Policy Issues The UK Perspective Nicole Harris Programme Manager – JISC


This presentation gives an overview of the policy developed for the UK Access Management Federation


Page 1: Federation Policy


Federation Policy Issues

The UK Perspective. Nicole Harris, Programme Manager – JISC

Page 2: Federation Policy


Issues from the UK

Experience from the UK highlights the importance of:

– Making the move from a pilot to full service

– Getting it right for your national requirements

– Mapping requirements across the UK educational sector

– Managing ‘outsourced identity providers’

– Managing ‘outsourced service providers’

– Not just the Federation and Policies but outreach, assisted take-up, vendor liaison

Page 3: Federation Policy


Moving from SDSS to the UK Access Management Federation

                 SDSS federation               UK federation
Status           Project                       Service
Duration         3 years                       Ongoing
Scale            Programme                     National
Home             EDINA National Data Centre    UKERNA

Page 4: Federation Policy


Differences for Users in Transition from SDSS

Very little:

– Metadata recommendations have been preserved

– SDSS team in place to provide second-line support for the foreseeable future

– Communication: pushing people to use SDSS in the interim (don’t wait!)

– Communication: explaining the changeover process

– Formalising: actually signing formal policy documents rather than pilot recommendations can be scary / institutionally difficult

– Athens “gateways” will be live and in service:

• Athens will join the Federation as an outsourced Identity Provider and represent many institutions that have not made the move to full federated access management

• Athens will join the Federation as an outsourced Service Provider and represent many resource owners that have not made the move to full federated access management

Page 5: Federation Policy


Federation Stats: 13th April 2007

50 MEMBERS.

113 ENTITIES (two are dual in nature, acting as both IdP and SP):

– 51 Identity Providers

– 64 Service Providers

29 ‘Core’ Institutional Members.

Page 6: Federation Policy


Policy Document 1: Rules of Membership

The basic contractual framework for trust.

Covers:

– Definitions

– Rules for all members

– Specific rules for IdPs and SPs

– Data Protection and Privacy

– User Accountability

– Liability

– Audit and Compliance

– Termination

– Membership Cessation

– Changes to Rules

– Dispute Resolution

Page 7: Federation Policy


Policy Document 2: Recommendations for Use of Personal Data

Covers the legal requirements (Data Protection Act 1998) and the practical use of attributes:

– eduPersonScopedAffiliation: represents the least intrusion into the user’s privacy and is likely to be sufficient for many access control decisions.

– eduPersonTargetedID: designed to satisfy applications where the service provider needs to be able to recognise a returning user without revealing real identity.

“For most applications a combination of the attributes eduPersonScopedAffiliation and eduPersonTargetedID will be sufficient. A requirement to provide other attributes should be regarded as exceptional by both Identity and Service Providers and will involve considerable additional responsibilities for both.”

– eduPersonPrincipalName: comes under the personal data guidelines of the DP Act.

– eduPersonEntitlement: it may be possible to determine identity from an entitlement, so this attribute is again governed by the DP Act.

Page 8: Federation Policy


Policy Document 3: Technical Recommendations for Participants

Specifies the technical architecture for Federation and participants.

Choice of IdP / SP software (the UK Federation is software-neutral, but the software must be SAML compliant and tested by the Federation)

Authentication response profiles

Metadata processes

Digital Certificate processes

‘Discovery’ processes - to WAYF or not to WAYF

Attribute usage

Includes Future Directions for each area of work

Page 9: Federation Policy


UK Federation Required Attributes

TECHNICAL ATTRIBUTE NAME (example value) / HOW IT IS DEFINED / WHAT THIS REALLY MEANS

eduPersonScopedAffiliation ([email protected])
  Defined by: UK specific controlled vocabulary
  Meaning: Establishes the user’s relationship with the institution, e.g. staff, student, member. Terms as used in the JISC Model Licence. Most authorisation can be done against this attribute.

eduPersonTargetedID (r001xf4rg2ss)
  Defined by: opaque string defined by the institution
  Meaning: ‘A persistent user pseudonym’ to allow for service personalisation and usage monitoring across sessions. Not a real world identity.

eduPersonPrincipalName (harrisnv)
  Defined by: the institution – login name
  Meaning: Used when a persistent user identifier is required across services. Typically used for internal institutional services. Real identity can be established from this attribute.

eduPersonEntitlement (expressed as an agreed URI)
  Defined by: mutually agreed by institution and service
  Meaning: Used when a specific resource has a specific entitlement condition not covered elsewhere, e.g. must be over 21, must have completed the foundation course module.
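The attribute recommendations on the Page 7 and Page 9 slides can be expressed as an SP-side policy. The following is an added example, not code from the presentation or the UK Federation: it authorises only on eduPersonScopedAffiliation (checking the term against the slides' vocabulary and the scope against scopes assumed to come from Federation metadata), keeps eduPersonTargetedID purely as a pseudonym, and flags any further attributes as exceptional under the Data Protection Act. The vocabulary, the scope set and the sample release are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Affiliation terms named on the slides (staff, student, member); a real SP
# would load the Federation's full controlled vocabulary instead (assumption).
AFFILIATIONS = {"staff", "student", "member"}
# The two attributes the recommendations say suffice for most applications.
BASELINE = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}

@dataclass
class Decision:
    allowed: bool = False
    session_key: Optional[str] = None          # opaque pseudonym, not an identity
    exceptional: Set[str] = field(default_factory=set)
    reasons: List[str] = field(default_factory=list)

def evaluate(attrs: Dict[str, List[str]], permitted: Set[str], idp_scopes: Set[str]) -> Decision:
    """SP-side policy: attrs maps attribute name -> values released by the IdP,
    permitted is the set of affiliations the resource licence admits, and
    idp_scopes is the set of scopes the asserting IdP is registered for
    (assumed to come from Federation metadata)."""
    d = Decision()
    # 1. Authorise on eduPersonScopedAffiliation only: the term must be in the
    #    vocabulary and the scope must belong to the IdP that asserted it.
    for value in attrs.get("eduPersonScopedAffiliation", []):
        term, _, scope = value.partition("@")
        if term not in AFFILIATIONS or scope not in idp_scopes:
            d.reasons.append(f"ignored affiliation {value!r}")
        elif term in permitted:
            d.allowed = True
            d.reasons.append(f"authorised as {term}@{scope}")
    # 2. eduPersonTargetedID is kept only as a per-service pseudonym for
    #    personalisation across sessions; it is never treated as a real identity.
    targeted = attrs.get("eduPersonTargetedID", [])
    if len(targeted) == 1:
        d.session_key = targeted[0]
    elif targeted:
        d.reasons.append("ambiguous eduPersonTargetedID; personalisation disabled")
    # 3. Anything beyond the baseline pair (eduPersonPrincipalName,
    #    eduPersonEntitlement, ...) is exceptional and falls under the DP Act,
    #    so it is surfaced for review rather than silently consumed.
    d.exceptional = set(attrs) - BASELINE
    return d

# Constructed attribute release; the eduPersonTargetedID value is the slide's example.
SAMPLE = {
    "eduPersonScopedAffiliation": ["student@example.ac.uk"],
    "eduPersonTargetedID": ["r001xf4rg2ss"],
}
```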

Page 10: Federation Policy


Policy Document 4: Federation Technical Specification and Policy Document 5: Federation Operator Procedures

Federation Technical Specification:

– High level document about trust fabrics and how the UK Access Management Federation achieves trust.

Federation Operator Procedures:

– The procedures actually undertaken by the Federation Operator (UKERNA):

• Enrolment

• CA Qualification

• Support

• Monitoring / Audit

Page 11: Federation Policy


Upcoming…in Policy

More practical documents related to baseline Federation such as Identity Provider deployment.

More advice and policy as developments move to service:

– Levels of assurance

– Virtual organisation support

– Virtual ‘orphanage’ (SDSS already offering TypeKey and ProtectNetwork solutions)

– Detailed policies for outsourced identity providers and outsourced service providers

Page 12: Federation Policy


The Gateways

[Diagram: The Gateways. Labels on the slide: Athens institution, Athens central, Athens protected resource, federated institution, federated resource, UK Access Management Federation, IdP Gateway, SP Gateway.]

Page 13: Federation Policy


www.ukfederation.org.uk

www.jisc.ac.uk/federation.html

[email protected]

[email protected]