An Introduction to Access Management and the UK Federation
Simon Cooper, JANET(UK)
Copyright JNT Association 2005, 2008 www.ukfederation.org.uk
Overview
• What is access management?
• What is Shibboleth?
• UK Access Management Federation
• The Benefits
• How to Apply
• Participation options
• Support
• Membership
What is Access Management?
In this context = controlling access to online resources
• Authentication: is a user who they say they are? (identity)
• Authorisation: what is the user allowed to access? (rights)
Legacy access management
• User’s identity and personal data are known to all
• Publisher knows more than it wants and less than it needs
[Diagram: the user presents a username and password (“I’m AJones/T,t<*?I1”) directly to the Service Provider (SP), which has to answer “Are you a licensed user?” against its own site licence; the Identity Provider (IdP) plays no part]
Federated Access Management
• User’s identity and personal data are protected
• Publisher knows exactly what it needs
[Diagram: the user authenticates to their Identity Provider (IdP) (“I’m AJones/T,t<*?I1, am I?”); the IdP answers the Service Provider’s question “Are you a licensed user?” with “Yes, you’re licensed”; the SP checks that assertion against its site licence (“They say I’m licensed”) and grants access (“OK!”)]
How is this achieved?
• Through the use of attributes
• Permits fine-grained authorisation
• “Law Student” or “Staff Member”, not an individual username and password
• Service Providers can only ask for what they need
What is Shibboleth?
• An open source, standards-based solution to meet the needs for organisations to exchange information about their users in a secure, privacy-preserving manner
• Recommended software for UK federation participation
What is the UK federation?
• A set of Rules that binds members
• For UK schools, FE, HE and research
• Organisations and institutions providing services to these sectors
• Joint funded by JISC and Becta
• Operational management by JANET(UK)
What is the UK federation?
A secure framework that allows:
• students to access protected online web resources based on information asserted by their home organisation.
• providers of online resources to control access to their services.
Benefits: for Users
• Much less need to disclose your identity
• Personal data kept between you and your home organisation
• Service providers can tailor services better
• (At least) one less password to remember
• Access to online resources from anywhere
Benefits: for Organisations
• Uses existing authentication infrastructure
• Can be used to protect internal resources
• No annual subscription fee
• Software free to download and use
• Easier to comply with regulatory requirements
– Data Protection Act 1998
Benefits: for Service Providers
• No need to maintain your own user database
– Authentication is done for you by the home organisation
– Can authorise per institution, role, and/or entitlement
• Reduction in user support
• No annual subscription fee
• Software free to download and use
• Reduced data protection compliance burden
– Less storage/processing of personal data
• Users take better care of credentials
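The attribute model from “How is this achieved?” and the per-institution, per-role and per-entitlement authorisation listed above, as an added example that is not code from this presentation or from the Shibboleth project. It is a plain-Python model of the two policies the slides describe: an IdP-side attribute release policy that hands each Service Provider only what it needs, and an SP-side access rule that decides on affiliation or entitlement rather than on who the user is. It also includes the check a practitioner wants and the slides do not spell out: scoped attributes are only trusted for scopes the IdP is registered for in federation metadata. The eduPerson attribute names are the real ones; every entity ID, scope, user record and policy below is constructed sample data.

```python
"""Federated access management with attributes (added example).

Not from the original presentation or the Shibboleth project: a plain-Python
model of an IdP attribute release policy and an SP access rule. Attribute
names (eduPersonScopedAffiliation, eduPersonEntitlement) are real eduPerson
names; all entity IDs, scopes, users and policies are constructed sample data.
"""
from dataclasses import dataclass, field

# --- Identity Provider side -------------------------------------------------

# Constructed user records: everything the home organisation knows.
USERS = {
    "ajones": {
        "uid": "ajones", "givenName": "Alice", "sn": "Jones",
        "eduPersonScopedAffiliation": ["student@example.ac.uk",
                                       "member@example.ac.uk"],
        "eduPersonEntitlement": [],
    },
    "bsmith": {
        "uid": "bsmith", "givenName": "Bob", "sn": "Smith",
        "eduPersonScopedAffiliation": ["affiliate@example.ac.uk"],
        "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
    },
    # A record whose scope does not belong to this IdP (misconfiguration or
    # a rogue IdP); the SP-side scope check below must reject it.
    "mallory": {
        "uid": "mallory", "givenName": "Mal", "sn": "Lory",
        "eduPersonScopedAffiliation": ["student@other.ac.uk"],
        "eduPersonEntitlement": [],
    },
}

# Constructed release policy keyed by SP entity ID: each SP gets only the
# attributes it needs. An SP that is not listed gets nothing (default deny).
RELEASE_POLICY = {
    "https://publisher.example.com/shibboleth": {
        "eduPersonScopedAffiliation", "eduPersonEntitlement"},
    "https://intranet.example.ac.uk/shibboleth": {
        "uid", "eduPersonScopedAffiliation"},
}


def release_attributes(user: dict, sp_entity_id: str) -> dict:
    """Attributes the IdP asserts about this user to this SP, nothing more."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {name: value for name, value in user.items() if name in allowed}


# --- Service Provider side --------------------------------------------------

# Constructed stand-in for federation metadata: the scopes each IdP is
# registered to assert. Without this check any IdP could claim its users
# are members of another institution.
IDP_SCOPES = {
    "https://idp.example.ac.uk/idp/shibboleth": {"example.ac.uk"},
    "https://idp.other.ac.uk/idp/shibboleth": {"other.ac.uk"},
}


@dataclass
class AccessRule:
    """SP rule: licensed institutions (scopes), accepted roles, accepted entitlements."""
    scopes: set = field(default_factory=set)
    affiliations: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)


def filter_scopes(attrs: dict, idp_entity_id: str) -> dict:
    """Drop scoped affiliation values whose scope this IdP may not assert."""
    if "eduPersonScopedAffiliation" not in attrs:
        return dict(attrs)
    valid = IDP_SCOPES.get(idp_entity_id, set())
    kept = [v for v in attrs["eduPersonScopedAffiliation"]
            if v.partition("@")[2] in valid]
    return {**attrs, "eduPersonScopedAffiliation": kept}


def is_authorised(rule: AccessRule, attrs: dict) -> bool:
    """Grant on (institution, role) or on an entitlement; never on identity."""
    for value in attrs.get("eduPersonScopedAffiliation", []):
        role, _, scope = value.partition("@")
        if scope in rule.scopes and role in rule.affiliations:
            return True
    return bool(rule.entitlements & set(attrs.get("eduPersonEntitlement", [])))


def decide(uid: str, idp_entity_id: str, sp_entity_id: str,
           rule: AccessRule) -> bool:
    """End to end: IdP releases attributes, SP validates scopes, applies rule."""
    asserted = release_attributes(USERS[uid], sp_entity_id)
    checked = filter_scopes(asserted, idp_entity_id)
    return is_authorised(rule, checked)


if __name__ == "__main__":
    publisher = "https://publisher.example.com/shibboleth"
    idp = "https://idp.example.ac.uk/idp/shibboleth"
    licence = AccessRule(scopes={"example.ac.uk"},
                         affiliations={"student", "staff"},
                         entitlements={"urn:mace:dir:entitlement:common-lib-terms"})
    for uid in USERS:
        print(uid, release_attributes(USERS[uid], publisher),
              "->", decide(uid, idp, publisher, licence))
```

The publisher never sees `uid`, `givenName` or `sn`: it learns only that the request comes from a student at a licensed institution, or from someone holding the library entitlement. The `filter_scopes` step is the part most often forgotten when the idea is re-implemented outside Shibboleth; the Shibboleth SP performs the equivalent check against the IdP’s metadata scopes before any access rule runs.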
How to apply?
• Senior member of organisation signs up to the federation Rules of Membership
• JANET(UK) verify contact details
• Membership confirmed
• Organisation (usually IT staff) registers participating servers with the federation
How to participate
1. a) In-house: run and support your own Identity Provider (IdP)
   b) Hybrid: run your own IdP, provided and supported by a third party
2. Outsource: third party runs the IdP under contract
http://www.jisc.ac.uk/publications/publications/identityprovidersbpv1.aspx
In-house Approach
• Shibboleth IdP is a Java application
– Runs on Linux, Unix, Windows, Mac.
• Installation is straightforward.
• Some configuration is required.
• Community support
Shibboleth on Windows
• Project Commenced March 08.
• Case Studies + documentation.
• Free to community.
• Release end of May.
Who does what?
• Internal collaboration is essential
• IT department must be involved from the outset
• Senior management may require a business case (see JISC Business Case Toolkit)
• Senior management sign the membership agreement
What help is available?
– JANET(UK) helpdesk
– Website: www.ukfederation.org.uk/
– Mailing lists
– Training courses: http://www.ja.net/services/training/
  http://www.netskills.ac.uk/content/products/workshops/range/accman.html
– Regional events (Brighton, 29th April)
Who has joined?
• 247 members (10th March)
• Sector breakdown
– 75 FE
– 106 HE
– 7 LA/RBC
What services are available?
• 47 Commercial Service Providers or Publishers
• Ovid, Elsevier, Microsoft, BBC, Digimap, JISCmail, JVCS Booking Services,
• Full list of Services: http://www.ukfederation.org.uk/content/Documents/AvailableServices
• Dialogue with Service Providers: http://access.jiscinvolve.org/federated-access-and-publishers
When should you join?
• Now! (get the admin out of the way)
• Audit your existing infrastructure and assess your organisation’s readiness
• Implement your IdP
• Roll out within the organisation
• Consider federating internal services
Questions?
More info:
www.ukfederation.org.uk
E-mail lists:[email protected]@jiscmail.ac.ukJISC-shibboleth@[email protected]