access management - the issues for fe colleges

Mike Moran, RSCni. LR Forum – Ulster University Jordanstown, 13 February 2008


DESCRIPTION

A simple overview of the steps that colleges need to take to join the UK Access Management Federation

TRANSCRIPT

Page 1

Access Management - the Issues for FE Colleges

Mike Moran, RSCni

LR Forum – Ulster University Jordanstown

13 February 2008

Page 2

Access Management in College Libraries – Some Basics

Suppliers (licence providers) require:

A sound system for identifying users of the service so that they can:

Ensure that the fees charged are correct;

That the users are legitimate members of the college; and

So that the management of colleges can be held accountable for breaches of licence conditions – including infringement of copyright.

Colleges require:

An effective connection system between the individual user and the supplier.

Page 3

Solutions Tried So Far:

1. Authentication of users by checking the IP address of their computer

2. Authentication by using directories of users specific to the library of the college

3. Authentication using the overall directory structures of the college network – of which the library users are a defined community

Limitations for users and suppliers:

1. If more than one person normally uses a computer (or server), the supplier cannot accurately count the number of users and cannot be sure that each user is legitimate

2. The users have to sign on separately to use the online services of the library – multiple usernames and passwords per person

3. Though you can move to Single Sign On, the directory structure requires careful construction and updating to make sure library users remain up to date – not every college member is necessarily a legitimate user of the licensed services

Page 4

So – along comes Federated Access Management

Its features:

• Based upon the principle of trust between suppliers and users

• Trust could operate on a 1:1 basis between a college and a supplier

• But – this would mean large costs for the supplier to maintain a large number of individual relationships with colleges – costs that would be passed on to the users

• So – if users can form groups (Federations) and the group as a whole can be trusted by the suppliers, then the individual admin costs are reduced and the potential for savings to both parties is made real

• The working relationship is then dependent upon three components:

1. The licensed service on offer from the supplier(s);

2. The constructed identities of the client college; and

3. A piece of software that provides to the supplier those identities that are legitimately connected to the college before releasing the service to the user each time.

Page 5

Identity Provider Gateway

Outputs the data that confirms that the user requesting service is a registered student or staff member of the college concerned. This can be done with the minimum amount of personal information transferring directly to the supplier.

Service Provider Gateway

Confirms that the IdP data sent by the college matches the rights to access that the college has paid for (even if this is a FREE service) and causes the release of the item.

Page 6

Shibboleth Flow Diagram (see handout for explanation)

[Diagram: the User, the Service Provider (SP), the Identity Provider (IdP) = College or its agent, and the Where Are You From (WAYF) service, connected by numbered flows 1 to 8. The amount of information provided at the IdP can be managed by the College.]

Page 7

Shibboleth Flow Diagram

The previous diagram shows the flows which can occur during a typical Shibboleth-enabled transaction, with the browser user arriving at the Service Provider site without an existing session and without any information about the user's home institution being known by the Service Provider. There are many variations on this flow, most of them a lot simpler. In addition, later versions of Shibboleth will be able to operate in other ways; and the terminology used to refer to components is subject to change. However, this is offered as a starting point.

1. The User attempts to access a Shibboleth-protected resource on the Service Provider site.

2. The User is redirected to the federation WAYF.

3. The User selects his or her home institution (*Identity Provider) from the list presented by the WAYF.

4. The Identity Provider, by whatever means it deems appropriate, ensures that the User is authenticated.

5. After successful authentication, a one-time Handle (session identifier) is generated for this User session and is sent to the Service Provider – think of it like a ticket at the supermarket deli counter – it is discarded once it has been used.

6. The Service Provider uses the Handle to request attribute information from the Identity Provider for this user.

7. The Identity Provider, on the basis of its Attribute Release Policy, allows or denies attribute information to be made available to this Service Provider.

8. Based on the attribute information available to it, the Service Provider allows or refuses the User access to the resource.

* Although the User's home institution is taken in the above summary to be equivalent to the Identity Provider, in fact an institution may choose to outsource the Identity Provider function to another organisation. However, this does not affect the principle of operation.
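The eight-step flow above, together with the IdP Gateway and SP Gateway roles on Page 5 and the "piece of software" of Page 4, can be followed end to end in a small simulation. The code below is an added example written for this page; it is not Shibboleth code and not from the presentation. The college, publisher, entity IDs, user accounts, attributes and release policy are all constructed, and the password check stands in for whatever authentication method the IdP actually chooses. It shows the three points a practitioner cares about: the Handle is redeemed once and then discarded (step 5), the Attribute Release Policy is per Service Provider and lets the college release the minimum of personal data (step 7), and the Service Provider decides solely from the attributes it receives (step 8).

```python
# Added example: a toy, self-contained model of the eight-step Shibboleth flow
# described on this page. It is NOT Shibboleth code and not from the presentation;
# every entity ID, user, attribute and policy below is constructed for illustration.
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """The IdP Gateway: the college (or its agent). It authenticates the user,
    issues the one-time Handle and enforces the Attribute Release Policy."""
    entity_id: str
    users: dict            # username -> (password, attributes); constructed sample data
    release_policy: dict   # SP entity_id -> set of attribute names that SP may receive
    _handles: dict = field(default_factory=dict)   # outstanding one-time handles -> username

    def authenticate(self, username, password):
        """Step 4: authenticate 'by whatever means the IdP deems appropriate'
        (a password check here). Step 5: on success, mint a one-time Handle."""
        record = self.users.get(username)
        if record is None or record[0] != password:
            return None
        handle = secrets.token_urlsafe(16)   # unguessable session identifier
        self._handles[handle] = username
        return handle

    def resolve_attributes(self, handle, sp_entity_id):
        """Steps 6-7: the SP presents the Handle; the IdP redeems it exactly once
        (the deli-counter ticket is discarded) and releases only the attributes
        its policy allows for this particular SP. Unknown or reused handle -> None."""
        username = self._handles.pop(handle, None)
        if username is None:
            return None
        allowed = self.release_policy.get(sp_entity_id, set())
        attributes = self.users[username][1]
        return {name: value for name, value in attributes.items() if name in allowed}


@dataclass
class ServiceProvider:
    """The SP Gateway: the supplier. It knows which attribute values the college
    has paid for and decides access from the attributes it actually receives."""
    entity_id: str
    required: dict   # attribute name -> set of acceptable values

    def authorise(self, attributes):
        """Step 8: grant only if every required attribute is present and acceptable."""
        if attributes is None:
            return False
        return all(attributes.get(name) in ok for name, ok in self.required.items())


def wayf(federation, home_institution):
    """Steps 2-3: the Where Are You From service lists the federation's IdPs and the
    user picks their home institution. Raises KeyError for an unknown institution."""
    return federation[home_institution]


def access_resource(sp, federation, home_institution, username, password):
    """Steps 1-8 end to end. Returns (granted, attributes_the_sp_saw)."""
    idp = wayf(federation, home_institution)                    # steps 2-3
    handle = idp.authenticate(username, password)               # steps 4-5
    if handle is None:
        return False, None
    attributes = idp.resolve_attributes(handle, sp.entity_id)  # steps 6-7
    return sp.authorise(attributes), attributes                 # step 8


# Constructed sample federation: one college IdP and one publisher SP.
PUBLISHER_SP_ID = "https://sp.publisher.invalid/shibboleth"
FEDERATION = {
    "Example College": IdentityProvider(
        entity_id="https://idp.example-college.invalid/shibboleth",
        users={
            "student1": ("pw-student1", {"affiliation": "student",
                                          "name": "A. Learner", "email": "a.learner@college.invalid"}),
            "guest1": ("pw-guest1", {"affiliation": "affiliate",
                                      "name": "V. Guest", "email": "v.guest@college.invalid"}),
        },
        # Release policy: the publisher learns affiliation only, never name or e-mail.
        release_policy={PUBLISHER_SP_ID: {"affiliation"}},
    ),
}
PUBLISHER = ServiceProvider(PUBLISHER_SP_ID, {"affiliation": {"student", "staff"}})


def demo():
    """Run the three cases the page's flow implies; returns them for inspection."""
    return {
        "student": access_resource(PUBLISHER, FEDERATION, "Example College", "student1", "pw-student1"),
        "guest": access_resource(PUBLISHER, FEDERATION, "Example College", "guest1", "pw-guest1"),
        "bad_password": access_resource(PUBLISHER, FEDERATION, "Example College", "student1", "wrong"),
    }


if __name__ == "__main__":
    for case, (granted, seen) in demo().items():
        print(f"{case:>12}: granted={granted} attributes_seen_by_sp={seen}")
```

Running the file prints one line per case: the student is granted access while the publisher sees nothing but `{"affiliation": "student"}`; the guest authenticates successfully at the college but is refused because "affiliate" is not an affiliation the college has paid for; a wrong password never produces a Handle, so no attribute request is ever made. Calling `resolve_attributes` a second time with the same Handle returns `None`, which is the property the deli-counter ticket analogy describes.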

Page 8

Why did we go down this Shibboleth route at all?

Posted by nicole [Harris] on January 23rd, 2008

“There has obviously been a lot of debate in the last two days surrounding the regrettable announcement that JISC will no longer be funding the Federation Gateway Services [through a contract with Eduserv (Athens)].

This has led to people asking questions such as ‘why did we go down this Shibboleth route at all?’. I thought it might be useful to go back to the beginning. Below is the vision statement (we are very MSP here) for the Access Management Transition Programme. I think it sums things up quite nicely.

The JISC Access Management Transition Programme aims to change the access management landscape within UK Further and Higher Education from a system predominantly based on proprietary systems to one with open standards at its core. The primary enabler of this change will be the introduction of federation access management and a strong recommendation to all institutions and organisations involved in education to implement access management solutions based on the SAML (Security Assertion Mark-Up Language) standard.

Page 9

“In supporting an open standards approach, rather than any particular technology, JISC hopes to:

• Improve the business decisions made by institutions in relation to identity, access and resource management

• Increase the commercial choice to institutions in relation to identity and access management technologies.

• Reduce the impact and cost of vendor lock-in within the JISC community.

• Embed knowledge within the community, rather than within any one organisation.

• Place the principles of the JISC Information Environment at the core of the implementation of access management within its community.

• Move towards a single sign-on environment for UK Further and Higher Education institutions across internal, external, and collaborative resources.

The JISC Access Management Transition Programme runs from July 2006 – December 2008, and is funded and supported by the JISC Integrated Information Environment Committee (JIIE). Funding of £2.2 million has been allocated to this programme. “

Page 10

JISC ‘Institutional Preparedness’ Study [Mar 2007] (170 institutions):

• Directory Services:

– 66% HE / 69% FE use Active Directory

– 31% HE / 13% FE use Novell eDirectory

– 27% HE / 31% FE use OpenLDAP *

• Outsourcing / Delegation of Identity Management:

– 2% of HE / 0% FE outsource directory / identity management

– 25% HE allow departmental control of identity management

• Current use of Athens:

– Classic Athens: 57% HE / 78% FE

– AthensDA: 35% HE / 7% FE

* LDAP = Lightweight Directory Access Protocol – a standard for user directories

Page 11

Benefits of joining the UK Access Management Federation

Benefits for Identity Providers (IdP) – typically Schools / FE Institutions / HE Institutes / Research Institutes

• Easier to comply with regulatory requirements (Data Protection Act 1998, etc.)

• Better service offered to users (more control)

• Can integrate with existing access management systems

• Can use the same access control for all resources – both internal and external

• This means that it can be used for managing access to internal college repositories as well as external services

• Fewer support problems (can all be controlled centrally)

Benefits for End Users

• Much less need to disclose your identity

• Personal data kept between you and your home organisation

• Publishers can tailor services better (preferences, special groups of users etc)

• (At least) one less password to remember

Page 12

Benefits of joining the UK Access Management Federation

Benefits for Educational Sectors

• Provides consistency across the whole of education for federated (distributed) authentication and authorisation

• Improves the user experience

• Pools experience and expertise

• Provides economies of scale for all sectors

• Facilitates sharing of content and collaboration across sectors

Page 13

The JISC Position on the UK Federation

In March 2006, JISC formally announced its intention to support federated access management as the preferred access management solution for UK Further and Higher Education

Institutions will have to Join the UK Federation to access JISC funded resources

The Federation is a combined venture between JISC and BECTA (and therefore will extend to schools as well as colleges)

JISC will continue funding the Athens service until 31 July 2008

Athens will be available via a subscription model post July 2008

Recent announcement by JISC means that Athens is no longer the partner organisation for Federation IdP functions – other options can be considered by colleges

A full support service will be made available to the JISC community to support the transition to the new service

Page 15

Institutional Options

• BECOME A FULL MEMBER OF THE FEDERATION USING COMMUNITY SUPPORTED TOOLS

– COSTS: Institutional effort to implement software, join federation and enhance institutional directories

– BENEFITS: Full institutional control, skilled staff and access management solution for internal, external and collaborative resources

• BECOME A FULL MEMBER OF THE FEDERATION USING TOOLS WITH PAID-FOR SUPPORT

– COSTS: Cost of support from supplier and institutional effort in liaison with supplier and Federation

– BENEFITS: Full support in implementation and access management solution for internal, external and collaborative resources

• SUBSCRIBE TO AN ‘OUTSOURCED IDENTITY PROVIDER’ TO WORK THROUGH THE FEDERATION ON YOUR BEHALF

– COSTS: Subscription costs to external supplier (from July 2008) and internal administration role

– BENEFITS: Minimum institutional effort to achieve access to external resources only

Page 16

JISC Answers to some FAQs

11. How can I join the UK federation as an Identity Provider?

A potential Identity Provider (ie College) will need to carry out the following activities:

1. Review the information structure within its institutional directory and ensure that it meets the required standards for exchanging information.

2. Adopt a Single Sign-On or Common ID Solution for authentication.

3. Implement Identity Provider software.

4. Join the Federation (see the Federation website).

5. Roll-out the service within the institution.

Help will be available for colleges – see below

Page 17

JISC Answers to some FAQs

18. What is the last point at which my institution can make a decision about joining the UK federation?

If you are currently using Athens, you can join the UK Access Management Federation at any time from November 2006 onwards. There is no end date for the Athens service – but see below (Q19).

19. What will happen to Athens?

Athens will continue as a fee-charging service. JISC is providing extensive support mechanisms for institutions wishing to adopt federated access management solutions. JISC will not be funding the Athens service beyond July 2008.

Page 18

That last set of answers seems too complicated for me and my colleagues. Where can I get help?

1. For small colleges – or those who were small scale users of online resources – there is help available through JISC JIAMSP funding to get advice on what you need to do to prepare for joining the Federation. JISC has agreed to deal with Northern Ireland FE Colleges on a pre-merger basis in relation to the above

2. For those charged with managing or executing the technical changes, there will be a series of 3-day Netskills practical workshops in various locations – with some subsidised fees for FE colleges. Their aim is to advise on the technical preparations that are needed before conversion to working within the UK Federation and to demonstrate how to do that.

Page 19

So – what are the next steps for a college?

Joining the UK federation as an Identity Provider?

A potential Identity Provider (ie College) will need to carry out the following activities:

• Review the information structure within its institutional directory and ensure that it meets the required standards for exchanging information.

• Adopt a Single Sign-On or Common ID Solution for authentication.

• Implement Identity Provider software.

• Join the Federation [NO COST] (see the Federation website).

• Roll-out the service within the institution.

Apply for the support funding (if you haven’t already)

Talk to managers and colleagues and ensure that your college sends someone to the Netskills workshop

Page 20

Does all of this have anything to do with re-structuring or selecting a Library Management System?

Not directly – but there would be an advantage to sorting everything out at one time. Otherwise, the directory structures created for the UK Federation may have to be re-visited when any new or re-configured LMS is installed.

Page 21

That’s the end of the programme …

Any final questions?