
Federated access management: Q&A answers questions

13 March 2006

Federated Access Management Q&A

Jisc is devoting significant funds to the development and implementation of the next generation access-management system based on Shibboleth technology. This will have significant implications for FE and HE institutions and this Q&A is designed to help advise institutions on the options available to them over the next two years and beyond.


What is Federated Access Management?

Federated Access Management builds a trust relationship between Identity Providers (IdP) and Service Providers (SP).  It devolves the responsibility for authentication to a user’s home institution, and establishes authorisation through the secure exchange of information (known as attributes) between the two parties.


What is Shibboleth?

Shibboleth is a technology that enables federated access management.  It both triggers the authentication process within an institution, and supports the secure exchange of information to establish authorisation.

Shibboleth is an implementation of an open standard known as SAML (Security Assertion Markup Language).  There are other products available that can be used instead of Shibboleth, such as the AthensIM and Guanxi implementations.

What is a ‘federation’?

A federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access and use of resources and services. The federation combined with identity management software within institutions and organisations can be referred to as federated access management.

Why is a federation needed?

How authentication is carried out by the institution and how rights management is carried out by the service provider is left up to the respective parties. In doing so, Shibboleth depends on a certain level of trust. These trust agreements are managed by Federations. Federations are typically being established at a national level. For example, US higher education has established a federation known as InCommon.


How do I join a Federation as an Identity Provider?

Jisc recommends that all institutions carry out an institutional audit, and include these developments within the Information Strategy.  A potential Identity Provider will need to carry out the following activities:

  • Review the information structure within its institutional directory and ensure that it meets the required standards for exchanging information.
  • Adopt a Single Sign-On or Common ID Solution for authentication.
  • Implement Identity Provider software.
  • Join the Federation.
  • Roll-out the service within the institution. 

Information and support on all of these processes are available from Jisc and its Middleware Assisted Take-Up Service.

 


How do I join a Federation as a Service Provider?

A potential Service Provider will need to carry out the following activities:

  • Review the information structure within its organisational directories and databases and ensure that it meets the required standards for exchanging information.
  • Implement Service Provider software.
  • Join the Federation.
  • Roll-out the service to user groups.

Information and support on all of these processes are available from Jisc and its Middleware Assisted Take-Up Service.


Can I use commercial products?

Institutions are free to choose either open-source or commercial products.  The products chosen must be SAML compliant, and meet the requirements of the Federation. Recommended product lists are available from the Middleware Assisted Take-Up Service.

Athens works very well in our institutions. Why do we need to change?

The Athens service will not cease so you are welcome to continue using it (see below). However, there are a number of advantages for institutions and users in adopting a federated access management system based on Shibboleth technology, in particular the evolving needs of e-learning and e-research communities for a single access management system that supports a range of authentication scenarios, including access to internal resources, external resources and collaborative requirements.

In addition, while the UK has been using Athens, other countries have been developing their own solutions to the problem of accessing multiple resources with a single identity. Shibboleth, which is a product of the US’s Internet2 initiative, has emerged as the frontrunner for the most widely-adopted standards-based approach.

Shibboleth also separates authentication from authorisation. Authentication is controlled by the user’s home institution and authorisation is based on user attributes and controlled by the service provider. Users don’t have to acquire and remember a separate identity for accessing protected services – they simply use their local institutional username and password. This should increase the use of subscribed services.
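The split between home-institution authentication and service-provider authorisation described above can be sketched from the Service Provider's side. This is an added example, not code from Jisc or the Shibboleth project: the entity IDs, scopes and licence table are constructed, the attribute name comes from the eduPerson schema, and the assertion is assumed to have already passed signature verification.

```python
from dataclasses import dataclass

# Constructed federation metadata: IdP entity ID -> scopes it may assert.
FEDERATION_IDPS = {
    "https://idp.example-university.ac.uk/shibboleth": {"example-university.ac.uk"},
    "https://idp.example-college.ac.uk/shibboleth": {"example-college.ac.uk"},
}

# Constructed SP licence policy: resource -> scope -> accepted affiliations.
LICENSED = {
    "ejournals": {"example-university.ac.uk": {"member", "staff", "student"}},
}


@dataclass(frozen=True)
class Assertion:
    """Attributes released by an IdP; note there is no username in it."""
    issuer: str
    attributes: dict  # attribute name -> list of values


def authorise(assertion, resource):
    """SP-side decision. Returns (allowed, reason).

    Assumes the assertion's signature was already verified against the
    issuer's key from federation metadata (not shown here).
    """
    scopes = FEDERATION_IDPS.get(assertion.issuer)
    if scopes is None:
        # Trust comes from federation membership, not from the assertion.
        return False, "issuer not in federation"
    policy = LICENSED.get(resource, {})
    for value in assertion.attributes.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.partition("@")
        if not sep or scope not in scopes:
            # An IdP may only speak for its own registered scope.
            continue
        if affiliation in policy.get(scope, set()):
            return True, f"{affiliation}@{scope}"
    return False, "no licensed affiliation"
```

The scope check is the part that is easy to omit: without it, any federation member could assert an affiliation at another institution and inherit its licence.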

What will be the benefits of Shibboleth?

Users will have a single sign-on using an institutional ID and password for a wide range of resources, as well as the assurance that their personal data will not be disclosed to third parties.

Librarians will be free of the burden of user name and password administration, and will have new tools for managing licenses and service subscriptions.

IT managers will have more control of the access management process through enhancements to enterprise directories, although this will require additional institutional effort in the short term.

Institutions will have a single service to meet the requirements of e-learning, e-research and library-managed resources.  Simplification of the authentication process has also proven to lead to increased use of subscribed services. 

Who will run the UK Federation?

The UK access management federation will be run by UKERNA, building on the experiences of a successful pilot federation at EDINA, a Jisc data centre.

What will be the costs of joining the Federation?

Membership of the Federation will be free at the point of use for both Identity Providers and Service Providers within or serving the UK HE and FE community.  Costs of implementing the federated access management solutions will depend on the model chosen by institutions or service providers.  There are two options:

  • Adopt technologies using community supported (or open-source) tools.  This will mainly involve internal costs in terms of the effort required to implement the solutions.
  • Adopt technologies using tools with paid-for support. 

What if my institution decides not to adopt Shibboleth technology?

There is a third option available and that is to subscribe to an ‘outsourced Identity provider’ to work through the federation on your institution’s behalf, such as continued use of Athens with the gateways. The costs of this option include the subscription costs to the external supplier (from July 2008) and internal administration.

How will Jisc support my institution to meet any of these costs?

Jisc is providing extensive support mechanisms for institutions wishing to adopt federated access management solutions.  Jisc is committed to funding both the current Athens service and the new Federated Access Management Service until 2008, and is funding the gateways between the two services to allow more options for institutions. 

What do I need to do now?

It is important to emphasise that institutions will have choices, and that these choices should be supported by informed decisions. The potential models for adoption are outlined above and in the briefing papers recently sent out to institutions. Institutions should now consider how well each of these models fits with their IT strategy. Case studies, reports and advice are all available from the Middleware Assisted Take-Up Service (www.matu.ac.uk) and these should be used to inform your institutional approach.

When will the UK Federation be launched?

In September 2006.

What is the last point at which my institution can make a decision about joining the UK federation?

If you are currently using Athens, you can join the Federation at any time from September 2006 onwards. There is no end date for the Athens service.

What will happen to Athens?

Jisc’s contract will be renewed in July 2006, and this will run for two years, until July 2008. Gateways will be in place in July 2006 that will enable Shibboleth institutions to access Athens-protected resources and vice versa.

What will happen to Athens after July 2008?

Athens will continue to be available to institutions beyond July 2008 on a subscription basis.

Is it the same for FE as it is for HE?

All of the services described are available to all Higher Education Institutions, and to Further Education Institutions in Scotland, Wales and Northern Ireland.

The services described will be available to Further Education Institutions within England until July 2007.  Announcements regarding service provision post July 2007 will be made shortly. 

How can my institution get support and guidance about the transition?

Jisc is committed to support institutions in this changing environment. As well as funding the UK Federation, Jisc is:

  • funding the provision of the Athens service until July 2008
  • funding a Middleware Assisted Take-Up Service (MATU) to provide support for institutions. Further information is available at www.matu.ac.uk
  • providing case studies, reports, toolkits and advice from the work carried out in its ‘early adopter’ programmes (further information available on the MATU web site)
  • making the services hosted by MIMAS, EDINA and other Jisc services Shibboleth compliant
  • funding the development of the Athens Gateways to support inter-working between Shibboleth and Athens sites and service providers. These allow institutions that adopt Shibboleth to access resources protected by Athens. Sites continuing to use Athens will also be able to access Shibboleth-protected resources
  • providing roadmaps for educational institutions and publishers to clearly outline the choices that they have to make. These are available at:  Shibboleth options

What next?

The key milestones in the transition to Shibboleth are:

July 2006

  • renewal of the Athens contract and launch of the Athens Gateways

August 2006

  • the first early adopters will join the UK Federation
  • new Nesli2 and Jisc contracts with suppliers will specify Shibboleth compliance

September 2006

  • formal launch of the UK Federation

July 2008

  • end of current contract for Athens

 

See further information.
