Federated Access Management: JISC Guide for Institutions
This is the third version of Federated Access Management: JISC Guide for Institutions, first published in February 2006.
This document is addressed to institutional decision-makers, IT managers and librarians who are involved in planning institutional IT strategies. It describes the new federated access management infrastructure being implemented within the UK, the reason for its introduction and the actions required of institutions to benefit from the new system.
Introduction
In November 2006, the UK Access Management Federation for UK higher and further education (HE and FE) institutions was launched. Educational institutions throughout the UK have been invited to join the federation and adopt new technologies such as Shibboleth. This will give institutions a route to single sign-on to resources for their users through federated, devolved authentication.
What is a federation?
A federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access and use of resources and services. The federation, combined with identity management software within institutions and organisations, can be referred to as federated access management.
Why Change?
There are a number of advantages for institutions and users in adopting a federated access management system based on Shibboleth technology:
- There is a proven need for a single access management system that supports a range of authentication scenarios, including access to internal and external resources, and collaborative requirements within e-learning and e-research
- It is based on international standards and can be implemented using freely available open source software
- It is achieving wide support in Australia, New Zealand, the USA, Japan and also in many European countries
- It separates authentication from authorisation. Authentication is controlled by the user’s home institution; authorisation is based on user attributes and controlled by the resource provider
- Users don’t have to acquire and remember a separate identity for accessing protected services – they simply use their local institutional username and password. This should increase use of subscribed services
- It facilitates finely controlled access to services or resources, allowing for subscriptions by department and group, or for courseware to be targeted at individual classes
Benefits
The use of federated access management, and of the software available to support its implementation, provides significant benefits to several user groups:
For the user: single sign-on using an institutional ID and password, and assurance that personal data will not be disclosed to third parties.
For the librarian: freedom from the burden of username/password administration and new tools for managing licences and service subscriptions.
For the IT manager: more control of the access management process through enhancements to enterprise directories, although this will require additional institutional effort in the short term.
For the institution: a single service to meet the requirements of e-learning, e-research and library-managed resources.
Choice for Institutions
It is important to emphasise that institutions will have choices, and that these choices should be supported by informed decisions. The potential models for adoption by institutions are described in the table below and institutions should consider how well each of these models fits with their IT strategy. Case studies, reports and advice are all available from the JISC website.
JISC Support
JISC is committed to supporting institutions in this changing environment. As well as implementing the UK federation, JISC is:
- Funding the provision of the Athens service until July 2008
- Maintaining the JISC federation access management website to provide support for institutions
- Providing case studies, reports, toolkits and advice from the work carried out in its ‘early adopter’ programmes
- Making the services hosted by MIMAS, EDINA and other JISC services federation-compliant
Timescales
Key milestones are:
- July 2006: renewal of Athens contract and launch of the Federation Gateway Services
- August 2006: first early adopters joined UK federation
- Shibboleth compliance specified in new NESLi2 and other JISC contracts
- November 2006: formal launch of the UK federation
- July 2008: end of current JISC contract for Athens and JISC funding for the Federation Gateways

| Option | Costs | Benefits |
| --- | --- | --- |
| 1. Become a full member of the UK Access Management Federation, using open source software with in-house technical support | Institutional effort to implement software, join federation and enhance institutional directories | Full institutional control, skilled staff and access management solution for internal, external and collaborative resources |
| 2. Become a full member of the UK Access Management Federation, using open source software with paid-for technical support | Cost of support from supplier and institutional effort in liaison with supplier and federation | Full support in implementation and access management solution for internal, external and collaborative resources |
| 3. Subscribe to an ‘outsourced Identity Provider’ to work through the UK federation on your behalf. Institutions will however be required to join the UK federation if they wish to access JISC-funded resources | Subscription costs to external supplier (from July 2008) and internal administration role | Minimum institutional effort to achieve access to external resources only |

Further information and resources
UK federation information and support
Joining the UK federation
For further information please contact the JISC Access Management Team:
JISC-access-management@jiscmail.ac.uk
JISCmail lists (join at www.jiscmail.ac.uk)
Announcements:
- UKFederation-announce@jiscmail.ac.uk
- JISC-shibboleth-announce@jiscmail.ac.uk
Practical and technical information:
- UKFederation-discuss@jiscmail.ac.uk
- JISC-shibboleth@jiscmail.ac.uk
- JISC-shibboleth-libraries@jiscmail.ac.uk