UK Assessment of eduPerson and Related Schemas

There is an increasing international awareness of the need to allow access to online resources with reliable user authentication, but without the need to supply privacy-infringing personal information. The challenge lies in being able to assert access rights accurately without revealing the identity of the user. The solution is to move to a system which relies on anonymous role-based authorisation asserted in a standard way by a reliable organisation. One technology which facilitates these secure internet transactions is Shibboleth [i].

Executive Summary

Shibboleth technology originated in the USA, which led the world with the creation of the eduPerson [ii] schema, as this new approach to access rights required a robust method of relating people to their roles.

The UK’s interest in the Shibboleth solution led to the consideration of the creation of a standard schema for the description of members of the UK academic communities. The UK, however, unlike the USA, already had a tried and tested access management infrastructure in Athens [iii]. Thus much of the challenge for the UK lies in persuading the academic community to consider new technology. The UKeduPerson consultation exercise illustrated the depth of this problem and emphasised the need to raise national awareness and sponsor a national debate on the issues.

The UKeduPerson project followed three strands: an assessment of the international picture, a “bottom-up” assessment of potential requirements for a UKeduPerson schema and a consultation exercise with Shibboleth-aware information vendors. The project resulted in the production of the UKeduPerson schema [iv] and made recommendations to JISC for future development.

The consultation exercise was based around a questionnaire, but the project team made considerable efforts to extend the knowledge base via one-to-one meetings, email and telephone correspondence. A total of 30 institutions contributed to the research; thus the team were confident in being able to report a representative view of large and small institutions from all over the UK. A focus group at the London School of Economics provided much valuable information and directed the project team towards currently available standard definitions (HESA [v] and ILR [vi] categories) and alternative technical solutions.

It had been expected that the UKeduPerson schema would be produced in LDAP [vii], as with the US eduPerson schema, but input from the academic community led the project to consider the advantages of XML [viii]. The principal impetus for this change of direction was the need to be able to define complex data describing users with multiple roles. Access rights need to be related to roles, not to individuals, and multiple roles present a challenge in LDAP. The technical solution to these challenges was to produce three versions of the schema: an XML version, a description of how to embed the information into the SAML standard [ix] and an LDAP version for compatibility with legacy directory systems.
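An added illustration (not taken from the report or from the UKeduPerson schema) of why multiple roles are awkward in a flat directory entry: two multi-valued attributes cannot record which affiliation goes with which department, while a nested record can. All attribute names, element names and values below are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample data. Names and values are illustrative assumptions,
# not attributes defined by eduPerson or UKeduPerson.

# Flat, LDAP-style entry: each attribute holds an unordered set of values,
# so the link between an affiliation and its department is lost.
FLAT_ENTRY = {
    "affiliation": {"staff", "student"},
    "department": {"physics", "library"},
}

# Structured, XML-style record: each role keeps its own context together.
STRUCTURED_XML = """
<person>
  <role><affiliation>staff</affiliation><department>physics</department></role>
  <role><affiliation>student</affiliation><department>library</department></role>
</person>
"""


def flat_allows(entry, affiliation, department):
    """Authorise from the flat entry: each attribute is tested on its own."""
    return (affiliation in entry["affiliation"]
            and department in entry["department"])


def parse_roles(xml_text):
    """Return the (affiliation, department) pairs held in the nested record.

    The XML here is an embedded constant; assertions received from another
    party should go through a hardened parser and signature validation.
    """
    root = ET.fromstring(xml_text)
    return [(role.findtext("affiliation"), role.findtext("department"))
            for role in root.findall("role")]


def structured_allows(roles, affiliation, department):
    """Authorise only when a single role carries both values."""
    return (affiliation, department) in roles


if __name__ == "__main__":
    roles = parse_roles(STRUCTURED_XML)
    # Policy under test: "staff of the library may use this resource".
    print("flat entry grants access:      ", flat_allows(FLAT_ENTRY, "staff", "library"))
    print("structured record grants access:", structured_allows(roles, "staff", "library"))
```

The person in the sample is staff in physics and a student in the library, so the flat check grants a "library staff" right that no single role supports, and the structured check refuses it.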

The project team recognise that the UKeduPerson schema will need updating and amending and that this should become the responsibility of a standards body. It is recommended that CETIS [x] (the Centre for Educational Technology Interoperability Standards) is offered this role.

 

Author: John Paschoud

Publication Date: 22 September 2004