UK Education & Research Access Management Federation

Project Brief

The JISC currently provides an access management service called Athens, via a subcontract with Eduserv. However, this service is proprietary, and with the emergence of Shibboleth technology, based on SAML (Security Assertion Markup Language), there has been a migration towards this standards-based technology. It provides a new approach to authentication and authorisation services and is seen as more flexible, scalable and secure. In addition, it will not require service providers to pay to use an authentication service, as is currently the case with the Athens service. Federations are currently operating in the US (InCommon), Switzerland (SWITCH), Finland (HAKA) and the UK (SDSS). In the UK the SDSS Federation is considered experimental and was deployed to support the JISC's early adopters' programme for Shibboleth deployment.

JISC has announced that it will cease to fund the Athens service after July 2008, as it wishes to move to a more standards-based approach to access management, in line with activities in other countries.

Discussions held with DfES and Becta have helped to establish a joined-up approach to access management provision across the education sector in the UK. This has resulted in UKERNA being asked to provide a single access management system across all education sectors.

Aims, Objectives and Scope

Aims

  • Deploy an access management service, using Shibboleth technology (itself based on SAML), to the education sector in the UK. The project aims to provide continuity of service to those organisations involved in the JISC early adopters' programme.
  • Provide clear transition paths for organisations new to access management and those transitioning from the existing JISC service.
  • Establish a robust federation of trust for those using the service, based on clear guidelines, policies and agreements. UKERNA will work closely with its partner organisations (in this case DfES, JISC and Becta) as well as co-ordinating with others working in this sector (LGfL, RBCs Technical Group, JISC early adopters' programme, SDSS, Edina and Eduserv) to ensure that a cohesive message is sent to the education sector.

Objectives

  • Build an access management infrastructure on JANET based on Shibboleth technology such that users can gain access to web-based content and services through the use of a single username and password.
  • Establish policies, guidelines and agreements in order to build a framework of trust between Service Providers (SPs) and Identity Providers (IdPs).
  • Establish a JANET Server Certificate Service based on the TERENA SCS GlobalSign agreement.
  • Communicate clearly to users, service providers and identity providers the functionality provided by the service, timescales on which the service will be provided and how they can make best use of it.
  • Define and establish the structures, mechanisms and procedures necessary for the effective management of the service.
  • Transition management of the production service to PSD by July 2009, should the technology, contractual framework, trust relationships, policies and the day-to-day operational service have matured to a point where this is sensible.

Scope

  • Procure, build and commission an access management infrastructure to serve the education sector in the UK based on Shibboleth technology.
  • Work closely with partner organisations (JISC, DfES and Becta) to ensure that cohesive messages are sent to the education sector in relation to the project.
  • Establish policies, guidelines and agreements in order to establish a robust federation of trust.
  • There is no provision within this project at the moment for outreach or assisted take up services. JISC are considering how best to proceed in these areas.

Formal work will not begin until letters of funding confirmation have been received from JISC and DfES. Work will continue in the background to help prepare for the project.

Design Overview

Currently there is an open question about whether a single federation can be constructed and operated, or whether two separate federations will need to be established, one for schools and one for the rest of the community. There are both policy and technical issues surrounding a single- or multi-federation approach. At the moment the approach adopted by all parties is to aim to establish a single federation. If at some point this becomes impracticable, the decision will be made to establish and operate two federations.

The major components of the service are illustrated below:

[Figure: the major components of the service, arranged as a circle (image not reproduced)]

Starting at the centre of the circle, the federation will require a number of resilient web servers to provide the WAYF (Where Are You From) service. In addition, the metadata that specifies who is in the federation and what services they provide will need to be hosted in a secure and highly available way.

In terms of operation of the federation, the WAYF servers and the metadata hosts will need to be secured and maintained. The metadata that forms the basis of the infrastructure needs to be maintained and updated as organisations join the federation and as details of the services provided by SPs and IdPs change. The current plan is to work with the existing providers of the SDSS federation (Edina) to continue with the day-to-day management of the metadata. In addition, those managing the metadata on a day-to-day basis will need to have an ongoing programme of testing of server certificates. While it is likely that most organisations within the education sector will use certificates from the TERENA framework agreement, these certificates will not be available to the commercial sector. Therefore a list of compatible server certificates for use with the federation will need to be maintained.

There is also likely to be a rapid evolution of Shibboleth technology. The currently deployed versions range from v1.1 to v1.3, with v2.0 likely to be available later in 2006 or early 2007. There will need to be a staged migration between versions. This has a direct impact on the way the metadata is structured and the functionality that can be provided through the federation.
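To make the metadata described above concrete, the following is an added example (not code from the project brief, UKERNA, Edina or the Shibboleth project). It parses a small SAML 2.0 metadata aggregate, constructed here with made-up entity IDs, hosts, dates and placeholder certificate text, and reports which entities act as IdPs and SPs, which endpoints they advertise, which identity providers a WAYF could offer to users, and which entries the metadata maintainers would need to chase because their `validUntil` has passed or they carry no certificate. The `validUntil` attribute, the `md:` and `ds:` namespaces and the element names are the standard SAML 2.0 metadata ones; the helper names are this example's own.

```python
"""Inspect a SAML 2.0 federation metadata aggregate (added example)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed aggregate: one IdP, one live SP, and one SP whose own
# validUntil is already in the past. Entity IDs and hosts are made up.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.ac.uk/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://old-sp.example.org/shibboleth"
      validUntil="2007-01-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://old-sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _parse_time(value):
    """Parse a SAML xs:dateTime in UTC form (e.g. 2030-01-01T00:00:00Z)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_federation(xml_text=None, now_iso=None):
    """Return one record per entity: roles, advertised endpoints, whether it
    carries a certificate, and whether it (or the whole aggregate) has expired."""
    xml_text = SAMPLE_METADATA if xml_text is None else xml_text
    now = _parse_time(now_iso) or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    aggregate_expiry = _parse_time(root.get("validUntil"))
    aggregate_expired = aggregate_expiry is not None and aggregate_expiry <= now
    records = []
    for entity in root.findall("md:EntityDescriptor", NS):
        expiry = _parse_time(entity.get("validUntil"))
        expired = aggregate_expired or (expiry is not None and expiry <= now)
        roles = []
        if entity.find("md:IDPSSODescriptor", NS) is not None:
            roles.append("IdP")
        if entity.find("md:SPSSODescriptor", NS) is not None:
            roles.append("SP")
        # Every md:* element with a Location attribute is a protocol endpoint.
        endpoints = [e.get("Location") for e in entity.iter()
                     if e.tag.startswith("{%s}" % NS["md"]) and e.get("Location")]
        has_cert = entity.find(".//ds:X509Certificate", NS) is not None
        records.append({"entityID": entity.get("entityID"), "roles": roles,
                        "endpoints": endpoints, "has_cert": has_cert,
                        "expired": expired})
    return records


def wayf_choices(records):
    """Identity providers a WAYF could offer: IdP role, unexpired, with a key."""
    return sorted(r["entityID"] for r in records
                  if "IdP" in r["roles"] and not r["expired"] and r["has_cert"])


def stale_entities(records):
    """Entries the metadata maintainers should chase: expired or without a certificate."""
    return sorted(r["entityID"] for r in records if r["expired"] or not r["has_cert"])


if __name__ == "__main__":
    recs = parse_federation(now_iso="2008-07-01T00:00:00Z")
    for r in recs:
        print(r["entityID"], r["roles"], "EXPIRED" if r["expired"] else "ok")
    print("WAYF list:", wayf_choices(recs))
    print("needs attention:", stale_entities(recs))
```

The check is deliberately structural: it reads dates and the presence of key material from the metadata, but does not verify certificate chains or signatures, which a real federation operator would do on top of this when maintaining the compatible-certificate list mentioned above.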

Federation policy will be the most critical and perhaps most difficult area of the project. Gaining consensus across the education sectors for all aspects of policy, from attribute release to levels of assurance and the legal requirements placed on SPs and IdPs, is likely to be challenging. The ultimate success of the project rests on a federation of trust being established between all members: if the policies are too constraining, new services will not be added to the federation, limiting its use; if they are too open, the fabric of trust will not be strong enough, again limiting membership and use. There will also be a requirement for policies to evolve and develop as the federation grows.

A support service will be established using JCS as the central point of contact. Individuals with a range of skills in the use and deployment of Shibboleth will then be contracted to provide support effort as part of a structured service. Until the point at which a support service can be established, the technical specialists and project manager will provide and co-ordinate responses to support enquiries, in co-operation with those managing the metadata on a day-to-day basis.

As part of the overall project it will be necessary to establish and co-ordinate a plan for communicating what the project is doing, the services that will be available as well as helping to raise general awareness of the technologies being deployed. Another essential element of the project will be a training programme. This programme will need to address how to make use of the federation from the perspective of IdPs and SPs, the rules and policies governing the use of the federation, how to connect, report problems and obtain support. There will also be a requirement for technical training on the technology being deployed as well as associated best practice in approaching identity management and directories. It is unclear at the present time where responsibility for the provision of outreach and assisted take up services will fall. JISC are currently considering their approach.

Completing the circle, the federation will require ongoing development to ensure it continues to meet requirements, supports appropriate versions of the Shibboleth software and is responsive to emerging requirements in authentication and authorisation technologies.

Project Staff

  • Henry Hughes (Overall Programme Manager): henry.hughes@ja.net
  • Mark Tysom (Infrastructure Project Manager): mark.tysom@ja.net
  • NOSC (During specification install and commissioning of infrastructure)
  • Technical Specialists (to be recruited)
  • Project Manager (to be recruited)
  • Service Manager (to be recruited)
  • Administration Support (to be recruited when required)

Summary

  • Start date: 1 March 2006
  • End date: 31 July 2009
  • Funding programme: Access Management Transition programme