Proposal for SDSS Access Management Group
JISC has led the policy initiative in the UK to deploy Shibboleth as the next generation access management technology for authentication and authorisation across the science and education sector. The community has made a substantial investment to support the adoption of Shibboleth technology. The significant central funding provided by JISC, Becta, and other funding authorities has triggered major investment of effort by individual institutions and commercial vendors in implementing the technology and integrating it with their local systems.
Aims and Objectives and Scope of SDSS Management Group
Aims
The UK federation for Access Management now has over one hundred member organisations and is on track to satisfy the original goal of providing a next generation access management solution for UK education and research. The user base envisaged for the UK federation is at least an order of magnitude greater than that of the next biggest national deployment of Shibboleth in a federation. As such, the technology is both of key strategic importance for UK education and research and leading-edge, and therefore requires careful risk management.
The UK is heavily dependent upon both access to a stable codebase for the Shibboleth framework and upon establishing and maintaining a development path which is aligned to UK future requirements. Shibboleth, however, is not a UK development; it is essential that the UK maintains indigenous expertise in the technology to guarantee the security of service provision and maintenance.
Benefits
JISC and its partners need access to expert and timely advice on policy and technology in order that risks are managed and lessons are learnt from the pioneering deployment of the technology in the UK federation. There is also a need for a broadly based identity management technology watch, to keep the community informed of middleware trends and to inform the UK development programme by reporting and assessing initiatives elsewhere.
Scope
It is envisaged that the proposed Expert Group would have wide scope and remit that would contribute directly in meeting the challenges outlined above, with an understanding that its focus would narrow on specific themes, especially at the outset, as agreed with the JISC. EDINA is well placed to host the Expert Group in Access Management. In addition to its direct programme support activity, through the SDSS project EDINA has also fostered effective working relationships with the Internet2 MACE developers of Shibboleth and has been representing issues of relevance for the UK. Members of the EDINA SDSS team have made, and continue to make, a substantial contribution to the Shibboleth codebase and are recognised as trusted colleagues.
Background
JISC investigated a range of alternative solutions to the access management problem under several development programmes before selecting Shibboleth as the most suitable technology for the UK. The initial basis for this policy commitment was set out in a consultation paper (PDF).
Shibboleth technology was seen as much more than a replacement for Athens: it was intended that the choice of an internationally supported open-source product would provide a broad-based solution for the UK. While this would handle access control for library resources (as Athens has done), it would also be relevant to the management of internal institutional business functions, e-Science resources, virtual organisations, and other new application areas.
EDINA has been contributing to this investigation through various JISC programmes and has increasingly been playing a lead role in support of the various JISC initiatives to develop and embed the technology in the UK. A summary is given below.
- Under the Authentication, Authorisation and Accounting Programme, the TIES project implemented a pilot Public Key Infrastructure as a possible access management solution for Higher and Further Education.
- The follow-on TIES II project tested the practicality of deploying digital certificate technology from a commercial supplier, or other single Certification Authority.
When considered against the range of candidate solutions for access management in the UK, the clear favourite that eventually emerged was Shibboleth technology, a development of the Internet2 MACE initiative. As this technology was new and not well understood, JISC launched the Core Middleware Programme to acquire and promote better understanding of the issues involved in introducing it into the UK.
- As part of this work, EDINA developed the SDSS project as a means of providing support for the Programme over its three-year lifetime, and to create a technical environment that would enable the other projects supported by the Programme to make progress. The SDSS pilot federation identified and developed solutions for the essential elements of a national federation infrastructure. Early findings from this pilot activity informed the JISC production federation blueprint document, which set down key elements of the organisation of the UK federation.
The SDSS federation proved to be an effective prototype for the UK production federation and the transition between the two was straightforward (during their period of coexistence, the two federations were technically identical, and used the same federation metadata). In consequence, EDINA was engaged by JISC to provide operational support to JANET(UK), formerly UKERNA, who were allotted responsibility to run the UK federation. In practice, many of the technical aspects of federation operation are devolved to EDINA by JANET(UK). This operational support is distinct from the remit and activity proposed here but forms useful context. Establishing a separate Expert Group in access management is seen as the best way of ensuring that the R&D activity within the SDSS team at EDINA is sustained and developed to support the policy needs of JISC in this demanding area. It also supports the aims and objectives of the Access Management Transition Programme and the Service Portfolio approach by ensuring that expertise in a key JISC thematic area is spread within the JISC Community and not held within one organisation (i.e. JANET(UK)).
Remit for the Expert Group
The remit of the Expert Group is to provide the JISC with expert advice on technology and policy in the area of access management, including authentication, authorisation and accounting. This is wide in scope and it is expected that the main focus in the early years will be on authentication. As such, the responsibilities of the Group will include the following:
- expert advice to the JISC and the other responsible bodies, and to existing and potential members of the UK federation;
- report from a watching brief on risk factors that might adversely affect the future stability of the UK federation;
- monitoring and reporting on future UK requirements and application areas;
- engagement with the Internet2 MACE-Shibboleth developers, sharing workload by assuming responsibility for agreed developments and elements of the codebase;
- communication of UK requirements, constraints, and concerns to Internet2;
- investigation of models of authorisation and licensing within the Shibboleth framework;
- investigation of models for the regulation of the UK federation;
- report from a watching brief on other international developments.
Activities and Outcomes
The major activities of the proposed Expert Group are as follows:
- Provision of expert advice and analysis to the JISC, including the issue of Briefing Notes.
- Consultancy to the community, for inter- and intra-institutional use, including communication with organisations outside the UK federation.
- Regular communication with technical experts elsewhere, nationally and internationally; in particular, maintaining the close contacts with the Shibboleth core development team built up by members of the SDSS team over the past three years in the course of the JISC Core Middleware Programme.
- Contribution to maintenance of the Shibboleth code base; for example, the development of a Discovery Service for Shibboleth 2.0 and simpler installation of the identity provider software under Windows Active Directory.
- Providing a locus for development and initial (pre-SLA) deployment of useful services enabled by federated identity management but not part of the operation of the federation itself; for example, the inter-connection (bridge) previously developed by SDSS between the commercial TypeKey identity system and the UK federation. The availability of a large-scale, robust deployment infrastructure and the corresponding people skills within EDINA provides an ideal test bed for future service candidates.
- Technology watch on new developments in federated identity management.
- Representation of the UK federation at inter-federation meetings, with Board approval and as requested by JISC.
The Group would remain independent of any access management deployment, in order to be able to offer impartial advice. It will maintain a permanent record of all products which it has produced or contributed to.
Relationships and Responsibilities
The Group must work as part of a matrix of bodies involved in federated access management in the UK:
- JISC and Becta, which act on behalf of the funding bodies.
- JANET(UK), the federation operator, is mainly concerned with the management of the administrative activities of the UK federation. It brings a legal risk-mitigation viewpoint to the policy development process as represented in the Rules of Membership.
- EDINA, which is contracted to perform the crucial technically demanding aspects of UK federation operations.
- A Technical Advisory Group, which was established by JANET(UK) to review operational and technical issues. It has met rarely.
- A Federation Policy Board, which was established to be the source of authority for changes to the federation’s rules. Again, this meets rarely.
A well-defined role for the Group is needed to formalise its relationship with these responsible bodies.
International collaboration
There is also an important set of international collaborations with various bodies, including the Internet2 MACE team itself, as well as the emerging national federations in Switzerland, Finland, Australia, France, Norway, Sweden, and Denmark. Internationally, the UK needs to be adequately represented as the different national federations seek to develop workable inter-federation (confederation) agreements at both the policy and technical levels. To date, the UK has been represented, formally or informally:
- Directly by JISC in the ‘Cotswolds meeting’ and subsequent high-level policy discussions.
- At a purely informal, technical level by SDSS staff in discussions with Internet2’s Shibboleth core team.
- Increasingly, at the European level, by JANET in discussions between the various NRENs.
For the present and the medium term, technical development is not yet sufficiently mature to allow useful policy discussion without strong technical input. In most other European countries, development of the technical side of the national federation would take place within the national NREN. In the UK, it took place within a project (SDSS) funded by the JISC Core Middleware Programme. The proposed Expert Group is the means to take forward that architectural expertise, but it is also important that the UK is well represented in discussions between European NRENs. Since much of the required technical contribution would presently have to come from EDINA/SDSS rather than from JANET, the Group will need to be granted sufficient standing at discussions between NRENs.
It is for the JISC to consider:
- whether this situation can be improved by formalising a right for the proposed Expert Group to be consulted on and participate in international federation discussions, perhaps as representatives of the JISC;
- whether the Centre should be formally represented on the Technical Advisory Group and Policy Board (SDSS staff are already represented on the former). Note that these two committees might be expected to become more active as the policy implications of confederation are worked through.
Organisation
SDSS will run as a project initially under the Access Management Transition Programme. A rolling three-year funding model with a two year review point will be adopted. The proposed costs for the initial period August 2007 – March 2010 are given in Appendix A. The Co-Directors will be Peter Burnhill (also Director of EDINA) and Sandy Shaw. It is envisaged that Ian Young will be designated Associate Director. Establishing the Group provides the means to secure the services of the SDSS team. A further priority is to implement a succession plan through the recruitment of other suitable staff.