Introduction to the Federated Access Management in the UK
JISC has devoted significant funds to the development and implementation of the next generation access-management system based on Shibboleth technology. This has had significant implications for FE and HE institutions. This section explains the reasons behind JISC's decision and introduces the key federated access management concepts.
What is Access Management?
Access Management is the term used to describe the process of permitting access to protected online information, usually in the context of web pages or web based applications. It describes both the means by which an online information resource decides whether to allow access to a protected area, and also the administrative process of allowing access for approved individuals.
Main Access Management concepts
In order to understand Access Management there are a number of key concepts:
- Authentication is the process of verifying who is requesting access to a resource.
- Authorisation is the process of determining whether access should be granted to that individual, based on information about that individual.
- Attributes are items of information about an individual in defined formats, such as member of organisation x, member of department y, or role equals student or faculty.
- Accounting is the term used to describe the statistics functions available within an access management system, which show usage of online resources by individuals or by the organisation as a whole. These statistics also provide an audit trail, which ensures that usage can be tracked and allows unusual behaviour to be identified and investigated.
- Credentials is the generic term for the information provided by the individual in order to authenticate. The most common credential is a username and password, but other examples are email addresses, smart cards, biometrics and X.509 certificates.
- Single sign-on environments allow a user to 'sign on' once using a set of credentials and then be permitted access to many online resources without the need to 'sign on' again. The technology used for a single sign-on environment is generally an LDAP directory with a web front end, using cookies to record information about the signed-in user. Examples of this are Novell's iChain backed by its eDirectory, and the Athens Access Management System. Other solutions in place worldwide are Kerberos and PubCookie.
- An access management system (AMS) provides functionality for an administrator to create, manage and issue credentials and associated attributes for access to online resources, and enables online resources to make access decisions based on user credentials and attributes. Examples of access management systems are a bank's processes for issuing credentials for its online banking service; basic auth for Windows NT; a publisher's subscription fulfilment system for issuing usernames and passwords to subscribers; and Amazon's 'Your Account' service.
- X.509 certificates are electronic documents used to identify an individual, a server, a company, or some other entity, and to associate that identity with a public key. They are held within web browsers and are accessible to online resources through the browser. Like a driver's licence or a passport, a certificate provides generally recognised proof of a person's identity, as approved by the issuing Certificate Authority.
- Identity Providers are organisations that provide information about individuals. For instance, a University could inform third parties whether an individual was a registered student at the University; a mobile phone company could inform a third party that an individual with a given phone number is called John Smith and has paid all his bills. The Identity Provider uses a range of different systems and technologies to provide identity information to third parties in a secure manner.
- Service Providers are providers of online information and resources (e.g. publishers) that rely on Identity Providers for information about users.
Values and expectations of an access management system
The first value of an access management system (AMS) is trust: a protected resource must be able to trust the information provided by the AMS. The trust is generally associated with processes such as student registration and reinforced by terms and conditions or contracts. When the AMS is used for a single protected resource, e.g. a bank's processes for its own online banking service, the trust issues are simpler than for an AMS used for third party resources.
The second value of an AMS is security: only authorised parties should be able to read the information, and only approved administrators should be able to amend it. In the context of a publisher's subscription system, only the publisher's customer service staff should be able to amend a customer's record to say that a subscription has been paid, and only the publisher's delivery system should be able to read that information and deliver materials to subscribed customers. No customer should be able to declare his own subscription paid, and the publisher's competitors should not be able to see which organisations subscribe to its materials. To enforce security, the AMS will use a variety of techniques: all transactions should be encrypted, at least over Secure Sockets Layer (SSL) connections with associated certificates, and all access to the system should be protected by a minimum of username and password, with additional checks for administrator access, perhaps by restricting it to particular PCs.
The third value is privacy. An access management system may well hold a variety of information about an individual for the purposes of managing the individual's account; for instance the individual's name and email address as well as username and password. Under normal Data Protection legislation, this data may not be divulged to third parties. Unless individuals can be assured of their privacy, they are unlikely to use the AMS.
A fourth value is neutrality. Users of an AMS, both organisations and resource owners, must be assured that the AMS is neutral - to all organisations within it, and to all resources using it. The AMS should not favour one resource over another, attempt to promote resources to organisations, or offer different terms and conditions to some organisations.
The AMS must be able to identify individuals and assign attributes to them. The user's credentials should allow the AMS to identify the individual reliably, and assign appropriate attributes. The user may be identified simply as a member of an organisation or may be uniquely identified with a persistent unique identifier as an individual. For instance, IP authentication of an organisation's firewall could enable a user of a PC within that firewall to be identified simply as a member of the organisation; IP authentication of the actual PC could identify the owner of the PC.
A protected resource must be able to trust that users, who are no longer entitled to access the resource, have access removed promptly from the AMS. So subscribers who do not renew their subscription should be disabled at the end of the subscription period; students who leave a university should have their passwords disabled. This is generally termed revocation of rights, and is particularly important in the context of X.509 certificates as the certificate will still be located in the user's browser and cannot easily be updated.
Access Management issues
Proliferation of usernames
Typically each protected web-based application, such as a library online catalogue or virtual learning environment, has its own authentication system, and each user of that application is issued with a username specifically for access to that system. Similarly, publishers and commercial resource owners issue usernames and passwords for access to their protected or subscribed resources. So a typical student is likely to have a username for access to the Library Catalogue, a username for access to local PCs, another username for access to the Virtual Learning Environment, and a username for access to academic research material like ISI's Web of Knowledge or Gale's InfoTrac. This proliferation of usernames causes management effort for the resource owner, confusion for the user and customer service effort for the organisation.
To alleviate these problems, many organisations are seeking to establish single sign-on environments so that members of their organisation only have one set of credentials issued by the organisation for access to all resources owned by or subscribed to by the organisation. In this scenario, the organisation is the Identity Provider for its members.
Personalisation
The first online resources purchased by organisations were bibliographic databases and dictionaries sold under site licence to the organisation. The majority were authenticated by IP address. A resource like a dictionary has no obvious personalisation features, but bibliographic databases of academic journals, which are constantly updated, offer features like 'my favourite journals', 'my saved searches' and email alerts. To simplify access to these personalisation features, it is necessary to identify the individual as well as the subscribing organisation: individual identification, not simply identification of the subscribing organisation. Personalisation is now the norm for online resources with the advent of online shopping and banking services.
Licensing
Online resource providers need an easy way to license their products and to police the licensing terms. IP authentication provides an easy way to identify an organisation and to ensure that no-one outside the organisation can access the product. However, it is impossible to identify parts of an organisation, say the department of chemistry, using IP authentication. Resource providers have therefore been forced to make their resources available to the entire organisation, and have priced them accordingly.
The use of attributes from an authoritative source makes it possible for a resource owner to make his resource available to a subset of an organisation, for instance to students in the department of chemistry.
Attributes
The use of attributes provides endless possibilities to categorise users, but also the possibility of endless confusion. For a single online resource, an attribute can have a simple meaning in relation to that resource; however, when the attribute is used by many resources, its definition and possible values need to be clearly identified, both for those setting the attribute and for those reading it. As an example, take the attribute role. The value 'student' would seem to have a fairly obvious meaning, but does it include school children? Is a teaching postgraduate a student, a member of staff, or both? There are a number of international initiatives that seek to establish standards for individual metadata, such as OrgPerson, EduPerson and CourseID. These initiatives are in their infancy and there is at present no common set of standards, either nationally or internationally.
Nonetheless, it makes sense for common attributes to be set once for the individual rather than once per resource, since setting them per resource quickly becomes unscalable and unmanageable. A key requirement of such a naming scheme is that the names and possible values are publicised clearly, so that a common understanding can develop. However, there are other attributes that are resource specific, for instance the editor of a content management web site, so there will remain a need for resource-specific attributes with flexible names and values.
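As an added illustration of the two points made in the attributes discussion and in the licensing section above (this is not JISC's or Shibboleth's code, and the vocabulary, department names, identifiers and policies are all constructed samples), the following Python shows a service provider that accepts only attribute values from a published vocabulary, fails closed on anything it cannot interpret, and then evaluates three kinds of licence: a whole-organisation site licence, a subset licence for chemistry students, and a resource-specific role kept by the service provider itself, keyed by a persistent identifier. The attribute names follow the eduPerson convention the text mentions; the assumed scope check ties each affiliation to the organisation that asserts it.

```python
import re

# Published vocabulary for the affiliation attribute (constructed sample set,
# modelled on the eduPerson standard named on the page). Multi-valued: a
# teaching postgraduate may legitimately carry both 'student' and 'staff'.
AFFILIATION_VALUES = {"student", "staff", "faculty", "member"}

# '<value>@<scope>': the scope ties the affiliation to the asserting organisation.
SCOPED = re.compile(r"^(?P<value>[a-z]+)@(?P<scope>[a-z0-9.-]+)$")


def validate_attributes(raw, org_scope):
    """Return cleaned attributes, or raise ValueError when a value falls outside
    the published definition. Unknown attribute names are dropped because the
    service provider has no agreed meaning for them."""
    cleaned = {}
    for name, values in raw.items():
        if name == "eduPersonScopedAffiliation":
            out = set()
            for v in values:
                m = SCOPED.match(v)
                if not m:
                    raise ValueError(f"malformed scoped affiliation {v!r}")
                if m["value"] not in AFFILIATION_VALUES:
                    raise ValueError(f"affiliation {m['value']!r} not in vocabulary")
                if m["scope"] != org_scope:
                    raise ValueError(f"scope {m['scope']!r} is not {org_scope!r}")
                out.add(m["value"])
            cleaned[name] = out
        elif name == "ou":  # department: free text, normalised for comparison
            out = {v.strip().lower() for v in values if v.strip()}
            if not out:
                raise ValueError("ou present but empty")
            cleaned[name] = out
        elif name == "eduPersonTargetedID":  # persistent, opaque per-SP identifier
            cleaned[name] = str(values[0]) if values else None
    return cleaned


# Licences expressed as predicates over cleaned attributes (constructed examples).
def site_licence(attrs, local_roles=None):
    """Whole organisation: any valid affiliation from the asserting org suffices."""
    return bool(attrs.get("eduPersonScopedAffiliation"))


def chemistry_students(attrs, local_roles=None):
    """Subset of the organisation: students in the chemistry department."""
    return ("student" in attrs.get("eduPersonScopedAffiliation", set())
            and "chemistry" in attrs.get("ou", set()))


def cms_editor(attrs, local_roles):
    """Resource-specific role held by the SP itself, keyed by the persistent id."""
    return "editor" in local_roles.get(attrs.get("eduPersonTargetedID"), set())


def authorise(policy, raw_attrs, org_scope, local_roles=None):
    """Fail closed: attributes the SP cannot interpret yield no access."""
    try:
        attrs = validate_attributes(raw_attrs, org_scope)
    except ValueError:
        return False
    return policy(attrs, local_roles or {})
```

The design choice worth noting is that an unrecognised affiliation value such as 'pupil' is rejected outright rather than mapped onto 'student' by guesswork; the ambiguity the text describes is resolved by the published vocabulary, not by each resource owner's interpretation.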
What is Federated Access Management?
Federated Access Management builds a trust relationship between Identity Providers (IdP) and Service Providers (SP). It devolves the responsibility for authentication to a user’s home institution, and establishes authorisation through the secure exchange of information (known as attributes) between the two parties.
Shibboleth technology
Shibboleth is a technology, developed by the Internet2 group, that enables federated access management. It both triggers the authentication process within an institution, and supports the secure exchange of information to establish authorisation.
Shibboleth is an implementation of an open standard known as SAML (Security Assertion Mark-Up Language). There are other products available that can be used instead of Shibboleth, such as the AthensIM and Guanxi implementations. The latest version of Shibboleth is 2.0.
The Shibboleth architecture defines a way of exchanging information between an organisation and a provider of digital resources (such as data, video, documents, and so on). By using Shibboleth, the information is exchanged in a secure manner, protecting both the security of the data and the privacy of the individual.
In the Shibboleth model, the organisation is responsible for authenticating the user - that is, for checking that the credentials the user presents are correct (typically a username/password combination). The organisation is also responsible for providing information about the user; for example, whether the user is a student, a lecturer, or a member of the zoology department. This information is called attribute information. The organisation is called the Identity Provider.
The decision to authorise access to information is the responsibility of the owner of the resource, and is based on the user's attribute information. Attribute information can be as simple as 'member of zoology department' or as complex as 'member of project team who has signed up to the project terms and conditions'. The provider of the information is called the Service Provider.
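The exchange just described, as an added example that is not Shibboleth or SAML code: the Identity Provider checks the user's password, releases only the agreed attributes (no name or email), and signs an assertion addressed to one Service Provider; the Service Provider verifies the signature against the key it holds for that issuer in its federation metadata, checks the audience and validity window, and only then applies its own access policy. It also shows the prompt removal of access described in the values section: once the Identity Provider disables a leaver's credential, no further assertions are issued. The signature is an HMAC over a JSON body standing in for a SAML XML signature, and the entity IDs, keys, user and policy are constructed samples.

```python
import hashlib
import hmac
import json
import time

# Federation metadata as the SP sees it (constructed): trusted issuers and the
# key that verifies each issuer's assertions.
SP_ENTITY_ID = "https://sp.publisher.example/shibboleth"
IDP_ENTITY_ID = "https://idp.example.ac.uk/shibboleth"
IDP_KEY = b"constructed-idp-signing-key"
FEDERATION_METADATA = {IDP_ENTITY_ID: IDP_KEY}
PBKDF2_ROUNDS = 50_000


class IdentityProvider:
    """Authenticates its own members and releases only the agreed attributes."""

    def __init__(self, entity_id, key):
        self.entity_id, self.key = entity_id, key
        self.users = {}

    def register(self, username, password, attributes):
        salt = b"constructed-salt:" + username.encode()
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "attrs": attributes,  # affiliation only; name and email are never released
            "enabled": True,
        }

    def revoke(self, username):
        """Member has left: disable the credential so no further assertions issue."""
        self.users[username]["enabled"] = False

    def authenticate(self, username, password):
        rec = self.users.get(username)
        if rec is None or not rec["enabled"]:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, rec["hash"])

    def assertion(self, username, password, audience, now=None, lifetime=300):
        """Return a signed attribute assertion addressed to 'audience', or None."""
        if not self.authenticate(username, password):
            return None
        now = time.time() if now is None else now
        body = {"issuer": self.entity_id, "audience": audience,
                "not_before": now, "not_after": now + lifetime,
                "attributes": self.users[username]["attrs"]}
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}


class ServiceProvider:
    """Verifies assertions against federation metadata, then applies its policy."""

    def __init__(self, entity_id, metadata, policy):
        self.entity_id, self.metadata, self.policy = entity_id, metadata, policy

    def verify(self, token, now=None):
        """Return the attributes if the assertion is trustworthy, else None."""
        try:
            body = json.loads(token["payload"])
        except (KeyError, TypeError, ValueError):
            return None
        key = self.metadata.get(body.get("issuer"))
        if key is None:
            return None  # issuer is not a federation member
        expected = hmac.new(key, token["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(token.get("signature", ""))):
            return None  # tampered or forged
        now = time.time() if now is None else now
        if body.get("audience") != self.entity_id:
            return None  # assertion meant for a different SP
        if not (body["not_before"] <= now <= body["not_after"]):
            return None  # outside the validity window
        return body["attributes"]

    def authorise(self, token, now=None):
        attrs = self.verify(token, now)
        return attrs is not None and self.policy(attrs)


def run_scenario():
    """Constructed walkthrough; returns the outcome of each step as a dict."""
    pw = "correct horse battery staple"
    idp = IdentityProvider(IDP_ENTITY_ID, IDP_KEY)
    idp.register("alice", pw, {"eduPersonScopedAffiliation": ["member@example.ac.uk"]})
    sp = ServiceProvider(SP_ENTITY_ID, FEDERATION_METADATA,
                         lambda a: "member@example.ac.uk" in a.get("eduPersonScopedAffiliation", []))
    good = idp.assertion("alice", pw, SP_ENTITY_ID, now=1000)
    tampered = {"payload": good["payload"].replace("member@", "staff@"),
                "signature": good["signature"]}
    results = {
        "wrong_password": idp.assertion("alice", "guess", SP_ENTITY_ID, now=1000) is None,
        "valid": sp.authorise(good, now=1100),
        "tampered": sp.authorise(tampered, now=1100),
        "expired": sp.authorise(good, now=2000),
        "wrong_audience": sp.authorise(
            idp.assertion("alice", pw, "https://other.example/sp", now=1000), now=1100),
    }
    idp.revoke("alice")
    results["after_revocation"] = idp.assertion("alice", pw, SP_ENTITY_ID) is None
    return results
```

The Service Provider never sees Alice's password and never learns her name; it trusts the affiliation only because the assertion verifies under a key that the federation metadata binds to her institution.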
Some of the benefits of using Shibboleth
Users will have a single sign-on using an institutional ID and password for a wide range of resources, as well as the assurance that their personal data will not be disclosed to third parties.
Librarians will be free of the burden of user name and password administration, and will have new tools for managing licenses and service subscriptions.
IT managers will have more control of the access management process through enhancements to enterprise directories, although this will require additional institutional effort in the short term.
Institutions will have a single service to meet the requirements of e-learning, e-research and library-managed resources. Simplification of the authentication process has also proven to lead to increased use of subscribed services.
'Federations’ and why they are needed
A federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access and use of resources and services. The federation combined with identity management software within institutions and organisations can be referred to as federated access management.
How authentication is carried out by the institution and how rights management is carried out by the service provider is left up to the respective parties. In doing so, Shibboleth depends on a certain level of trust. These trust agreements are managed by Federations. Federations are typically being established at a national level.
The UK federation is called the UK Access Management for Education & Research. It is run by JANET(UK), building on the experiences of a successful pilot federation at EDINA (a JISC data centre), on behalf of JISC and Becta.
Membership of the UK Federation will be free at the point of use for both Identity Providers and Service Providers within or serving the UK HE and FE community.
Why has JISC decided to adopt a new federated access management system, based on Shibboleth?
Provision of access management facilities for the UK Further and Higher Education communities has formed a key part of the JISC strategy and operational planning for over ten years. Through the project initiation and subsequent service funding of Athens, JISC, the University of Bath and subsequently Eduserv proved the importance, impact and benefits of a co-ordinated approach to access management services. Athens has successfully served the UK education community as a national access management service for almost ten years. The adoption of Athens put the UK at a considerable advantage over many countries in terms of coordinated national provision of access to electronic resources.
2000 – 2002
JISC has a clear remit for ‘sustainable innovation’ and as such is responsible for continued review of sustainability models for its services and new and innovative solutions to issues within the JISC portfolio. Through the 05/99 development programme and supporting work, a clear requirement for a next generation access management system emerged. The programme work highlighted the importance of a system that was based on open standards, supporting the JISC sustainability model. It also highlighted the need for the system to support four usage scenarios within a single system:
- intra-institutional use for internal systems and campus single sign-on support
- access to third-party / commercial resources
- inter-institutional use for long-term collaborations (e-learning scenarios)
- inter-institutional use for ad-hoc collaborations (virtual organisation scenarios)
This innovative vision demanded join-up across all stakeholders serving the JISC community, bringing e-research, e-learning and information environment communities together to support a shared requirement.
2002 – 2004
In response to the requirements identified, JISC commissioned the AAA Programme (Authentication, Authorisation and Accounting) to act as an audit and evaluation programme for the emerging technologies within this arena. JISC also carried out extensive consultation and joint work with international bodies, such as Internet2 and TERENA, and was able to benefit from the findings of the Internet2 early adopters and trials within European countries.
During this time, JISC awarded Eduserv a new contract for the Athens service in 2003, confirming its commitment to providing access management facilities to the UK Further and Higher Education community.
2004 – 2006
The recommendations from the AAA Programme and the international arena clearly supported a closer evaluation of federated access management, based on SAML technologies. To meet this recommendation, JISC initiated the Core Middleware: Technology Development Programme to further develop federated software tools within the UK. JISC also presented the findings of the AAA programme to HEFCE (Higher Education Funding Council for England) as part of the spending review process, and was subsequently awarded a capital grant with the specific aim of ‘building a working federated access management infrastructure within the UK’. This produced the Core Middleware: Infrastructure Programme.
2006 - 2008
At the beginning of 2006, JISC was in a position to make two decisions regarding access management provision to its community:
- The Athens service was now fully mature and appropriate for moving to a subscription based model within the community, in line with the JISC Development – Service Strategy.
- Federated Access Management was a viable approach within the UK, and Further and Higher Education institutions would realise significant benefits from its introduction and support.
On Tuesday 28 February 2006, all Higher Education Vice Chancellors and Principals in Further Education in Northern Ireland, Wales and Scotland, along with publishers, received a letter from JISC which detailed the changes.
In November 2006, JISC launched its UK Access Management Federation for UK higher (HE) and further (FE) education institutions. Educational institutions throughout the UK are invited to join the UK Federation and adopt new technology, such as Shibboleth. This will provide institutions with a route to single sign-on to resources for users through the implementation of federated, devolved authentication.
The Athens service in its current form will not be funded by JISC after July 2008. Athens (run by Eduserv) will continue to be available to institutions beyond July 2008 on a subscription basis.
JISC has established a transition programme with clear choices to minimise disruption to end-users. JISC has produced roadmaps for institutions and publishers to clearly outline the choices that they have to make. JISC will also be providing the community with support in the form of bulletins, events, training and early-adopter funding over the transition period. Information about all these activities is available from this website.