Federated Access Management
From RSCWMWiki
Introduction
Access management is concerned with managing how users from an institution gain access to web resources provided by external content providers (including other learning providers).
Prior to August 2008, the JISC subsidised the Athens service run by Eduserv. Under Athens, the identity of a user trying to access an external resource is verified against a database held by Eduserv. The user's institution is responsible for maintaining user login information and defining which users are granted access to which resources. The advantage of Athens is that a user only has to remember a single set of credentials to access any resource to which his/her institution is subscribed. The disadvantage is that separate user credentials have to be maintained for internal and external resources.
In November 2006, JISC launched the UK Access Management Federation (usually referred to as the UK Federation) to provide secure access to online resources using a federated access management (FAM) framework. The main difference between FAM and Athens is that, with FAM, the content or service provider never holds or checks the user's credentials: it redirects the user to the institution's identity provider, which authenticates the user against the institution's own directory and sends the service provider an assertion about the user. The user's password never leaves the institution, and the institution no longer has to maintain separate credentials for internal and external resources. An institution can also use FAM if it wants to share content with other institutions. See Benefits of joining the UK Access Management Federation for more information.
The UK Federation
Institutions must become members of the UK Federation in order to gain access to resources provided by other members, even if the institution does not plan to implement FAM. UK Federation membership is free. Application for membership must be made in writing to JANET (UK) and signed by a senior officer of the institution. See the application process flow chart (pdf) or the Applying for Membership page for more information.
An institution joining the UK Federation must be:
- A legal entity
- An educational or research institution or a commercial organisation that provides educational services.
In addition to the above, an institution that wishes to register as an FAM identity provider must:
- Have a registered Internet domain name
- Have an internal access management infrastructure, such as Microsoft Active Directory, Novell eDirectory or OpenLDAP, for staff and student accounts.
See Federation Operator Procedures and Rules of Membership for more information.
FAM Identity Provider
The following are brief instructions for becoming a UK Federation Identity Provider:
1. Validate Access Management Infrastructure
- The UK Federation Rules of Membership specify that an identity provider must:
- promptly revoke credentials of end users who are no longer members of the organisation
- not reassign unique end user attributes, e.g. a username, for at least 24 months after the user leaves the organisation
- update the user attributes in the directory as soon as possible when the user status changes
2. Identify Sources of User Attributes
- The UK Federation defines four core attributes (eduPersonScopedAffiliation, eduPersonTargetedID, eduPersonPrincipalName and eduPersonEntitlement) that an identity provider should be capable of providing. Service providers define which subset of attributes they require, and an identity provider should release no more than a given service provider needs. See Attribute Usage for more information.
- One of the core attributes, eduPersonScopedAffiliation, gives the user's affiliation with the organisation, e.g. member, staff or student, qualified by the institution's scope (for example staff@example.ac.uk, where example.ac.uk stands for the institution's registered domain). The institution may store this information within the user's directory record or derive it from the directory structure, e.g. staff and student accounts stored in different containers / organisational units.
3. Join the UK Access Management Federation
- See previous section
4. Obtain an X.509 Server Certificate
- The certificate secures communication with the Identity Provider and, once registered in the federation metadata, lets service providers verify the assertions the IdP signs. JANET can provide GlobalSign certificates free of charge to connected organisations. For more information visit the Get Certificate and Service Certificate Application pages.
5. Implement the Identity Management Software
- The UK Federation uses the Shibboleth software to enable federated access management. Shibboleth is an open-source web-based technology that can run on either Linux or Windows. Although there is no license fee to use Shibboleth, there may be a cost to installing or supporting the software depending on whether or not it is managed entirely in-house.
- Institutions wishing to implement an identity provider (IdP), have the following options.
- Install and support Shibboleth in-house
- The Shibboleth IdP software is Java-based and its configuration is controlled by XML files. If the in-house IT staff are comfortable with both technologies, then Shibboleth can be supported entirely in-house.
- Pay a third-party to install and support an in-house Shibboleth IdP.
- Outsource identity management to a third-party
- See also:
- Shibboleth 2 Identity Provider Configuration Guide
- Configuring a Shibboleth 2.x Identity Provider for the UK Federation
- Active Directory-authenticated Shibboleth v2 IdP Setup Guide (Windows) with CAS single sign-on
- Active Directory-authenticated Shibboleth v2 IdP Setup Guide (Windows)
- Active Directory-authenticated Shibboleth v2 IdP Setup Guide (Linux - CentOS)
- Active Directory-authenticated Shibboleth v2 IdP Setup Guide (Linux - OpenSuSE)
- Active Directory-authenticated Shibboleth v1.3 IdP quick installer.
- Organisations that provide in-house and outsourced IdP services
6. Register the Identity Provider
- Send an e-mail to the UK Federation Helpdesk (service@ukfederation.org.uk) with information about the institution, the IdP server and the SSL certificate. See Registering a Shibboleth 2 Identity Provider for instructions.
7. Install UK Federation Metadata
- Edit the Shibboleth IdP XML configuration files to include UK Federation metadata as described in the relying-party.xml section of Configuring a Shibboleth 2.x Identity Provider for the UK Federation
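Step 2 above leaves open how eduPersonScopedAffiliation is actually produced from the directory. The following is an added example, not code from the wiki page, the UK Federation or the Shibboleth project. It implements both sources the page mentions, an explicit attribute on the record and the container the account lives in, and adds the two checks a practitioner would want: only values from the eduPerson vocabulary are released, and a disabled account or one with no recognisable affiliation gets nothing rather than a default of member. The scope example.ac.uk, the OU names and the attribute names employeeType and accountDisabled are assumptions chosen for illustration; a real IdP expresses the same mapping in its attribute-resolver.xml.

```python
"""
Derive eduPersonScopedAffiliation values from a directory record.

Added example for step 2 above; it is not code from the wiki page, the
UK Federation or the Shibboleth project.  The scope 'example.ac.uk', the
OU names and the 'employeeType' / 'accountDisabled' attribute names are
assumptions chosen for illustration.
"""
from typing import Dict, List, Optional

SCOPE = "example.ac.uk"  # assumption: the scope the IdP registers with the federation

# Option (b) from the page: affiliation derived from the container the account lives in.
OU_AFFILIATION = {  # assumption: RDN -> affiliation
    "ou=staff": "staff",
    "ou=students": "student",
    "ou=alumni": "alum",
}

# The controlled vocabulary for eduPersonAffiliation; anything else is not released.
KNOWN_AFFILIATIONS = {
    "faculty", "student", "staff", "alum", "member", "affiliate", "employee", "library-walk-in",
}

# eduPerson defines 'member' as the umbrella affiliation implied by these values.
IMPLIES_MEMBER = {"staff", "student", "faculty", "employee"}


def affiliation_from_dn(dn: str) -> Optional[str]:
    """Return the affiliation implied by the first recognised container in the DN."""
    for rdn in dn.lower().split(","):
        rdn = rdn.strip()
        if rdn in OU_AFFILIATION:
            return OU_AFFILIATION[rdn]
    return None


def scoped_affiliations(record: Dict[str, str], scope: str = SCOPE) -> List[str]:
    """Values to release as eduPersonScopedAffiliation for one directory record.

    Option (a) from the page, an explicit attribute on the record, wins over
    the container the account sits in.  Disabled accounts, unknown affiliation
    values and accounts with no recognisable affiliation get no values at all:
    releasing 'member' by default would grant subscribed resources to people
    who should not have them (see the revocation rule in step 1).
    """
    if record.get("accountDisabled", "").lower() == "true":
        return []
    base = record.get("employeeType", "").strip().lower() or affiliation_from_dn(record.get("dn", ""))
    if not base or base not in KNOWN_AFFILIATIONS:
        return []
    values = {base}
    if base in IMPLIES_MEMBER:
        values.add("member")
    return sorted(f"{v}@{scope}" for v in values)


# Constructed sample records (not real accounts).
SAMPLE_RECORDS = {
    "staff": {"dn": "cn=jsmith,ou=staff,dc=example,dc=ac,dc=uk"},
    "student": {"dn": "cn=s1234567,ou=students,dc=example,dc=ac,dc=uk"},
    "alum": {"dn": "cn=oldhand,ou=alumni,dc=example,dc=ac,dc=uk"},
    "explicit": {"dn": "cn=tutor,ou=students,dc=example,dc=ac,dc=uk", "employeeType": "Staff"},
    "contractor": {"dn": "cn=temp,ou=staff,dc=example,dc=ac,dc=uk", "employeeType": "Contractor"},
    "disabled": {"dn": "cn=leaver,ou=staff,dc=example,dc=ac,dc=uk", "accountDisabled": "TRUE"},
    "unknown": {"dn": "cn=svc-backup,ou=service,dc=example,dc=ac,dc=uk"},
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(f"{name:10s} -> {scoped_affiliations(rec)}")
```

The explicit attribute is allowed to override the container so that, for instance, a member of staff whose account was created in the students OU is still released as staff; the "contractor" record shows the vocabulary check refusing a value that is not part of eduPersonAffiliation.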
WAYFLess URLs

When a user attempts to access a resource owned by a UK Federation service provider, the service provider needs to know which institution will authenticate the user, i.e. WAYF - Where Are You From. The default mechanism for doing so is to display a dropdown list of UK Federation Identity Providers from which the user selects his or her institution.
To make life easier for its users, an institution can set up a portal to the services it uses and embed the WAYF information in the link to the service, also known as a WAYFLess URL. When a user clicks on a WAYFLess URL, he or she is automatically sent to the institution's Shibboleth authentication page.
The standard format for WAYFLess URLs is:
- SSO_LOCATION?target=RESOURCE_LOCATION&shire=AC_SERVICE_LOCATION&providerId=PROV_ID
where:
- SSO_LOCATION is the URL of the institution's identity provider's single sign-on endpoint
- RESOURCE_LOCATION is the URL which is to be accessed once a Shibboleth session has been established
- AC_SERVICE_LOCATION is the URL of the Assertion Consumer Service of the Service Provider
- PROV_ID is the entityID of the Service Provider
Each value must be URL-encoded; RESOURCE_LOCATION in particular usually carries its own query string, which would otherwise be confused with the parameters of the WAYFLess URL.
See [1] for more information.
Other than the RESOURCE_LOCATION, the information needed to build a WAYFLess URL can be extracted from the UK Federation metadata. The RSC West Midlands has developed a web script that generates a WAYFLess URL in this format from the Federation metadata.
Many service providers accept shortened WAYFLess URLs. Information on the WAYFLess URL formats of specific service providers can be found on the Service Providers with WAYFless URLs on the UK Federation web-site.
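The following is an added example of building a WAYFLess URL in the standard format above from SAML metadata; it is not the RSC West Midlands web script nor code from the UK Federation. The metadata is constructed inline for illustration: the entity IDs, hostnames and endpoints are assumptions, not real federation entries, and the two binding identifiers are the Shibboleth 1 AuthnRequest binding for the IdP side and the SAML 1 browser/POST binding for the SP side, which is what the shire/providerId format expects. The example also decodes the result so that the URL-encoding of a target that carries its own query string can be checked.

```python
"""
Build a WAYFless URL (SSO?target=...&shire=...&providerId=...) from SAML metadata.

Added example, not the RSC web script or code from the UK Federation.  The
metadata below is constructed for illustration: entity IDs, hostnames and
endpoint paths are assumptions, not real federation entries.
"""
import xml.etree.ElementTree as ET
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Binding identifiers used for the Shibboleth 1.3-style WAYFless flow.
SHIB_AUTHN_REQUEST = "urn:mace:shibboleth:1.0:profiles:AuthnRequest"
SAML1_BROWSER_POST = "urn:oasis:names:tc:SAML:1.0:profiles:browser-post"

IDP_ID = "https://idp.example.ac.uk/shibboleth"       # assumption
SP_ID = "https://sp.publisher.example/shibboleth"     # assumption

# Constructed metadata aggregate (a tiny stand-in for ukfederation-metadata.xml).
CONSTRUCTED_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1">
      <md:SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.example.ac.uk/idp/profile/Shibboleth/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.publisher.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
        Location="https://sp.publisher.example/Shibboleth.sso/SAML/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def find_entity(root: ET.Element, entity_id: str) -> ET.Element:
    """Locate an EntityDescriptor by its entityID; fail loudly if it is absent."""
    for ed in root.iterfind("md:EntityDescriptor", NS):
        if ed.get("entityID") == entity_id:
            return ed
    raise KeyError(f"entity {entity_id} not found in metadata")


def idp_sso_location(root: ET.Element, idp_entity_id: str) -> str:
    """SSO_LOCATION: the IdP endpoint that accepts a Shibboleth 1 AuthnRequest."""
    ed = find_entity(root, idp_entity_id)
    for sso in ed.iterfind("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if sso.get("Binding") == SHIB_AUTHN_REQUEST:
            return sso.get("Location")
    raise KeyError(f"{idp_entity_id} has no Shibboleth 1 SingleSignOnService")


def sp_acs_location(root: ET.Element, sp_entity_id: str) -> str:
    """AC_SERVICE_LOCATION (shire): the SP's SAML 1 browser/POST consumer endpoint."""
    ed = find_entity(root, sp_entity_id)
    for acs in ed.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        if acs.get("Binding") == SAML1_BROWSER_POST:
            return acs.get("Location")
    raise KeyError(f"{sp_entity_id} has no SAML 1 browser/POST AssertionConsumerService")


def build_wayfless_url(metadata_xml: str, idp_entity_id: str, sp_entity_id: str, target: str) -> str:
    """Assemble SSO_LOCATION?target=...&shire=...&providerId=... from metadata.

    The shire and providerId come from the metadata, never from user input.
    urlencode percent-encodes every value, so a target with its own query
    string ('?', '&', '=') survives intact inside the outer query.
    """
    root = ET.fromstring(metadata_xml)
    sso = idp_sso_location(root, idp_entity_id)
    shire = sp_acs_location(root, sp_entity_id)
    query = urlencode({"target": target, "shire": shire, "providerId": sp_entity_id})
    return f"{sso}?{query}"


def parse_wayfless_url(url: str) -> Dict[str, str]:
    """Decode a WAYFless URL back into its parts, to check what was built."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, strict_parsing=True)
    decoded = {k: v[0] for k, v in query.items()}
    decoded["sso"] = parts._replace(query="", fragment="").geturl()
    return decoded


if __name__ == "__main__":
    target = "https://sp.publisher.example/journal/article?id=42&view=full"
    url = build_wayfless_url(CONSTRUCTED_METADATA, IDP_ID, SP_ID, target)
    print(url)
    print(parse_wayfless_url(url))
```

Against the real federation aggregate the same functions apply unchanged; only the metadata string and the two entity IDs differ. An SP that publishes no SAML 1 browser/POST endpoint cannot be addressed with this format at all, which is why the lookup raises rather than silently picking another binding.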
Alternatives to FAM
The OpenAthens service is provided by Eduserv and allows an institution to keep the same arrangement as with Athens while gaining access to the resources of both Athens and UK Federation members. Institutions pay an annual subscription fee (see the price table) to Eduserv to use OpenAthens. Institutions that subscribe to OpenAthens can also opt to authenticate users against their internal user directory.
Case Studies
Loughborough College and West Nottinghamshire College
Training
Introduction to the UK federation (JANET)
Implementing a Shibboleth 2 Identity Provider (JANET)
Federated Access Management: Core Skills Training (Netskills)
Federated Access Management Training (Kidderminster College)
Implementing a Shibboleth 2 Service Provider (JANET)
Useful links
Federated Access Management road map
BECTA Explanation of Federated Access Management
UK Access Management Federation
UK Access Federation Technical Recommendations for Participants (clear details on the technical side)
Federated Access Management Animation (easy to understand visual explanation of how it works!)
JISC Technical Pre-requisite Guide
Federated Access Management: JISC Guide for Academic Libraries
General Shibboleth JISCMAIL list
Libraries Shibboleth JISCMAIL list
RSC Contacts
Matt Gallon m.gallon@rsc-wm.ac.uk 01902 518985
Colleen Romero colleen@rsc-wm.ac.uk 01902 518978
Visit the RSC Website for more information about RSC Services: www.jiscrsc.ac.uk/westmidlands