Joint Information Systems Committee Access Management Transition Programme Meeting Access Management Futures: JISC and International Development Strategy Nicole Harris Senior Services Transition Manager, JISC

JISC Access and Identity Management: Future Directions


DESCRIPTION

This presentation by Nicole Harris looks at JISC's future plans in relation to access and identity management.

Page 1: JISC Access and Identity Management: Future Directions

Joint Information Systems Committee

Access Management Transition Programme Meeting

Access Management Futures: JISC and International Development Strategy

Nicole Harris

Senior Services Transition Manager, JISC

Page 2

A Little Background

Page 3

Some Background

1995: Athens developed by NISS (National Information Services and Systems) at University of Bath as an in-house system.

1996: eLib Study ‘Technologies to Support Authentication in Higher Education’ identified Athens as a potential solution for all JISC Services.

1997: Athens in use in all JISC Data Centres and rolled out across HEIs / FEIs over the next two years.

1998: CNI White Paper on AAA requirements. JISC commits to using it as a basis for next-generation technologies.

1997 – 2000: three-year contract for Athens provision with University of Bath and then Eduserv.

2000 – 2008: two three-year contracts plus one two-year contract with Eduserv for Athens provision.

2000: Alan Robiette and JCAS scope requirements for next generation access management system (ANGEL project starts testing Shibboleth and PAPI technologies).

2002 – 2004: AAA Programme – audit of next generation technologies and ratification of requirements.

2004 – 2007: Core Middleware Programmes. JISC decision to support federated access management.

2006 – 2009: Access Management: Transition Programme. Roll-out and embedding.

Page 4

The Requirements

A single access management system for:

– Intra-institutional resources.

– Third party digital library type resources.

– Inter-institutional resources for secure long-term collaboration.

– Inter-institutional resources for ad-hoc (virtual organisation) collaboration.

Evolving strategy:

– Where possible, JISC should focus on fostering development and use of standards rather than specific technologies.

– Institutions should have the widest possible range of options, from full open source to commercial support.

– Solutions should be in line with international developments in the field.

– Solution must provide real benefits to institutions and service providers.

Page 5

Not just about preventing..

Copyright: Getty Images from the Education Image Gallery

Page 6

..but about collaborating and sharing

Copyright: Getty Images from the Education Image Gallery

Page 7

The UK Development Landscape

outreach support federation

Federation Services

Athens Gateways

CA Bridge

eduRoam Gateway

Development

Level of Assurance – FAME project

Identity Management – inter- and intra-NHS / Government

N-tier Developments – SPIE project

Authorisation Tools - PERMIS, DYVOSE (Authority Delegation)

Interfaces / User Tools

Virtual Home for Identities

Federation Tools

Identity / Service Providers

Page 8

JISC Plans

Page 9

Access Management Transition Programme!

Page 10

e-Infrastructure Programme

Continued support for integration of UK federation and Grid.

Levels of Assurance: ES-LOA.

Identity Project.

Federated tools: 5 new projects.

– Federated Identities and virtual organisations with Grouper

– Virtual Organisations and management of organisations objects

– Integrated Authorisation for Shibboleth/Grid.

– Integrating VOMS and PERMIS

– Virtual Organisation tools

Upcoming ITTs / Calls / other work in the areas of…

Page 11

Orphans

American evangelist Dwight Lyman Moody (1837 - 1899) with a group of orphans at one of his Chicago missions.

Courtesy of the Education Image Gallery

Copyright: Getty Images

Page 12

Identity Management outside Institutions

Page 13

Multiple Affiliations

Page 14

Attributes and Personalisation

Copyright: HEFCE

Page 15

e-Research

Access Management for complex data

Flexible Service Provider models for virtual organisations

Ongoing work with the National Grid Service, including the CA

Copyright: Getty Images

Education Image Gallery

Page 16

Federated Tools such as ShARPE

Page 17

Internet2 Plans

Page 18

SAML 2.0

Scott Cantor: technical editor of SAML 2.0 specification and lead Shibboleth architect.

SC describes it as a ‘vulcan mind-meld’ of SAML 1.1, Shibboleth and Liberty ID-FF 1.2.

You can expect in the long-term:

– Focus on federated identity management.

– Single log-out.

– Account linking / management.

– More features / more complexity.

Copyright: Getty Images

Education Image Gallery

Page 19

Shibboleth 2.0

Major changes:

– New and broadening concepts

– New configuration files

– Metadata updates

– Minor installation differences

Partial SAML 2.0 support (AuthnRequest, AttributeQuery, SingleLogout).

Better session management

Better authentication packaged with Shib

Better attribute management – particularly attribute filter policy

Focus on SP side discovery service (the future?)

Better audit and access logs

Java Service Provider

https://spaces.internet2.edu/display/SHIB/ShibTwoRoadmap.

Page 20

Other Internet2 Stuff

More work in collaborative scenarios: virtual organisations etc.

Application integration with infrastructure: wikis, SharePoint, Sakai, mailing lists etc.

Integrated application providers: Yahoo, Google, eBay etc.

Easier-to-install IdPs.

Information card integration including CardSpace (in place now).

Open Liberty Integration

Page 21

International Plans

Page 22

Work with our International Partners

International Vendor Liaison, with specific emphasis on work with SURF and Internet2.

Directory Schema work with TERENA through TF-EMC2.

Inter-federation and licensing work with Knowledge Exchange Partners in Netherlands, Germany and Denmark.

Inter-federation work with TERENA, Internet2 and DEST.

Contributions to the Shibboleth code-base through team at EDINA.

Continued international dialogue

Page 23

and developing the UK federation…

(see Josh Howlett presentation)