Federated id alignment 2011
Download as KEY, PDF0 likes341 views
The document discusses BCcampus's strategy of implementing federated identity management to provide students with secure and personalized access to educational resources across institutions. Federated identity management allows institutions to authenticate users belonging to partner institutions without sharing confidential data. It aims to foster collaboration, reduce costs, and leverage expertise through open networks. The underlying technologies that enable federated identity management include Shibboleth for authentication, SAML for authorization, EduPerson for user attributes, and encrypted transmissions over existing networks.
Federated id alignment 2011
- 2. Federated Identity Management BCcampus and Federated Identity Management “Aligning with the Vision”
- 4. The BCcampus Vision BCcampus is a collaborative online learning initiative that was established to assist public post-secondary institutions in British Columbia to meet their students’ online learning needs.
- 6. The BCcampus Strategy Provide agile, personalized access to educational information and services using a federated approach to connectivity across system institutions.
- 7. The BCcampus Strategy Provide agile, personalized access to educational information and services using a federated approach to connectivity across system institutions. Reduce costs and create efficiencies using collaborative and shared service models.
- 8. The BCcampus Strategy Provide agile, personalized access to educational information and services using a federated approach to connectivity across system institutions. Reduce costs and create efficiencies using collaborative and shared service models. Develop and share educational resources and expertise through the promotion of open and accessible networks.
- 9. Federated Identification Allows a consortium of institutions to provide electronic authentication for the community of individuals belonging to any of those institutions without releasing any confidential or personal data. All participating members of the consortium can authenticate individuals belonging to any one of the participating members without having to create artificial e-credentials. This is the truly federated model of authenticating individuals. The individual’s “home” institution is solely responsible for assuring the veracity and authentication of the individual in question.
- 10. Strategies / Federated Identification
- 11. Strategies / Federated Identification How does Federated Identification Fit
- 12. Strategies / Federated Identification
- 13. Strategies / Federated Identification How does Federated Identification Fit
- 14. Strategies / Federated Identification
- 15. Strategies / Federated Identification How does Federated Identification Fit
- 16. Alignment with the Goals
- 17. Alignment with the Goals Federated identification technologies can make available the authentication / data interchange infrastructure to:
- 18. Alignment with the Goals Federated identification technologies can make available the authentication / data interchange infrastructure to: provide a secure, trusted, real-time mechanism that can be used to interchange student information via the provincial network amongst BC’s post-secondary institutions using links to online learning resources and information provided by post-secondary system partners.
- 19. Alignment with the Goals Federated identification technologies can make available the authentication / data interchange infrastructure to: provide a secure, trusted, real-time mechanism that can be used to interchange student information via the provincial network amongst BC’s post-secondary institutions using links to online learning resources and information provided by post-secondary system partners. foster and support the formation of collaborations and partnerships between institutions that leverage knowledge, reduce costs and generate benefits for students.
- 20. Alignment with the Goals Federated identification technologies can make available the authentication / data interchange infrastructure to: provide a secure, trusted, real-time mechanism that can be used to interchange student information via the provincial network amongst BC’s post-secondary institutions using links to online learning resources and information provided by post-secondary system partners. foster and support the formation of collaborations and partnerships between institutions that leverage knowledge, reduce costs and generate benefits for students. provide educator support through online communities of practice, re-usable tools and resources, professional development strategies, technology training, and online program development.
- 22. The Underlying Technologies Authenticating the individual
- 23. The Underlying Technologies Authenticating the individual – via WEB based “Shibboleth” technology • Individual authenticates him or herself at the home institution using that institution’s instance of computer credentials (user id and password). • These authenticating credentials (user id and password combination) are never made available to any partner institution – the authentication being performed by computers resident within the home institution itself. • Shibboleth has access to an individual’s affiliation with the home institution which can be made available after authentication.
- 25. The Underlying Technologies Authenticating the individual – continued
- 26. The Underlying Technologies Authenticating the individual – continued – WEB based “Shibboleth” technology • Shibboleth will only release pre-approved data to a specific partner’s server computer once the individual’s authentication / authorization is verified. • Shibboleth was developed exactly for these types of requirements and privacy considerations. • Shibboleth is an accepted standard and is actively supported. • Widely adopted by IT groups involved in higher education.
- 28. The Underlying Technologies Confirming the Authorization – SAML
- 29. The Underlying Technologies Confirming the Authorization – SAML • “Security Assertion Markup Language” for computer to computer communication to prevent fraudulent transactions and bogus authentications • SAML (currently version 2) is an accepted standard • SAML version 2 is fully supported by Shibboleth version 2 (version 2 having been defined as a joint effort from both development groups)
- 31. The Underlying Technologies Defining the Content of the data
- 32. The Underlying Technologies Defining the Content of the data • Use of the “EduPerson” standard for Shibboleth / SAML interchange of data. • EduPerson is an accepted standard and is actively supported. • Use of the Postsecondary Education Standards Council (PESC) standards for student specific data. (eg. e- transcript interchange) • Emerging 3rd party vendor support for the PESC standards
- 34. The Underlying Technologies Enforcing Security • All WEB pages used by the individual for authentication and authorization are secured (using HTTPS: pages). • All network interchanges of data are encrypted using current DES public key encryption technology – the accepted standard.
- 36. The Underlying Technologies The Method of Transmission
- 37. The Underlying Technologies The Method of Transmission • Existing network (internet) technology used to interconnect all the computers involved in the authentications, authorizations, and data exchanges. • All network data for this application is strongly encrypted (see prior slide). • Use of “standards based” Enterprise Service Bus (ESB) and Systems Oriented Architecture (SOA) messaging software technologies.
- 38. Some References
- 39. Some References • Shibboleth – an Internet2 initiative – http://shibboleth.internet2.edu/about.html • SAML – http://saml.xml.org/about-saml • EduPerson – a joint Internet2 / EDUCAUSE initiative – http://middleware.internet2.edu/eduperson/ • Postsecondary Education Standards Council – http://www.pesc.org/