A presentation from Networkshop48 by Rhys Smith, chief technical architect, trust and identity, Jisc and Mark Williams, UK Access Management Federation manager, Jisc.
Jisc has a range of trust and identity services that enable intra- and inter-organisational authentication and authorisation. These already play a key part in enabling on- and off-campus access to both internal resources (such as VLEs) and external resources (e-books, journals, collaboration tools). In these extraordinary times, these are more important than ever.
Trust and identity - enabling intra- and inter-organisational authentication and authorisation
1. Trust and identity: Enabling intra- and inter-organisational authentication and authorisation
Dr Rhys Smith, chief technical architect, Trust and identity, Jisc
2. Speakers
• Dr Rhys Smith – Chief technical architect, Trust and identity (Jisc)
• Mark Williams – UK federation service manager (Jisc)
3. Agenda
• What’s the main aim of Jisc’s Trust and identity portfolio?
• What are Jisc’s Trust and identity services and what do they do?
• Which services can help during the Covid-19 crisis, and how?
• Q&A and community discussion
4. “Easy and secure access to anything, anywhere, anytime”
All of Jisc’s Trust and identity services revolve around enabling all aspects of this proposition.
5. Jisc’s Trust and identity services
• Federation: UK federation, Assent
• Identity and access: Shibboleth, Managed services
• Verification: Certificate service, Student voter, VerifID, Domain registry
• Member and professional services: Helpdesk, Consultancy
6. Federation services
• These are underlying trust infrastructure to enable federated authentication / authorisation between members
- Solves the problem of N² interactions
• At the business and at the technical level
Federation: UK federation, Assent
7. Identity and access
• Software and services to help members make use of our services, where appropriate
Identity and access: Shibboleth, Managed services
8. Verification
• Ensures the secure validation of various aspects of our membership’s interactions with each other
Verification: Certificate service, Student voter, VerifID, Domain registry
9. Member and professional services
• Providing help, support and guidance on the use of all of our services
Member and professional services: Helpdesk, Consultancy
10. Quality assurance and information security
All of the T&I services are included within Jisc’s ISO 9001 and 27001 scopes
12. UK Access Management Federation
Web single sign-on federation
• Cross-organizational SSO to web resources
• Est. 2006, part of the Jisc core subscription
• Vendor-agnostic (SAML based)
• ~1200 members, ~2,500 entities
- 100% of HE, ~80% of FE, also schools, government, libraries, NHS, etc
• Global Inter-federation with 68 other countries via eduGAIN
- ~7,000 entities total
13. Assent
Non-web single sign-on federation
• Cross-organisational access to non-web resources (eg SSH)
• Est. 2015, part of the Jisc core subscription
• Vendor-agnostic (ABFAB based)
• Primarily aimed at research and complex virtual organisations with complex services and requirements
15. Shibboleth
Open source, standards based, software
• Jisc is a board member and Principal Member of the Shibboleth Consortium on behalf of our community
• The consortium ensures the development, maintenance and sustainability of the Shibboleth software
• Software is free to use and open source
• ~70% of entities in the UK federation use Shibboleth
16. Managed services
Currently in development…
Watch this space
18. Certificate service
Verifies: Web services
• We are a registration authority for issuing SSL (TLS) and email certificates to secure web services
• Provides significant discount and cost-savings for our members
• Free to join, per-certificate cost at present
• Issued hundreds of thousands of certs
• Reprocuring this year – watch this space for exciting news!
19. Student voter registration
Verifies: Student voter enrolment
• Promotes civic engagement and helps an organisation meet its statutory requirements from the OfS
• Shared service for students to register their term-time and home-time address to government to be able to vote in local and national elections
• Additional paid-for service over and above Jisc membership
20. Domain Registry
Verifies: DNS names
• Jisc is the domain registrar for:
- .ac.uk
- .gov.uk (on behalf of Cabinet Office)
- .gov.scot (on behalf of Scottish Government)
- .gov.wales / llyw.cymru (on behalf of Welsh Government)
• Free to join, per-domain cost
• Tens of thousands of domains managed
• We verify all requests and therefore the underlying trust framework
• (Jisc also runs the DNS itself)
21. VerifID
Verifies: Studentness!
• Commercial verification of student status
• Uses UK federation as source of data
• Currently mostly used by providers of student discount
• Paid-for service (by providers), per verification
• Helps subsidise the UK federation
• To ensure optimal student experience:
- Ensure you are releasing “student” affiliation value as appropriate
23. T&I helpdesk
Free support and guidance
• Provides help, support and guidance for using any of the T&I services
• Email trustandidentity@jisc.ac.uk or call 0300 300 2212.
24. T&I consultancy
Paid-for bespoke support
• For those with needs beyond our free helpdesk support
• Targeted bespoke support, advice, training
• Remote or in-person
• One-off engagements through to retained expertise
• Covers UK federation, Assent, eduroam, govroam, Identity Management, etc
26. Covid-19 and Jisc’s T&I services
Largely business as usual
• Our trust and identity services are designed to facilitate easy and secure access to anything, anywhere, anytime
• Importance of the services has increased, but general requirements are the same
• All staff now working from home, of course, but hasn’t impacted any of our service or helpdesk offerings due to extensive pre-existing BCP planning
27. Specific changes
However, some tweaking was desirable
• Instituted service-wide change freeze during lockdown
- Stability and reliability of services is paramount while membership adapts to new circumstances
• UK federation metadata validity period temporarily increased
- To ensure additional time to respond to issues in the management processes
• Increased priority of support for gov.uk domain registry
- Primary source of interaction between public and government
• Domain suspension/expiry policy temporarily relaxed
- Ensuring domains don’t “accidentally” expire (may be missed in the mayhem)
28. Some advice and guidance
Across the services
• Secure SSO to internal and external resources now of paramount importance
- Ensure your UK federation IdP (whatever flavour) is up to date and configured correctly
- Consider adopting R&S support in your IdP to enable your researchers to more easily collaborate on Covid-19 related research
• Users are now primarily off-premise, BYOD usage increased
- If you have any internally signed certificates, consider swapping for properly supported certs via our certificate service for fewer issues on non-managed devices
29. Offerings to the membership
• Free health-check for UK federation Shibboleth IdPs
- Offered on a first-come-first-served basis, Shib IdP v3+ only
- Usually undertaken remotely via our consultancy service
- Ensure your Shib IdP is fully functioning and safe (OS patch state and IdP version checking, attribute and attribute release configuration check, resource checking, etc)
• Free three hours consultancy to help deal with any simple issues highlighted in the health-check
• To register your interest, email trustandidentity@jisc.ac.uk
31. Dr Rhys Smith
Chief technical architect, trust and identity
rhys.smith@jisc.ac.uk
4 Portwall Lane, Bristol, BS1 6NB
Thank you
customerservices@jisc.ac.uk
jisc.ac.uk