UK Access Management Federation Development Roadmap
1. About the roadmap
The UK Access Management Federation development roadmap highlights the principal areas of work that the UK federation Operator, JANET(UK), intends to focus on.
This roadmap has been produced in collaboration with JISC, Becta, experts and users from the education and research communities, other experts in the area of Federated Access Management (FAM) and vendors providing FAM-orientated products and services.
Given the scale and diversity of these communities this document does not intend to capture the full range of requirements, which would be very considerable. Instead the items presented in this document have been selected according to the following criteria:
- it is a community requirement, or likely to become one
- it is not currently being addressed satisfactorily by any existing effort
- the nature of the effort required aligns with JANET(UK)'s competencies
- the amount of effort required is proportionate to the benefits and the resources available.
The roadmap will be assessed regularly and the community is encouraged to provide comments to ensure that it reflects current requirements.
2. Communication with existing and potential members
JANET(UK) must understand the requirements of the UK federation's members and potential members. These might include novel applications of the UK federation, or perceived challenges to joining or participating within the UK federation. In addition, JANET(UK) should keep its members informed of technical and other developments.
JANET(UK) will:
- track and participate on community mailing lists related to the UK federation
- disseminate information through events, workshops and the UK federation website.
3. Liaison with other federations and common interest groups
A number of national federations for research and education have been or are in the process of being established in a number of other countries. JANET(UK) should liaise with these federations, and associated common interest groups, to collaborate on the development and sharing of standards, tools, policy and so forth.
Note that the matter of supporting interoperation between national federations is deemed sufficiently significant to merit a separate mention in section 6.
JANET(UK) will:
- track and participate in activities and groups concerned with the collaboration between national federations for education and research
- track and participate in groups concerned with development of standards related to access management and their deployment.
4. Shibboleth on Windows®
Given the requirement to support a diverse range of directory configurations, the Shibboleth Identity Provider software sometimes requires a relatively complex manual configuration to integrate with an organisation's local directory environment. Due to the prevalence of Microsoft Windows Active Directory®, an effort is under way to streamline the installation and configuration of Shibboleth specifically for that environment through the creation of an installer package.
JANET(UK) will:
- establish a project to support the community's requirement for running Shibboleth on Windows® in an Active Directory environment.
5. Understand other federated access management products
While the UK federation does not preclude the use of products other than Shibboleth, there exist significant challenges that limit the extent to which the UK federation can support other products. This primarily reflects differences in how other products choose to realise the types of federation appropriate for their respective user communities. Shibboleth, developed by the education and research community for the education and research community, is therefore the software recommended by JANET(UK) for use within the UK federation.
Nonetheless it is likely that some member (or potential member) organisations may prefer to use products other than Shibboleth.
JANET(UK) will:
- assist member organisations, vendors and integration partners in evaluating the use of other products within the UK federation.
6. Interoperate with other federations
At present no mechanisms or policies exist to allow interoperation between the UK federation and the national federations for education and research established in other countries. This greatly increases the effort required by UK federation members to interact with organisations affiliated to other federations.
JANET(UK) will:
- track and participate in activities concerned with interoperation between federations.
7. Supporting access for visitors
Students and staff frequently need to consult materials held in the libraries of other organisations. Most libraries now have systems in place to allow visitors to consult printed materials; however an increasing proportion of HE library stock is now held in electronic form only, and this proportion is likely to continue to increase. In many organisations it is only possible to access this material if individuals have a network account, and such accounts are very often provided only to students and staff of the organisation. As a result bona fide academic visitors are often unable to gain access to these electronic materials.
HEARVI (HE Access to E-Resources in Visited Institutions), managed by SCONUL and UCISA and funded by JISC, is a project whose purpose is to assist organisations with addressing this problem. A recommendation of the HEARVI report is that “[JANET(UK)] should carry out some common development work so that it becomes possible for the future visitor to be [...] ‘trusted’ by the visited institution to access [protected resources]”.
JANET(UK) will:
- collaborate with others within the community to design and develop a solution addressing the management of visitor authorisation to electronic resources.
8. Integration with JANET Roaming & eduroam
JANET Roaming, which relies on a RADIUS-based trust fabric for transporting network authentication credentials that is distinct from the UK federation's trust fabric, enables users from participating organisations to connect to other organisations' respective networks. Three scenarios have been identified for integrating JANET Roaming with the UK federation, providing benefits to users of both systems.
The first scenario is to promote the RADIUS Gateway to Shibboleth (RAGS) system, an experimental gateway between JANET Roaming and the UK federation developed within the JISC Core Middleware programme, to a production service. This would enable organisations that are participating in JANET Roaming also to participate within the UK federation without deploying any Identity Provider software.
The second scenario is to supplement the limited native authorisation functionality of RADIUS with the more advanced capabilities offered by the UK federation. This would allow organisations to use a finer-grained authorisation when selecting the style of network service appropriate for a given visitor. Given that JANET Roaming is part of the broader international eduroam effort, this work will require collaboration with other education and research networks.
Finally, while eduroam and federated access management technologies offer single sign-on to networks and web-based applications respectively, it is not currently trivial to integrate both systems such that a user is only required to present his credentials once. Therefore there exists a requirement for new technology to unify these (and possibly other) single sign-on systems.
JANET(UK) will:
- determine the feasibility of developing the experimental gateway into a production service
- collaborate with other education and research federations on the development of standards and implementations providing enhanced authorisation to eduroam services
- collaborate with other education and research federations on the development of standards and implementations providing unified single sign-on.
