Joining the UK Access Management Federation for Education and Research
Summary of procedure
Early application for membership of the UK Access Management Federation is advised so that once you are ready to participate in the federation, the application process is already completed. Once you are a member, you can take advantage of the many benefits the federation offers. Membership is free and involves a simple administration process.
Apply for membership
- A senior officer at an eligible organisation makes a formal application in writing to JANET(UK) to join the federation (full details) and agrees to be bound by the federation rules of membership.
- JANET(UK) replies with an approval e-mail verifying contact details.
NB: Where an applicant intends to use an outsourced provider (see participation options), both the applicant and the external organisation providing the outsourcing service must become members of the federation and the management liaison of the requesting organisation must provide additional outsourced provider information.
Participation options
Once an organisation has joined the federation, there are various options for participation.
In-house
Run and support identity management in-house. There are two options for following this route:
- implement the technology wholly through the organisation.
- implement the technology using a third party. This option is particularly useful for those organisations who do not have the internal resource or expertise to deploy the initial technical requirements but would like to maintain ultimate control of their user authentication.
Outsourced
Organisational identity management provision may be handled by a third party. For further information about the provision of third-party outsource services in the schools sector please see the document regarding the trust framework for participation of UK schools.
The application process for outsourced IdPs should be followed if taking this route.
Outsourced service provision: an organisation may outsource service provision to an external organisation without reference to the federation operator. However, where the entityID proposed for the SP entity contains a domain name which does not belong to the external organisation, this procedure should be followed.
There are several organisations who offer outsourced and/or in-house support services.
Guidance is provided here for an organisation which outsourced identity provision to Eduserv but now wishes to move to using its own Shibboleth IdP.
Schools
The recommended approach for schools is to join via the Local Authorities (England & Wales) or Regional Broadband Consortia in England, Classroom 2000 in Northern Ireland and Learning & Teaching, Scotland. However, schools may join the federation independently.
Register entities
Entity registration
Once an organisation’s application for membership has been approved, and the option for participation determined, the organisation may register any number of identity provider and service provider entities. Further information is provided for organisations wishing to enter into an outsourcing arrangement.
Shibboleth 1.3
Please note that as Shibboleth 1.3 reaches its end-of-life in Summer 2010, we recommend that you install version 2 instead.
To register and install a Shibboleth 1.3 IdP or SP:
- You install Shibboleth 1.3 IdP or SP software
- You obtain a suitable X.509 server certificate
- Your Management Liaison e-mails a registration request to the federation helpdesk to register Shibboleth 1.3 IdP or register Shibboleth 1.3 SP entities
- You are sent an e-mail confirming that the technical description of each registered entity has been published in the federation metadata
- You download the metadata and modify your Shibboleth configuration to match it (described in Setup 1.3 IdP or Setup 1.3 SP).
Shibboleth 2
To register and install a Shibboleth 2 SP:
- You install Shibboleth 2 SP software
- You obtain a suitable X.509 server certificate
- You make changes appropriate to your installation to the standard Shibboleth 2 configuration files, as described in set up Shibboleth 2 SP
- Your Management Liaison e-mails a registration request to the federation helpdesk to register a Shibboleth 2 SP entity
- You are sent an e-mail confirming that the technical description of your registered entity has been published in the federation metadata.
- Test and, if necessary, modify your configuration according to set up Shibboleth 2 SP.
To register and install a Shibboleth 2 IdP:
- You install Shibboleth 2 IdP software
- You obtain a suitable X.509 server certificate
- Your Management Liaison e-mails a registration request to the federation helpdesk to register a Shibboleth 2 IdP entity
- You make changes appropriate to your installation to the standard Shibboleth 2 configuration files, as described in set up Shibboleth 2 IdP.
- You are sent an e-mail confirming that the technical description of your registered entity has been published in the federation metadata.
- Test and, if necessary, modify your configuration according to set up Shibboleth 2 IdP.
Upgrading from Shibboleth 1.3 IdP to Shibboleth 2
Upgrading a Shibboleth 1.3 IdP installation to Shibboleth 2 IdP.
Upgrading a Shibboleth 1.3 SP installation to Shibboleth 2 SP.
Changing from OpenAthens to Shibboleth
Changing from an OpenAthens IdP to an in-house Shibboleth IdP.
Summary of application and registration process
A diagram (447Kb) is available which summarises the steps to be carried out by technical and administrative staff when an organisation applies to join the UK federation.
