
 

Single-Sign-On

Page history last edited by Digital Curriculum 11 mos ago

NB This page provides content intended to be informative to school communities, and has been put together from a range of authoritative sources. Whilst every care is taken to ensure its accuracy and validity, this cannot be guaranteed, and readers are advised to seek advice if unsure, or leave a comment.

Introduction

Single Sign-On (SSO) is the ability to authenticate once (log in with a username and password, or a smartcard) and gain access to all your services and applications without logging in again. This can be achieved by using Microsoft Active Directory (part of Server 2003) or Oracle IdM; however, because these give connected (but trusted) systems access to names etc., the National Digital Infrastructure have chosen Shibboleth as the SSO middleware. Why? Shibboleth doesn't identify the user, using instead an authentication token system. Full details are given below.

 

Full-blown IdM, though, is needed to integrate back office systems at authority level, especially with the requirements of the Children's Act s(12), and the information sharing agenda.

  • GLOW, the new Scottish Schools Digital Network, uses Oracle as the IdM core, with Microsoft Active Directory as the local authentication.

Federated Identity Management

Check out this SSO video from JISC

Listen to this audio on UK Federation

From Federated Identities to Federated Federation

First came LDAP, then Single Sign On, then Provisioning, then sprouted Identity Management, and then Access Management, and from there on Federated Identity Management. All the major vendors scrambled around adopting Project Liberty standards and releasing their own version of Federated Identity Management Products. I try to keep up with the trends and technological advancements in this arena.

UK Access Management Federation

The Joint Information Systems Committee (JISC) has announced a new UK Access Management Federation (Nov 06). The federation will be made up of identity providers, such as universities and colleges, and service providers, for instance, publishers of online resources.

 

It will be run by the JISC and the British Educational Communications and Technology Agency (Becta) to support complex e-learning and e-research collaborations and will allow institutions to take greater control over access to resources.

 

Universities and colleges are being invited to join the federation free of charge which, according to JISC, will bring education and research sectors a step closer to achieving a single sign on to network and online resources.

 

John Robinson, JISC services director, said on 30 November 2006: "The current access management service offered by JISC requires colleges and universities to outsource the process of authenticating and authorising their users for access to online resources.

 

"The new service enables institutions to bring these functions back in-house, to take full responsibility for authenticating their members and asserting their entitlements to a variety of resources within a federation of mutual trust and support."

 

Of course the question remains: how will schools take full advantage, as the press release doesn't mention them?

Employee Authentication Services (EAS)

Since July 2007, the Government Connect working group with DCSF has aimed to define the requirements for authenticating Local Government employees when accessing Central Government information and services. That group is focusing on ContactPoint in particular.

 

EAS is a scalable, sustainable, secure solution that will enable local government, schools and other organisations to access and share sensitive information in order to improve services for the benefit of children, learners and citizens. DCSF is leading the development of EAS, with the aim to make this a pan-government service.

 

It is intended that the service will be available to users in children’s services from November 2008. EAS will be implemented through a phased approach to ensure that the functionality meets the requirements for different types of users. EAS will be delivered through the Government Gateway which currently provides online accounts to 13 million citizens and businesses for 150 government services.

The key EAS components include:

  • Local Authorities – a registration function to register new users on the system and an enrolment function to enrol users on services
  • Identity Provider – the part of the system which will verify a user's identity when they try to log on to a service
  • Authentication Broker – the hub of the system which co-ordinates requests for identification between Identity Providers and Services
  • Service Providers – these are the central government resources which users will access through the scheme.

This project has been set up as an exemplar and champion asset under the CIO Council initiative to maximise the opportunity for re-use by other government departments and local authorities.

EAS will deliver a common strong authentication platform for local government, teachers and third-sector users. EAS offers a number of benefits for schools:

  • A user will only need one token to access a series of Government services
  • It offers greater integration of education and children's services to improve access to services, support and resources for children and learners, using a common single sign-on for all services
  • It offers safe and secure access to information and sharing of resources to support the learner (including hard-to-reach or disadvantaged groups)
  • With robust access security controls, it allows pupil-level data to be shared, including between Children’s Services and education practitioners.

 

 

Letter to Directors of Children's Services

EAS Problem Statement

EAS Powerpoint

Impact Levels PPT

EAS YouTube Video

Shibboleth tutorial

What is Shibboleth?

It's open standard middleware! An architecture that manages personalisation beyond a single institution. The UK Access Management Federation mentioned above is the body that is meant to be providing the Shibboleth service to schools and education.

 

  • Single login - easier to use
  • Access to resources at other sites
  • Students & staff can collaborate with members of other institutions
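The introduction's point that Shibboleth doesn't identify the user can be shown in a short sketch: the identity provider releases an opaque, per-service identifier and a role rather than a name, and the service provider checks the token before granting access. This is an added example, not code from Shibboleth or from the original page; the keys, entity IDs and function names are constructed, and an HMAC stands in for the XML signature that a real deployment verifies against federation metadata.

```python
import base64, hashlib, hmac, json, time

# All keys, names and entity IDs here are constructed for illustration.
IDP_SALT = b"constructed-idp-salt"           # secret, never leaves the IdP
FEDERATION_KEY = b"constructed-signing-key"  # stand-in for the IdP signing key

def pseudonym(user, sp_entity_id):
    """Opaque identifier: stable for one service, unlinkable across services."""
    mac = hmac.new(IDP_SALT, f"{sp_entity_id}!{user}".encode(), hashlib.sha256)
    return base64.urlsafe_b64encode(mac.digest()[:15]).decode()

def issue_token(user, affiliation, sp_entity_id, now=None, ttl=300):
    """IdP side: the user logs in locally; only a pseudonym and role are released."""
    now = int(time.time()) if now is None else now
    claims = {"sub": pseudonym(user, sp_entity_id), "affiliation": affiliation,
              "aud": sp_entity_id, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(FEDERATION_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig

def accept_token(token, my_entity_id, allowed, now=None):
    """SP side: return the claims if the token is valid for this service, else None."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(FEDERATION_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # altered, or not issued by a trusted IdP
    claims = json.loads(body)
    if claims["aud"] != my_entity_id or claims["exp"] <= now:
        return None  # meant for another service, or expired
    if claims["affiliation"] not in allowed:
        return None  # authenticated, but not entitled to this resource
    return claims
```

The service authorises on the affiliation alone; the `sub` value lets it recognise a returning user without learning who they are, and two services cannot match their users by comparing identifiers.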

 

 

Federation is an important concept. It means that schools need to agree to a common infrastructure to make it work effectively. This is the importance of the Federated Access web site at Becta.

 

Shibboleth works particularly well with Moodle, as they are compatible 'out of the box'.

 

The most advanced model that is potentially replicable in Kent is the one being run by Kidderminster College: ROLO. It uses Microsoft Active Directory, and a few extras such as PERMIS and Pubcookie.

Identity Management

This Identity Management Primer provides an interesting 'big picture', and a set of PowerPoint slides on Authentication, Shibboleth and ID Management.

 

 

OpenID & Identity 2.0

Eduserv OpenID Meeting

Other Links

Passwords

Click Here for passwords advice

221206 - Password problems hamstring helpdesks - survey

Smartcards

Smartcard Alliance

NEWS

Microsoft Supports OpenID
