Principles for UK Shibboleth Federations

The Internet2 model[1] is one proposing a “cluster” of distinct federations within higher education, with each federation setting a set of independent standards, but subscribing as well to a cluster-wide set of agreements.

The assumption is that federations will correspond to national higher education networked communities, with one or more federations per nation. By participating in national federations, universities will be able to customise trust and privacy rules and establish particular sets of common attributes, entitlements and other services for distinctive national needs. By individual federations participating in the cluster of higher education federations, interactions can be developed to operate across national borders and include global providers of digital content. The model also permits "limited-purpose" federations, for example Shibboleth research test beds, to coexist with "production" federation services (including ones that charge a fee for membership).

Trust

As Shibboleth has moved towards real-world deployments and production environments, it has become clear that several types of federation will be needed to support the evolution of sites as they engage with the community. Sites will not arrive prepared to interoperate at a high level of assurance, and in many cases they will be unclear about which sites they will interoperate with and in what manner.

Since Service Providers will see only user attributes, not identity, the Service Provider must trust the Identity Provider asserting the attribute. The Federation can simplify the trust framework, since the Service Provider only needs an agreement with the Federation and not with each Identity Provider.

Policies and practices

Within a Shibboleth-based federation, agreements have typically been established around the following issues:

  • a list of the operational metadata for each of the sites in the federation (a signed sites.xml)

  • a list of the trust values for each of the sites in the federation (a signed trust.xml)

  • an agreement about the attributes and entitlements that will be exchanged (e.g. eduPerson)

  • operational procedures and/or legal understandings, both at the identity and service providers and for the federation, to address security, privacy, and data integrity concerns.

It is important to note that the Federation does not enforce compliance with its rules on either Identity Providers or Service Providers. The role of the Federation is to indicate to Identity Provider members that they should be prepared to supply attribute information to Service Provider members, and to Service Provider members that they should only make reasonable requests for the minimum amount of information required to authenticate users.
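To make the trust model of the two sections above concrete, here is an added illustration (not Shibboleth's code, and not the real sites.xml/trust.xml format) of the checks a Service Provider relies on the federation for: the issuer must be a listed IdP member, its signing certificate must match the federation's trust list, and only the attributes the SP actually requested are kept. The entity names, certificate bytes and attribute values are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed stand-ins for the federation's signed sites.xml (membership
# and roles) and trust.xml (signing certificate per member). The
# "certificates" are labelled byte strings, not real X.509 material.
FEDERATION_SITES = {
    "urn:mace:ac.uk:idp.example-uni": "IdP",
    "urn:mace:ac.uk:sp.example-publisher": "SP",
}
FEDERATION_TRUST = {
    "urn:mace:ac.uk:idp.example-uni":
        hashlib.sha256(b"constructed-idp-cert-1").hexdigest(),
}


@dataclass
class AttributeAssertion:
    issuer: str            # entity asserting the attributes
    signing_cert: bytes    # certificate presented with the assertion
    attributes: dict       # attribute name -> values; no user identity


@dataclass
class Decision:
    accepted: bool
    reason: str
    attributes: dict = field(default_factory=dict)


def sp_accepts(assertion: AttributeAssertion, requested: set) -> Decision:
    """SP-side check that relies only on federation metadata for trust,
    then applies the minimal-disclosure rule to the released attributes."""
    # 1. Membership: the issuer must be a federation member in the IdP role.
    if FEDERATION_SITES.get(assertion.issuer) != "IdP":
        return Decision(False, "issuer is not an IdP member of the federation")
    # 2. Trust: the presented certificate must match the federation's trust list.
    expected = FEDERATION_TRUST.get(assertion.issuer, "")
    actual = hashlib.sha256(assertion.signing_cert).hexdigest()
    if not hmac.compare_digest(expected, actual):
        return Decision(False, "signing certificate not in federation trust list")
    # 3. Minimal disclosure: keep only attributes this SP asked for.
    kept = {k: v for k, v in assertion.attributes.items() if k in requested}
    return Decision(True, "ok", kept)
```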

Membership

A UK Shibboleth Federation should aim to support research and education in higher and further education and research institutions by developing and maintaining an infrastructure for user authentication and authorisation.

The following organisations would be able to join the federation:

  • higher and further education institutions

  • publicly funded research institutions

  • university hospitals

  • organisations supporting research and education (e.g. HE Academy)

  • service providers

Technical Requirements

There is a fundamental and critical discussion ongoing to evaluate how multiple federations may interact and share various services they offer. There are several aspects of what federations do where it will be important to be able to group or bridge between them; among these are the signed representations of metadata enumerating and detailing individual federation members, the definition of the attributes and information exchanged between federation members, and provision of levels of assurance for different authentication methods. For further detail on these issues please refer to the IAMSECT documentation page.

Risk

An important aspect of the trust in a federation is a reasonable degree of comfort in the assertions passed around by other federation members. Two fundamental types of risk are commonly reported:

  • informational: loss of value for the information the more broadly it is shared

  • transactional: actual exchange of information and personal data

Federations may not cover risks well, since one party needs to accept and trust data and assertions issued by another party on the basis of limited information. In the event of a problem, it could be difficult to establish which party is culpable. In the case of Shibboleth Federations, a set of organisations agrees to share information with a common syntax and semantics.

Benefits

The benefits to UK academic institutions and service providers of federating can be summarised as being a member of a body which can:

  • offer central services and facilitating mechanisms for linking Identity and Service Providers

  • co-ordinate the response to technical developments

  • represent the interests and needs of the Service Providers and Identity Providers to each other and to external agencies

  • promote dialogue and communication between the members of the federation

  • promote cross-regional collaborative research activity and sharing of resources

  • operate to promote collaboration between institutions and users.

Towards a UK production federation

Practical and policy issues underpinning the formation of a single production Shibboleth federation in the UK HE and FE communities have been outlined in Blueprint for a JISC Production Federation (www.jisc.ac.uk/middleware_documents.html). An advisory board has also been set up to recommend the appropriate action to be taken by JISC to set up the federation following the conclusion of the consultation process.