Are you ready to join a Trust Federation?

Are you ready (technically) to join a Trust Federation?

If you are an organisation that wants to join a trust federation then, in order to get the full benefits, your IT functions will need to be up to speed.

Presumably you want to join a trust federation in order to deliver the following benefits to your organisation and its members (staff, students etc.):

  • Extend the reach of your members by becoming an Identity Provider (IDP):
    • Give your members more seamless (single sign on) access to external services (e.g. information resources)
    • Give your members access to external restricted services (services that were previously unavailable to you but can now be accessed on a controlled basis only if you are a federation member)
  • Extend the reach of your systems/resources by becoming a Service Provider (SP):
    • Make it easier for members of other organisations to seamlessly access your resources
    • Make your previously in-house/restricted services available to other external federation members on a controlled basis

Identity Provider

Hopefully you already have an internal (enterprise) identity management system (IDM) with single sign on (SSO) to all your internal systems. If so then you are well placed to enhance this capability into a federation Identity Provider (IDP). This is the ideal as it gives your members seamless SSO to both internal and federation systems.

In enhancing your IDM into an IDP you will need to be able to:

  • Support the federation’s SSO protocol to authenticate your members to external SPs.
  • Support the federation’s agreed set of member attributes and attribute values.

For example the Shibboleth-based UK Access Federation requires IDPs to be able to supply (subject to the organisation/member’s privacy/attribute release policy) member attributes like:

  • eduPersonScopedAffiliation. This attribute indicates the user’s relationship (e.g., staff, student, etc.) with the organisation.
  • eduPersonTargetedID. A persistent user pseudonym (opaque identifier) used to uniquely identify the user.
  • eduPersonPrincipalName. The user’s single sign-on (SSO) name.
  • eduPersonEntitlement. A more advanced (optional) capability that enables an organisation to assert that a user has a specific privilege.

If you are not at this level yet and/or you are a small organisation then the trust federation usually provides a virtual IDP service that your members could use as an initial solution. This means more proliferation of identities and passwords but at least it gets you going in the federation.

Service Provider

If you want parts of your web-based systems and resources to be accessed on a secure, controlled basis and restricted to only other federation members then you need to enhance your application so that it operates as a Service Provider (SP). The main areas of your application that you may need to enhance are described below.

Registration
Most applications provide a registration form where you have to fill in details about yourself (identity attributes). An SP-enhanced application can streamline this process by pre-filling much of the form with user attributes obtained by querying the federation. The application can also control who can register by checking the user’s attributes. For example, you might decide that you don’t want registration open to the public: only federation members are allowed to register.

Logon
An SP-enhanced application can auto-logon the user via SSO with the federation.

Access Control
An SP-enhanced application can implement access control to functions and information based on the user’s attributes provided by the federation. This enables you to implement any combination of access control policies like:
  • Only federation members can see/do this
  • Only federation members from a specific organisation can see/do this
  • Only federation members with a specific affiliation (e.g. staff/faculty) can see/do this
  • Only federation members with a specific entitlement (e.g. approved purchasing authority) can see/do this
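As an added illustration (not code from the original post), here is how an SP-enhanced application could enforce the four access control policies above using the eduPerson attributes listed under Identity Provider. It assumes the Shibboleth SP has already authenticated the user, filtered the released attributes against the IdP’s registered scope, and passed them to the application as a dictionary of strings with multi-valued attributes joined by ';'; the organisation scopes, pseudonyms and entitlement URI are constructed.

```python
# Added example, not code from the original post: attribute-based access control over
# the eduPerson attributes a Shibboleth SP hands to a federation-enabled application.
# Assumptions: the SP has already authenticated the user and filtered released
# attributes against the IdP's registered scope; multi-valued attributes arrive
# joined with ';'. Organisation scopes and entitlement URIs below are constructed.
from typing import Callable

SCOPED_AFFILIATION = "eduPersonScopedAffiliation"
PRINCIPAL_NAME = "eduPersonPrincipalName"
TARGETED_ID = "eduPersonTargetedID"
ENTITLEMENT = "eduPersonEntitlement"

Attributes = dict[str, list[str]]
Rule = Callable[[Attributes], bool]


def parse_attributes(raw: dict[str, str]) -> Attributes:
    """Split the SP's ';'-joined multi-valued strings into lists, dropping blanks."""
    return {name: [v for v in value.split(";") if v] for name, value in raw.items()}


def split_scoped(value: str) -> tuple[str, str]:
    """'staff@uni-a.example.edu' -> ('staff', 'uni-a.example.edu'); scope is '' if absent."""
    affiliation, _, scope = value.partition("@")
    return affiliation, scope


def federation_member(attrs: Attributes) -> bool:
    """Policy 1: any federation member. Reaching the application through the SP with
    a persistent pseudonym released is taken here as the proof of membership."""
    return bool(attrs.get(TARGETED_ID))


def from_organisation(scope: str) -> Rule:
    """Policy 2: members of one organisation, identified by the scope (domain) part."""
    return lambda a: any(split_scoped(v)[1] == scope for v in a.get(SCOPED_AFFILIATION, []))


def with_affiliation(affiliation: str) -> Rule:
    """Policy 3: members holding a given affiliation (e.g. staff) at any organisation."""
    return lambda a: any(split_scoped(v)[0] == affiliation for v in a.get(SCOPED_AFFILIATION, []))


def with_entitlement(uri: str) -> Rule:
    """Policy 4: members whose IdP asserted a specific entitlement URI."""
    return lambda a: uri in a.get(ENTITLEMENT, [])


def allowed(raw: dict[str, str], *rules: Rule) -> bool:
    """Deny by default: federation membership plus every supplied rule must hold."""
    attrs = parse_attributes(raw)
    return federation_member(attrs) and all(rule(attrs) for rule in rules)


# Constructed sample sessions, shaped as the SP would present them to the application.
STAFF_A = {TARGETED_ID: "opaque-pseudonym-1", PRINCIPAL_NAME: "jsmith@uni-a.example.edu",
           SCOPED_AFFILIATION: "staff@uni-a.example.edu;member@uni-a.example.edu",
           ENTITLEMENT: "urn:mace:example:purchasing-authority"}
STUDENT_B = {TARGETED_ID: "opaque-pseudonym-2", SCOPED_AFFILIATION: "student@uni-b.example.edu"}
ANONYMOUS: dict[str, str] = {}
```

The scope check in policy 2 is only as trustworthy as the SP’s attribute filtering: an IdP must not be able to assert affiliations for a scope it does not own, which is why that filtering is assumed to have happened before the attributes reach the application.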

Summary

These concepts are fairly common to most trust federation architectures including:

Of course, the amount of work and complexity involved can be quite different. Whether or not OpenID qualifies as a trust federation architecture is a subject for another time!

Once your IDM and Web-systems are architected to support these capabilities you will be well positioned to take early advantage of the benefits of trust federation membership.

The case for Trust Federations in Education

The concept of a Trust Federation for the Australian education sector is a subject of lively debate and some activity.

The Australian Access Federation (AAF) is progressing from a testbed to production status. To date it has focused mainly on the needs of the Australian higher education (HE) sector.

There has been much discussion about a trust federation for the Australian School and Vocational Education & Training (VET) sectors and whether it should be the AAF or a separate (but interoperable) federation.

Two national online projects I have been involved with would be much enhanced if we had one (or more) national Schools/VET/HE trust federation(s).

The VET-sector Learning Object Repository Network (LORN) project aggregates the various state-based learning object (LO) repositories into a national service with the following benefits:

  • teachers within state institutions can access a much larger nationally aggregated range of learning objects for use in their courses
  • LO content developers in state institutions can see what has already been developed in other jurisdictions and avoid re-inventing LOs
  • LO owners can showcase (and sell) their LOs to a national and international audience

To date LORN has been restricted to LOs that the LO owners are willing to give away for free. But these organisations have many other LOs that they would like to make available more widely on a commercial basis. Work is progressing on extending LORN with an online credit card payment facility for this purpose, but a trust federation would provide a much richer set of commercial arrangement options.

Within a trust federation, LORN could be enhanced to encourage LO providers (state institutions and others) to publish their commercial LOs under secure access-controlled conditions. Example arrangements could be:

  • Institutions A & B could agree to allow each other to access all their LOs.
  • Institution C might allow free access to its LOs for all federation members but deny access to non-members.
  • Publisher D could make its LOs available to Institution E because they have an annual licence agreement.
  • Institution F could avoid unnecessary copyright fees because it can prove access to licensed materials by authorised users.

In the Australian schools sector The Learning Federation (TLF) has developed a large range of high quality LOs that are intended to be restricted to authorised school jurisdictions. In the absence of a suitable national school sector trust infrastructure, implementing these access control policies has added complexity and inconvenience to the project and (for some school jurisdictions) the intended beneficiaries: teachers and students.

Some have argued that Trust Federations in the education sector so far represent an institution-centric, overly complex (e.g. Shibboleth) view of the world. It has been suggested that we should take a leaf out of the Web 2.0 world and go for a more learner-centric, light weight (e.g. OpenID) approach.

Others have suggested that we should just make all learning materials freely available to all.

A rich subject area for future postings!

Social Networking behind the Firewall

Education.au ltd’s me.edu.au social networking site has continued to generate interest not only from the education community but also from government and corporates.

My colleague Sarah Hayman and I recently presented at a South Australian Government Web 2.0 conference.

This was a lively and informative event attended by 150 delegates from across South Australian Government and other sectors.

We heard stories of desire within government departments to get access to the superb capabilities provided by external Web 2.0 sites such as LinkedIn, Facebook, MySpace and me.edu.au to:

  • improve social and knowledge networking within government and
  • deliver on citizen-facing Government strategies

We also heard of groups in Government forming “bottom-up” networks using these Internet sites, only to have them closed down because of management concerns about the risks of storing internal government information on public sites.

A common frustration was that many of the popular Web 2.0 sites are blocked by government firewalls.

Another key business driver for the adoption of web 2.0 technologies and paradigms within Government is the need in many departments to be able to attract and retain younger people for whom online social networking is an integral part of their lives.

A number of departments have started pilot web 2.0 projects by deploying internal blogs and wikis behind their firewalls using open source products. Some brave souls are even contemplating using the social networking features of the latest version of Sharepoint!

We discussed the opportunity for governments to use a productised version of me.edu.au as a next step along the web 2.0 path:

  • adding a social/knowledge networking overlay to existing information sources such as blogs, wikis and intranets.
  • connecting people and information sources within and across departments
  • deployed internally (behind the firewall) to overcome information sensitivity and firewall policy barriers
  • possible integration with existing identity management systems

Another common theme was the need to know best practice policies and processes for setup and operation of these new generation social networks.

SCORM and CORDRA at Work

E-learning standards guru Jon Mason (who is now the editor for the JISC/DEST e-Framework project) organised a seminar on Friday 6 October 2006 at the University of South Australia to promote awareness of ADL technologies such as SCORM and CORDRA.

Dan Rehak (who is now co-director of the WorkForce ADL Co-Lab in Memphis) gave the keynote “The 5 R’s of Workforce Training - Enabling Technologies for Scalable Solutions”. Dan described the global picture for workforce training and gave an overview of the role that ADL and other technologies are playing to deliver this promise. In particular Dan described:

  • SCORM for shareable, reusable content
  • CORDRA for discovery
  • e-Framework as a reference model to aid technical interoperability

I presented on the subject of Federating Repositories in the Australian VTE Sector. This is a project that I have been involved in over the last 2 years. It is a good case study of a national-level pragmatic, low-cost, light-weight repository federation implementation that has been informed by standards such as SCORM, CORDRA, LOM, OAI-PMH and SRW/U. The VTE sector’s Learning Object Repository Network (LORN) project is a CORDRA-like federation of repositories.

Ian Reid from UniSA presented on institution-level implementation issues associated with Elearning within UniSA. He agreed that standards and scalability were important but challenged vendors to provide course creation and management systems that are sufficiently easy-to-use by non-technical teaching staff. He went on to describe how at UniSA they use a simple set of web-based wizards and templates for content creation.


Blogging from Microsoft Word Documents

If you are like me you have a large volume of content sitting in Microsoft Word documents that you would like to publish on your Blog. You are comfortable and productive using Word and prefer to keep your source documents in Word format on your local laptop or corporate LAN.

It would be very attractive to be able to just open up your Word documents and copy and paste sections into your blog entries. Trouble is, the resultant HTML is horrendous: bloated and full of unwanted styling.

I have tried a number of approaches to getting good clean HTML into blogs from my Word documents, but have not yet found a simple, reliable method.

The approach I am currently using looks promising. Nick Lothian put me onto Windows Live Writer. This is a free downloadable tool that acts much like a cut-down Word.

I open my source Word document and copy and paste text into Live Writer. This nifty tool seems to do a good job of removing all the excess HTML including unwanted styling. It also converts headings, lists etc to HTML equivalents. Then I can use Live Writer’s inbuilt blog capabilities to post into my blog.

So far I’ve only tried it with fairly simple sections of my Word documents but it looks promising.

Cathedrals and Bazaars: Shibboleth versus Web 2.0

There are a number of Higher Education initiatives, both nationally here in Australia and internationally, that are aimed at building a trust fabric to enable secure collaboration between institutions.

Central to these initiatives is the notion of creating federations of institutions which (while maintaining the identity of their staff and students in their own internal systems) have developed a trust relationship, agree on basic security standards and interoperate via agreed middleware standards. The approach is for institutions to federate their internal Identity, Authentication and Authorisation systems so as to interoperate with each other.

The major business drivers here are:

  • Single Sign On: users logged into University A can access and auto-logon to an application at University B without having to remember a different set of usernames and passwords.
  • Access to protected resources: University A can choose to allow users at University B to access protected resources e.g. an online e-Science database.
  • Virtual Organisations: Short-lived, online virtual organisations can be easily created. For example a research project can be formed comprising members from multiple universities. They can come together via a secure collaborative workspace.

The major activities in Australia are the Meta Access Management System (MAMS) project and the Middleware Action Plan and Project (MAPS).

MAMS is building a testbed federation of Higher Education institutions www.federation.org.au. Institutions belonging to this federation are developing (or extending) their IT systems to support seamless access by staff and students across the federation using common middleware based on the Internet2 Shibboleth standard.

There are a number of Higher Education initiatives, both nationally and internationally, that are aimed at interoperability between institutional repositories. These include FRODO, ARROW and CORDRA.

These initiatives can be summarised as progressing an institutional view of identity and collaboration. Recent Internet activities known collectively as Web 2.0 and Identity 2.0 are focused on the paradigm of the Web as a community-based or user-centric social networking fabric. Web 2.0 sites such as del.icio.us and Flickr promote a view of the web where the user is in charge of his/her identity and multiple sites interoperate to promote community-based collaboration and resource sharing. Central to this notion are technologies such as:

  • Folksonomies and tag clouds
  • User-centric identity services such as SXIP, OpenID and Microsoft InfoCard
  • Functionality exposed as XML-based web services

It is likely that students and staff within Higher Education institutions will have both institutional and Web 2.0 identities and resource sharing requirements. The challenge for architects of the next generation of Elearning systems will be to accommodate both worlds.

The Australian Middleware Forum and CAMP 2006

The Middleware Forum and CAMP 2006 was held this week at Macquarie University in Sydney, Australia. This was a Higher Education (HE) conference focusing on the core middleware that would be needed by the HE sector. The 1 day forum was more about strategy and policy while the 2 day camp was more about technical architectures and implementations. The major theme for the conference was building federated trust networks: a set of core middleware that would enable unis to securely collaborate online nationally and globally. Although the focus was on the technicalities of core middleware, it was agreed that the major drivers for creating a federated trust network are:

  • Single Sign-on: single sign on to inter-institutional applications
  • E-research GRID: secure global access to high value GRID resources e.g. computing arrays
  • Digital Resources and DRM: authorised online access to shared protected resources e.g. publishers’ e-journals such as Science-Direct
  • Virtual Organisations (VO): creating virtual project teams across HE institutions (globally) to support collaborative research projects.
  • Secure collaboration: secure cross-institutional applications to support collaboration (chat, wikis, forums, blogs, mail-lists etc)

The focus here is on federating Identity, Authentication and Authorisation (IAA) across institutions. That is, your IAA is maintained in your home uni, but the uni belongs to a trust federation where all unis trust each other. Inter-federations can be created, e.g. where the Aust HE federation is joined to the US and UK HE federations. Other federations can be formed, e.g. where the HE federations join with the FedGov federations or other education sector federations such as schools and VTE.

The main technologies used to build these trust federations are Shibboleth (SAML, XACML) and PKI.

It’s interesting to see what is being done in building trust federations in the US and UK as well as here. So far the initiatives are building separate federations: PKI and Shibboleth. They are now thinking about how to combine them:

  • In the US, the HE sector has built 2 HE PKI trust federations (USHER and HEBCA). They are linking HEBCA to the Fed Gov PKI federation. The US education sector has established a production-level HE Shibboleth trust federation (InCommon) complete with policies and governance. They have also federated InCommon with the US FedGov EAuth Shibboleth trust network.
  • In the UK, there is a well-organised and funded national initiative (JISC and BECTA) that is building a national federated Shibboleth trust network (to be operated by UKERNA) across all education sectors. It will spend $Aus9m over 2 years and replace the obsolete Athens trust network.
  • In Europe the Bologna Process is supporting harmonised standards across European Unis.
  • In Australia the MAMS project has established a testbed national HE Shibboleth trust federation. MAMS is talking about this being a “production” federation but there is little policy or governance framework in place yet. Most of the applications are still at the demonstrator and proof-of-concept stage. The Caudit PKI initiative (AHERTF) is building an Australian HE PKI federation (operated by AusCERT) so that users at Uni-A with PKI certificates can be recognised at Uni-B.

There was little discussion about these trust networks being used for applications like national assessment and reporting, student mobility or truancy. However, with a middleware infrastructure in place that supports secure access to applications and resources, these types of applications would become quite practical to build. In order to do this we would also need to ensure that the trust federation included the other educational sectors and government departments.

So far, this has been all about federating institutional IAA.

It was also noted that there is a parallel bottom-up trend towards user-centric IAA as per Web 2.0 and Identity 2.0 initiatives. Microsoft’s InfoCard is a promising initiative in the Web 2.0 user-centric IAA area. It will be part of Vista and looks like “Passport done right”.