HEAnet Federated Access Management Pilot – Project Initiation Document

Project Initiation Document (PID)
HEAnet Federated Access Management - First Pilot Phase

Version: 1.0
Author:  Glenn Wearen
Date:    23rd June 2008




abc8416a-767a-474e-a90f-18a7b2faa9c9.doc                                  Page 1 of 14



   Document History




      Revision History

Revision Date                   Version No.                 Change Comments
23rd June 2008                  1.0                         First publication




      Approval Authority

This document requires approval from the following authorities:

Name                            Title                       Signature
John Boland                     CEO, HEAnet
Mike Norris                     CTO, HEAnet








      Distribution

The document distribution group for this document is as follows:

Name                    Title
John Boland             CEO, HEAnet
Mike Norris             CTO, HEAnet
Aidan Carty             ISO, HEAnet




      Related Documents:

This document should be reviewed with reference to the following associated documents:

Document Name                                              Version     Date
Irish Federated Access Management – Discussion Document    V1.0        June 2007







CONTENTS

DOCUMENT HISTORY                                                        2
     Revision History                                                   2
     Approval Authority                                                 2
     Distribution                                                       3
     Related Documents                                                  3
CONTENTS                                                                4
2.   BACKGROUND                                                         6
     What is Access Management?                                         6
     What is Federated Access Management?                               6
     What are the Benefits?                                             6
        For the User                                                    6
        For the Librarian                                               6
        For the IT Manager                                              7
        For the Institution                                             7
        For the Content Provider                                        7
        In summary                                                      7
3.   ESTABLISHMENT OF AN IRISH RESEARCH & EDUCATION FEDERATION          8
4.   PROJECT SCOPE                                                      9
     Project Scope: Summary Requirements                                9
        Policy / Administration Requirements: All                       9
        Technical Requirements: HEAnet                                  9
        Technical Requirements: Identity Providers                      9
        Technical Requirements: Service Providers                      10
5.   OPEN STANDARDS                                                    10
     Shibboleth                                                        10
     Shibboleth Version for Pilot                                      10
        Shibboleth 1.3                                                 10
        Shibboleth 2.0                                                 10
        SAML 1.1 and SAML 2.0                                          10
        Active Directory Federation Services (ADFS)                    11
6.   HEANET SERVICE OFFERINGS                                          11
        Hosted LDAP with Hosted IdP                                    11
        Hosted IdP and Hosted SP                                       11
        Managed IdP and Managed SP                                     11
7.   RECRUITMENT OF PROVIDERS                                          11
     Recruitment of identity providers                                 12
     Recruitment of service providers                                  12
8.   PILOT OBJECTIVES & SUCCESS CRITERIA                               12
9.   PROJECT APPROACH                                                  13
10.  PROJECT ORGANISATION                                              13
11.  KEY PROJECT MILESTONES & TIMETABLE                                13
12.  PROJECT DELIVERABLES                                              13
13.  EXCLUSIONS                                                        14
14.  CONSTRAINTS & EXTERNAL DEPENDENCIES                               14








2. BACKGROUND

      What is Access Management?
Access Management is the term used to describe the process of permitting access to protected
online information, usually in the context of web pages or web-based applications. It describes
both the means by which an online information resource decides whether to allow access to a
protected area, and also the administrative process of allowing access for approved individuals.

      What is Federated Access Management?
A federation is a group of institutions and organisations that sign up to an agreed set of policies
for exchanging information about users and resources to enable access and use of resources and
services. The federation combined with identity management software within institutions and
organisations can be referred to as Federated Access Management.

Federated Access Management builds a trust relationship between Identity Providers (IdP) and
Service Providers (SP). It devolves the responsibility for authentication to a user's home
institution, and establishes authorisation through the secure exchange of information (known as
attributes) between the two parties.

In the research and education environment, Federated Access Management allows students and
staff access to a wide-range of federation resources by using their institutional username and
password.

For further information on federations and access management, please refer to HEAnet’s
discussion document: Irish Federated Access Management V1.0

      What are the Benefits?
Federated Access Management provides significant benefits to several user-groups:

For the User:
Single sign-on using an institutional ID and password, with the potential for a personalised
and persistent experience between visits to the content. Assurance that personal data will not be
disclosed beyond the boundary of the user's institution unless the remote content provider has
explicitly requested, and the user has given, consent. Where consent has been given, users can be
assured that their data will be handled securely and will not be passed to third parties.

For the Librarian:
Freedom from the burden of username/password administration, and new tools for managing
licences and service subscriptions. Federated access can enable users to access federated search
engine results regardless of whether the content is protected or open. Federated access also offers
the potential to identify visually impaired users so that online access to copyright-protected
material in a digitised format can be granted automatically to the library visitor.

For the IT Manager:
More control over the access management process through enhancements to enterprise
directories. In some cases this may require additional institutional effort at first; in others, IT
Managers may be able to leverage the existing quality of their directories. Access will no longer
be keyed to IP address space, so mobility and roaming access become real options.

For the Institution:
A single service to meet the requirements of cross-institution collaboration, e-learning,
e-research, and library-managed resources. The use of open-source software should result in lower
subscription charges. It facilitates finely-controlled access to services or resources, allowing for
subscriptions by department and group, or courseware targeted at individual classes. It also
maintains compliance with the Data Protection Act when subscribing to online services:
institutions will not have to disclose details of staff or student personnel records to content
providers unless the resource requires such data (as in the case of collaborative resources). The
federation will act as a trust framework that incorporates user privacy at its core and is compliant
with the Data Protection Act.

For the Content Provider:
Educational institutions are demanding a single sign-on solution. Adoption of international
standards is of significant benefit to publishers who operate at an international level.
Authentication is controlled by the user's home institution; this means less work for Service
Providers in administering usernames and passwords. Authorisation is controlled by the content
provider, who trusts the identity provider to make assertions about the identities under its
control. The content provider will be able to enable access by institution, faculty and
department, or by type of visitor (lecturer, student etc.). Where users have consented, content
providers will have the option of requesting attributes such as the user's name and email address;
these attributes can be used to offer the visitor an enhanced and personalised experience.
Persistence can also be maintained to provide returning visitors with the same personalised
experience. Furthermore, persistence can be preserved even where the user remains anonymous,
by the use of a persistent, opaque user identifier that is shared between one content provider and
the identity provider only, so that two content providers cannot correlate the same user.
Persistence and personalisation are particularly useful in the case of collaborative resources such
as wikis, virtual blackboards, shared calendars and web-based conferencing systems.

In summary
Federated Access Management should deliver an improved user experience, where users don't
have to remember a separate identity and can benefit from personalised interfaces, where
institutions are not required to disclose personal data, and where a multitude of technical access
arrangements can be harmonised into a single consistent system. Ultimately, this improved user
experience should increase the uptake and utilisation of subscribed services, facilitate the sharing
and collaborative development of resources amongst member institutions, and stimulate the
uptake of e-learning at all levels.






3. ESTABLISHMENT OF AN IRISH RESEARCH & EDUCATION FEDERATION

HEAnet has played a key role in communications technology and e-infrastructure at national
level. Working on behalf of its member institutions in the education and research communities,
it has developed the national network to deliver world-class IT resources. As a consequence,
students and academics can now use diverse resources as part of their learning and research.

Managing the access between user and resource is still largely done on a bilateral basis or via an
institutional or departmental proxy. There are, for instance, several institutions with integrated
library services for their users, but in other cases there is often little or no coordination or
scaling. Some measure of aggregation can be achieved by consortia of institutions; academic
libraries have been adept at negotiating good deals on behalf of their members. In other areas,
multi-institutional projects have established ways of sharing well-defined resources. The
benefits, however, have been bounded by the nature, scope and duration of the projects. There is
clearly a gap in service provision here, a need for a secure and seamless way of managing access
at national level for all education and research users.

HEAnet now proposes to establish and manage an Irish Federated Access Management
infrastructure to serve the Irish education and research community. As federations are typically
established at national level, this offers the future potential to establish peerings with other
federations across Europe and worldwide, permitting cross-federation sharing of resources in
support of international collaboration.

Recent findings indicate that several countries in Europe and elsewhere have taken a holistic
approach to access management. They have recognised the scale of the challenge, and have also
acknowledged the pleas of users for simplified sign-on: the multiplicity of logins that users are
asked to negotiate on a daily basis is an inhibitor to productive work and to exploitation of the
infrastructure. The eduroam service, now offered by HEAnet and some of its member
institutions, is one measure in response to this challenge, aimed at supporting the roaming user
and delivered as the result of collaboration at European level. At national level, policy decisions
have been taken to form middleware federations in order to coordinate access management. In all
cases so far, the NREN (National Research and Education Network) has been the logical
provider of this service.

HEAnet intends to recruit a small number of “early adopter” Identity Providers and Service
Providers to establish the first pilot stage build of an Irish federation.

This document sets out the scope of this pilot phase, outlining the requirements of HEAnet,
Identity Providers and Service Providers respectively. This document will also outline the
success criteria which shall serve to measure the success or otherwise of this pilot phase.

A forward-looking statement with regard to the future outlook for International Federations and
Federated Access Management can be found at:

http://www.jisc.ac.uk/media/documents/themes/accessmanagement/cc253d018-1.0%20international%20aspects.pdf



4. PROJECT SCOPE

The project scope shall see HEAnet establish a Federated Access Management infrastructure that
will allow a small number of Irish third-level organisations and second-level schools to access
the resources of a small number of Content Providers using prescribed Federated Access
Management technologies.

Federated access and authentication depends on a level of trust amongst federation members. In
this light, the parties to the pilot shall consider and establish an appropriate framework to define
federation policy and governance procedures.

      Project Scope: Summary Requirements
Policy / Administration Requirements: All
     Establish Governing Body
     Define Policy & Rules
     Draft Legal Instruments Required
     Recruit Early Adopter Identity Providers
     Recruit Early Adopter Service Providers
     Engage in information dissemination

Technical Requirements: HEAnet
    Build Federated Access Management Infrastructure
    Install & Configure WAYF Servers
    Operate namespace for providers
    Install & Configure reference IdP and SP implementations
    Define Operational Procedures
    Configure & Define federation access requirements including prototype attribute schema.
    Produce Documentation/Instruction for Identity Management Participation
    Produce Documentation/Instruction for Service Provider Participation
    Implement Mechanism to Allow Maintenance of Metadata.
    Investigate distributed maintenance of metadata
    Track developments in other Federations

Technical Requirements: Identity Providers
    Install and configure requisite hardware and software components
    Implement and contribute to evaluation of prototype federation schema
    Consolidate disparate datasets (if necessary)
    Agree content access license agreement with Service Provider
    Implement mechanism for advising metadata updates to HEAnet





Technical Requirements: Service Providers
    Ensure content management systems are federation ready
    Agree content access license agreement(s) with Identity Provider(s)
    Implement mechanism for advising metadata updates to HEAnet
    Evaluate suitability of proposed attribute schema

5. OPEN STANDARDS

      Shibboleth
HEAnet is proposing a Federated Access Management infrastructure based on Shibboleth
technology. Shibboleth was initially developed by the Internet2 group specifically for the
academic sector. Recently, developers from other institutions around the world have
contributed to the development of Shibboleth, and this has resulted in software that can be easily
adapted to the needs of other national research and education federations. Shibboleth is an
implementation of an open standard known as SAML (Security Assertion Markup Language),
which has provided the basis of federated access for organisations since 2002.

With Shibboleth, the Identity Provider manages authentication of its users, but the Service
Provider decides whether the individual can access the resource. The Identity Provider releases
only the minimal set of attributes that the Service Provider needs for authorisation, and nothing more.
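The two mechanisms this document relies on, release of the minimum attribute set per Service Provider (above) and a persistent, opaque identifier shared between one content provider and the Identity Provider only (the Content Provider benefits in section 2), can be sketched in a few lines. The following Python is an added illustration for this page, not code from the PID, from HEAnet or from the Shibboleth project. The entityIDs, the release policy, the user record and the salt are constructed placeholders, and HMAC-SHA256 over the SP entityID and the local username is my choice of derivation, not the algorithm of any particular Shibboleth release.

```python
import base64
import hashlib
import hmac
from typing import Dict, Iterable, Set

# Constructed placeholders for this example (not HEAnet or Shibboleth values).
# The salt is a long-lived IdP secret: changing it changes every user's identifier
# at every SP, so it lives outside any configuration that gets copied around.
IDP_SALT = b"constructed-example-salt-replace-with-a-random-secret"

SP_LIBRARY = "https://sp.library.example.ie/shibboleth"   # hypothetical entityID
SP_WIKI = "https://wiki.example.ie/shibboleth"            # hypothetical entityID

# What each SP is entitled to receive under federation policy (constructed).
# Identifying attributes appear only for SPs that have a use for them, and are
# still withheld until the user consents (see release_attributes).
RELEASE_POLICY: Dict[str, Set[str]] = {
    SP_LIBRARY: {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    SP_WIKI: {"eduPersonTargetedID", "displayName", "mail"},
}
IDENTIFYING = {"displayName", "mail", "uid"}

# A constructed directory record for one user at the IdP.
SAMPLE_USER = {
    "uid": "jbloggs",
    "displayName": "Joe Bloggs",
    "mail": "jbloggs@example.ie",
    "eduPersonScopedAffiliation": "student@example.ie",
}


def targeted_id(user_id: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Opaque, persistent, per-SP identifier in the spirit of eduPersonTargetedID.

    The same user at the same SP always gets the same value, so the SP can keep
    per-user state between visits. The same user at a different SP gets an
    unrelated value, and without the salt nobody can turn the value back into
    (or test it against) a username, so two SPs cannot correlate their users.
    """
    message = sp_entity_id.encode() + b"!" + user_id.encode()
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def release_attributes(user: Dict[str, str], sp_entity_id: str,
                       consented: Iterable[str] = ()) -> Dict[str, str]:
    """Build the attribute set an IdP would assert to one SP.

    Only attributes in the policy for that SP are considered; identifying
    attributes additionally require the user's consent for this SP; anything
    not in the policy (here the raw uid) is never released. An SP unknown to
    the federation gets nothing at all rather than a default set.
    """
    allowed = RELEASE_POLICY.get(sp_entity_id)
    if allowed is None:
        raise PermissionError(f"{sp_entity_id} is not a federation member; releasing nothing")
    consented = set(consented)
    released: Dict[str, str] = {}
    for name in sorted(allowed):
        if name == "eduPersonTargetedID":
            released[name] = targeted_id(user["uid"], sp_entity_id)
        elif name in IDENTIFYING and name not in consented:
            continue  # permitted by policy but withheld until the user consents
        elif name in user:
            released[name] = user[name]
    return released


if __name__ == "__main__":
    print("library SP      :", release_attributes(SAMPLE_USER, SP_LIBRARY))
    print("wiki, no consent:", release_attributes(SAMPLE_USER, SP_WIKI))
    print("wiki, consented :", release_attributes(SAMPLE_USER, SP_WIKI, {"mail", "displayName"}))
```

Run it and compare the eduPersonTargetedID values printed for the two SPs: they differ for the same user, which is what lets a wiki recognise a returning visitor without the library being able to match that visitor to one of its own. Real Shibboleth deployments express this policy in the IdP's attribute filter configuration rather than in code; the point here is the shape of the decision, not the syntax.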

      Shibboleth Version for Pilot
Shibboleth 1.3
Shibboleth 1.3 is the recommended release of Shibboleth software for new deployments within
the Irish federation. This version is fully supported by Internet2, including the provision of
security updates in binary form for many target environments. Federations services offered
directly by HEAnet will be built upon this version of Shibboleth (see the later section on HEAnet
Service Offerings).

Shibboleth 2.0
Shibboleth 2.0 is the most recent version of Shibboleth available. It will be some time before
applications that support Shibboleth 1.3 offer Shibboleth 2.0 support, and for this reason
Shibboleth 2.0 is not recommended. However, Shibboleth 2.0 will be supported in the pilot, as it
is backward compatible with Shibboleth 1.3, and it is expected that both versions of Shibboleth
will be supported in the post-pilot federation.

SAML 1.1 and SAML 2.0
Shibboleth is based on SAML; functional enhancements to SAML are the main differences to be
found in Shibboleth. It is possible to federate a Shibboleth provider with SAML 1.1 and 2.0
implementations, and thus SAML will be facilitated within the federation. However, support for
SAML implementations must be obtained from the provider of the SAML implementation in the
first instance; therefore, the SAML implementation provider must support issues arising from
federating with a Shibboleth provider. It is expected that at least one version of SAML will be
allowed in the post-pilot federation. It is expected that providers that prefer vendor software
support will choose a SAML-based solution from a commercial vendor such as Sun or PingID.

Active Directory Federation Services (ADFS)
While Microsoft Active Directory can be used as an identity store for either a SAML or
Shibboleth identity provider, Windows Server 2003 Enterprise Edition provides built-in support
for federated access based on the WS-* (WS-Federation) standards carrying SAML 1.1 tokens. The
included software provides an identity provider component (termed 'account partner') and a
service provider component (termed 'resource partner'). Both the account partner and resource
partner will be facilitated within the federation solely to allow federation members to evaluate
for themselves the suitability of ADFS in the post-pilot federation.

6. HEANET SERVICE OFFERINGS

HEAnet will evaluate the suitability of the following service offerings, which customers may
desire in the post-pilot rollout. The following services will be offered using Shibboleth
implementations only:

Hosted LDAP with Hosted IdP
In this model HEAnet will offer clients a hosted LDAP service. The client may choose to use this
service exclusively in conjunction with the Hosted IdP service, or in conjunction with other
applications requiring access to an instance of the institution's LDAP user store.

Hosted IdP and Hosted SP
HEAnet will host the IdP on behalf of customers; this will require access from HEAnet's
network to the Identity Provider's remote user repository (LDAP or database). HEAnet can offer
the hosted SP service only to customers who have availed of our web hosting services.

Managed IdP and Managed SP
HEAnet will configure and operate the IdP and SP instance(s), either installed at the customer's
site or on HEAnet's network, on the customer's behalf. Where the preferred location of
the IdP or SP is at the customer's site, the service may be delivered in the form of a managed
appliance.

7. RECRUITMENT OF PROVIDERS

HEAnet will invite potential identity and service providers to participate in the federation. While
the criteria for selection will be defined after the initial invitation is broadcast to HEAnet
customers and other research and development communities, the criteria will aim to encompass
a diverse range of participants: those who intend to use different technologies, those offering
non-web-based resources, and those who offer a view from outside the academic sector. The
purpose of this goal is to foster the development of policies and frameworks that are acceptable
to a wide range of potential post-pilot participants.




      Recruitment of identity providers
HEAnet shall encourage pilot participation by Identity Providers who are deemed to be most
“federation-ready”. In this regard, HEAnet shall request that potential early adopters illustrate
that they are well disposed to implement a Shibboleth-compliant infrastructure to support
campus-wide single sign-on. Availability of appropriately skilled resources shall be a further
consideration.

The considered state of readiness of an Identity Provider shall also inform a roll-out schedule
which shall be agreed with all participating Identity Providers.

It is envisaged that Identity Providers shall be selected from the University and Institute of
Technology (IoT) communities, state agencies such as the ESRI, and second-level schools.

      Recruitment of service providers
HEAnet has a preference to engage with those Content Providers which already have
commercial licence agreements in place with the selected Identity Providers and which are also
Shibboleth-compliant. Reference to membership of other national federations (e.g. UK
federation) shall also inform this selection process.

Again, the considered state of federation-readiness of a Service Provider shall inform the roll-out
priority to Service Providers.

It is envisaged that Service Providers shall be selected from the Library community in the first
instance. It is further envisaged that HEAnet shall itself act as a Service Provider, offering
federation members access to applications such as network monitoring tools and listserv
applications. Other service providers that will be invited to participate include Grid Ireland,
ICHEC, NDLR and existing providers of eLearning content to the academic sector, as well as
commercial organisations such as RTE and suppliers of e-procurement systems that the Irish
academic sector uses today.

8. PILOT OBJECTIVES & SUCCESS CRITERIA

At its simplest level, the pilot phase shall aim to achieve the following objectives:

   1. IdP1 users can log on from their home institution and access authorised content hosted at
      location SP1.

   2. A roaming IdP1 user can access "approved" content hosted at location SP1 from a remote
      location via a WAYF service at HEAnet.

   3. Users at IdP2 can log on from the IdP1 location and access authorised content hosted at
      location SP1.

The pilot shall also establish and validate the efficient workings of technical support, metadata
refresh, and federation operational processes.
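Metadata refresh is the operational process where federation trust actually lives: an SP or IdP that keeps consuming a stale or malformed aggregate keeps trusting keys and endpoints that may have changed. The following Python is an added example for this page, not HEAnet's tooling and not part of Shibboleth. The metadata document is constructed (hypothetical entityIDs under example.ie, a placeholder certificate string, and a validUntil chosen to fall two weeks after this document's date), and the checks are the ones a federation operator would run after verifying the aggregate's signature, which this snippet deliberately does not do.

```python
import datetime as dt
import xml.etree.ElementTree as ET
from typing import List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ROLES = ("IDPSSODescriptor", "SPSSODescriptor")

# Constructed sample aggregate: one IdP that is in good shape and one SP that is
# not (no certificate, and a plain-http AssertionConsumerService). Entity IDs,
# locations and the certificate text are placeholders, not real federation data.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:mace:example.ie:pilot" validUntil="2008-07-07T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp1.example.ie/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp1.example.ie/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp1.example.ie/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://sp1.example.ie/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

PILOT_START = dt.datetime(2008, 6, 23, tzinfo=dt.timezone.utc)   # this document's date
AFTER_EXPIRY = dt.datetime(2008, 8, 1, tzinfo=dt.timezone.utc)   # past the sample validUntil


def _parse_utc(stamp: str) -> dt.datetime:
    """Parse the UTC xsd:dateTime form (trailing Z) that SAML metadata uses."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_metadata(xml_text: str, now: dt.datetime) -> List[str]:
    """Return findings for an aggregate; an empty list means every check passed.

    Checks: the aggregate carries a validUntil and has not passed it; entityIDs
    are unique; every IdP/SP role publishes at least one certificate; every
    endpoint is https. Signature verification is out of scope here and must
    happen before these checks, using the federation's published signing key.
    """
    findings: List[str] = []
    root = ET.fromstring(xml_text)

    valid_until = root.get("validUntil")
    if valid_until is None:
        findings.append("aggregate has no validUntil: consumers would trust it indefinitely")
    elif _parse_utc(valid_until) <= now:
        findings.append(f"aggregate expired at {valid_until}: refresh before use")

    seen = set()
    for entity in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id = entity.get("entityID", "")
        if entity_id in seen:
            findings.append(f"duplicate entityID {entity_id}")
        seen.add(entity_id)
        for role_name in ROLES:
            for role in entity.findall(f"md:{role_name}", NS):
                certs = role.findall(
                    "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
                if not any((c.text or "").strip() for c in certs):
                    findings.append(f"{entity_id}: {role_name} publishes no X509Certificate")
                for element in role.iter():
                    location = element.get("Location")
                    if location and not location.startswith("https://"):
                        findings.append(f"{entity_id}: endpoint {location} is not https")
    return findings


if __name__ == "__main__":
    for finding in check_metadata(SAMPLE_METADATA, PILOT_START):
        print("FINDING:", finding)
```

Run at the pilot start the sample reports two findings, both against sp1; run after 7 July 2008 it reports the expiry first. A federation operator would wire a check like this into the step that publishes the aggregate, so that a member's defective metadata is rejected before every other member's refresh pulls it in.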





More specific success criteria shall be defined following project initiation.

9. PROJECT APPROACH

The following project controls will be maintained for the duration of this pilot project:

       Project Initiation Document which details the baseline pilot scope and outlines the
       responsibilities of each party. This scope may be modified during the course of the pilot
       with the agreement of all relevant parties.

       Project Issues Log which details issues which may affect the delivery of certain work
       packages or project elements. Project issues shall be weighted for impact, assigned a
       priority level, and an action plan agreed to address them.

       Project Risk Register shall highlight fundamental project issues that may result in
       serious impact on project resources, project financials, or project timescales.




10. PROJECT ORGANISATION

For the purposes of delivering this pilot project, a Middleware Working Group shall be
established at HEAnet. This HEAnet Working Group shall report to a Federated Access
Management Steering Group that shall consist of representatives of HEAnet, Identity Providers
and Service Providers.

The Federated Access Management Steering Group shall meet at regular intervals to review
project progress over the course of the pilot phase. Further, the Federated Access Management
Steering Group shall evaluate the success of the pilot phase against pre-determined pilot success
criteria.

11. KEY PROJECT MILESTONES & TIMETABLE

A project plan shall be agreed amongst the participating federation members and maintained
over the course of this project.

12. PROJECT DELIVERABLES

The key project deliverables can be summarised under the following categories:

      Policy Framework & Charter
      Federation Joining Process




      Federation Hardware Infrastructure
      Irish Federation Shibboleth Configuration
      Deployment of Identity Provider Servers at selected Third-Level Organisations
      Deployment of Service Provider Services at selected Service Providers
      Establishment of a WAYF Server at HEAnet
      HEAnet Technical Support Services
      HEAnet Administrative Support Services

13. EXCLUSIONS

Responsibilities and exclusions shall be more particularly defined in the policy framework to be
defined and drafted within the scope of this pilot phase.

HEAnet shall deliver the Federated Access Management service on a best effort basis and shall
seek indemnification within the federation membership charter.

It is important to note that federated access is applicable primarily for web-based resources;
some resources such as a Grid computing infrastructure and shared UNIX servers can be adapted
to permit federated access.

The federated access network will be dependent on existing agreements between content
providers and subscribers of such content. The federation will not attempt to replace collective
subscription arrangements which may exist today.

14. CONSTRAINTS & EXTERNAL DEPENDENCIES

There are external dependencies to the successful establishment of an Irish Federated Access
Management service, namely the dependency on selected Identity Providers and Service
Providers to successfully implement, in a timely fashion, the requisite local technical
components of their federation infrastructure. There is also an ongoing requirement for
federation members to maintain metadata and support the underlying hardware and software at
each location.

The continued availability of content to Identity Providers by Service Providers is also dependent
on the continuation of existing commercial agreements between Service Provider(s) and
respective Identity Providers.

Ongoing compliance with Shibboleth by all members of the federation is a further requirement
and dependency; this requirement extends to providers who may opt to use Active Directory
Federation Services or SAML.



