A Roadmap to K-12 Federated Identity Management

Introduction

Write up on K-12 Federation versus Higher Education?

Terminology

Access Management (AM)

Part of Identity and Access Management, it deals specifically with how users (identities) are authorized to access resources, frequently through the use of groups, roles and entitlements that are established through policies.  Privilege Management is a related area and tends to be more granular in nature.

Affiliation

Describes an individual’s relationship with an institution (e.g. student, faculty, staff).  It differs slightly from a role, which describes the job function performed or the responsibilities of the job rather than the relationship itself.

Authentication

The act of proving that you are the owner of an identity (username, account, etc.).  It usually consists of presenting a password or another factor (hardware token, PIN, digital certificate, fingerprint scan, etc.).

Cloud

Cloud services or applications are those that are not run locally, but are hosted at a vendor location and accessed through the internet.

eduPerson

eduPerson is an LDAP schema designed to include widely-used person attributes in higher education. It was developed, and is maintained, by the Internet2 MACE-Directories Working Group (MACE-dir), a project of the Internet2 Middleware Initiative.  The eduPerson object class provides a common list of attributes and definitions.  Attributes are used to communicate information about an individual accessing an online resource.

Federated Identity Management (FIM)

The management and use of identity information between members of a federation.

Federation

A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.

Identity

A unique, electronic representation of a physical person (usually) used to interact with online resources.

Identity Data

Attributes about an individual that uniquely identify them.  Usually consists of bio-demo data such as Name, Address, Phone number, email, Employee/Student Number, DOB, etc.

Identity Management (IdM)

Identity management refers to the policies, processes, and technologies that establish (provision) user identities and enforce rules about access to digital resources.

Identity and Access Management (IAM)

Identity and Access Management is the current discipline, which combines the creation and management of Identities and how they are enabled to access resources.  Formerly referred to as Identity Management (IdM), it was expanded to include Access Management in the last few years.

Provisioning

The act of creating an electronic identity or record for a user.  May also refer to the creation of accounts or the provisioning of services (access to applications).

Role-Based Access Control, Group-Based Access Control (RBAC & GBAC)

Provisioning access (to resources) for a user based on what roles they have (e.g. teacher, guidance counselor, student, etc.), or based on their membership in a group of like individuals (e.g. All fifth graders, Data Coordinators, Coaches, principals, etc.)

Shibboleth

Shibboleth is open-source software that lets sites make informed authorization decisions about individual access to protected online resources in a privacy-preserving manner.  It implements widely used federated identity standards, principally OASIS' Security Assertion Markup Language (SAML), to provide a federated single sign-on and attribute exchange framework.

Single Sign-On (SSO)

The act of a user logging in once to gain access to multiple applications, services, etc., without being prompted to log in again at each of them.

Source Systems

The authoritative Systems of Record (SoR) that are the source of identity data in an Identity and Access Management system.

Target Systems

The applications, services, resources, etc. that users access with their accounts/credentials.  User accounts may be provisioned directly into the target system via a vendor’s API (e.g. Google Apps), or the target system may be enabled for federated access, in which case it consumes a SAML assertion from the institution’s IdP (e.g. via Shibboleth) rather than holding its own copy of the user’s password.

Introduction

When it comes to Federated Identity Management (FIM) and K-12 there are many places to begin the conversation.  Since this document is described as a “Roadmap”, one can safely assume that somewhere there are people who want to implement federated access for their school district, for all districts in their state, or nationally, or there wouldn’t be a need for a roadmap.  Higher education has been working on FIM for nearly a decade.  And while participant growth in the InCommon Federation (the US national identity federation for research and higher education) continues to gain momentum - doubling roughly every year, it’s taken a while for institutions to understand the value proposition(s) for implementing federated identity management.  In fairness, the benefits to using FIM have continued to evolve and blossom over the last few years, so as school districts begin to migrate to a growing number of “cloud” applications and resources for instance, finding a simple and secure way to access these “external” services becomes a priority.

Many school districts are already using a mix of locally run, vendor-hosted and Cloud SaaS resources.  Many of these require a separate username and password to be accessed, which results in K-12 teachers and students needing to remember and manage all these accounts.  This may be the biggest value proposition for the end user – “single sign on”.

The following sections capture the Benefits, Challenges, Federation Options, Use Cases, Case Studies and Next Steps for K-12 Federation.  Please feel free to add your own to the list!

Benefits (Value Proposition) for K-12

Districts, Schools, Users:
  • Fewer Accounts
    • Password Management
    • Better User Experience
    • Single Sign On (SSO)
  • Easier Application On-boarding – simple to extend once implemented
  • Better security and access to an increasing number of Cloud Services (use case)
  • Licensing costs controlled - More accurate count of actual users (via federated access)
  • Security
    • Better control over user Credentials (username/password)
      • Active/Inactive accounts
      • Management of users’ privacy or information exchanged
      • User data (attributes) released are controlled by the institution
    • Fewer Firewall “holes” needed (opened for vendor access to LDAP data)
    • Passwords not transmitted to vendor/application sites to authenticate
    • Easier to enable a user and grant entitlements (theoretically in one place)
    • Much easier to disable a user (one place, rather than searching for accounts)
  • Consortium purchasing (licensing)
  • SLC/SLI (Shared Learning Collaborative/Shared Learning Infrastructure)
State-level (DOE/DPI):
  • Opportunity for consortium buying
  • Shared Applications
    • External (common vendor apps – LMS, Library Services, Learning Object Repositories, etc.)
    • Internal (state-wide applications)
  • Collaboration made easier
    • Shared Wiki spaces
    • Access to limited/costly resources through Federated Login
    • Between different communities of practice
      • Community Colleges – High school early access
      • Other Higher Education institutions
        • Research
        • Services
        • School Districts
  • Virtual Public Schools (Online Learning)
    • Similar issues to Distance Education
    • Federated access possible from “home school/district”

Challenges

  • K-12 Districts don't have FIM "high" on their lists of projects (maybe top 10)
    • Major needs/projects are likely to be "district-focused"
    • Districts won't benefit as much from FIM on their own
  • The bigger benefits are realized when coordinated at the State level (or higher)
    • Shared learning infrastructure
    • Consortium buying
    • State-wide licensing of multi-tenant Cloud Services
    • State-specific (required) "federated" applications/services
  • The effort to implement FIM is frequently too great for a single district to manage
    • The coordination, leadership and funding "likely" needs to be done at a state level
    • Partnerships of InCommon/Regionals/State Departments of Education could help
    • IAM backend systems do not always exist or may be incomplete
    • Technical Expertise/Knowledge of local IT Staff may be limited
    • Lack of Federation knowledge
    • Shibboleth, other Federation Software may be a challenge to implement
    • Java developer skills may be lacking
    • Existing staff may already be overloaded
    • Cost of Federation membership ($)
  • Availability of client machines for all students (1:1)?
    • Currently not a given
    • BYOD/T (Bring Your Own Device/Technology)
    • Next few years may see a higher percentage of K-12 students with client devices
  • Trust/Legal Issues of participation
    • Students are minors (can’t agree to release PII on their own)
    • Effort to seek oversight approval may limit interest
  • Level of Assurance (LoA) of the credential
    • Account/username/password issuing process
    • Identity-Proofing – tied to the credential
  • New Attributes needed?
    • Grade (K-12)
    • Age-specific
      • 13 or older (the COPPA threshold: online collection of personal information from children under 13 requires verifiable parental consent)
      • 18 or older (legal adult; able to consent on their own)
    • School Type
      • Elementary School (K-5)
      • Middle School (6-8)
      • High School (9-12)
  • Parent/Guardian Access
    • Approvals
    • Waivers
    • Access (via student, others, legal guardian) to grades, schedule, other information
    • Ability to update student information? (Bio/Demographic data?)
  • Regulatory Concerns:
    • FERPA - Family Educational Rights and Privacy Act (1974; regulations amended 2008)
      • Access to student data, grades, etc.
    • CIPA - Children's Internet Protection Act
    • COPPA - Children's Online Privacy Protection Act (1998)
    • HIPAA - Health Insurance Portability and Accountability Act (1996)
      • Protected Health Information (PHI)
  • Additional Security?
  • Leadership/Champions in the K-12 space
  • Number of K-12 focused, SAML-enabled services (vendor applications)
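The two attribute-related items above (the "New Attributes needed?" question here, and the "user data (attributes) released are controlled by the institution" benefit earlier) can be made concrete. The following is an added example, not code from the roadmap or from Shibboleth: it derives K-12-specific values (grade, school type, an age band instead of the date of birth) from a district's source-of-record data and applies a deny-by-default, per-SP attribute release policy before anything leaves the IdP. The student record, the scope, the SP entity IDs and the k12Grade/k12SchoolType/k12AgeBand attribute names are all hypothetical; the eduPerson* names are the real eduPerson attributes.

```python
from datetime import date

# --- constructed sample data; no real district, student or service is represented ---
STUDENT = {
    "uid": "jdoe",
    "givenName": "Jane",
    "sn": "Doe",
    "dob": date(2002, 9, 1),
    "grade": "5",                                  # SIS grade code: "K" or "1".."12"
    "scope": "example-district.k12.example.us",    # hypothetical IdP scope
}
SAMPLE_TODAY = date(2012, 10, 1)                   # fixed so the output is reproducible

# Per-SP attribute release policy, deny by default. Entity IDs are hypothetical;
# the k12* attribute names are placeholders, not registered eduPerson attributes.
RELEASE_POLICY = {
    "https://lms.example.org/shibboleth": {
        "eduPersonPrincipalName", "eduPersonScopedAffiliation",
        "k12Grade", "k12SchoolType",
    },
    "https://library.example.org/sp": {
        "eduPersonScopedAffiliation", "k12AgeBand",
    },
}


def grade_number(grade):
    """Normalise an SIS grade code: 'K' -> 0, '1'..'12' -> int; anything else is rejected."""
    code = str(grade).strip().upper()
    if code == "K":
        return 0
    if code.isdigit() and 1 <= int(code) <= 12:
        return int(code)
    raise ValueError(f"unsupported grade code: {grade!r}")


def school_type(grade):
    """Map a grade to the school types the roadmap lists: K-5, 6-8, 9-12."""
    number = grade_number(grade)
    if number <= 5:
        return "elementary"
    if number <= 8:
        return "middle"
    return "high"


def age_on(dob, today):
    """Age in whole years on `today`, counting a birthday only once it has occurred."""
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    return today.year - dob.year - (0 if had_birthday else 1)


def age_band(age):
    """Coarse band instead of the DOB: under 13 is the COPPA threshold, 18 is adulthood."""
    if age < 13:
        return "under13"
    if age < 18:
        return "13to17"
    return "18plus"


def build_attributes(record, today):
    """Everything the IdP is willing to assert for a student.

    Raw PII from the source system (name, DOB) is deliberately absent; only
    derived, minimised values are candidates for release."""
    scope = record["scope"]
    return {
        "eduPersonPrincipalName": f"{record['uid']}@{scope}",
        "eduPersonScopedAffiliation": f"student@{scope}",
        "k12Grade": str(grade_number(record["grade"])),
        "k12SchoolType": school_type(record["grade"]),
        "k12AgeBand": age_band(age_on(record["dob"], today)),
    }


def release(attributes, sp_entity_id, policy=RELEASE_POLICY):
    """Keep only what the policy permits for this SP; an unlisted SP gets nothing."""
    allowed = policy.get(sp_entity_id, set())
    return {name: value for name, value in attributes.items() if name in allowed}


if __name__ == "__main__":
    candidate = build_attributes(STUDENT, SAMPLE_TODAY)
    for sp in list(RELEASE_POLICY) + ["https://unlisted.example.net/sp"]:
        print(sp, release(candidate, sp))
```

The two design points worth carrying into a real IdP configuration are the ones the roadmap's security bullets imply: the source system's raw fields never become releasable attributes (the age band is asserted, the DOB is not), and a service that is not named in the policy receives no attributes at all, so onboarding a new vendor is an explicit act rather than a default.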

Possible K-12 Federation Options

  • District or State-Level IdPs
    • How would (could) a state-wide IdP work?
      • Much more granular OU than in Higher Education
      • Scoping of ePPN (eduPersonPrincipalName); the scope after the “@” must be registered in the IdP’s federation metadata, so a state-wide IdP needs either one scope per district or a pattern covering them all
      • How does this tie in with an IIS and the national SLC effort?
      • Should there be follow up (outreach) with the Shibboleth and InCommon folks?
    • Who would run IdP(s)?
      • State Dept of Education
      • Regional IdPs (throughout the state)
      • R&E Network Providers (RONs, Regionals)
      • State University Systems
  • Are there enough differences to warrant a separate K-12 Federation?
    • K-12 applications vs. Higher Education applications
    • Attributes and Attribute Release Policies (ARPs)
    • Regulations (state and federal) and Security (K-12 students are minors)
    • Shared Infrastructure - National K-12 Federation?
  • Inter-federation with InCommon?
  • Is this an InCommon Problem/Concern?
    • Pricing for K-12
    • Inter-federation vs. a single federation
    • K-12 Issues (see above)
    • Dilution of SP pool? (or "too much" for vendors to work with multiple federations)
    • Need to participate in multiple federations and inter-federate, OR 
    • Participate in a single federation and have subsets of metadata (K-12, HE, etc.)?
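The "Scoping of ePPN" question for a state-wide IdP has a matching check on the service-provider side: an SP must only accept a scoped value (ePPN, scoped affiliation) whose scope the issuing IdP is registered for in metadata, otherwise one IdP in the federation could assert identities belonging to another. The following is an added example, not code from the roadmap or from Shibboleth: the IdP-side construction of a district-scoped value, and the SP-side validation against a registry modelled on the IdP's shibmd:Scope metadata entries, including a regexp scope that covers every district of a hypothetical state. The entity ID, scopes and assertion attribute sets are constructed for the example.

```python
import re

# --- constructed metadata and assertion data; no real federation is represented ---
IDP_ENTITY_ID = "https://idp.k12.example.us/idp/shibboleth"   # hypothetical state-wide IdP

# What the federation metadata says this IdP may assert, as (scope, is_regex) pairs.
# Mirrors <shibmd:Scope> elements; an element with regexp="true" is a pattern.
REGISTERED_SCOPES = {
    IDP_ENTITY_ID: [
        ("northdistrict.k12.example.us", False),
        (r"^[a-z0-9-]+\.k12\.example\.us$", True),   # one pattern covers every district
    ],
}

SCOPED_ATTRIBUTES = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}

# Two constructed attribute sets from the same issuer: one honest, one attempting
# to assert values in scopes the state IdP is not registered for.
HONEST_ATTRIBUTES = {
    "eduPersonPrincipalName": "jdoe@northdistrict.k12.example.us",
    "eduPersonScopedAffiliation": "student@southdistrict.k12.example.us",
    "mail": "jdoe@northdistrict.k12.example.us",     # not a scoped attribute; passed through
}
SPOOFED_ATTRIBUTES = {
    "eduPersonPrincipalName": "registrar@university.example.edu",
    "eduPersonScopedAffiliation": "staff@example.us",
    "displayName": "J. Doe",
}


def scoped_value(local_part, district_scope):
    """IdP side: build a scoped value; the local part must not itself contain '@'."""
    if "@" in local_part or not local_part or not district_scope:
        raise ValueError(f"cannot scope {local_part!r} with {district_scope!r}")
    return f"{local_part}@{district_scope.lower()}"


def scope_is_registered(issuer, scope, registry=REGISTERED_SCOPES):
    """True if metadata lists `scope` (literally or by pattern) for `issuer`."""
    scope = scope.lower()
    for entry, is_regex in registry.get(issuer, []):
        if is_regex:
            if re.match(entry, scope):
                return True
        elif entry.lower() == scope:
            return True
    return False


def validate_scoped_attributes(issuer, attributes, registry=REGISTERED_SCOPES):
    """SP side: split accepted from rejected attributes.

    A scoped attribute is rejected if it does not contain exactly one '@', if
    the local part is empty, or if its scope is not registered to the issuer
    in metadata.  Unscoped attributes are passed through unchanged."""
    accepted, rejected = {}, {}
    for name, value in attributes.items():
        if name in SCOPED_ATTRIBUTES:
            local_part, sep, scope = value.partition("@")
            if (not sep or not local_part or "@" in scope
                    or not scope_is_registered(issuer, scope, registry)):
                rejected[name] = value
                continue
        accepted[name] = value
    return accepted, rejected


if __name__ == "__main__":
    print(scoped_value("jdoe", "northdistrict.k12.example.us"))
    for label, attrs in (("honest", HONEST_ATTRIBUTES), ("spoofed", SPOOFED_ATTRIBUTES)):
        accepted, rejected = validate_scoped_attributes(IDP_ENTITY_ID, attrs)
        print(label, "accepted:", accepted, "rejected:", rejected)
```

The Shibboleth SP performs this scope check itself through the scoping rules in its attribute-policy.xml (the AttributeScopeMatchesShibMDScope rule), so the practical decision for a state-wide IdP is which scopes to register: one literal scope per district keeps each district's namespace explicit in metadata, while a single pattern is easier to maintain but means the federation can no longer see which districts the IdP actually serves.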

Use Cases

  • Good set of example Use Cases for using Federated Identity Management (FIM).
  • (Review what constitutes a "Use Case" vs. a "Benefit")
  • See a description of Use Cases at bredemeyer.com (The Architecture Discipline - Bredemeyer Consulting)

Case Studies

Existing K-12/K-20 FIM implementations

  • North Carolina (NCTrust)
  • Others?

Next Steps

  • This Roadmap
  • Outreach to vendors
  • Coordination with state departments of education
  • Possible outreach to regional broadband providers
  • National coordination (Federal DOE)