Write up on K-12 Federation versus Higher Education? (Need a narrative form, but here's an outline to start)

An Outline for K-12 Federated Identity Management
  • Baseline requirement for running an IdP (Identity Provider)
    • Underlying IAM infrastructure (accounts & minimal set of attributes)
    • Value proposition for districts (not much at the district level - need examples)
      • Reduced cost through shared applications
      • Reduced/Single Sign-On to "?" (some cloud services?)
        • Application/Service driven (e.g. Google Apps for Education)
  • District or State "Shared Applications" - SPs (value proposition)
  • Availability of client machines for all students (1:1)?
    • BYOD/T (Bring Your Own Device/Technology)
    • Currently not a "given"
    • Next few years may see a higher percentage of K-12 students with client devices
  • Moving from a district-focused effort to a state-wide or national effort would improve the chances for success (true?)
Possible K-12 Federation Options
  • District or State-Level IdPs
    • How would (could) a state-wide IdP work?
      • Much more granular OU than in Higher Education
      • Scoping of ePPN (eduPerson Principal Name)
      • How does this tie in with an IIS and the national SLC effort?
      • Should there be follow up (outreach) with the Shibboleth and InCommon folks?
  • Are there enough differences to warrant a separate K-12 Federation?
    • K-12 applications vs. Higher Education applications
    • Attributes and Attribute Release Policies (ARPs)
    • Regulations (state and federal) and Security (K-12 students are minors)
    • Shared Infrastructure - National K-12 Federation?
  • Inter-federation with InCommon?
  • Is this an InCommon Problem/Concern?
    • Pricing for K-12
    • Inter-federation vs. a single federation
    • K-12 Issues (see above)
    • Dilution of SP pool? (or "too much" for vendors to work with multiple federations)
    • Need to participate in multiple federations and inter-federate, OR participate in a single federation and have subsets of metadata (K-12, HE, etc.)?
K-12 Federation Challenges
  • K-12 Districts don't have FIM "high" on their lists of projects (maybe top 10)
  • Major needs/projects are likely to be "district-focused"
  • Districts won't benefit as much from FIM on their own
  • The bigger benefits are realized when coordinated at the State level (or higher)
    • Shared learning infrastructure
    • Consortium buying
    • State-wide licensing of multi-tenant Cloud Services
    • State-specific (required) "federated" applications/services
  • The effort to make progress on FIM is frequently too great for a single district to manage (true?)
  • The coordination, leadership and funding "likely" needs to be done at a state level
    • Partnership of RENs/Regionals and State Departments of Education
    • CoSN Leadership
    • Large District "role models"
    • Others?

Terminology

See Glossary

Use Cases

...

...

Case Studies

Existing K-12/K-20 FIM implementations

Benefits (Value Proposition) for K-12

...

  • Fewer Accounts
    • Password Management
    • Better User Experience
    • Single Sign On (SSO)
  • Easier Application On-boarding – simple to extend once implemented
  • Better security and access to an increasing number of Cloud Services (use case)
  • Licensing costs controlled - More accurate count of actual users (via federated access)
  • Security
    • Better control over user Credentials (username/password)
      • Active/Inactive accounts
      • Management of users’ privacy or information exchanged
    • Fewer Firewall “holes” needed (opened for vendor access to LDAP data)
    • Passwords not transmitted to vendor/application sites to authenticate
    • Much easier to disable a User (one place, rather than searching for accounts)
    • User data is neither stored at nor transported to vendor sites
  • Consortium purchasing (licensing)
  • SLC/SLI (Shared Learning Collaborative/Shared Learning Infrastructure)

...

  • Opportunity for consortium buying
  • Shared Applications
    • External (common vendor apps – LMS, Library Services, Learning Object Repositories, etc.)
    • Internal (state-wide applications)
  • Collaboration made easier
    • Shared Wiki spaces
    • Access to limited/costly resources through Federated Login
    • Between different communities of practice
      • Community Colleges – High school early access
      • Other Higher Education institutions
        • Research
        • Services
        • School Districts
  • Virtual Public Schools (Online Learning)
    • Similar issues to Distance Education
    • Federated access possible from “home school/district”

Challenges

  • K-12 Districts don't have FIM "high" on their lists of projects (maybe top 10)
    • Major needs/projects are likely to be "district-focused"
    • Districts won't benefit as much from FIM on their own
  • The bigger benefits are realized when coordinated at the State level (or higher)
    • Shared learning infrastructure
    • Consortium buying
    • State-wide licensing of multi-tenant Cloud Services
    • State-specific (required) "federated" applications/services
  • The effort to implement FIM is frequently too great for a single district to manage
    • The coordination, leadership and funding "likely" needs to be done at a state level
    • Partnerships of InCommon/Regionals/State Departments of Education could help
    • IAM backend systems do not always exist or may be incomplete
    • Accuracy of IAM backend systems
    • Technical Expertise/Knowledge of local IT Staff may be limited
    • Lack of Federation knowledge
    • Shibboleth, other Federation Software may be a challenge to implement
    • Java developer skills
    • Potentially beyond the level of experience available in many school districts
    • may be lacking
    • Existing staff may already be overloaded
    • Cost of Federation membership ($)
  • Availability of client machines for all students (1:1)?
    • Currently not a given
    • BYOD/T (Bring Your Own Device/Technology)
    • Next few years may see a higher percentage of K-12 students with client devices
  • Trust/Legal Issues of participation
      K-12
      • Students are minors (can’t agree to release PII on their own)
      • Effort to seek oversight approval may limit interest
    • Level of Assurance (LoA) of the credential
      • Account/username/password issuing process
      • Identity-Proofing – tied to the credential
    • New Attributes needed?
      • Grade Level (K-12)
      • Age-specific
        • 13 or older (“Age of Reason?”)
        • 18 or older (Able to make some decisions on their own?)
      • School Type
        • Elementary School (K-5)
        • Middle School (6-8)
        • High School (9-12)
    • Parent/Guardian Access
      • Approvals
      • Waivers
      • Access (via student, others, legal guardian) to grades, schedule, other information
      • Ability to update student information? (Bio/Demographic data?)
    • Regulatory Concerns:
      • FERPA - Family Educational Rights and Privacy Act (1974, 2008?)
        • Access to student data, grades, etc.
      • CIPA - Children's Internet Protection Act
      • COPPA - Children's Online Privacy Protection Act (1998)
      • HIPAA - Health Insurance Portability and Accountability Act (1996)
      • Protected Health Information (PHI)
    • Additional Security?
    • Leadership/Champions in the K-12 space
    • Number of K-12 focused, SAML-enabled services (vendor applications)

    Possible K-12 Federation Options

    • District or State-Level IdPs
      • How would (could) a state-wide IdP work?
        • Much more granular OU than in Higher Education
        • Scoping of ePPN (eduPerson Principal Name)
        • How does this tie in with an IIS and the national SLC effort?
        • Should there be follow up (outreach) with the Shibboleth and InCommon folks?
      • Who would run IdP(s)?
        • State Dept of Education
        • Regional IdPs (throughout the state)
        • R&E Network Providers (RONs, Regionals)
        • State University Systems
    • Are there enough differences to warrant a separate K-12 Federation?
      • K-12 applications vs. Higher Education applications
      • Attributes and Attribute Release Policies (ARPs)
      • Regulations (state and federal) and Security (K-12 students are minors)
      • Shared Infrastructure - National K-12 Federation?
    • Inter-federation with InCommon?
    • Is this an InCommon Problem/Concern?
      • Pricing for K-12
      • Inter-federation vs. a single federation
      • K-12 Issues (see above)
      • Dilution of SP pool? (or "too much" for vendors to work with multiple federations)
      • Need to participate in multiple federations and inter-federate, OR participate in a single federation and have subsets of metadata (K-12, HE, etc.)?

    Use Cases

    • Good set of example Use Cases for using Federated Identity Management (FIM).
    • (Review what constitutes a "Use Case" vs. a "Benefit")
    • See a description of Use Cases at bredemeyer.com (The Architecture Discipline - Bredemeyer Consulting)

    Case Studies

    Existing K-12/K-20 FIM implementations

    Next Steps

    • This Roadmap
    • Outreach to vendors
    • Coordination with state departments of education
    • Possible outreach to regional broadband providers
    • National coordination (Federal DOE)