A Roadmap to K-12 Federated Identity Management

Terminology

See Glossary

Introduction

When it comes to Federated Identity Management (FIM) and K-12, there are many places to begin the conversation.  Since this document is described as a “Roadmap”, one can safely assume that somewhere there are people who want to implement federated access for their school district, for all districts in their state, or nationally; otherwise there would be no need for a roadmap.  Higher education has been working on FIM for nearly a decade.  While participant growth in the InCommon Federation (the US national identity federation for research and higher education) continues to gain momentum, doubling roughly every year, it has taken a while for institutions to understand the value proposition(s) for implementing federated identity management.  In fairness, the benefits of using FIM have continued to evolve and blossom over the last few years; as school districts migrate to a growing number of “cloud” applications and resources, for instance, finding a simple and secure way to access these “external” services becomes a priority.

Many school districts are already using a mix of locally run, vendor-hosted and Cloud SaaS resources.  Many of these require a separate username and password, so K-12 teachers and students must remember and manage all of these accounts.  This may be the biggest value proposition for the end user: “single sign on”.

The following sections capture the Benefits, Challenges, Federation Options, Use Cases, Case Studies and Next Steps for K-12 Federation.  Please feel free to add your own to the list!

Benefits (Value Proposition) for K-12

Districts, Schools, Users:
  • Fewer Accounts
    • Password Management
    • Better User Experience
    • Single Sign On (SSO)
  • Easier Application On-boarding – simple to extend once implemented
  • Better security and access to an increasing number of Cloud Services (use case)
  • Licensing costs controlled - More accurate count of actual users (via federated access)
  • Security
    • Better control over user Credentials (username/password)
      • Active/Inactive accounts
      • Management of users’ privacy or information exchanged
      • User data (attributes) released are controlled by the institution
    • Fewer Firewall “holes” needed (opened for vendor access to LDAP data)
    • Passwords not transmitted to vendor/application sites to authenticate
    • Easier to enable a user and grant entitlements (theoretically in one place)
    • Much easier to disable a user (one place, rather than searching for accounts)
  • Consortium purchasing (licensing)
  • SLC/SLI (Shared Learning Collaborative/Shared Learning Infrastructure)
State-level (DOE/DPI):
  • Opportunity for consortium buying
  • Shared Applications
    • External (common vendor apps – LMS, Library Services, Learning Object Repositories, etc.)
    • Internal (state-wide applications)
  • Collaboration made easier
    • Shared Wiki spaces
    • Access to limited/costly resources through Federated Login
    • Between different communities of practice
      • Community Colleges – High school early access
      • Other Higher Education institutions
        • Research
        • Services
        • School Districts
  • Virtual Public Schools (Online Learning)
    • Similar issues to Distance Education
    • Federated access possible from “home school/district”

Challenges

  • K-12 Districts don't have FIM "high" on their lists of projects (maybe top 10)
    • Major needs/projects are likely to be "district-focused"
    • Districts won't benefit as much from FIM on their own
  • The bigger benefits are realized when coordinated at the State level (or higher)
    • Shared learning infrastructure
    • Consortium buying
    • State-wide licensing of multi-tenant Cloud Services
    • State-specific (required) "federated" applications/services
  • The effort to implement FIM is frequently too great for a single district to manage
    • The coordination, leadership and funding "likely" needs to be done at a state level
    • Partnerships of InCommon/Regionals/State Departments of Education could help
    • IAM backend systems do not always exist or may be incomplete
    • Technical Expertise/Knowledge of local IT Staff may be limited
    • Lack of Federation knowledge
    • Shibboleth, other Federation Software may be a challenge to implement
    • Java developer skills may be lacking
    • Existing staff may already be overloaded
    • Cost of Federation membership ($)
  • Availability of client machines for all students (1:1)?
    • Currently not a given
    • BYOD/T (Bring Your Own Device/Technology)
    • Next few years may see a higher percentage of K-12 students with client devices
  • Trust/Legal Issues of participation
    • Students are minors (can’t agree to release PII on their own)
    • Effort to seek oversight approval may limit interest
  • Level of Assurance (LoA) of the credential
    • Account/username/password issuing process
    • Identity-Proofing – tied to the credential
  • New Attributes needed?
    • Grade (K-12)
    • Age-specific
      • 13 or older (“Age of Reason?”)
      • 18 or older (Able to make some decisions on their own?)
    • School Type
      • Elementary School (K-5)
      • Middle School (6-8)
      • High School (9-12)
  • Parent/Guardian Access
    • Approvals
    • Waivers
    • Access (via student, others, legal guardian) to grades, schedule, other information
    • Ability to update student information? (Bio/Demographic data?)
  • Regulatory Concerns:
    • FERPA - Family Educational Rights and Privacy Act (1974, 2008?)
      • Access to student data, grades, etc.
    • CIPA - Children's Internet Protection Act
    • COPPA - Children's Online Privacy Protection Act (1998)
    • HIPAA - Health Insurance Portability and Accountability Act (1996)
    • Protected Health Information (PHI)
  • Additional Security?
  • Leadership/Champions in the K-12 space
  • Number of K-12 focused, SAML-enabled services (vendor applications)

Possible K-12 Federation Options

  • District or State-Level IdPs
    • How would (could) a state-wide IdP work?
      • Much more granular OU than in Higher Education
      • Scoping of ePPN (eduPersonPrincipalName)
      • How does this tie in with an IIS and the national SLC effort?
      • Should there be follow up (outreach) with the Shibboleth and InCommon folks?
    • Who would run IdP(s)?
      • State Dept of Education
      • Regional IdPs (throughout the state)
      • R&E Network Providers (RONs, Regionals)
      • State University Systems
  • Are there enough differences to warrant a separate K-12 Federation?
    • K-12 applications vs. Higher Education applications
    • Attributes and Attribute Release Policies (ARPs)
    • Regulations (state and federal) and Security (K-12 students are minors)
    • Shared Infrastructure - National K-12 Federation?
  • Inter-federation with InCommon?
  • Is this an InCommon Problem/Concern?
    • Pricing for K-12
    • Inter-federation vs. a single federation
    • K-12 Issues (see above)
    • Dilution of SP pool? (or "too much" for vendors to work with multiple federations)
    • Need to participate in multiple federations and inter-federate, OR
    • Participate in a single federation and have subsets of metadata (K-12, HE, etc.)?

Use Cases

  • Good set of example Use Cases for using Federated Identity Management (FIM).
  • (Review what constitutes a "Use Case" vs. a "Benefit")
  • See a description of Use Cases at bredemeyer.com (The Architecture Discipline - Bredemeyer Consulting)

Case Studies

Existing K-12/K-20 FIM implementations

Next Steps

  • This Roadmap
  • Outreach to vendors
  • Coordination with state departments of education
  • Possible outreach to regional broadband providers
  • National coordination (Federal DOE)