
A Roadmap to K-12 Federated Identity Management


Introduction

Write up on K-12 Federation versus Higher Education? (Need a narrative form, but here's an outline to start)

An Outline for K-12 Federated Identity Management
  • Baseline requirement for running an IdP (Identity Provider)
    • Underlying IAM infrastructure (accounts & minimal set of attributes)
    • Value proposition for districts (not much at the district level - need examples)
      • Reduced cost through shared applications
      • Reduced/Single Sign-On to "?" (some cloud services?)
  • District or State "Shared Applications" - SPs (value proposition)
  • Availability of client machines for all students (1:1)?
    • BYOD/T (Bring Your Own Device/Technology)
    • Currently not a "given"
    • Next few years may see a higher percentage of K-12 students with client devices
  • Moving from a district-focused effort to a state-wide or national effort would improve the chances for success (true?)
Possible K-12 Federation Options
  • District or State-Level IdPs
    • How would (could) a state-wide IdP work?
      • Much more granular OU than in Higher Education
      • Scoping of ePPN (eduPerson Principal Name)
      • How does this tie in with an IIS and the national SLC effort?
      • Should there be follow up (outreach) with the Shibboleth and InCommon folks?
  • Are there enough differences to warrant a separate K-12 Federation?
    • K-12 applications vs. Higher Education applications
    • Attributes and Attribute Release Policies (ARPs)
    • Regulations (state and federal) and Security (K-12 students are minors)
    • Shared Infrastructure - National K-12 Federation?
  • Inter-federation with InCommon?
  • Is this an InCommon Problem/Concern?
    • Pricing for K-12
    • Inter-federation vs. a single federation
    • K-12 Issues (see above)
    • Dilution of SP pool? (or "too much" for vendors to work with multiple federations)
    • Need to participate in multiple federations and inter-federate, OR participate in a single federation and have subsets of metadata (K-12, HE, etc.)?
K-12 Federation Challenges
  • K-12 Districts don't have FIM "high" on their lists of projects (maybe top 10)
  • Major needs/projects are likely to be "district-focused"
  • Districts won't benefit as much from FIM on their own
  • The bigger benefits are realized when coordinated at the State level (or higher)
    • Shared learning infrastructure
    • Consortium buying
    • State-wide licensing of multi-tenant Cloud Services
    • State-specific (required) "federated" applications/services
  • The effort to make progress on FIM is frequently too great for a single district to manage (true?)
  • The coordination, leadership and funding likely needs to be done at a state level
    • Partnership of RENs/Regionals and State Departments of Education
    • CoSN Leadership
    • Others?

Terminology

See Glossary

Use Cases

Good set of examples for using Federated Identity Management (FIM):

  • Review what constitutes a "Use Case"... (vs. a Benefit)
  • See Use Cases at bredemeyer.com (The Architecture Discipline - Bredemeyer Consulting)

Case Studies

Existing K-12/K-20 FIM implementations

Benefits (Value Proposition) for K-12

Districts, Schools, Users:
  • Fewer Accounts
    • Password Management
    • Better User Experience
  • Single Sign On (SSO)
  • Easier Application On-boarding – simple to extend once implemented
  • Increasing use of Cloud Services (use case)
  • Licensing costs controlled - More accurate count of actual users (via federated access)
  • Security
    • Better control over user Credentials (username/password)
      • Active/Inactive accounts
      • Management of users’ privacy or information exchanged
    • Fewer Firewall “holes” needed (opened for vendor access to LDAP data)
    • Passwords not transmitted to vendor/application sites to authenticate
    • Much easier to disable a User (one place, rather than searching for accounts)
    • User data is neither stored at nor transported to vendor sites
  • Consortium purchasing (licensing)
  • SLC/SLI (Shared Learning Collaborative/Shared Learning Infrastructure)
State-level (DOE/DPI):
  • Opportunity for consortium buying
  • Shared Applications
    • External (common vendor apps – LMS, Library Services, Learning Object Repositories, etc.)
    • Internal (state-wide applications)
  • Collaboration made easier
    • Shared Wiki spaces
    • Access to limited/costly resources through Federated Login
    • Between different communities of practice
      • Community Colleges – High school early access
      • Other Higher Education institutions
        • Research
        • Services
        • School Districts
  • Virtual Public Schools (Online Learning)
    • Similar issues to Distance Education
    • Federated access possible from “home school/district”
(Your thoughts here)

Challenges

  • Accuracy of IAM backend systems
  • Technical Expertise/Knowledge of local IT Staff
    • Federation knowledge
    • Shibboleth, other Federation Software
    • Java developer skills
    • Potentially beyond the level of experience available in many school districts
  • Trust/Legal Issues of participation
  • Level of Assurance (LoA) of the credential
    • Issuing process
    • Identity-Proofing
  • Cost of Federation membership ($)
  • K-12
    • Students are minors (can’t agree to release PII on their own)
    • New Attributes needed?
      • Grade Level (K-12)
      • Age-specific
        • 13 or older (“Age of Reason?”)
        • 18 or older (Able to make some decisions on their own?)
        • School Type
          • Elementary School (K-5)
          • Middle School (6-8)
          • High School (9-12)
    • Parent/Guardian Access
      • Approvals
      • Waivers
      • Access (via student) to grades, schedule, other information
      • Ability to update student information? (Bio/Demographic data?)
  • Regulatory Concerns:
    • FERPA - Family Educational Rights and Privacy Act (1974, 2008?)
      • Access to student data, grades, etc.
    • CIPA - Children's Internet Protection Act
    • COPPA - Children's Online Privacy Protection Act (1998)
    • HIPAA - Health Insurance Portability and Accountability Act (1996)
      • Protected Health Information (PHI)
      • Additional Security?
  • Leadership/Champions in the K-12 space
  • Number of K-12 focused, SAML-enabled services (vendor applications)
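The minor-specific points above (students cannot consent on their own, the 13 and 18 age thresholds, guardian waivers, district-scoped ePPN) can be written down as an attribute release policy. The following is an added illustration, not the wiki's or any federation's code: the k12* attribute names, the district scope and the SP entityIDs are constructed, and only the eduPerson names are real.

```python
"""Constructed K-12 attribute release policy (ARP) for a district-scoped IdP.
Hypothetical k12* attribute names; not a Shibboleth or InCommon configuration.
Encodes: ePPN scoped per district, school type derived from grade, an age
bracket released instead of a birth date, PII for minors only with a waiver."""
from dataclasses import dataclass, field
from datetime import date

ALWAYS_OK = {"eduPersonPrincipalName", "eduPersonScopedAffiliation",
             "k12SchoolType", "k12AgeBracket"}           # minimal non-PII set
PII_ATTRS = {"givenName", "sn", "mail", "k12GradeLevel"}  # consent needed for minors

@dataclass
class Student:
    local_id: str
    district_scope: str  # e.g. "district123.k12.example" (constructed)
    birth_date: str      # ISO date "YYYY-MM-DD", never released as an attribute
    grade: int           # 0 = kindergarten ... 12
    pii: dict = field(default_factory=dict)
    guardian_waivers: set = field(default_factory=set)  # SP entityIDs with a waiver

def age_on(student, today):
    born, now = date.fromisoformat(student.birth_date), date.fromisoformat(today)
    years = now.year - born.year
    if (now.month, now.day) < (born.month, born.day):
        years -= 1
    return years

def school_type(grade):
    return "elementary" if grade <= 5 else "middle" if grade <= 8 else "high"

def age_bracket(age):
    return "under13" if age < 13 else "13to17" if age < 18 else "adult"

def release(student, sp_entity_id, requested, today):
    """Return only the requested attributes this ARP permits for the SP."""
    age = age_on(student, today)
    values = {"eduPersonPrincipalName": f"{student.local_id}@{student.district_scope}",
              "eduPersonScopedAffiliation": f"student@{student.district_scope}",
              "k12SchoolType": school_type(student.grade),
              "k12AgeBracket": age_bracket(age),
              "k12GradeLevel": str(student.grade), **student.pii}
    out = {}
    for attr in requested:
        if attr in ALWAYS_OK:
            out[attr] = values[attr]
        elif attr in PII_ATTRS and attr in values:
            # A minor cannot consent alone: release PII only to SPs with a guardian waiver.
            if age >= 18 or sp_entity_id in student.guardian_waivers:
                out[attr] = values[attr]
    return out  # birthDate and unrequested/unknown attributes are never released
```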

Next Steps

  • This Roadmap
  • Outreach to vendors
  • Coordination with state departments of education
  • Possible outreach to regional broadband providers
  • National coordination (Federal DOE)