A Roadmap to K-12 Federated Identity Management
Introduction
Write up on K-12 Federation versus Higher Education? (Need a narrative form, but here's an outline to start)
An Outline for K-12 Federated Identity Management
- Baseline requirement for running an IdP (Identity Provider)
- Underlying IAM infrastructure (accounts & minimal set of attributes)
- Value proposition for districts (not much at the district level - need examples)
- Reduced cost through shared applications
- Reduced/Single Sign-On to "?" (some cloud services?)
- Application/Service driven (e.g. Google Apps for Education)
- District or State "Shared Applications" - SPs (value proposition)
- Availability of client machines for all students (1:1)?
- BYOD/T (Bring Your Own Device/Technology)
- Currently not a "given"
- Next few years may see a higher percentage of K-12 students with client devices
- Moving from a district-focused effort to a state-wide or national effort would improve the chances for success (true?)
Possible K-12 Federation Options
- District or State-Level IdPs
- How would (could) a state-wide IdP work?
- Much more granular OU than in Higher Education
- Scoping of ePPN (eduPerson Principal Name)
- How does this tie in with an IIS and the national SLC effort?
- Should there be follow up (outreach) with the Shibboleth and InCommon folks?
- Are there enough differences to warrant a separate K-12 Federation?
- K-12 applications vs. Higher Education applications
- Attributes and Attribute Release Policies (ARPs)
- Regulations (state and federal) and Security (K-12 students are minors)
- Shared Infrastructure - National K-12 Federation?
- Inter-federation with InCommon?
- Is this an InCommon Problem/Concern?
- Pricing for K-12
- Inter-federation vs. a single federation
- K-12 Issues (see above)
- Dilution of SP pool? (or "too much" for vendors to work with multiple federations)
- Need to participate in multiple federations and inter-federate, OR participate in a single federation and have subsets of metadata (K-12, HE, etc.)?
K-12 Federation Challenges
- K-12 Districts don't have FIM "high" on their lists of projects (maybe top 10)
- Major needs/projects are likely to be "district-focused"
- Districts won't benefit as much from FIM on their own
- The bigger benefits are realized when coordinated at the State level (or higher)
- Shared learning infrastructure
- Consortium buying
- State-wide licensing of multi-tenant Cloud Services
- State-specific (required) "federated" applications/services
- The effort to make progress on FIM is frequently too great for a single district to manage (true?)
- The coordination, leadership and funding "likely" needs to be done at a state level
- Partnership of RENs/Regionals and State Departments of Education
- CoSN Leadership
- Large District "role models"
- Others?
Terminology
See Glossary
Use Cases
Good set of example Use Cases for using Federated Identity Management (FIM).
- Review what constitutes a "Use Case"... (vs. a Benefit)
- See Use Cases at bredemeyer.com (The Architecture Discipline - Bredemeyer Consulting)
Case Studies
Existing K-12/K-20 FIM implementations
- NCTrust, A K-20 Identity Federation Pilot (DRAFT)
- Others?
Benefits (Value Proposition) for K-12
Districts, Schools, Users:
- Fewer Accounts
- Password Management
- Better User Experience
- Single Sign On (SSO)
- Easier Application On-boarding – simple to extend once implemented
- Increasing use of Cloud Services (use case)
- Licensing costs controlled - More accurate count of actual users (via federated access)
- Security
- Better control over user Credentials (username/password)
- Active/Inactive accounts
- Management of users’ privacy or information exchanged
- Fewer Firewall “holes” needed (opened for vendor access to LDAP data)
- Passwords not transmitted to vendor/application sites to authenticate
- Much easier to disable a User (one place, rather than searching for accounts)
- User data is neither stored at nor transported to vendor sites
- Consortium purchasing (licensing)
- SLC/SLI (Shared Learning Collaborative/Shared Learning Infrastructure)
State-level (DOE/DPI):
- Opportunity for consortium buying
- Shared Applications
- External (common vendor apps – LMS, Library Services, Learning Object Repositories, etc.)
- Internal (state-wide applications)
- Collaboration made easier
- Shared Wiki spaces
- Access to limited/costly resources through Federated Login
- Between different communities of practice
- Community Colleges – High school early access
- Other Higher Education institutions
- Research
- Services
- School Districts
- Virtual Public Schools (Online Learning)
- Similar issues to Distance Education
- Federated access possible from “home school/district”
(Your thoughts here)
Challenges
- Accuracy of IAM backend systems
- Technical Expertise/Knowledge of local IT Staff
- Federation knowledge
- Shibboleth, other Federation Software
- Java developer skills
- Potentially beyond the level of experience available in many school districts
- Trust/Legal Issues of participation
- Level of Assurance (LoA) of the credential
- Issuing process
- Identity-Proofing
- Cost of Federation membership ($)
- K-12
- Students are minors (can’t agree to release PII on their own)
- New Attributes needed?
- Grade Level (K-12)
- Age-specific
- 13 or older (“Age of Reason?”)
- 18 or older (Able to make some decisions on their own?)
- School Type
- Elementary School (K-5)
- Middle School (6-8)
- High School (9-12)
- Parent/Guardian Access
- Approvals
- Waivers
- Access (via student) to grades, schedule, other information
- Ability to update student information? (Bio/Demographic data?)
- Regulatory Concerns:
- FERPA - Family Educational Rights and Privacy Act (1974, 2008?)
- Access to student data, grades, etc.
- CIPA - Children's Internet Protection Act
- COPPA - Children's Online Privacy Protection Act (1998)
- HIPAA - Health Insurance Portability and Accountability Act (1996)
- Protected Health Information (PHI)
- Additional Security?
- Leadership/Champions in the K-12 space
- Number of K-12 focused, SAML-enabled services (vendor applications)
Next Steps
- This Roadmap
- Outreach to vendors
- Coordination with state departments of education
- Possible outreach to regional broadband providers
- National coordination (Federal DOE)