A Roadmap to K-12 Federated Identity Management

For information about authenticating to this wiki so you can edit here, see Getting access to the Internet2 federated wiki.

Introduction

Write up on K-12 Federation versus Higher Education? (Need a narrative form, but here's an outline to start)

An Outline for K-12 Federated Identity Management

•Baseline requirements for Running an IdP •Underlying IAM infrastructure (Accounts & minimal attributes) •Value proposition for districts (not much at the district level) •Reduced cost through shared applications •Reduced/Single Sign On to ? (some cloud services?) •District or State “Shared” applications – SPs (Value Proposition) •Availability of client machines for all students (1:1)? •BYOD/T (Bring Your Own Device/Technology)? •Currently not a “given” •Next few years may see a higher percentage of K-12 students with clients •Moving from a district-focused effort to a state-wide or national effort would improve the chances for success

Terminology

See Glossary

Use Cases

Good set of examples for using Federated Identity Management (FIM):

• Review what constitutes a "Use Case"... (vs. a Benefit)
• See Use Cases at bredemeyer.com (The Architecture Discipline - Bredemeyer Consulting)

Case Studies

Existing K-12/K-20 FIM implementations

• NCTrust, A K-20 Identity Federation Pilot 
• Others?

Benefits (Value Proposition) for K-12

Districts, Schools, Users:

• Fewer Accounts
  • Password Management
  • Better User Experience
• Single Sign On (SSO)
• Easier Application On-boarding – simple to extend once implemented
• Increasing use of Cloud Services (use case)
• Licensing costs controlled - More accurate count of actual users (via federated access)
• Security
  • Better control over user Credentials (username/password)
    • Active/Inactive accounts
    • Management of users’ privacy or information exchanged
  • Fewer Firewall “holes” needed (opened for vendor access to LDAP data)
  • Passwords not transmitted to vendor/application sites to authenticate
  • Much easier to disable a User (one place, rather than searching for accounts)
  • User data is neither stored at nor transported to vendor sites
• Consortium purchasing (licensing)
• SLC/SLI (Shared Learning Collaborative/Shared Learning Infrastructure)

State-level (DOE/DPI):

• Opportunity for consortium buying
• Shared Applications
  • External (common vendor apps – LMS, Library Services, Learning Object Repositories, etc.)
  • Internal (state-wide applications)
• Collaboration made easier
  • Shared Wiki spaces
  • Access to limited/costly resources through Federated Login
  • Between different communities of practice
    • Community Colleges – High school early access
    • Other Higher Education institutions
      • Research
      • Services
      • School Districts
• Virtual Public Schools (Online Learning)
  • Similar issues to Distance Education
  • Federated access possible from “home school/district”

(Your thoughts here)

Challenges

• Accuracy of IAM backend systems
• Technical Expertise/Knowledge of local IT Staff
  • Federation knowledge
  • Shibboleth, other Federation Software
  • Java developer skills
  • Potentially beyond the level of experience available in many school districts
• Trust/Legal Issues of participation
• Level of Assurance (LoA) of the credential
  • Issuing process
  • Identity-Proofing
• Cost of Federation membership ($)
• K-12
  • Students are minors (can’t agree to release PII on their own)
  • New Attributes needed?
    • Grade Level (K-12)
    • Age-specific
      • 13 or older (“Age of Reason?”)
      • 18 or older (Able to make some decisions on their own?)
      • School Type
        • Elementary School (K-5)
        • Middle School (6-8)
        • High School (9-12)
  • Parent/Guardian Access
    • Approvals
    • Waivers
    • Access (via student) to grades, schedule, other information
    • Ability to update student information? (Bio/Demographic data?)
• Regulatory Concerns:
  • FERPA - Family Educational Rights and Privacy Act (1974, 2008?)
    • Access to student data, grades, etc.
  • CIPA - Children's Internet Protection Act
  • COPPA - Children's Online Privacy Protection Act (1998)
  • HIPAA Health Insurance Portability and Accountability Act (1996)
    • Protected Health Information (PHI)
    • Additional Security?
• Leadership/Champions in the K-12 space
• Number of K-12 focused, SAML-enabled services (vendor applications)

Next Steps

• This Roadmap
• Outreach to vendors
• Coordination with state departments of education
• Possible outreach to regional broadband providers
• National coordination (Federal DOE)