View Source

A Roadmap to K-12 Federated Identity Management

For information about authenticating to this wiki so you can edit here, see Getting access to the Internet2 federated wiki.

Write up on K-12 Federation versus Higher Education? (Need a narrative form, but here's an outline to start)

Baseline requirement for running an IdP (Identity Provider)
- Underlying IAM infrastructure (accounts & minimal set of attributes)
- Value proposition for districts (not much at the district level - need examples)
  - Reduced cost through shared applications
  - Reduced/Single Sign-On to "?" (some cloud services?)
    - Application/Service driven (e.g. Google Apps for Education)
District or State "Shared Applications" - SPs (value proposition)
Availability of client machines for all students (1:1)?
- BYOD/T (Bring Your Own Device/Technology)
- Currently not a "given"
- Next few years may see a higher percentage of K-12 students with client devices
Moving from a district-focused effort to a state-wide or national effort would improve the chances for success (true?)

District or State-Level IdPs
- How would (could) a state-wide IdP work?
  - Much more granular OU than in Higher Education
  - Scoping of ePPN (eduPerson Principle Name)
  - How does this tie in with an IIS and the national SLC effort?
  - Should there be follow up (outreach) with the Shibboleth and InCommon folks?
Are there enough differences to warrant a separate K-12 Federation?
- K-12 applications vs. Higher Education applications
- Attributes and Attribute Release Policies (ARPs)
- Regulations (state and federal) and Security (K-12 students are minors)
- Shared Infrastructure - National K-12 Federation?
Inter-federation with InCommon?
Is this an InCommon Problem/Concern?
- Pricing for K-12
- Inter-federation vs. a single federation
- K-12 Issues (see above)
- Dilution of SP pool? (or "too much" for vendors to work with multiple federations)
- Need to participate in multiple federations and inter-federate, OR participate in a single federation and have subsets of metadata (K-12, HE, etc.)?

K-12 Districts don't have FIM "high" on their lists of projects (maybe top 10)
Major needs/projects are likely to be "district-focused"
Districts won't benefit as much from FIM on their own
The bigger benefits are realized when coordinated at the State level (or higher)
- Shared learning infrastructure
- Consortium buying
- State-wide licensing of multi-tenant Cloud Services
- State-specific (required) "federated" applications/services
The effort to make progress on FIM is frequently too great for a single district to manage (true?)
The coordination, leadership and funding "likely" needs to be done at a state level
- Partnership of RENs/Regionals and State Departments of Education
- CoSN Leadership
- Large District "role models"
- Others?

Good set of example Use Cases for using Federated Identity Management (FIM).

Review what constitutes a "Use Case"... (vs. a Benefit)
See Use Cases at bredemeyer.com (The Architecture Discipline - Bredemeyer Consulting)

Existing K-12/K-20 FIM implementations

Fewer Accounts
- Password Management
- Better User Experience
Single Sign On (SSO)
Easier Application On-boarding – simple to extend once implemented
Increasing use of Cloud Services (use case)
Licensing costs controlled - More accurate count of actual users (via federated access)
Security
- Better control over user Credentials (username/password)
  - Active/Inactive accounts
  - Management of users’ privacy or information exchanged
- Fewer Firewall “holes” needed (opened for vendor access to LDAP data)
- Passwords not transmitted to vendor/application sites to authenticate
- Much easier to disable a User (one place, rather than searching for accounts)
- User data is neither stored at nor transported to vendor sites
Consortium purchasing (licensing)
SLC/SLI (Shared Learning Collaborative/Shared Learning Infrastructure)

Opportunity for consortium buying
Shared Applications
- External (common vendor apps – LMS, Library Services, Learning Object Repositories, etc.)
- Internal (state-wide applications)
Collaboration made easier
- Shared Wiki spaces
- Access to limited/costly resources through Federated Login
- Between different communities of practice
  - Community Colleges – High school early access
  - Other Higher Education institutions
    - Research
    - Services
    - School Districts
Virtual Public Schools (Online Learning)
- Similar issues to Distance Education
- Federated access possible from “home school/district”

Accuracy of IAM backend systems
Technical Expertise/Knowledge of local IT Staff
- Federation knowledge
- Shibboleth, other Federation Software
- Java developer skills
- Potentially beyond the level of experience available in many school districts
Trust/Legal Issues of participation
Level of Assurance (LoA) of the credential
- Issuing process
- Identity-Proofing
Cost of Federation membership ($)
K-12
- Students are minors (can’t agree to release PII on their own)
- New Attributes needed?
  - Grade Level (K-12)
  - Age-specific
    - 13 or older (“Age of Reason?”)
    - 18 or older (Able to make some decisions on their own?)
    - School Type
      - Elementary School (K-5)
      - Middle School (6-8)
      - High School (9-12)
- Parent/Guardian Access
  - Approvals
  - Waivers
  - Access (via student) to grades, schedule, other information
  - Ability to update student information? (Bio/Demographic data?)
Regulatory Concerns:
- FERPA - Family Educational Rights and Privacy Act (1974, 2008?)
  - Access to student data, grades, etc.
- CIPA - Children's Internet Protection Act
- COPPA - Children's Online Privacy Protection Act (1998)
- HIPAA Health Insurance Portability and Accountability Act (1996)
  - Protected Health Information (PHI)
  - Additional Security?
Leadership/Champions in the K-12 space
Number of K-12 focused, SAML-enabled services (vendor applications)