Post on 21-Jan-2016

222 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Towards a Unified Authentication, Authorisation and Accounting Infrastructure Patrick Kirk Chief Technical Officer (YHGfL) Lifelong Learning Infrastructure

Towards a Unified Authentication, Authorisation

and Accounting Infrastructure

Patrick Kirk

Chief Technical Officer (YHGfL)

Lifelong Learning Infrastructure Manager (Leeds City Council)

[email protected]

Page 2

Benefits of a unified AAAI

Ease of access – a unified AAAI should simplify the process and make it easier for all users to access resources.

The potential to enable ‘anytime anywhere’ access subject to the validity of licences.

The reduction of administrative burdens for managers and users in schools.

The personalisation of portals, based on identity and location.

To enable publishers to concentrate on protecting their assets rather than separately implementing access procedures with each purchasing authority or user.

Page 3

Requirements for AAAI

There will need to be a trusted registration process to manage user access.

Content delivery must respect Digital Rights Management (DRM).

There should be the flexibility to allow purchases at the school, LEA and RBC levels and eventually on a per individual basis.

The infrastructure should be location-independent to permit access from homes, libraries etc. as well as schools – subject to DRM issues.

The process will need to be simple to use to encourage users and content providers to adopt it.

Page 4

Requirements for AAAI

There will have to be ‘trust’ between users, content providers and infrastructure managers.

Content providers will have to trust the information that is provided to them and users will have to be assured that no more information is provided than is necessary and that they have given consent for the transaction.

Page 5

RAAAI and the learning environment

Page 6

What if there was no standard framework for AAA?

Duplication of effort across multiple schools, LEAs and RBCs without many sharing opportunities.

Publishers and network providers would have to interface with multiple systems.

It would be more difficult to share resources between schools/LEAs/RBCs as there would not be a common method for establishing identity.

Page 7

At what level should authentication and authorisation take place?

Currently the smallest ‘unit’ is probably a school.

It could be a key stage, especially at the pre-16 / post-16 boundary.

Do we authenticate users or administrative units?

How do we maintain security?

Page 8

Where should authentication take place?

Within FE / HE, each participating college or university administers its own part of the user database.

Within the schools environment the smallest practical unit is likely to be an LEA.

Do we need a nationally agreed unique identifier?

Page 9

How could AAAI be achieved within schools?

Currently there are at least four models in place.

These have evolved without reference to one another. Although each is more versatile than the last, they have not necessarily followed a single evolutionary path.

Page 10

Model 1

Page 11

Model 2

The content provider wishes to track the progress/use of its resource by individual users.

It has provided the school with a unique username and password for each user of its resource.

Typically there will be a different username/password combination for each user of each resource.

Page 12

Model 3

Page 13

Model 4

Page 14

Schools, LEAs and RBCs working towards a national system

Two basic models for AAAI appear plausible and are in use elsewhere within the academic community.

In the first a remote resource ‘asks’ the AAAI authority whether a user is allowed access to its resource and receives a yes/no response.

In the second the remote resource requests an attribute set for the user (agreed in advance) and then makes its own decision based on an examination of those attributes.
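The two models above, side by side, as an added example that is not part of the original slides: in the first the AAAI authority answers only yes/no from the licences it holds; in the second it releases a pre-agreed attribute set and the resource applies its own rule, so attributes the provider never agreed to receive (here a date of birth) are never sent. The users, resources, licences and attribute names are constructed for illustration.

```python
# Added example, not from the slides: Model A (yes/no answer) vs Model B
# (agreed attribute release); users, resources and attributes are constructed.

# User directory held by the AAAI authority (e.g. an LEA).
USERS = {
    "alice": {"affiliation": "student", "school": "leeds-high",
              "lea": "leeds", "key_stage": 4, "dob": "2007-05-01"},
    "bob": {"affiliation": "staff", "school": "york-primary",
            "lea": "york", "key_stage": None, "dob": "1980-02-02"},
}
# Licences purchased at LEA or school level.
LICENCES = {
    "maths-online": {"lea": {"leeds"}, "school": set()},
    "science-lab": {"lea": set(), "school": {"york-primary"}},
}
# Attribute set each provider agreed in advance to receive under Model B;
# anything not listed (here "dob") is never sent.
RELEASE_POLICY = {
    "maths-online": {"affiliation", "lea"},
    "science-lab": {"affiliation", "school", "key_stage"},
}
# Each provider's own rule, evaluated on the released attributes only.
RESOURCE_RULES = {
    "maths-online": lambda a: a.get("lea") == "leeds",
    "science-lab": lambda a: (a.get("school") == "york-primary"
                              and a.get("affiliation") == "staff"),
}


def authority_decides(user, resource):
    """Model A: the authority checks the licence and returns yes/no only."""
    attrs = USERS.get(user)
    if attrs is None or resource not in LICENCES:
        return False  # unknown user or resource: fail closed
    lic = LICENCES[resource]
    return attrs["lea"] in lic["lea"] or attrs["school"] in lic["school"]


def release_attributes(user, resource):
    """Model B, authority side: release only the agreed attributes."""
    attrs = USERS.get(user)
    if attrs is None:
        return None
    allowed = RELEASE_POLICY.get(resource, set())  # nothing agreed: nothing sent
    return {k: v for k, v in attrs.items() if k in allowed}


def resource_decides(resource, released):
    """Model B, provider side: decide from the released attributes alone."""
    return released is not None and bool(RESOURCE_RULES[resource](released))
```

In Model A the provider learns nothing about the user beyond the answer; in Model B it can apply finer-grained rules (staff only, a particular key stage) but must be trusted with the attributes it receives, which is why the set is agreed in advance.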

Page 15

Model 5

Page 16

Model 6

Page 17

Model 7

Page 18

Page 19

Shibboleth

Model 7, evolved from the prior models, has very close parallels with the ‘Shibboleth’ system – a federated authentication system in use across a number of academic institutions in the United States.

Jon Browne will now explain how Shibboleth would work in our environment.