Access and Identity Management - Eduserv AIM

An introduction to Federations

Summary

A federation is a group of organisations that share a set of agreed policies and rules for access to online resources. These policies enable the members to establish a basic level of trust. A federation provides a structure, and sometimes a legal framework, that enables authentication and authorisation across different organisations, typically using technologies such as Shibboleth or SAML. The particular policies adopted by a federation depend on the requirements for its use and the degree of assurance required by its constituent members. Additional levels of trust are achieved through bilateral agreements on attribute exchange.

Description

Broadly speaking, a federation provides a common framework that links separate organisations (or, perhaps, parts of the same organisation) who want to collaborate or share information in a trusted manner. For example, if organisations A, B and C want to share information between them, they must at least decide, and agree on, the following:

  • The information they want to share.
  • How this information is shared and expressed (that is, they must agree on a common language).
  • How organisation A can trust organisation B, or how B can trust C, and so on.
  • How organisation A can find out high-level (meta) information about C, and so on for the other organisations. For example, what the organisation's address is, or who to contact for a particular purpose.

These policies could be mutually agreed between all three organisations. However, if 10 organisations wanted to collaborate and share information, it would be difficult to agree mutually on a common policy and language, and would probably be unworkable. Moreover, if a new organisation also wanted to collaborate with the group, that organisation might have different requirements, forcing a renegotiation. A more coherent and scalable solution to these problems is for the rules, language and associated policy to be prescribed in advance, so that each organisation agrees to them once rather than negotiating with every other member. Taking this approach enables many organisations to collaborate in the way described above. We call this group of organisations a federation.

The functions of a federation depend on the goals and requirements of its members. A federation might be responsible for providing solutions to one or more of the above problems by prescribing a standard set of policies and guidelines to which organisations have to agree in order to join. This would typically involve an organisation making a legal declaration (for example, by signing a licence or usage agreement) to abide by the requirements of the federation. This kind of formal registration procedure is essential for establishing mutual trust between members of a federation. A federation is typically a neutral 'body' that is set up by its constituent members in order to specify and steer policy. It is in turn trusted by all its constituent members because of the legal and trust framework it provides.

The concept of a federation is typically independent of the technologies used by organisations to share information (for instance SAML or Shibboleth); it instead focuses on the high-level policy and legal framework. However, a federation body might decide to provide some actual (technology) services to its members in order to achieve one or more of its objectives. For instance, if the policy of a federation is to issue and sign the certificates used by organisations to establish mutual trust, then the federation would probably run a Certificate Authority (CA) in order to meet this objective. Additionally, there are often services required by all federation members that would be better run by an independent, centralised service, such as the federation body. For instance, the federation body is well placed to provide the list of all federation members together with agreed meta-data about each member. This is similar to the Where Are You From? (WAYF) service in Shibboleth.

Example

As a simple example for a federation, consider three organisations X, Y and Z. These organisations want to share information (such as names and email addresses) contained in user records. To do this, they establish a federation. The information they will exchange is personal information, and it is important that the information is kept secure, trusted between organisations, and understood (that is, in a common language/format). Their federation provides the following framework and requirements for membership:

  • Organisations must agree to only exchange information relating to their members. This is a licence agreement between the member organisations so that each organisation can be assured that only members of organisations within the federation are able to participate in intra-federation information exchange. This effectively sets the boundaries of the federation.
  • The federation provides a standard naming format for attribute information (that is, information specifically related to a given member of an organisation, such as an email address). This means that, for example, an email address is always represented by the same named attribute, and attributes represent data in a standard format (for instance, the date of birth is always represented in the 'dd/mm/yyyy' format). This probably requires organisations to use a particular attribute schema (such as eduPerson), possibly published by the federation body.
  • Information must be kept secure and must be trusted by the receiving organisation, so the federation requires that all personal information passed between organisations must be encrypted, and signed by the issuing organisation. Signing certificates must be issued by a trusted certificate authority recognised by the federation. The federation also provides an infrastructure for the distribution of certificates between its members.

Additionally, the federation might publish additional meta-data about its constituent organisations and requirements for membership.
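The framework described in this example, written out as an added Go illustration (it is not code from the original page or from any federation's own software): a federation body acts as the CA and publishes member meta-data, a member signs an attribute statement, and a receiving member rejects anything issued by a non-member, anything whose signature does not verify, and anything outside the agreed attribute schema. The entity IDs, the ed25519 key binding used in place of X.509 certificates, the `dateOfBirth` attribute and the sample values are all assumptions made for the example; encryption in transit is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"time"
)

// MemberCert stands in for a signing certificate: the federation body, acting as CA, binds a
// member's entity ID to its public key and signs that binding. (Assumption: ed25519 instead of X.509.)
type MemberCert struct {
	EntityID  string
	PublicKey ed25519.PublicKey
	FedSig    []byte // federation's signature over certPayload(EntityID, PublicKey)
}

func certPayload(entityID string, pub ed25519.PublicKey) []byte { return []byte(entityID + "\x00" + string(pub)) }

// Federation is the neutral body: it holds the CA key and publishes the member list (meta-data).
type Federation struct {
	PublicKey ed25519.PublicKey
	priv      ed25519.PrivateKey
	Members   map[string]MemberCert // only registered members appear here
}

func NewFederation() *Federation {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Federation{PublicKey: pub, priv: priv, Members: map[string]MemberCert{}}
}

// Register admits a member (which has, by assumption, signed the licence agreement) and
// issues its certificate; this registration step is what sets the federation boundary.
func (f *Federation) Register(entityID string, pub ed25519.PublicKey) MemberCert {
	c := MemberCert{entityID, pub, ed25519.Sign(f.priv, certPayload(entityID, pub))}
	f.Members[entityID] = c
	return c
}

// Assertion is the signed attribute statement one member sends to another.
type Assertion struct {
	Issuer     string
	Attributes map[string]string
	Signature  []byte
}

// assertionPayload is the canonical byte form that is signed; json.Marshal sorts map keys.
func assertionPayload(issuer string, attrs map[string]string) []byte {
	b, _ := json.Marshal(map[string]interface{}{"issuer": issuer, "attributes": attrs})
	return b
}

func SignAssertion(priv ed25519.PrivateKey, issuer string, attrs map[string]string) Assertion {
	return Assertion{issuer, attrs, ed25519.Sign(priv, assertionPayload(issuer, attrs))}
}

// Agreed schema: names from eduPerson plus a constructed dateOfBirth attribute in dd/mm/yyyy format.
var allowedAttrs = map[string]bool{"mail": true, "eduPersonPrincipalName": true, "dateOfBirth": true}
var dobFormat = regexp.MustCompile(`^\d{2}/\d{2}/\d{4}$`)

func checkSchema(attrs map[string]string) error {
	for name, v := range attrs {
		if !allowedAttrs[name] {
			return fmt.Errorf("attribute %q is not in the agreed schema", name)
		}
		if name == "dateOfBirth" { // regexp fixes the shape, time.Parse rejects impossible dates
			if _, err := time.Parse("02/01/2006", v); err != nil || !dobFormat.MatchString(v) {
				return fmt.Errorf("dateOfBirth %q is not a valid dd/mm/yyyy date", v)
			}
		}
	}
	return nil
}

// Verify is the receiving member's check: issuer listed in federation meta-data, certificate
// issued by the federation CA, assertion signature valid, attributes within the agreed schema.
func Verify(fedPub ed25519.PublicKey, metadata map[string]MemberCert, a Assertion) error {
	cert, ok := metadata[a.Issuer]
	switch {
	case !ok:
		return errors.New("issuer is not a federation member")
	case !ed25519.Verify(fedPub, certPayload(cert.EntityID, cert.PublicKey), cert.FedSig):
		return errors.New("member certificate was not issued by the federation CA")
	case !ed25519.Verify(cert.PublicKey, assertionPayload(a.Issuer, a.Attributes), a.Signature):
		return errors.New("assertion signature does not verify")
	}
	return checkSchema(a.Attributes)
}

func main() {
	fed := NewFederation()
	xPub, xPriv, _ := ed25519.GenerateKey(rand.Reader) // organisation X's key (constructed)
	fed.Register("https://idp.x.example", xPub)
	good := SignAssertion(xPriv, "https://idp.x.example", map[string]string{"mail": "alice@x.example", "dateOfBirth": "09/03/1990"})
	fmt.Println("member assertion:", Verify(fed.PublicKey, fed.Members, good))
	_, qPriv, _ := ed25519.GenerateKey(rand.Reader) // organisation Q never joined the federation
	outsider := SignAssertion(qPriv, "https://idp.q.example", map[string]string{"mail": "bob@q.example"})
	fmt.Println("non-member assertion:", Verify(fed.PublicKey, fed.Members, outsider))
}
```

The receiving side never has to negotiate trust with organisation X directly: it trusts the federation's CA key and the published member list, and everything else follows from those two artefacts. That is the scaling argument made in the Description section above, reduced to code.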

Existing federations

Several federations currently exist worldwide:

  • InQueue (http://inqueue.internet2.edu) and InCommon (http://www.incommonfederation.org) have been established by the Internet2 group (http://www.internet2.edu) in the US. The goals of these two federations are different, and illustrate how different types of federation are required depending on their requirements and goals. InQueue is designed for organisations that are becoming familiar with Shibboleth and the federated trust model, and offers no assurance of trust between organisations. It also provides a temporary alternative for sites for which no suitable production-level federation exists. InCommon, on the other hand, offers a much higher level of assurance for its members. For instance, it operates a Certificate Authority (CA) for its member organisations. It also provides other services, such as a WAYF (Where Are You From?) service.
  • The Athens UK Federation requires a much more robust registration process and allows access to Athens-protected resources. The registration form can be found in the Athens Administration area under the "Local Authentication System options" link.
  • The UK Access Management Federation for Education and Research, which is supported by JISC and Becta and operated by UKERNA, went live in November 2006.

Other federations include:

  • HAKA (http://www.csc.fi/suomi/funet/middleware/english/index.phtml) in Finland
  • SWITCHaai (http://www.switch.ch/aai/) in Switzerland