K-12 Federated Identity Session

Internet2 Member Meeting

October 10, 2007

**Attending**

Randy Stout, Kansas Board of Regents (KanEd), Chair of K-20 initiative

Shaun Abshere, WiscNet

John Gieser, Edutech, North Dakota State University

Mark Williams, JISC

Jane Charlton, JISC

Marla Davenport, TIES

Paul Brilland, Cedar Point Communications

Roland Hedburg, Umea University, Sweden

John Krienke, Internet2

Ann West, EDUCAUSE/Internet2

Dean Woodbeck, Internet2 (scribe)

The purpose of this session is to begin a discussion of experiences in federating with or among K-12 school districts. In general, state-wide networks have no mandate in terms of identity management. Some of the questions that need answering:

  • What are the incentives and obstacles to federating in a K-12 environment?
  • What do K-12 providers want/need in terms of identity management?

What would provide incentive for K-12 districts, networks or consortia to federate?

  • Availability of resources?
  • Having unique identifiers to enable common transcripts?
  • Availability of online curriculum resources?
  • Availability of administrative resources or services?

The U.K. provides one example of a federation that involves K-12 schools. Local authorities, which are comprised of several school districts, can join the U.K. Access Management Federation. The local authority then serves as the identity provider for the individual schools.

An identity provider (IdP) is an organization that manages and operates an identity management system, typically including such things as credentials (user IDs and passwords) for its members to use in gaining access to online resources.

In the U.K. federation, identity providers include local authorities, regional broadband consortia, and universities and colleges. Through the federation, users can achieve single sign-on convenience, meaning they use just one set of credentials to access many online resources from service providers. These service providers are also members of the federation.

Members of the UK federation agree to a set of policies for exchanging information about users and resources. This enables access to, and use of, resources and services while protecting the security of both the individuals and the resources. The federation, combined with the use of identity management software within institutions and organizations, is referred to as "federated access management."

There are a number of helpful websites with much more information about the U.K. federation and its partners. Places to start include:

The UK federation has found little overlap between the content providers that serve the K-12 community and those that serve colleges and universities. Having said that, the issues for these content providers are likely to be the same. Larger publishers have more incentive to join federations because they have customer bases in many different countries, so using the same access management technology, based on international standards, fits with their business case and strategies. However, the smaller publishers have some of the same issues as the smaller institutions, in that they don't have the financial or technical support to implement federation-compliant technologies, so the UK federation is currently looking for solutions to this problem. (See below.)

The state of Minnesota has some present and future applications that are compatible with federating. As an example, every student has a unique ID, recognized by every school in the state. The state is looking at the concept of common transcripts that would travel with a student when he/she moves to a different district.

The Midwest Higher Education Compact (http://www.mhec.org, 11 states) has a service in which high school students can provide higher education institutions with access to their transcripts (see http://www.mhec.org/index.asp?pageID=138).

Services like CollegeNet may provide some incentive for K-12 identity providers to join a federation. CollegeNet helps a student apply to colleges using the common application. A much smoother process would result if K-12 districts provided identity information to CollegeNet. In addition, colleges would not need to provide a user ID and password to prospective students; the school district would serve as the identity provider.

John Krienke, of the InCommon Federation (www.incommonfederation.org), noted that access to services, not just content, seems to be driving higher education institutions to consider federating. In particular, there has been a lot of activity around wikis - allowing users to share documents for editing and comments.

Mark Williams of JISC has reported on a number of issues in this area.

  • Sectors all suffer from mission creep. Schools want increased contact with community colleges. Elementary schools want to link to secondary schools. Higher ed is making vertical leaps to community college and schools. All of these are aspects of the growing cradle-to-grave lifelong learning concept.
  • In the UK, student portfolios are being introduced for schools and can be used in a closed HE system; however, there is no consistent agreement yet on the information that should be passed along to HE. Individual student identifiers are being introduced in schools as a genuine "Unique Identifier". They are transmitted to Further Education (Community Colleges) / Higher Education but function as one of many identifiers, along with UCAS numbers (university application identifiers, etc.).
  • For those providing content to schools, parental involvement/consent means an additional wrinkle in the process.
  • Smaller institutions, particularly those in the post-16 sector, don't have the financial or technical resources to implement federation-compliant technologies. To help solve this problem, JISC has gone out to tender for a third-party identity provider to support these smaller institutions in joining the UK federation and to enable them to be self-sufficient after a year (www.jisc.ac.uk/fundingopportunities/funding_calls/2007/10/amsupport.aspx). Due to funding restrictions, JISC is not able to provide the same kind of support to smaller publishers, which are in a similar position. However, some third-party providers may offer a service to these smaller publishers at reasonable cost, or the smaller publisher might consider hosting their content on a site that has already joined the UK federation.

JISC has had no problems getting an IdP up and running (using a third party) for colleges. The problem comes in maintenance: if the third party gets the identity management system up and running, what happens a year down the road? JISC doesn't provide that service, but is attempting to develop evaluation criteria for colleges, as well as provide market information about third-party suppliers.

One suggested approach for such scenarios in the U.S. would be to have an organization run virtual IdPs for school districts. Local schools would maintain their own identity information, but the identity management system itself would operate through some central authority.

One additional discussion item was the case where a K-12 student takes a university course. Under a federated approach, the K-12 system would be the identity provider and the university would be the service provider.

There was additional discussion about the problems a federation might solve for a K-12 district. For example, in higher education, a lot of administrative services can be outsourced. Is that true in K-12? The consensus is that a white paper or use-case(s) need to be developed to answer those questions.

Shaun Abshere from WiscNet reported on a three-year grant received by New Jersey's state higher-ed network provider, NJEDge, to provide a statewide video repository for education. NJEDge has received a three-year grant to create a pilot demonstrating a federated, peered repository of video objects, as well as lectures-on-demand. The repository will be made available via a portal. The repository will include public libraries, museums, historical societies and community colleges. Cultural organizations will be able to place their video into this repository. Access will be federated using Shibboleth (www.shibboleth.internet2.edu) and support will be scaled for school districts that may not have an LDAP or identity management program.

Because NJEDge will set up an access management structure, the technology will be available for files and services other than video.

The original incentive for the grant came from academic librarians, who were all purchasing licenses from the same company for the same video objects. This federated approach to licensing has saved libraries $400,000 state-wide just from the consolidated approach to one licensed resource.

Next Steps:

1. Survey of vendor community to determine current status and future plans, define challenges currently experienced where vendor business model meets K12 environment, gauge potential for participation in pilot initiatives, and further assess value proposition for vendors.

2. Survey K12 CIOs/CTOs to estimate readiness and willingness to participate in federated access management and to identify candidate content resources, services, and collaboration tools (e.g. real-time communication systems, video services, journals, databases) that could be considered 'low-hanging fruit' for a development/pilot initiative.

3. Survey of policymakers to assess potential for building support and requesting resources.

4. Draft of a white paper to address questions emerging from this BoF session, and from concurrent working group activities, exploring the intersections of IdM deployment in K12 networking environments and broader federated access management of new services and content.

5. Present the white paper for focused discussion in a session at the spring Internet2 Member Meeting and in other suitable venues. A preliminary statement of the scope would include descriptions of Identity Management Schema (IdM) and Middleware use case scenarios specific to the K12 networking environment to be discussed within the proposed framework of (1) content, (2) services, and (3) collaborative tools. Particular attention is given to questions about enterprise level concerns, summary descriptions of a sample of IdM models, peer to peer trust models, key attribute and object class identification, and discussion of lessons learned from large scale deployments of federated access management practices to date. Special attention is also given to developing a description of the supports needed to facilitate large scale deployment of IdM that are useful in elementary and secondary educational agencies as well as higher education.

6. A resulting product presents a business case to inform decision making processes with respect to the implementation of federations for access management in K12 networking environments.
