Joining the UK Access Management Federation for Education and Research
Summary of procedure
Early application for membership of the UK Access Management Federation is advised so that once you are ready to participate in the federation, the application process is already completed. Once you are a member, you can take advantage of the many benefits the federation offers.
Apply for membership
- A senior officer at an eligible organisation makes a formal application in writing to the federation operator to join the federation (full details) and agrees to be bound by the federation rules of membership.
- The federation operator replies with an approval e-mail verifying contact details.
NB: Where an applicant intends to use an outsourced identity provider (see participation options), both the applicant and the external organisation providing the outsourcing service must become members of the federation, and the Management Contact of the requesting organisation must provide additional outsourced provider information.
Membership verification procedures
To confirm the membership application of an organisation wishing to join the UK Access Management Federation, the following must be verified.
1. Legal status
Only organisations with legal status are entitled to join the UK federation. The Operator makes checks based on the legal name provided in the letter of application. The checks are conducted with a number of official databases which include but are not limited to:
- Companies House - http://www.companieshouse.gov.uk
- The English and Welsh Charity Commission - http://www.charity-commission.gov.uk/
- European Business Register - http://www.gbrdirect.co.uk/
- Other worldwide registries listed at - http://www.companieshouse.gov.uk/links/introduction.shtml#reg
- The Official Home of UK Legislation - http://www.legislation.gov.uk
- Dun and Bradstreet - http://www.dnb.co.uk
Applicants should take care that the information they have registered with such databases is correct and up to date and that the company name and registered address on their application reflects the information they have registered with the above databases.
Applicants who are Sole Traders should contact the federation helpdesk in advance of their application, as different procedures may be used in their case.
2. Email address of named contacts in letter of application.
The federation operator will contact the individuals named in the letter of application to confirm their email addresses. Named contacts should ensure that they respond promptly.
Participation options
Once an organisation has joined the federation, there are various options for participation.
In-house
Run and support identity management in-house. There are two options for following this route:
- implement the technology wholly through the organisation.
- implement the technology using a third party. This option is particularly useful for those organisations who do not have the internal resource or expertise to deploy the initial technical requirements but would like to maintain ultimate control of their user authentication.
Outsourced
Organisational identity management provision may be handled by a third party. For further information about the provision of third-party outsource services in the schools sector please see the document regarding the trust framework for participation of UK schools.
The application process for outsourced IdPs should be followed if taking this route.
Outsourced service provision: an organisation may outsource service provision to an external organisation without reference to the federation operator. However, where the entityID proposed for the SP entity contains a domain name which does not belong to the external organisation, this procedure should be followed.
There are several organisations who offer outsourced and/or in-house support services.
Schools
The recommended approach for schools is to join via the Local Authorities (England & Wales) or Regional Broadband Consortia in England, Classroom 2000 in Northern Ireland and Learning & Teaching, Scotland. However, schools may join the federation independently.
Register entities
Entity registration
Once an organisation’s application for membership has been approved, a Management Contact may register any number of SP (Service Provider) entities. If the organisation has joined as an IDENTITY PROVIDER member, then the Management Contact can register production IdP (Identity Provider) entities as well.
Procedure for registering these types of software:
- Shibboleth SP
- OpenAthens SP
- Other SP
- Shibboleth IdP
- OpenAthens IdP
- Other IdP
- Microsoft Azure / AD FS
We also provide information for organisations that want to outsource some or all provision on our Outsourced Provider page.
The UK federation implements a policy of exporting all entities to eduGAIN (with some exceptions). More details concerning this can be found here:
https://www.ukfederation.org.uk/content/Documents/EduGAINParticipation
Shibboleth SP
The currently-supported version of the Shibboleth SP interoperates with all previous releases of Shibboleth and other software that supports the same standards.
- Set up a Shibboleth v3 SP
- Register a Shibboleth SP
- Once registered, you may need to modify your configuration according to our set up Shibboleth v3 SP page.
Upgrading from a Shibboleth v2 SP to v3
The currently-supported version of the Shibboleth SP is in the v3.x series. The Shibboleth wiki states that the upgrade process is designed to be seamless and is functionally the same as upgrading v2 in the past. However, please note that there is a particular combination of factors that may affect a small number of deployments in the UK federation. See also the Shibboleth wiki page "Upgrading from v2".
OpenAthens SP
The original OpenAthens SP software is now end-of-life. To install and register an OpenAthens Keystone SP:
- You purchase and configure the OpenAthens Keystone SP software.
- Register an OpenAthens SP
- Test and if necessary modify your configuration according to OpenAthens documentation.
Other SP
Install and register any other type of SP software
Shibboleth IdP
As at 23 April 2024, the current version of the Shibboleth IdP is v5.1.2.
- Shibboleth IdP v5 Installation
- Shibboleth IdP v4 deployment guide
- Registering a Shibboleth IdP
- Once registered, you may need to modify your configuration according to Shibboleth IdP v4 deployment guide
We recommend that you keep your software up-to-date within the v3.x series, by noting the supported versions of the v3 IdP and the process for updating a v3 IdP. We also recommend that you subscribe to the announce mailing list.
"Upgrading" from a Shibboleth v2 IdP to v3
We have put together some documentation about Integration of a new install of a Shibboleth v3 IdP into the UK federation to replace a Shibboleth v2 IdP.
Upgrading from a Shibboleth v3 IdP to v4
Please note that some deprecated features of the v3 IdP will be removed in v4 and this should be dealt with before upgrading your v3 IdP to v4.
Please contact the UK federation helpdesk for further advice.
Upgrading from a Shibboleth v4 IdP to v5
We have put together some documentation about upgrading your v4 IdP to v5.
OpenAthens IdP
To install and register an OpenAthens IdP:
- You purchase and configure the OpenAthens MD software.
- Register an OpenAthens MD IdP
- Test and if necessary modify your configuration according to OpenAthens documentation.
Moving from other IdPs to an OpenAthens MD IdP
- From an (end-of-life) OpenAthens LA IdP.
- From a Shibboleth IdP.
In both cases, some WAYFless URLs will need updating. More details may be found at our page on changing from one IdP platform to another.
Other IdP
Install and register any other type of IdP software
Microsoft Azure / AD FS
In the past, some organisations have enquired about using Microsoft AD FS (Active Directory Federation Services) software as an IdP within the UK federation and our findings are here.
However, it is possible to use a technique called SAML Proxying to let your Shibboleth IdP proxy to another IdP (including Azure AD) to give your users a true single sign-on experience.
Summary of application and registration process
Privacy notice
The information you provide to us is needed for us to manage your membership of, and / or participation in, the UK Access Management federation, operated by Jisc. We’ll use it, as described in our standard privacy notice (at https://www.jisc.ac.uk/website/privacy-notice), to provide the service you’ve requested, as well as to identify problems or ways to make the service better. We’ll keep the information until we are told that you no longer wish to be a member and / or participant. This service is covered by Jisc’s ISO 27001 Information Security certification.