This document discusses key concepts of federated access management (FAM) including: 1) FAM allows for single sign-on access to online resources across domains through distributing authentication, authorization, and accounting functions to appropriate parties like identity providers and service providers. 2) Identity providers handle authentication of their users while service providers control authorization based on attributes like role and affiliation. 3) Standards like SAML and Shibboleth facilitate trust between identity providers and service providers so users' access is managed according to their home institution's policies.

1. Federated Access Management 102 key concepts you need to become your institution’s local expert John Paschoud InfoSystems Engineer, LSE Library London School of Economics & Political Science, UK [email_address] Copyright John Paschoud 2007. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. The intellectual property of others in all contributed and referenced material is acknowledged.

2. Animation: even 2-dimensional people need Access Management

8. Access to internal resources: LSE Exam Papers collection

11. Access via a library portal to external resources The expanded list shows a link direct to the Service Provider, in this case Elsevier

12. Access via a library portal to external resources After clicking link in library portal:

14. How does FAM (using Shibboleth) work? Resource WAYF Identity Provider Service Provider Web Site 1 ACS I don’t know you. Not even which home org you are from. I redirect your request to the WAYF 3 2 Please tell me where are you from? HS 5 6 I don’t know you. Please authenticate Using WEBLOGIN 7 User DB Credentials OK, I know you now. I redirect your request to the target, together with a handle 4 OK, I redirect your request now to the Handle Service of your home org. AR Handle Handle 8 I don’t know the attributes of this user. Let’s ask the Attribute Authority Handle 9 AA Let’s pass over the attributes the user has allowed me to release Attributes 10 Resource Manager Attributes OK, based on the attributes, I grant access to the resource

19. www.ukfederation.org.uk www.jisc.ac.uk/federation.html http:// www.angel.ac.uk/ShibbolethAtLSE www.identity-project.info [email_address] [email_address]