CANARIE - Canadian Access Federation

For the past year, CUCCIO and CANARIE have shared management of the Canadian Access Federation (CAF) service, which provides a trusted access management environment for Canadian research and higher education communities. On April 1, 2012, the management of the Canadian Access Federation will officially transition from CUCCIO, representing Canada’s higher education IT leaders, to CANARIE, Canada’s Advanced Research and Innovation Network. CUCCIO is pleased to complete this critical step in ensuring the continued operation of the Canadian Access Federation and looks forward to working with CANARIE in its continued evolution.

For participants of CAF, the transition will be seamless: your users will continue to be able to use home credentials to access networks of other CAF participants via eduroam, as well as access remote content from Service Providers who are part of the Canadian Access Federation.

What You Need to Know

These things will remain true:

• Access management is easier and cheaper, while simplifying security, as compared to legacy solutions.
• Trust is the basis of any good relationship, and CAF enables participants to make sound decisions about trust between participants and service providers.
• CAF preserves CIOs’ control of their own infrastructure.
• Service providers can easily reach new users with CAF.

What’s new?

CANARIE looks forward to improving, evolving and growing CAF so that you get the greatest benefit.

• CANARIE will dedicate the necessary resources to operate and manage CAF.
• CANARIE is investing in the operational tools to streamline support and diagnosis of issues
• CANARIE will provide an online tool where we can post answers to questions, white papers, and training materials, to facilitate your deployment and integration of CAF. It will include a facility for you to post new queries.

What Participants Need to Do

We will be sending you a package in early April. There will be some things for you to take care of:

• Sign the new agreement.
  Participants will need to sign a new agreement with CANARIE.
• Pay an invoice.
  As noted in previous correspondence (fall 2011), all participants in CAF have been moved to a single renewal date of April 1. CANARIE is reviewing the pricing structure in consultation with the R&E community. The new pricing structure will be announced shortly and will be posted on the CANARIE website and reflected in the invoices.
• Submit a Trust Assertion Document (TAD).
  CAF is all about trust: each participant trusts that the others follow suitable practices. To support this reciprocal relationship a “trust assertion document” is required. Each participant will be required to complete the TAD. Additional details and directions will be provided as part of the renewal process.

Questions?

Find more information on the FAQ page.
Technical questions may be sent to: caftech@canarie.ca
Questions about participation or invoicing may be sent to: caf@canarie.ca.

Thank you for your participation in the Canadian Access Federation.

eduroam – Supporting access to secure wireless networking on campuses across Canada and the world

• Students, educators and researchers are mobile, using wireless connectivity as they travel to other organizations.  Normally this required the visitor to obtain a special temporary authentication credential. Additional effort was required by the visitor and the visited organization to maintain these extra credentials.
• When both the visitor's and the visited organizations participate in eduroam, the visitor is automatically permitted access to the wireless networks of the visited organizations by using their home-organization credentials.
• eduroam (education/roaming) is an international standard developed in Europe and now deployed in many countries around the world. www.eduroam.org  

Shibboleth — Providing students, educators and researchers access to many resources and services over the Internet using a web browser.

• In the past, access to controlled-access applications requires authentication, typically using an id and password maintained by each application provider.  Not only did the provider have to maintain credentials for all their clients, but users had to remember these additional credentials. More importantly, user's personal information was stored by many organizations they had limited relationships with.
• With Shibboleth, the user is granted access to a remote application based on verification of their credentials (id/password) at their home organization. The service provider is provided only pre-approved personal information necessary to provide the service. Changes by the home organization to the credentials or personal information are automatically reflected on subsequent transactions.
• Because the home organization controls user authentication, single sign-on can be implemented. Once the user’s identity is verified once, the home organization can automatically and transparently authenticate access for other services. The user can then access other services without having to log in again.
• Shibboleth, developed by the Internet 2 community in the United States, implements a standardized protocol for access management (SAML) being adopted by education and commercial sectors in many countries. www.shibboleth.internet2.edu