Questions about the Transition
On April 1, 2012, the management of the Canadian Access Federation (CAF) officially transitioned from the Canadian University Council of CIOs (CUCCIO) to CANARIE.
For the past year, CUCCIO and CANARIE have shared management of this service, which provides a trusted access management environment for Canadian research and higher education communities. For participants of CAF, the transition will be seamless: your users will continue to be able to use their home credentials to log in to networks at other participant institutions and access Service Providers who are part of the Federation. CANARIE looks forward to improving, evolving and growing CAF so that you get the greatest benefit.
The following questions and answers specifically address the transition period. If you have further questions, please do not hesitate to contact the CAF Program Manager at caf@canarie.ca or 613-943-5372.
- What administrative changes will there be?
We will be sending participants a package in early April. There will be some things to take care of:
i. You will need to sign a CANARIE participation agreement.
ii. As part of the new agreement, you will need to send us a Trust Assertion Document (TAD) that explains your operating practices. We will post these on the CANARIE website as well as on participants’ websites (as currently required). You will also need to notify CANARIE of any changes to your practices.
iii. Billing will switch to an annual cycle. CANARIE invoices will be sent out in April of each year.
- Why do we now have to submit a TAD to CANARIE?
Participation in CAF is all about trust. By ensuring that all participants have completed and submitted their operating practices (through a TAD), your organization has the ability to check their practices and ensure they align with your policies.
- I am a site operator, how do I contact CAF technical staff?
CANARIE will be introducing a ticketing system in a few weeks’ time. In the meantime, you can contact technical staff by sending an email to caftech@canarie.ca.
- Are there any technical changes that participants should be aware of?
As part of the transition, CANARIE is formalizing the default release of the eduPersonTargetedID attribute for the CAF service. This identifier is designed to be both privacy-preserving and opaque: it releases no identifiable information about a user, yet it is a viable unique ID for Service Providers to key their service on. This reduces the configuration effort for both Service Providers and Identity Providers and streamlines enabling services with CAF.
- Have there been any changes to the fee structure?
Yes. CANARIE has reviewed its pricing structure after consulting with the R&E community. The pricing structure will be announced shortly, included in the new agreement, and reflected in the invoices.
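To illustrate the eduPersonTargetedID answer above, the following added example (not CAF or CANARIE code) shows one way an Identity Provider can derive an opaque, per-Service-Provider identifier. The HMAC-SHA256 construction, the secret, the entityIDs and the user names are all assumptions constructed for the example; the page does not state how CAF participants generate the value.

```python
import base64
import hashlib
import hmac

# Constructed sample values; none come from CAF or any real deployment.
IDP_SECRET = b"constructed-demo-secret-keep-private"
SP_LIBRARY = "https://library.example.org/sp"
SP_WIKI = "https://wiki.example.net/sp"
USERS = ["alice", "bob", "carol"]


def targeted_id(local_user_id, sp_entity_id, secret=IDP_SECRET):
    """Derive an identifier that is stable for one (user, SP) pair.

    Assumed construction: keyed hash over the SP entityID and the
    user's internal ID. Without the secret, an SP cannot recompute
    or reverse the value to recover the user name.
    """
    if not local_user_id or not sp_entity_id:
        raise ValueError("user id and SP entityID are both required")
    # Length-prefix each field so ("ab", "c") and ("a", "bc") differ.
    msg = b"".join(
        len(part.encode()).to_bytes(4, "big") + part.encode()
        for part in (sp_entity_id, local_user_id)
    )
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def shared_identifiers(users, sp_a, sp_b):
    """Identifiers two SPs would have in common if they compared notes."""
    seen_by_a = {targeted_id(u, sp_a) for u in users}
    seen_by_b = {targeted_id(u, sp_b) for u in users}
    return seen_by_a & seen_by_b


if __name__ == "__main__":
    for user in USERS:
        print(user, targeted_id(user, SP_LIBRARY), targeted_id(user, SP_WIKI))
    # An empty set means the two SPs cannot link accounts by this value.
    print("shared:", shared_identifiers(USERS, SP_LIBRARY, SP_WIKI))
```

Each Service Provider sees the same value for a returning user, so it can key accounts on it, while the values held by different Service Providers do not match.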
Frequently Asked Questions
What is Federated Access Management?
Federated Access Management builds a trust relationship between Identity Providers (e.g. institutions) and Service Providers (e.g. on-line content providers, web service providers, both commercial and institutional). Through this relationship the responsibility for authentication remains with the user's home institution, with the authorization for access to the service provided through a secure exchange of information (known as attributes) between the two parties.
What is the Canadian Access Federation?
The Canadian Access Federation is Canada’s answer to the need for these services in the Canadian research and education community. It is a participant-based organization focused on creating the common frameworks required (e.g. technical, policy and organizational) to support a collaborative, trusted environment in support of research and education in Canada and beyond.
Is the access federation model unique to Canada?
No, there are numerous international access federations, including InCommon in the USA, JISC in the UK, and the Australian Access Federation.
What does the Canadian Access Federation “do”?
The Canadian Access Federation makes sharing protected resources easier, safer, and more scalable in our age of digital resources and services. Leveraging standards-based authentication and authorization systems such as SAML and eduroam:
- Canadian Access Federation enables participant institutions to participate in a cost-effective, privacy-preserving approach to access management;
- Canadian Access Federation helps to ensure the privacy of personal information by eliminating the need for researchers, students, and educators to maintain multiple, password-protected accounts; and
- Canadian Access Federation enables organizations to better manage access to their resources based on a user's status and privileges as presented by the user's home organization.
What are the benefits of joining the Canadian Access Federation?
Participation in Canadian Access Federation means:
- trust decisions regarding access to resources can be managed through the exchange of information in a standard format;
- economies of scale can be exploited by removing the need to repeat integration work for each new service or resource introduced by the service provider;
- increased security and more granular control as access to resources is driven by policies set by the service provider;
- reduced account management overhead as users can be authenticated from the home institution and provided access to the requested resources (as appropriate); and
- increased assurance of personal data being protected as the data will remain with the home institution.
How does Canadian Access Federation protect my user information?
Canadian Access Federation preserves privacy by allowing home institutions to protect the personal information of their users for those services (such as access to the institution’s wireless network) where access can be granted without having to disclose the identity of the user. For services requiring additional information in order to grant access, agreements with respect to what information is used, and how, are developed and implemented prior to the service being federated.
Who can join Canadian Access Federation?
In general, if your organization undertakes activities in support of research and development in Canada, then you’re eligible to join CAF. Please contact caf@canarie.ca to see if your organization is eligible.
What is required to join Canadian Access Federation?
Please refer to information on our "Join" page.
How do I implement the services of the Canadian Access Federation?
Organizations eligible to join the Canadian Access Federation and ready to implement one or both of the current services will be provided with additional technical information and support. Please contact us if you have further questions at caf@canarie.ca.
What is Shibboleth?
Shibboleth software enables the sharing of Web resources that are subject to access controls such as user IDs and passwords. Shibboleth leverages institutional sign-on and directory systems to work among organizations by locally authenticating users and then passing information about them to the resource site to enable that site to make an informed authorization decision. The Shibboleth architecture protects privacy by letting institutions and individuals set policies to control what type of user information can be released to each destination. For more information on Shibboleth please visit www.shibboleth.internet2.edu.
What is eduroam?
eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community. eduroam technology is based on the 802.1X standard and a hierarchy of RADIUS proxy servers. It allows students, researchers and staff from participating institutions to obtain Internet connectivity across campus and when visiting other participating institutions by simply opening their laptop.
What are CAF usage policies?
CAF usage policies for institutions (known as Identity Providers (IdP)) and Service Providers (SP) are listed in the Participation Agreement. Please consult Schedules A, B and C of the agreement for specific policies.