The Canadian Access Federation is a trust framework supported by policies and agreements and enabled through two technologies (as of May 2011).
Users are authenticated by their home organization as they normally are, in order to establish their affiliation and to be issued a user-id for access to campus or organization level services.
The home organization is responsible for maintaining the user-related information and provides the user with the credentials. Home organizations (or identity providers) can be any research or education organization (e.g., universities, research organizations, university hospitals, etc.).
When the user requests access to services outside the home organization, authentication is requested from the home organization via the federated access management service. The home organization may also be asked to assert other attributes about the user, so that the service provider can determine whether the user should have access to the services requested.
Access control decisions remain with the service provider.
Case Studies
InCommon, the American counterpart to the Canadian Access Federation, has published a number of case studies that demonstrate the value of innovative approaches to federating identity and access management systems. These case studies provide real-world examples, for use with campus stakeholders, CIOs, and other audiences, of the benefits of federating.
Information for individual users
To see if your organization is a participant, and to see the list of service providers, consult the participant and service provider lists.
If your organization is not a participant, please contact your Chief Information Officer.
Information for the technical support community
Participation in the Canadian Access Federation provides participants with access to eduroam and Shibboleth services.
eduroam
eduroam – Supporting access to secure wireless networking on campuses across Canada and the world
Students, educators and researchers are mobile, using wireless connectivity as they travel to other organizations. Normally this requires the visitor to obtain a special temporary authentication credential. Additional effort is required by the visitor and the visited organization to maintain these extra credentials.
When both the visitor's organization and the visited organization participate in eduroam, the visitor is automatically granted access to the visited organization's wireless network using their home-organization credentials; authentication is proxied back to the home organization, so the visited organization never handles the visitor's password.
eduroam (education/roaming) is an international standard developed in Europe and now deployed in many countries around the world. www.eduroam.org
Shibboleth
Shibboleth — Providing students, educators and researchers access to many resources and services over the Internet using a web browser.
In the past, access to controlled-access applications required authentication, typically using an id and password maintained by each application provider. Not only did each provider have to maintain credentials for all of its clients, but users had to remember many additional credentials. More importantly, a user's personal information was stored by many organizations with which they had only a limited relationship.
With Shibboleth, the user is granted access to a remote application based on verification of their credentials (id/password) by their home organization. The service provider is provided only the pre-approved personal information necessary to provide the service. Changes by the home organization to the credentials or personal information are automatically reflected on subsequent transactions.
Because the home organization controls user authentication, single sign-on can be implemented. Once the user's identity is verified, the home organization can automatically and transparently assert that authenticated identity to other services, so the user can access them without having to log in again.
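The "only the pre-approved personal information" rule above is enforced on the identity provider side. As an added illustration, not taken from this page or from the Shibboleth project, here is a Shibboleth IdP attribute-filter policy (v3+ syntax assumed) that releases just two attributes to a single service provider; the entityIDs and attribute IDs are placeholders standing in for a real deployment's values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the Canadian Access Federation or the Shibboleth project.
     Assumes Shibboleth IdP v3+ attribute-filter syntax; entityIDs and attribute IDs
     are placeholders matching whatever the attribute-resolver defines. -->
<AttributeFilterPolicyGroup id="ExampleReleasePolicies"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- This policy applies only when the requesting SP is the one named here. -->
    <AttributeFilterPolicy id="releaseToLibraryService">
        <PolicyRequirementRule xsi:type="Requester"
            value="https://library.example-sp.ca/shibboleth" />

        <!-- Affiliation (e.g. member@example-idp.ca) lets the SP make its own
             access decision; the SP never sees the user's password. -->
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- A pairwise pseudonymous identifier is enough for the SP to
             recognise a returning user across single sign-on sessions. -->
        <AttributeRule attributeID="eduPersonTargetedID">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- The filter is deny-by-default: attributes with no matching AttributeRule
         here (mail, displayName, etc.) are withheld from this SP. -->
</AttributeFilterPolicyGroup>
```

Because release is tied to the SP's entityID, changing the policy at the home organization takes effect on the user's next transaction with that SP, with no change needed on the SP side.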
Shibboleth, developed by the Internet2 community in the United States, implements a standardized protocol for access management (SAML) that is being adopted by the education and commercial sectors in many countries. www.shibboleth.internet2.edu