JISC Access Management Team

moving towards federated access management


The Accountability Question

Posted by admin on 10th April 2007

One of the issues that institutions face when joining the UK Access Management Federation is whether to sign up to ‘accountability’. This is a complex area, and has raised many questions, so I am hoping to address some of these issues here.

The Rules of the UK Federation (section 6.4.2) state that:

“where unique persistent Attributes (e.g. eduPersonTargetedID or eduPersonPrincipalName) are associated with an End User, the End User Organisation must ensure that these Attribute values are not re-issued to another End User for at least 24 months;”

Simply put, this means that you must not re-issue a targetedID or PrincipalName to another member of staff or student within 24 months, and you must be able to declare that you will not do this. This is not a requirement for institutions; you can choose not to support this function. However, choosing not to support these attributes means that an institution would not be able to use persistent attributes. For many resources this will be fine – but there are significant resources that require the release of at least an opaque persistent identifier for users, such as when using census data. It also means that personalisation is not possible for end-users, and will affect many of the emerging use-cases for federated access management.
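To make the 24-month rule concrete, here is an added example (not code from the JISC post or the Federation) of a minimal identity-management registry that refuses to re-issue a released identifier to a different person before the quarantine has run; the identifier, person ids and dates are constructed sample values.

```python
from datetime import date
# Added example, not code from the JISC post: a minimal identifier registry
# enforcing UK Federation rule 6.4.2, that a persistent identifier such as an
# eduPersonPrincipalName released by one person must not be re-issued to a
# *different* person for at least 24 months. Dates are ISO strings (YYYY-MM-DD).
QUARANTINE_MONTHS = 24

def blocked_until(retired_on: str) -> str:
    """First date on which a retired identifier may go to another person."""
    released = date.fromisoformat(retired_on)
    years, month0 = divmod(released.month - 1 + QUARANTINE_MONTHS, 12)
    try:
        return released.replace(year=released.year + years, month=month0 + 1).isoformat()
    except ValueError:  # e.g. released on 29 Feb and the target year has no 29 Feb
        return released.replace(year=released.year + years, month=month0 + 1, day=28).isoformat()

class IdentifierRegistry:
    def __init__(self):
        self.active = {}   # identifier -> person currently holding it
        self.retired = {}  # identifier -> (previous holder, date released)

    def check(self, identifier, person, today):
        """Return None if issuing is permitted, otherwise the reason it is not."""
        if identifier in self.active:
            return f"{identifier} is still assigned to {self.active[identifier]}"
        if identifier in self.retired:
            prev_person, retired_on = self.retired[identifier]
            # The rule forbids re-issue to *another* End User; handing a returning
            # person their old identifier back is allowed and keeps their history.
            if prev_person != person and today < blocked_until(retired_on):
                return (f"{identifier} was released on {retired_on}; "
                        f"not re-issuable to another person before {blocked_until(retired_on)}")
        return None

    def issue(self, identifier, person, today):
        reason = self.check(identifier, person, today)
        if reason is not None:
            raise ValueError(reason)
        self.retired.pop(identifier, None)
        self.active[identifier] = person

    def retire(self, identifier, today):
        """Release an identifier when its holder leaves; the 24-month clock starts."""
        self.retired[identifier] = (self.active.pop(identifier), today)

if __name__ == "__main__":  # constructed sample data: a leaver and a new starter
    reg = IdentifierRegistry()
    reg.issue("jsmith@example.ac.uk", "person-0001", "2007-04-10")
    reg.retire("jsmith@example.ac.uk", "2007-06-30")
    print(reg.check("jsmith@example.ac.uk", "person-0002", "2008-09-01"))
```

A real deployment would keep the retired table in the same store as the account lifecycle so that the date a person leaves, not the date their account is deleted, starts the clock.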

At the moment, only about 33% of the Identity Providers within the Federation are asserting user accountability. We are sure that some of the institutions that are not declaring user accountability will wish to make use of resources that require this function. From this, I can make two assumptions:

  • the people responsible for signing the Federation documents are not aware that this function will be required and are choosing the path of least resistance. This is understandable and very reversible once the requirement is known. To tackle this, the UK Federation has recently changed its joining processes to query accountability choices more closely, and we have seen an increase in institutions declaring accountability since this process was introduced. We strongly encourage institutions to involve library staff, IT staff and senior management in the process of joining the UK Federation to make sure that all requirements are fully understood before a decision is made.
  • identity management within institutions is not mature enough to cope with the requirement. Federated access management does require effective identity management, and this will be a big leap for many institutions. There are many ways to get help in this area, from case studies and advice from the JISC ‘early adopter’ projects to third-party support from commercial vendors. For more information, see the JISC Federation website.

Although declaring accountability is only a recommendation within the Federation, we would like to see all institutions getting the most out of the new system and would certainly encourage everyone to ‘aspire’ to meeting all of the recommendations made. If you would like further advice in this area, please do not hesitate to contact the JISC Access Management Team.
