JISC Access Management Team

moving towards federated access management

Archive for May, 2007

Do you know who I am?

Posted by admin on 31st May 2007

I have been asked by many people about OpenID and its role in the UK federation infrastructure. Rather than write about this myself, I am going to quote James Dalziel (see quotes below) who recently made an excellent post on this issue to the JISC Shibboleth list. You may also be interested in a recent Ariadne article by Andy Powell that looks at OpenID in more detail.

OpenID is a great, simple technology for fostering single-sign-on among some web applications. Many of the core concepts of OpenID are similar to Shibboleth (in particular, applications don’t manage users themselves, instead, they rely on a separate identity service), so the growth of interest in OpenID is helping us to move away from the endless proliferation of names and passwords, and towards more efficient handling of identity. However, there is a key difference between most OpenID use and national Shibboleth implementations like the Australian Access Federation (AAF). In the OpenID world, a person can claim to be anyone they like when logging in to a service using OpenID. If I create an OpenID account called “Bill Gates”, then use this to log into your blog to post a comment, then the comment will come from Bill Gates.

In the case of the AAF, your home institution (eg, university) stands behind the Shibboleth assertion that you are who you say you are, and, for example, that you are a staff member (not a student). This trusted assertion is a combination of home institution policy and practices (eg, how your institution establishes who you are and your attributes) as well as the technology component enabled by Shibboleth.

This is, of course, true in relation to the UK Access Management Federation and is a required process for two reasons. In a trust network, Service Providers can fairly easily accept the idea that an institution can be trusted to follow certain identity management procedures and properly authenticate end-users. The institution is also the body that buys access to licensed resources in relation to a large variety of external resources and not the end-user. The challenge for the educational community now is to understand its relationship to identity and learning outside of this traditional model.

This difference between OpenID and Shibboleth is fundamental and important for the formal education and research environment - if I can assert anything I like about myself, this creates many potential risks. That’s not to suggest there are no potential risks with the AAF, but the level of trust behind assertions is of a significantly different kind. On a different note, the Shibboleth community has been closely tracking OpenID, and hopes to soon support OpenID as an alternative assertion that can be made from a trusted Shibboleth Identity Provider - this means you can use your trusted home institution login for both Shibboleth federation logins, as well as any wider OpenID logins. Of course, this doesn’t stop anyone from having separate OpenID identities if they choose, and potentially in the future, associating (or not!) these external OpenID identities with their trusted home institution login.

JISC is also interested in other models of identity management and in particular for ‘orphans’ who do not have an institution to provide them with a set of authentication credentials. Both TypeKey and ProtectNetwork provide this functionality within the UK federation. It is important to note that these services only provide you with authentication credentials. Authorised access still has to be established with the Service Provider being accessed. This often means added verification and release of personal details (such as an e-mail address) to allow this verification.

This is not to say that Shibboleth can do everything today. The management of self-asserted attributes is an evolving area, but the MAMS work on the Autograph personal privacy management tool has made some progress in this area. The issues associated with retaining identities as people move between different educational organisations will also need further work - but the concepts of “account linking” from the related Liberty Alliance work seem to be the promising way to take this forward. And as noted, adding an OpenID module to Shibboleth will be very useful for those who want both approaches together.

Tools that allow end-users to better manage their identities and rights will be of growing interest in the JISC community as we see more and more institution adopting federated access management and tackling the challenges of lifelong learners, student mobility and the growth of learning experiences outside of the institutional infrastructure.

But the lack of trust in OpenID is a serious problem for its widespread use in the formal education and research sector; whereas “real trust” is a core component of the AAF work that sits behind Shibboleth.

Thanks James -)

Posted in Authorisation, Authentication, Identity Management

Managing People or Resources?

Posted by admin on 24th May 2007

I made a presentation at a CPD25 event on Monday, and it was great to see a high proportion of library staff at the event. One of the key concerns expressed by library staff was that in a federated access management system like Shibboleth it was not possible for library staff to manage the list of resources that students and staff access - i.e. the authorisation part of the equation. I thought I would explore this a little further.

In a federated access management system, the institution does not necessarily need to maintain lists of which resources each student or staff member is entitled to access. Instead, the institution stores attributes about the user in its attribute registry (typically an enterprise directory service). The institution can then declare to a Service Provider that ‘this is a member of staff’. Service Providers then maintain information about which of their resources staff@thisinstitution.ac.uk are allowed to access, rather than the institution maintaining these long lists for each user or user type. The UK federation has some examples of how attribute usage works.
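The paragraph above, and the contrast with self-asserted OpenID identities in the post of 31st May, come down to one check on the Service Provider side: the SP trusts a scoped affiliation such as staff@thisinstitution.ac.uk only because the issuing Identity Provider is registered in the federation as entitled to assert that scope. The example below is added here and is not code from the JISC blog, the UK federation or the Shibboleth project; it models that check in Python. The metadata table, the entity IDs, the resource names and the assertion values are all constructed stand-ins, and the policy mapping affiliations to resources is the SP-side list the paragraph describes rather than a per-user list held by the institution.

```python
"""Added example: SP-side authorisation from a scoped affiliation attribute.

Two steps a Service Provider performs before granting access:
 1. confirm the scope in the asserted value is one the issuing IdP may assert
    (constructed stand-in for the scope information carried in federation metadata);
 2. map the validated 'affiliation@scope' onto the resources licensed to it.
Nothing here is the UK federation's or Shibboleth's own code.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed stand-in for federation metadata: IdP entityID -> scopes it may assert.
IDP_SCOPES: dict[str, set[str]] = {
    "https://idp.thisinstitution.ac.uk/shibboleth": {"thisinstitution.ac.uk"},
    "https://idp.otheruni.ac.uk/shibboleth": {"otheruni.ac.uk"},
}

# Constructed SP-side policy: resource -> scoped affiliations permitted to use it.
RESOURCE_POLICY: dict[str, set[str]] = {
    "journals-archive": {
        "staff@thisinstitution.ac.uk",
        "student@thisinstitution.ac.uk",
        "staff@otheruni.ac.uk",
    },
    "staff-only-dataset": {"staff@thisinstitution.ac.uk"},
}


@dataclass
class Assertion:
    """The parts of a signed assertion this check needs (signature already verified)."""
    issuer: str  # entityID of the Identity Provider that issued the assertion
    scoped_affiliations: list[str] = field(default_factory=list)


class ScopeError(ValueError):
    """Raised when a scoped value is not one the issuer is registered to assert."""


def validate_scoped_affiliation(issuer: str, value: str) -> str:
    """Return the normalised 'affiliation@scope' if the issuer may assert that scope."""
    if value.count("@") != 1:
        raise ScopeError(f"malformed scoped affiliation: {value!r}")
    affiliation, scope = value.lower().split("@")
    allowed = IDP_SCOPES.get(issuer)
    if allowed is None:
        raise ScopeError(f"issuer not present in metadata: {issuer}")
    if scope not in allowed:
        # This is the case a self-asserted identity falls into: anyone can *claim*
        # staff@thisinstitution.ac.uk, but only that institution's IdP may assert it.
        raise ScopeError(f"{issuer} is not registered to assert scope {scope!r}")
    return f"{affiliation}@{scope}"


def accepted_affiliations(assertion: Assertion) -> tuple[set[str], list[str]]:
    """Validate every asserted value; return (accepted values, rejection reasons)."""
    accepted: set[str] = set()
    rejected: list[str] = []
    for value in assertion.scoped_affiliations:
        try:
            accepted.add(validate_scoped_affiliation(assertion.issuer, value))
        except ScopeError as exc:
            rejected.append(str(exc))  # a real SP would log these for audit
    return accepted, rejected


def authorise(assertion: Assertion, resource: str) -> bool:
    """Default deny: True only when a validated affiliation appears in the resource policy."""
    permitted = RESOURCE_POLICY.get(resource, set())
    accepted, _ = accepted_affiliations(assertion)
    return bool(accepted & permitted)


if __name__ == "__main__":
    genuine = Assertion("https://idp.thisinstitution.ac.uk/shibboleth",
                        ["staff@thisinstitution.ac.uk"])
    # Constructed: another IdP asserting an affiliation outside its own scope.
    spoofed = Assertion("https://idp.otheruni.ac.uk/shibboleth",
                        ["staff@thisinstitution.ac.uk"])
    print(authorise(genuine, "staff-only-dataset"))  # True
    print(authorise(spoofed, "staff-only-dataset"))  # False
    print(accepted_affiliations(spoofed)[1])
```

The design point is that the institution's directory never holds a list of resources: it asserts one attribute, and the SP's policy plus the scope check in metadata do the rest. Dropping the scope check would make the SP no safer than a service that believes an OpenID display name.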

This is great for simple authorisation processes, but many of the interactions between institutions (Identity Providers) and Service Providers are more complicated than this and need the specialist input of those who have detailed information about the resources that members access, and the type of information that should be released to each resource.

Luckily, these tools do exist, and with friendly interfaces that mean they can be accessed, viewed and updated by people without an in-depth knowledge of XML attribute release policies!

ShARPE from MAMS in Australia allows institutions to create and maintain attribute release policies on a resource by resource basis. Its primary aim is to ensure that only the correct information about users is released to any particular Service Provider, but it also acts as a great tool for managing information about resources - particularly information about license expiry dates! Autograph is part of the same suite and takes this one step further by allowing end-users to manage the information that is released to Service Providers.
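To make the two layers just described concrete, here is an added example of an Identity Provider-side attribute release filter: a per-Service-Provider policy of the kind ShARPE manages, with an end-user restriction in the Autograph style applied on top. It is illustrative code written for this post, not code from ShARPE, Autograph, MAMS or any Shibboleth release. The user record, the SP entity IDs and the licence expiry date are constructed; the attribute names are the usual eduPerson and inetOrgPerson ones. Refusing to release anything once a recorded licence has expired is a design choice made here, not a behaviour the post attributes to ShARPE.

```python
"""Added example: per-SP attribute release policy with an end-user restriction layer.

Model (not ShARPE's or Autograph's own code):
 - the institution records, per Service Provider, which attributes it will release
   and, optionally, when the licence for that resource expires;
 - the end-user may withhold attributes from a release but never add to it;
 - an SP with no recorded policy receives nothing (default deny).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class ReleasePolicy:
    sp_entity_id: str
    attributes: frozenset[str]              # attributes the institution agrees to release
    licence_expires: Optional[date] = None  # constructed: expiry tracked alongside the policy


# Constructed user record as the enterprise directory might hold it.
USER: dict[str, str] = {
    "eduPersonScopedAffiliation": "staff@thisinstitution.ac.uk",
    "eduPersonTargetedID": "constructed-opaque-identifier",
    "mail": "a.person@thisinstitution.ac.uk",
    "displayName": "A. Person",
}

# Constructed per-SP policies: entityIDs are placeholders, not real services.
POLICIES: dict[str, ReleasePolicy] = {
    "https://sp.publisher.example/shibboleth": ReleasePolicy(
        "https://sp.publisher.example/shibboleth",
        frozenset({"eduPersonScopedAffiliation"}),
        licence_expires=date(2007, 7, 31),
    ),
    "https://sp.collaboration.example/shibboleth": ReleasePolicy(
        "https://sp.collaboration.example/shibboleth",
        frozenset({"eduPersonScopedAffiliation", "mail", "displayName"}),
    ),
}


def release(
    user: dict[str, str],
    sp_entity_id: str,
    today: date,
    user_withheld: frozenset[str] = frozenset(),
) -> dict[str, str]:
    """Return the attributes that leave the institution for this SP on this date."""
    policy = POLICIES.get(sp_entity_id)
    if policy is None:
        return {}  # no policy on record: nothing is released
    if policy.licence_expires is not None and today > policy.licence_expires:
        return {}  # design choice here: a lapsed licence stops release entirely
    # The user may only narrow what the institution has already approved.
    permitted = policy.attributes - user_withheld
    return {name: value for name, value in user.items() if name in permitted}


def expiring_within(days: int, today: date) -> list[str]:
    """List SPs whose recorded licence expires within `days` of `today` (the admin view)."""
    return sorted(
        p.sp_entity_id
        for p in POLICIES.values()
        if p.licence_expires is not None and 0 <= (p.licence_expires - today).days <= days
    )


if __name__ == "__main__":
    today = date(2007, 5, 24)
    print(release(USER, "https://sp.publisher.example/shibboleth", today))
    print(release(USER, "https://sp.collaboration.example/shibboleth", today,
                  user_withheld=frozenset({"mail"})))
    print(expiring_within(90, today))
```

The `expiring_within` helper is the part a library team would actually look at day to day; the `release` function is what runs on every login, and the ordering of its checks (no policy, expired licence, institutional policy, then user withholding) is what keeps the end-user consent layer from ever widening a release beyond what the institution approved.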

I also wonder what role Electronic Resource Management (ERM) tools may have to play in managing both license subscriptions and attribute information. Current systems such as Endeavor’s Meridian certainly appear to have fields that could fill this function.

The Swiss federation, SWITCH AAI, has developed a central Resource Registry that allows institutions and Service Providers to discover and manage information about subscribed resources. This is an attractive approach, but may not scale well to the UK!

Other systems focus on the privileges that certain members may have within an institution and are particularly useful for managing access to internal resources. This mock-up of the Internet2 Signet tool shows just that process. It is supported by Grouper - a toolkit for managing, well, groups! PERMIS is a similar tool to Signet that has been used in many JISC projects over the last few years.

All of these tools have different roles to play within an institution and may be used by IT Staff, Library Staff and Administrative Staff to achieve different goals. As we become more sophisticated about the rights that we express via attributes, it is inevitable that we will see more and more take-up of these management tools. It is good to know that they are out there and being developed right now!

ShARPE Screenshot

Posted in Authorisation, Institutional Audit

Gateway Access: Comments and Clarifications

Posted by admin on 16th May 2007

One of the unique issues facing the UK adoption of the SAML standard through the UK Access Management Federation is to ensure that the UK education community continues to be able to access Athens resources. To support this requirement, JISC has funded Eduserv to develop and maintain two gateways to the UK federation. These gateways are known as the Federation Gateway Services.

These Gateways are currently funded until July 2008, in line with the funding for the UK federation. Funding profiles have been agreed until July 2011 for both services and contracts will be put in place following the May round of JISC Committee meetings. It is worth highlighting that no JISC core funding has currently been contractually agreed post July 2008. This is typical practice as we have to wait for our grants from the funding councils to be confirmed.

We will continue to monitor future funding requirements beyond July 2011 in line with the JISC Services Strategy. JISC will continue to work with Eduserv on developing and enhancing the Gateway services and to ensuring that institutions adopting alternative SAML-compliant technologies such as Shibboleth will continue to be able to access Athens-protected resources at no extra cost to the institution.

The gateways allow:

  • An institution using a SAML compliant technology such as Shibboleth to access Athens protected resources.
  • An institution using Athens to access federated resources through the UK federation. To enable this functionality, an institution must join the UK federation and declare that they wish to use Eduserv as their ‘outsourced identity provider’.

More information can be found on the Athens website and the UK federation website. Please note that institutions wishing to use the Athens - Shibboleth gateway will still be required to pay a subscription charge to Eduserv for direct Athens functionality - that is Athens acting on the behalf of the institution as an Identity Provider. Charging models can be viewed here.

There are no subscription costs for institutions adopting Shibboleth and using the Shibboleth-Athens Gateway.

If anyone has any concerns about use of these gateways please contact Nicole.

Posted in Joining the UK Federation, Uncategorized

Say Now Shibboleth

Posted by admin on 4th May 2007

There has been some confusion over the use of the word ‘Shibboleth’ in relation to federated access management within the UK, so I thought I would spend a Friday afternoon looking at some of the complexities and also providing some lighter anecdotes around the S word.

There are many factual and not-so-factual explanations of the origins of Shibboleth. In my collection:

There has been concern in the UK about the biblical implications of the name…and I think it is fair to say that the definition of Shibboleth as ‘a password’ is more commonly accepted in the US and that defining the origin of the word is sometimes not very helpful! It is more important to explain that Shibboleth software is an implementation of the SAML standard and was created by Internet2.

There has also been some confusion over the fact that JISC has appeared to move away from talking about Shibboleth — so have we changed our position?

Since 2002, JISC has been looking at improving the functionality of access management solutions for the UK. The primary drivers were to find a solution that was a) based on open standards and b) met the requirements for single sign-on to internal, external and collaborative resources. After extensive testing through the AAA Programme, Shibboleth emerged as an appropriate technology because it is based on SAML and met all other requirements. At the time, Shibboleth was the only SAML based solution to fill this gap…so inevitably got a lot of attention during the Core Middleware Programmes, which put in place the foundations for the UK Access Management Federation.

As we have moved on to 2007, I am now happy to say that there are lots of solutions that are based on SAML. One of the great things about open standards is that they open the market and give consumers more choices and greater freedom to move between choices. So, we now prefer to refer to federated access management and SAML-based technologies. These include Shibboleth, AthensIM, and Guanxi, and other commercial solutions such as Novell i-Chain have the potential to interact with SAML systems. So please feel free to explore the rich potential of Shibboleth - but remember there are other options out there!

A few confusion busters:

  • The UK Access Management Federation is physically built on Shibboleth technology as the WAYF and metadata infrastructures use Shibboleth. This does not mean you must have Shibboleth to interact.
  • JISC is not replacing Athens with Shibboleth. JISC is moving from funding a single technology to promoting the use of open standards to achieve federated access management.
  • The Athens technology is still available to purchase according to the cost model published by Eduserv.
  • JISC is committed to funding interoperability between Athens and the UK federation until July 2008, and has projected costs for support for this requirement until July 2010.

If all of that is too much there is always Shibboleth Art and of course Shibboleth Music.

Posted in Institutional Audit, Joining the UK Federation