Do you know who I am?
Posted by admin on 31st May 2007
I have been asked by many people about OpenID and its role in the UK federation infrastructure. Rather than write about this myself, I am going to quote James Dalziel (see quotes below) who recently made an excellent post on this issue to the JISC Shibboleth list. You may also be interested in a recent Ariadne article by Andy Powell that looks at OpenID in more detail.
OpenID is a great, simple technology for fostering single-sign-on among some web applications. Many of the core concepts of OpenID are similar to Shibboleth (in particular, applications don’t manage users themselves; instead, they rely on a separate identity service), so the growth of interest in OpenID is helping us to move away from the endless proliferation of names and passwords, and towards more efficient handling of identity. However, there is a key difference between most OpenID use and national Shibboleth implementations like the Australian Access Federation (AAF). In the OpenID world, a person can claim to be anyone they like when logging in to a service using OpenID. If I create an OpenID account called “Bill Gates”, then use this to log into your blog to post a comment, then the comment will come from Bill Gates.
In the case of the AAF, your home institution (eg, university) stands behind the Shibboleth assertion that you are who you say you are, and, for example, that you are a staff member (not a student). This trusted assertion is a combination of home institution policy and practices (eg, how your institution establishes who you are and your attributes) as well as the technology component enabled by Shibboleth.
This is, of course, equally true of the UK Access Management Federation, and it is a required process for two reasons. In a trust network, Service Providers can fairly easily accept that an institution can be trusted to follow agreed identity management procedures and to authenticate end-users properly. It is also the institution, not the end-user, that buys access to a large variety of licensed external resources. The challenge for the educational community now is to understand its relationship to identity and learning outside of this traditional model.
This difference between OpenID and Shibboleth is fundamental and important for the formal education and research environment - if I can assert anything I like about myself, this creates many potential risks. That’s not to suggest there are no potential risks with the AAF, but the level of trust behind assertions is of a significantly different kind. On a different note, the Shibboleth community has been closely tracking OpenID, and hopes to soon support OpenID as an alternative assertion that can be made from a trusted Shibboleth Identity Provider - this means you can use your trusted home institution login for both Shibboleth federation logins, as well as any wider OpenID logins. Of course, this doesn’t stop anyone from having separate OpenID identities if they choose, and potentially in the future, associating (or not!) these external OpenID identities with their trusted home institution login.
JISC is also interested in other models of identity management, and in particular in provision for ‘orphans’ who do not have an institution to provide them with a set of authentication credentials. Both TypeKey and ProtectNetwork provide this functionality within the UK federation. It is important to note that these services only provide you with authentication credentials. Authorised access still has to be established with the Service Provider being accessed. This often means additional verification, and the release of personal details (such as an e-mail address) to make that verification possible.
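As an added illustration of the distinction James draws above between a self-asserted OpenID identity and an assertion an institution stands behind, and of the authentication/authorisation split in the previous paragraph, here is a model of a Service Provider's trust decision. This is not code from the post, the UK federation or Shibboleth: the entity IDs, keys and timestamps are constructed, and an HMAC stands in for the XML signature a real IdP applies.

```python
import hashlib
import hmac
import json

# Constructed federation metadata: trusted IdP entityIDs and verification keys
# (a real federation distributes X.509 certificates in signed SAML metadata).
FEDERATION_METADATA = {
    "https://idp.example.ac.uk/shibboleth": b"constructed-idp-signing-key",
}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"  # constructed

def sign_assertion(assertion, key):
    """Canonicalise and sign an assertion; HMAC stands in for XML-DSig."""
    payload = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def evaluate_assertion(assertion, signature, now, metadata=FEDERATION_METADATA):
    """Return (status, trusted_attributes, self_asserted) for one login.
    Attributes count as trusted only in a correctly signed assertion from an
    IdP in the federation metadata, addressed to this SP and still valid;
    what the user chose about themselves never drives authorisation."""
    self_asserted = dict(assertion.get("self_asserted", {}))
    key = metadata.get(assertion.get("issuer"))
    if key is None:
        # No institution in the federation stands behind this issuer.
        return "unverified", {}, self_asserted
    if signature is None or not hmac.compare_digest(
            sign_assertion(assertion, key), signature):
        return "rejected", {}, {}  # forged or tampered assertion
    if (assertion.get("audience") != SP_ENTITY_ID
            or now >= assertion.get("not_on_or_after", 0)):
        return "rejected", {}, {}  # meant for another SP, or expired
    return "trusted", dict(assertion.get("attributes", {})), self_asserted

# Constructed sample: a federation IdP asserts that the user is staff.
IDP_ASSERTION = {
    "issuer": "https://idp.example.ac.uk/shibboleth",
    "audience": SP_ENTITY_ID,
    "subject": "_a7f3e2b9c1",        # opaque, transient identifier
    "not_on_or_after": 1180612800,  # constructed epoch timestamp
    "attributes": {"eduPersonScopedAffiliation": "staff@example.ac.uk"},
}
IDP_SIGNATURE = sign_assertion(IDP_ASSERTION, FEDERATION_METADATA[IDP_ASSERTION["issuer"]])

# Constructed sample: an OpenID login where the user simply chose a name.
OPENID_ASSERTION = {
    "issuer": "https://openid.example.net/",
    "subject": "https://openid.example.net/billgates",
    "self_asserted": {"displayName": "Bill Gates"},
}
```

The OpenID login still authenticates the holder of that identifier, but the SP gets no attribute it can base authorisation on, which is why the extra verification step described above is needed.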
This is not to say that Shibboleth can do everything today. The management of self-asserted attributes is an evolving area, but the MAMS work on the Autograph personal privacy management tool has made some progress in this area. The issues associated with retaining identities as people move between different educational organisations will also need further work - but the concepts of “account linking” from the related Liberty Alliance work seem to be the promising way to take this forward. And as noted, adding an OpenID module to Shibboleth will be very useful for those who want both approaches together.
Tools that allow end-users to better manage their identities and rights will be of growing interest in the JISC community as more and more institutions adopt federated access management and tackle the challenges of lifelong learners, student mobility and the growth of learning experiences outside the institutional infrastructure.
But the lack of trust in OpenID is a serious problem for its widespread use in the formal education and research sector; whereas “real trust” is a core component of the AAF work that sits behind Shibboleth.
Thanks James
Posted in Authorisation, Authentication, Identity Management