JISC Access Management Team

moving towards federated access management

Multiple Me

Posted by admin on July 22nd, 2007

I gave a talk to a very small and select group of people at the JISC Digitisation Conference last week. I wasn’t surprised by the size of the group… I would rather have talked about other things than access management at the digitisation conference! We did have a very interesting debate in the session though, and the question of ‘multiple identities’ came up.

As I’ve previously mentioned, I dislike the phrase multiple identities but, that aside, an interesting question sprang up: isn’t JISC adopting SAML and Shibboleth technologies to solve the multiple identity problem?

The simple answer to this is no. The more complex answer follows…

We cannot get away from the fact that we all have multiple sets of credentials to access multiple different resources based on our different affiliations (institutions, membership bodies, banks etc.) and the different personae we present. It is a problem that needs addressing, but I think we have a long way to go. This is summed up in the steps below:

  1. Put the framework in place so we can even start thinking about managing identities in a joined up way. This has to mean the promotion of open standards and systems that can interoperate and talk to each other rather than locking us in. I think that SAML is currently the most promising route for doing this.
  2. Get basic identity management right. Most institutions that I talk to who are going through the process of adopting federated access management will quite readily admit that their identity management processes are a mess and the hardest piece of work is getting basic information held in a meaningful manner.
  3. Question the number of credentials held and get rid of all of the usernames and passwords that we can. I want as few identity managers as possible with a focus on trusted affiliations (my bank, my institution, the passport office) where a high level of verified identity management is required and preferably just me when low or no verification is needed such as when I am only expressing persona information (blog comments etc.). The easiest ones to get rid of are of course all of the Service Providers who are also carrying out identity management when they don’t need to - and this includes institutions themselves!
  4. At this stage, then question the number of credentials left and the role that educational institutions have to play in managing these or supporting user centric management.
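Steps 1 and 3 together describe a Service Provider that holds no username or password at all: it accepts an affiliation asserted by a trusted institutional IdP over SAML and decides access on that. The following Python is an added example, not code from this post, from JISC, or from the Shibboleth project, showing the checks an SP still has to make on such an assertion after the signature on the enclosing Response has been verified by the SAML stack in front of it. The IdP and SP entity IDs, the permitted scopes and the assertion itself are all constructed for the example; the eduPerson attribute OIDs are the standard ones.

```python
"""SP-side consumption of a SAML 2.0 attribute assertion (added example).

The SP trusts attributes asserted by a federation IdP, decides access on
affiliation, and keys any local state off a pairwise pseudonym
(eduPersonTargetedID) rather than a username it manages itself.
Signature verification is assumed to have happened already upstream.
"""
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# eduPerson attribute OIDs as carried in SAML 2.0 attribute statements.
EPSA_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"    # eduPersonScopedAffiliation
EPTID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"  # eduPersonTargetedID

# Hypothetical federation metadata, constructed for this example: the IdPs
# this SP trusts and the scopes (domains) each one is permitted to assert.
TRUSTED_IDPS = {"https://idp.example.ac.uk/idp/shibboleth": {"example.ac.uk"}}
SP_ENTITY_ID = "https://sp.example.org/shibboleth"     # hypothetical entity ID
ALLOWED_AFFILIATIONS = {"member", "staff", "student"}  # the licence terms, in effect

# Constructed sample assertion, as an IdP would send inside a signed Response.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2007-07-22T12:00:00Z">
  <saml:Issuer>https://idp.example.ac.uk/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t0</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2007-07-22T11:55:00Z" NotOnOrAfter="2007-07-22T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>student@example.ac.uk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10">
      <saml:AttributeValue>
        <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
            NameQualifier="https://idp.example.ac.uk/idp/shibboleth"
            SPNameQualifier="https://sp.example.org/shibboleth">3f1c9a</saml:NameID>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAMPLE_NOW = datetime(2007, 7, 22, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LATER = datetime(2007, 7, 22, 12, 30, 0, tzinfo=timezone.utc)


def _ts(value):
    """Parse a SAML UTC timestamp such as 2007-07-22T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_assertion(xml_text, now, trusted_idps=TRUSTED_IDPS, sp_entity_id=SP_ENTITY_ID):
    """Validate an already signature-checked assertion and return what the SP
    will act on.  Raises ValueError on the first failed check."""
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in trusted_idps:
        raise ValueError(f"untrusted issuer {issuer!r}")

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no bounded validity period")
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if now >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion has expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP")

    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = []
        for av in attr.findall("saml:AttributeValue", SAML_NS):
            nameid = av.find("saml:NameID", SAML_NS)  # eduPersonTargetedID is a NameID
            values.append(((nameid.text if nameid is not None else av.text) or "").strip())
        attrs[attr.get("Name")] = values

    # Scope check: an IdP may only assert affiliations for domains it owns,
    # otherwise any federation member could claim to be staff anywhere.
    affiliations = set()
    for scoped in attrs.get(EPSA_OID, []):
        affiliation, _, scope = scoped.partition("@")
        if scope not in trusted_idps[issuer]:
            raise ValueError(f"{issuer!r} may not assert scope {scope!r}")
        affiliations.add(affiliation)

    targeted = (attrs.get(EPTID_OID) or [None])[0]
    return {"issuer": issuer, "affiliations": affiliations, "targeted_id": targeted}


def authorise(result, allowed=ALLOWED_AFFILIATIONS):
    """Licence-style decision: any permitted affiliation grants access."""
    return bool(result["affiliations"] & allowed)


def rejection_reason(xml_text, now):
    """Return None if the assertion is accepted, else the reason it was refused."""
    try:
        consume_assertion(xml_text, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    ok = consume_assertion(SAMPLE_ASSERTION, SAMPLE_NOW)
    print("accepted:", ok, "access:", authorise(ok))
    print("expired:", rejection_reason(SAMPLE_ASSERTION, SAMPLE_LATER))
    print("wrong scope:", rejection_reason(
        SAMPLE_ASSERTION.replace("student@example.ac.uk", "staff@other.ac.uk"), SAMPLE_NOW))
```

The point of the example is what is absent: the SP never sees a password and never decides who the user is. It checks that the issuer is in its federation metadata, that the assertion is addressed to it and still live, and that the scope of the affiliation is one the issuing institution is entitled to assert; the persistent targeted ID is all it needs to remember the user between visits, which is the "few credentials, trusted affiliations" position of step 3 in practice.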

There are of course technologies available that point towards user-centric identity management such as CardSpace and OpenID. The difficult question is not the technology, but whether or not institutions can manage and base their own business processes on a technology and infrastructure that is user-centric rather than institution-centric. This is part of the wider debate around the infrastructure services that institutions offer end-users, such as whether or not we need to give all users an institutional e-mail address when they are already likely to have access to several different e-mail accounts on enrolment.

In the world of identity management, the question has to be how much value does the end-user place in having an institutional identity and how much use will they make of it? The answer to this is likely to be very different for undergraduates to postgraduates to staff. I think this also links in to the comments that Andy Powell has recently made on multiple identities within the education sector. I don’t think multiple identity credentials should ever exist just to service access - they should only exist if we place value in having and using that identity.

Whilst institutional licensing still exists as the main approach for getting access to commercial resources, I can’t see the institutional identity disappearing. It is still interesting to explore the approaches that might be taken by institutions if this landscape did significantly change.
