Mark writes:

Had a couple of comments asking if the Institutional support ITT mentioned below ( Calling third parties ) means a change in the JISC position regarding the access management alternatives faced by institutions. Actually, far from it. Once the mechanisms are in place it will actually increase choice. At the moment a well resourced College is in a position to choose any of the three access management options, but a less resourced one may well find their theoretical choice narrowed down to one, in practice. We don’t want cost or sheer size (and therefore resourcing) of an institution to be the single determining factor in how they choose to solve access management issues, the whole issue is just so much more complicated than that. So the ITT is designed to give choice back to the smaller institutions most at risk of currently not having access to all the options. The regret is that the £225000 available for funding the support can only go so far.

And in my personal experience, once institutions have cost removed from an issue, they tend to choose very wisely indeed….

Mark writes:

JISC has just issued an ITT for third parties experienced in access management to bid to provide support to institutions who want to deploy a IdP. You might say that such support is already there, and to a degree much of it is. Particulary if you are an Institution employing an IT staff with the correct skill set, have an organised directory service, a significant subscription to JISC Collections resources and the strategic ambition to move forward on access management. However, and it is a big HOWEVER, its clear that there are enough institutions who can use the business case toolkit to determine that they want access management (and I mean the 100% proof type, not devolved outsourcing to a delegated authority), but who have also determined that its currently financially / technically out of reach. It is that group of institutions, which the successfull respondent to the ITT will be working with. The time will come for such institutions to submit applications for the help that the project will provide, but for the present - if you are a third party provider of access management support, with a desire to spend long hours setting up IdPs in grateful institutions all over the country - we want YOUR interest. And remember we encourage questions……

Nicole Harris writes

The team is currently attending and speaking (lots) at the Fall Internet2 meeting in San Diego.

Day One we are focusing on Identity Management and Collaborative Tools. My very brief presentation followed on from some really interesting overviews by Ken Klingenstein and Michael Gettes (Internet2) and James Dalziel (AARnet).

All of our presentations focused on the need for:

• taking identity management out of services, and managing separately in a federated approach.
• providing tools for users and managers to cope with the complexity of managing identities, groups, attributes etc.

I was really happy, as nobody talked about having multiple identities, but the complexity of our relationships and rights in relation to member institutions and services.

Interesting developments are the COmanage and IAMSuite tools. These are bringing together a host of promising, but not complete solution tools: ShARPE, Grouper, Signet, MyVOCs and beginning to address some of the real interesting use cases behind the interest in more high profile tools such as OpenID and CardSpace.

Definitely a space to watch and one that will be growing.

Other points and questions from the session:

• Moving away from the idea of shib-enabled, iamsuite-enabled, federated etc. We just want well-behaved aps that will consume external identities and identity information. SAML compliance is clearly important here, but perhaps not the final answer.
• What should be on my identity management ‘dashboard’ to actually help me managed my identity?
• Should all group management tools be able to provide and release information about all group members?

Thirty JISC services attended an internal briefing event on 28^th September to learn more about the UK’s plans for federated access management. During the day service managers were asked to consider joining the UK federation and to adopt new standards-based access management technology to ensure consistency across JISC services for users and to enhance current and future service provision. For example, JISC Services (even those that provide free, unrestricted access to their service) could personalise their service eg. ‘my saved searches’, ‘my favourites’ and email alerts by using federated access management software through the use of attributes. They could also use the same software to provide authorisation for other services such as for their website content management system, wikis, blogs and other social software. Two JISC Services, JISCmail and EDINA, demonstrated how they had already implemented federated access management software.

JISC itself is soon to go out to tender for a directory service that will enable JISC staff to use single sign-on for its own internal services. The directory service will act as an Identity Provider (IdP) using federated access management software. JISC Collections and Regional Support Centres (RSCs) staff will be provided with a new username and password via this service for demonstration purposes, replacing the Athens ID they use at the moment.

Services staff also learned about changes to the JISC model licence which now requires publishers to join the UK federation and adopt federated access management technology and about recent JISC development projects in the area of identity and access management.

Attendees welcomed the fairly non-technical content of the presentations and the opportunity to ask questions during the panel sessions. Feedback from the day has been very positive - one attendee said “I got more out of it than I was expecting and made useful contacts for future work.”

Presentations from the day will be up on the JISC website soon at:

The following institutions are deemed as ‘aware but not quite there’ in terms of joining the UK federation. This means that we think the institutions listed are well aware of the introduction of the UK Access Management Federation, but are currently hitting barriers preventing them from taking forward the application to join. If you work at one of these institutions and can give us any more information, we would love to hear from you - particularly to discuss what those barriers might be.

Aston University
Bishop Grosseteste University College
Bournemouth University
Buckinghamshire Chilterns University College
Canterbury Christchurch University College
City University
Cranfield University
Dartington College of Arts
Edinburgh College of Art
Harper Adams University College, Newport
Institute of Education
Liverpool Hope University College
Newman College
North East Wales Institute
Norwich School of Art & Design
Oxford Brookes University
Ravensbourne College of Design and Communication
Roehampton University
Rose Bruford College
St Marys College
Swansea Institute of HE
The University of Northampton
University of Bedfordshire
University of Lancaster
University of St Andrews
University of Teeside
University of Wales College, Newport
University of Wales, Bangor
University of Winchester
York St John University

The following HE institutions are deemed as ‘nearly there’ in terms of joining the UK federation, i.e. we are fairly sure that we will see a membership request popping up fairly time soon. If you work at one of these institutions and can give us any more information, we would love to hear from you!

Glasgow Caledonian University
London Metropolitan University
Manchester Metropolitan University
Open University
RHUL
University of Birmingham
University of Brighton
University of Hertfordshire
University of Reading
University of Sheffield
University of Ulster

For Category 2 institutions, please see the next post.

Encouraging institutions to join the UK Access Management Federation, regardless of the technology choice made, is the priority for my team at the moment. We will shortly be writing to all Vice Chancellors and Principals to highlight both the importance and the ease of joining the UK federation, and to support this I was asked to categorise all HE institutions in to groups according to their current readiness to make this move.

It seems silly not to generally share this information for a variety of reasons - but most importantly to make sure that we have a good understanding of the status and position of each HE institution. All of the information we have compiled in based on previous contacts and discussions, but might not reflect the true status of an institution. The following posts summarise the position that we think institutions have reached - and we are incredibly keen to hear from each and every HE institution in the UK to make sure that we have got this right!

Two final points:

• many thanks to the 56 HE institutions that have already made the move and joined the UK federation - you can relax.
• we haven’t forgotten FE, and will shortly be announcing some new measures to support uptake for FE institutions.

Representatives from the UK Access Management Federation and JISC Outreach team attended the first ever International federation peering workshop in Prague last month to discuss the main drivers and possible use cases for inter-federation operability. Many countries were represented at the meeting, mostly from Europe but also from Australia, the United States, Japan and Brazil. There was very lively discussion at the workshop about various issues including federation models, levels of assurance, the use of attributes and privacy.

Different federation models and their definitions were discussed including confederation (agreement among several federations), peering (agreement between two federations) and leverage (membership of smaller federation and also an overarching federation). In particular we talked about how these models might work across different sectors eg. public sector and government, business and social and across international borders.

Levels of assurance and attributes are important issues to consider for inter-federation operability and some policy work on this is being carried out by JISC on a study looking at commonalities between national access management federation policies. It is important all members of federations have trust in the federation they are have a peering or confederation agreement with, particularly with regards to issues relating to the exchange of information about users and resources eg. levels of assurance for the protection of user’s privacy. Agreement on the levels of assurance and agreeing to a standard set of attributes will be important to the operability between federations.

Participants were asked to identify possible use cases for inter-federation peering or confederation, particularly where this would aid collaborative work and sharing of resources available at other institutions.

OpenID also seemed to be a hot topic, and there is currently some work being done on interoperability between SAML-based federations and OpenID.

We all know the trick to getting the best fastest piece of IT kit for your buck. -Locating the speed bottle neck. Its no use buying a hyper fast graphics card, if the speed of onboard memory is too slow, or having a fast shooting Digital SLR Camera if the compact flash card has a slow write speed. Well its the same with access management. So much of what we do in improving access to content depends on every link in the chain. One element which we tend to look at least (maybe because it doesn’t have a technical standard linked to it?) is licensing.

24/7, remote, finely grained access to content only happens when the license permits it too.

Lets not forget we need 21st century licenses for 21st century technology.

Tags: jisc-serv-am-briefing