Comments on: Opinions Wanted

By: Max Hammond

Max Hammond — Thu, 12 Jun 2008 13:59:22 +0000

At a discussion I was at yesterday with senior IS/IT managers, several people suggested that institutional managers would benefit from sharing ideas on how to secure buy-in, budget and staff time to develop their access management solutions. Various “trojan horses” were discussed as ways of getting the issue onto the table: lifelong learning networks, phsyical ID card access systems, and so on: various ways of selling the internal benefits of FAM. Perhaps there could be further opportunities for sharing these sorts of experience in confidence?

The Business case toolkit and supporting case studies which we prepared may provide some help in this regard.

By: Scott Wilson

Scott Wilson — Wed, 11 Jun 2008 14:45:31 +0000

At CETIS we were planning to do some consultation with the eLearning community to develop scenarios for exploring the use of oAuth; that would potentially be something that could feed into the programme planning. However, we weren’t planning on doing this until September.

By: Malcolm Teague

Malcolm Teague — Thu, 05 Jun 2008 12:36:33 +0000

I would like to support the suggestion of more work on account linking, particularly at the interface between Education and Research and other sectors. My interest of course is the interface with the NHS and as you know we are in discussions with the National Library for Health in England about the opportunities presented by SAML based federated access management. At the moment though this is about joint working with the two (at least)separate accounts for staff and students working across the two sectors but the holy grail is that the resource entitlements are merged seamlessly in some way.

By: Amber Thomas, JISC

Amber Thomas, JISC — Thu, 05 Jun 2008 08:26:17 +0000

At a discussion I was at yesterday with senior IS/IT managers, several people suggested that institutional managers would benefit from sharing ideas on how to secure buy-in, budget and staff time to develop their access management solutions. Various “trojan horses” were discussed as ways of getting the issue onto the table: lifelong learning networks, phsyical ID card access systems, and so on: various ways of selling the internal benefits of FAM. Perhaps there could be further opportunities for sharing these sorts of experience in confidence?

By: Alistair Young

Alistair Young — Wed, 04 Jun 2008 09:21:30 +0000

What do you mean by “toolkits across the community”? Are we allowed into the core code? i.e. to get rid of the griffin page. A lot of sites would like to customise/brand/document the error displayed by an SP. A small enhancement to the Shibboleth profile could provide that. Is that level of shibboleth code access allowed?

By: Alistair Young

Alistair Young — Wed, 04 Jun 2008 09:19:42 +0000

How about remote access management for electronic resources. With Athens, quite fine grained access could be done using permission sets, by institutional staff. With the move to shibboleth, that dynamic capability has gone. Allowing institutional staff to create sub collections of resources based on attributes and values, without having to go through a manual process of phoning the supplier and explaining it and having to go through them to update the attributes/collections.

By: Cal Racey

Cal Racey — Wed, 04 Jun 2008 08:10:15 +0000

Development of toolkits across the community would be very desirable. Once an institute has deployed shibboleth successfully they largely have to figure out how to use it themselves. Shibboleth has many different usage patterns and is usable in many different programming languages, making this a very complex decision, with little information in the community on how to do it. I would like to see example code and configuration for the major web application programming languages (java, php, .net, python, ruby, perl)when used on apache, IIS, and via connectors like mod_proxy/fastcgi. The examples could be how to consume shib headers, how to use lazy sessions, how to use session initiators to direct users to different wayfs in one app(eg “Americans login here, Brits here”), how to give meaningful error messages to unauthenticated users that enable them to remedy the problem, how to use shib to set up an application specific sessions (one of the easiest integration techniques). What the implications are about session timeouts e.g. if your session timesout in a long wiki edit all the editing is lost (shib relogin kills post data).

By: Andy Powell

Andy Powell — Wed, 04 Jun 2008 07:43:27 +0000

The “user experience” of OpenID interactions is well recognised as being an area that needs more work - hence the development of services like Clickpass and so on. I guess that the same can be said of the Federation. On that basis, funding activities that develop innovative approaches to hiding the R/SP->[WAYF]->IdP->R/SP chain or that simply try to make recommend good practice in this area might be worthwhile?

Andy.