JISC Access Management Team

moving towards federated access management

Archive for October, 2008

Too short a season

Posted by markwilliams on 22nd October 2008

At the co-sponsored JISC Collections / RSC NW / RSC Yorkshire and Humber event today. These events tend to be fairly informal, as they are done on a regional basis, and participants often come for just a few hours - which is perhaps an indicator of how time-pressed IT staff and Librarians are in FE. It’s a reminder that sometimes the major factor in FE IT / LRC decisions is not what’s the best technology, or the cheapest in the long run, or the most future proof; the big leverage is actually just “what can I implement in the time frame available”. It’s a factor that probably had a significant role in some FE institutions not deploying their own IdP last academic year – however we now have a full year ahead, and institutions should be able to plan a migration to running an IdP to the beat of their own drum, if they so wish.

Normally I’m at these events principally to disseminate and present but today what I really want to do is to learn. So the question to institutions that have not deployed an IdP will be “Why not?” and hopefully the answers will inform some of the support we provide this academic year.

Posted in Authentication, events | No Comments »

Internet2: Institutional Use Cases for Federated Identity

Posted by nicole on 15th October 2008

Bruce Vincent is first up in this session with “Registrars who federate and the middleware junkies who love them for it”.

The National Student Clearinghouse is a place for students to go to prove their enrollment at institutions and to get transcript verification. I’ve had several conversations with people over the years about online processes for verifying degrees - something we don’t really have in the UK so this is interesting with the access management angle.

At the moment the clearinghouse has to deal with a lot of personal data from a lot of individuals and schools - and nobody really wants to do this. Applications like shibboleth make sense in these situations. To make this work Stanford has been mapping shibboleth attributes to the PESC standard (which allows for electronic exchange of transcript information). The registrar is apparently very pleased with the results!

A lot of comparisons to the work in MIAP.

Currently the work between Stanford and the Student Clearing House is just a pilot…it will be interesting to see if this comes to fruition.

————-

Next up is InCommon’s work with TeraGrid, again similar to the work in the UK to use shibboleth within the framework of the National Grid Service. It’s all very similar for those of you who are familiar with the JISC work with the NGS, but good to see that we are not the only country thinking along these lines. TeraGrid has quite a neat User Portal for administrative functions, and this is where they are starting to implement shibboleth log-ins. This will then be rolled out across TeraGrid resources, training materials etc. etc.

Account linking is the main process used, linking a shibboleth account to a TeraGrid account using either ePPN or ePTID.
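The account-linking step described above, as an added illustration (not TeraGrid or Internet2 code): a service provider keys its local accounts on the identifier the IdP released, preferring eduPersonTargetedID over eduPersonPrincipalName. The entity IDs, the in-memory link store and the `idp!sp!value` layout of the ePTID string (the form the Shibboleth SP exports by default) are assumptions for the example; the checks reflect the properties of the two identifiers, namely that ePTID is pairwise (only valid for the SP it was minted for) while ePPN is readable but may be reassigned by an IdP after its original holder leaves.

```python
from dataclasses import dataclass, field
from typing import Optional

# Entity ID of this SP (constructed for the example).
OUR_ENTITY_ID = "https://portal.example.org/shibboleth"


@dataclass
class AssertionAttributes:
    """What the SP software hands to the application after a SAML login."""
    idp_entity_id: str                # who asserted the attributes
    eppn: Optional[str] = None        # eduPersonPrincipalName, e.g. "jdoe@uni.example.edu"
    eptid: Optional[str] = None       # eduPersonTargetedID, opaque and pairwise


@dataclass
class LinkStore:
    """Federated identifier -> local account name (in-memory for the example)."""
    links: dict = field(default_factory=dict)


def parse_eptid(raw: str) -> tuple:
    """Split an ePTID written as 'idp!sp!value' (assumed export format)."""
    parts = raw.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed eduPersonTargetedID")
    return tuple(parts)


def federated_key(attrs: AssertionAttributes) -> tuple:
    """Pick the identifier the link is keyed on.

    ePTID is preferred: it is persistent, scoped to this SP (so it cannot be
    correlated across services) and is not reassigned. ePPN is the fallback;
    because an IdP may hand the same ePPN to a different person later,
    ePPN-based links are the ones to re-verify periodically.
    """
    if attrs.eptid:
        idp, sp, value = parse_eptid(attrs.eptid)
        if sp != OUR_ENTITY_ID:
            # A targeted ID minted for another SP must never be accepted here.
            raise ValueError("eduPersonTargetedID not issued for this SP")
        if idp != attrs.idp_entity_id:
            raise ValueError("eduPersonTargetedID qualifier does not match asserting IdP")
        return ("eptid", idp, value)
    if attrs.eppn:
        if "@" not in attrs.eppn:
            raise ValueError("eduPersonPrincipalName must carry a scope")
        return ("eppn", attrs.idp_entity_id, attrs.eppn)
    raise ValueError("no linkable identifier released by the IdP")


def link_account(store: LinkStore, local_account: str, attrs: AssertionAttributes) -> None:
    """Record that the federated identity in `attrs` belongs to `local_account`.

    Only call this after the user has proven ownership of the local account
    (for example by logging in with the existing local credential in the same
    session); otherwise anyone with a federated login could claim any account.
    """
    key = federated_key(attrs)
    existing = store.links.get(key)
    if existing is not None and existing != local_account:
        raise ValueError("federated identity already linked to a different account")
    store.links[key] = local_account


def resolve_account(store: LinkStore, attrs: AssertionAttributes) -> Optional[str]:
    """Return the local account for a federated login, or None if not yet linked."""
    return store.links.get(federated_key(attrs))


def linking_error(fn, *args) -> Optional[str]:
    """Run a linking operation and return its rejection reason, if any."""
    try:
        fn(*args)
        return None
    except ValueError as exc:
        return str(exc)
```

The SP-side software normally also checks that the scope of an ePPN is one the asserting IdP is entitled to use according to federation metadata; that check is outside this snippet, which only refuses unscoped values.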

————

A demo of iTunesU completes the session. I don’t think there is much use of iTunesU in the UK at the moment, but there is development going on at the Open University, UCL and the Universities of Cambridge and Oxford. At the moment, access is only available to the host organisation: Cambridge would not be able to provide access to resources on its iTunesU to students from UCL for example. Apple are interested in looking at this, but are very much aware of the complexities of copyright that this would throw up so are understandably cautious! I have of course sent on information about joining the UK federation…

Posted in Authentication | No Comments »

Internet2: Google Apps for Education at University of Southern California

Posted by nicole on 15th October 2008

Finally getting used to securing the seat near a plug point :-)

This session is from the University of South Carolina on the implementation of Google Apps. Of interest to me because they rolled it out with shib, because I use Google Apps for all of our team files and calendaring, and because I am always trying to convince people that it *might* be a good option to explore for JISC given our limited capability for internal spend on applications and hardware.

USC started with a focus on improving the e-mail service for students. At the project start they were providing e-mail accounts to 38,000 students, 75 MG per student account…but most students were forwarding their e-mail, and most were forwarding to Google! It seemed silly to try and compete.

The service was rolled out with shib 2.0 (USC did not want to provide enterprise passwords to Google), forwarding e-mail rather than changing DNS. This gave USC finer control over the need to disable accounts etc. - particularly without impacting on other Google Apps services. It also allowed departments to opt out of using Google if they had a different preferred supplier.

Students were asked to opt-in rather than being forced across to Google. There were also issues with potential helpdesk queries as these would all be handled by USC and not Google.

Privacy: you have to give Google first name, last name and e-mail address for all individuals. If a document is shared with other Gmail users, name and e-mail details can easily be revealed outside the USC domain.

Choice: students did not automatically migrate - only about a third opted in. This was lower than expected.

Limitations: no means of renaming an account with Google (USC does 200+ account renames a year), Google requires a first and last name (which not all students at USC have apparently), account names at USC could not be renamed (similar to discussions in the UK about reusing IDs!).

Main message seems to be that it took a very long time to integrate properly with the USC enterprise services. It is only easy if you throw Google Apps up as a completely separate service - but this was not what USC wanted.

Other issue: don’t forget to include your registrar in the process from the very beginning :-)

Posted in Authentication | No Comments »

Internet2: Federation Soup

Posted by nicole on 14th October 2008

Federation Soup is the term used to describe the complexity of making different approaches to federated access work together. It’s a problem many of us have been working on for some time.

The US starts with the issue of working across state federations and the Internet2 sponsored InCommon federation. Differing State laws are something I am very pleased we don’t have to deal with in the UK.

I gave an update on some things the US might be interested on with regard to the UK - including showing off NewsFilmOnline as an example of a federated application:

[Embedded SlideShare presentation: I2 Fedsoup]

InCommon and the UK federation have been working on an Interfederation agreement for some time. If you are interested in the technical requirements behind this, see Ian Young’s blog.

Posted in Authentication | No Comments »

Internet2: C-SPAN Library

Posted by nicole on 14th October 2008

The second presentation in the general session is on the C-SPAN Library - again, apologies for being off-topic today.

The C-SPAN Library Archive plans to create an online, Indexed, accessible, digital video collection of all C-SPAN Programming from 1987 - present, including 150,000 hours of programming. C-SPAN captures important political recordings as a public service, and the archive seeks to make this resource a permanent record.

I’m using NewsFilmOnline as an example of a federated resource in the UK in a session later today and it is interesting to look at the comparison with C-SPAN. The sustainability question that is being closely examined by the Strategic Content Alliance is also of interest - C-SPAN receives no government funding but is funded by fees paid by cable and satellite affiliates who carry C-SPAN programming.

The service has a lot of advanced searching capability, including the ability to track usage of certain words within congress. This is interesting for organisations such as Internet2 and JISC as hot-topics can be tracked across debates, speeches and other recorded events.

Posted in Strategy and Policy, events | No Comments »

Internet2: General Session

Posted by nicole on 14th October 2008

After the usual welcome from Doug and being treated to a New Orleans tradition of being bombarded with Mardi Gras beads, the general session will start with an update from Tulane University on the impact of Hurricane Katrina.

Scott Cowen highlights the fact that New Orleans is still a tale of two cities. Whilst the French Quarter and business district now show little sign of the impact of Katrina, the residential areas are still struggling. It is important that events like Internet2 keep on coming to New Orleans - and this is the best sign of support for the city. Katrina was the worst storm to hit the US in over 100 years.

Tulane University itself survived the storm very well due to its hurricane planning strategy. It was the breaking of the levees that caused damage - putting a significant part of the university underwater. Much of New Orleans was under water for 57 days - and Tulane University had to close its campus for an entire semester. The cost to the University was $650 million dollars.

Scott also reveals that his own escape plan included hot wiring a golf cart - not something usually required of a University President :-)

The Tulane University survival plan:

  1. To keep everyone on payroll for as long as possible;
  2. To reach out to the Higher Education community and ask other institutions to support Tulane students;
  3. To reopen in January 2006 regardless.

These were all achieved, with an impressive response from other US universities to support Tulane students.

The ultimate challenge proved not to be making the campuses reusable - the problem was the fact that the rest of New Orleans was still not functioning making it impossible for staff and students to practically live in New Orleans.

  1. All of the K-12 schools were closed - Tulane managed to get its own small campus school formally chartered and opened this with over 1000 students.
  2. Over 4000 staff and students did not have housing. Tulane’s response?? They bought a cruise ship!
  3. Students needed to be re-recruited. 87% of students returned.
  4. There were no hospitals open: Tulane opened a street-corner clinic which has now been adopted as a model across New Orleans.

The major impact was a complete change in the attitude of the University in relation to the city of New Orleans itself and its responsibility as a major business and employer. All students are now required to do some form of public service whilst they are studying at Tulane.

Tulane’s efforts are now being rewarded by unprecedented applications from students, excellent staff retention and strong research activities.

The negatives? Still having to sue insurance companies, still $200 million out of pocket, still dealing with negative reactions to working with New Orleans.

Apologies for blogging off-topic, but this was too interesting not to capture - a real insight in to the true impact of Katrina.

Posted in Strategy and Policy, events | No Comments »

Internet2: Students as Content Creators

Posted by nicole on 14th October 2008

I’m having a break from shibboleth this morning and attending a session on students as content creators. This is looking at different ways to encourage children and university students to create more content online. This includes looking at video-creation, online voting to support interaction with the US elections, and online debating tools.

These are interesting initiatives showing schools working closely with commercial providers. Two of the big issues: anonymity and IPR. This is only being dealt with on a school by school basis at the moment and is highlighting the fact that policy and risk management in the approach to these two issues are wildly different. Responsibility is clearly passed back to the institution.

Posted in Authentication | No Comments »

Internet2: Shibboleth Working Group

Posted by nicole on 13th October 2008

The Shibboleth Working Group is not the natural habitat for policy focused people like me. Apologies, but we are about to get technical.

Chad La Joie (shibboleth IdP architect guru) is talking about shibboleth 2.1 and new features: particularly the introduction of the ability to explicitly deny the release of certain attributes. 2.1 should be out sometime this week. The usual question has come up - is now the right time to upgrade from 1.3?? Internet2 are keen to move people across to shib2 and of course this will have the benefits offered by SAML2, but it seems to me that most people in the UK federation can happily stay on 1.3 for now.

Now we are talking about the inability to stop people from doing dumb things - the over-riding message being don’t ignore the things in bright red boxes in the installation guides on the Internet2 spaces wiki. Back-ups, change-logs also good :-)

The wiki is also the place to look at the Shib2.2 roadmap.

User Consent is again the hot topic for shib2.2. Shib2.2 will have user consent attribute release capabilities based on the SWITCH Arpviewer that I mentioned a couple of weeks ago.

The rest of the session was covered by Scott Cantor who looks after the SP side of shib. Not so many new features on the SP side but a lot of bug fixing (mostly working through Apache bugs!).

The final slot looked at something that has been on the wish-list for some time: n-tier access. This is still something that is being scoped and is not a promised feature, but the shib team is working on a use-case based around delegation in u-portal. It looks like this will be interesting stuff to track. Some of the questions include SOAP or REST?, links to Kerberos (more important in the US than back home), links to Info Cards, and the emergence of OAuth. More information on the Shib2.2 Roadmap.

Posted in Authentication | 3 Comments »

Internet2: InCommon Forum

Posted by nicole on 13th October 2008

The first update from the Internet2 Fall Member meeting, in New Orleans this time. This is the first formal session that I am attending at the meeting although I was at a general update on ‘Federation Soup’ yesterday (how we manage the relationships between different federations across different sectors) and have also managed to fit in a bit of sightseeing!

The InCommon forum is an opportunity for the members of InCommon to talk about their campus implementations of Shibboleth and other federated solutions. Some of the problems are very similar to the UK, although the primary usage drivers for US institutions tend to be internal applications and not commercial third-party resources. Shibboleth was after all initially designed for those scenarios and not the library-focused application that we see in the UK. This is a refreshing reminder after a couple of weeks of people arguing with me that shib is not designed for use with repositories, VLEs etc. etc.

Examples of use-cases include an upcoming implementation for Students Only. This is a site that allows cheap tickets for college students and staff. It uses shibboleth to ascertain a student’s affiliation to an institution - similar to the Microsoft DreamSpark application in the UK. This cuts down the need for the company to have to directly contact the registrar’s office at institutions. A three step verification process becomes a one step verification process.

Students are asked to commit to a Privacy Policy with the company. This brings up the questions that I’m hearing all the time at the moment: how do we get consent from students? is it an IdP or SP responsibility? how often does this consent need to be reverified?

The need for accuracy of name came up as well: airline tickets require the formal name of a person (e.g. Robert) and not diminutives (e.g. Bob). Can this be provided by the IdP?

A typo led this presentation to talk about ‘Walk Tough with Shibboleth’. Chuck Norris will now be used to promote shib applications….

Other examples include Research1, a research community with YouTube / Facebook-like applications.

The structure of InCommon was also discussed. InCommon is different from the UK federation in that it only has one member: Internet2. All other organisations are participants. The member has the power to shut down InCommon, but has few other rights. The Funding Councils have a similar right in the UK under section 9.2.2 of the Federation Policy document. The idea of both of these structures is to protect the interests of the initial funding organisations and the institutions associated with them. The question was raised regarding institutions and other organisations that join InCommon and the UK federation - how are their interests protected? Should commercial SPs have a representative on the Federation Board for example?

The question is slightly different with InCommon (which charges membership fees) and the UK federation (which does not charge membership fees) but is still interesting to look at.

Posted in Authorisation, Authentication, Identity Management | 2 Comments »

Knowing Me, Knowing You

Posted by nicole on 2nd October 2008

Now that a lot of the work in setting up Shibboleth IdPs has been completed at institutions, many people are now thinking about the ways in which the technology can be exploited away from the commercial third party supplier model. The most common uses are for blogs, wikis, repositories and Virtual Learning Environments.

A point that keeps on coming up is: ‘but the UK federation doesn’t allow the transfer of personal data’. This is simply not the case.

The UK federation provides recommendations for the use of personal data that follow the guidelines of the Data Protection Act - to which all UK institutions are already bound. To quote from this recommendation document (note, not policy!):

The basis for the Federation is that a user’s primary relationship is with their organisation and that personal data should normally be kept within this relationship. Many Service Providers will only need to know that an individual is a recognised user, having a particular status, at a member organisation. This involves no personal data being disclosed. Where Service Providers need to obtain additional personal data about individual users they may either request it from the appropriate User Organisation (this will usually need to be covered by a legal agreement), or ask the individual user to provide it, seeking free and informed consent by informing the user what the data will be used for and what benefit the user will receive. Service Providers should endeavour to provide service, possibly at a reduced level, to users for whom personal data is not available.

So yes, personal data can be exchanged - as long as this exchange is deemed necessary! Please don’t let this misconception put you off moving forward with broadening federated access.

Many of the international federations are looking at user consent modules for use with Shibboleth such as the FEIDE SimpleSAMLphp Module and the SWITCH ARPViewer. Others are taking the approach of using student registration to get permission, or simply taking the stance that user consent is not required as long as sharing personal data meets the goal of educating the student.
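The release model that the quoted recommendation describes (affiliation by default, extra personal data only under an agreement or with the user's informed consent) and the explicit deny rules mentioned in the Shibboleth Working Group post above, as one added illustration in plain Python. This is not Shibboleth's attribute filter or any federation's code; the baseline attribute set, the SP entity IDs, the user record and the rule structure are constructed for the example, and consent is modelled as something the IdP has already recorded, however it was obtained.

```python
from dataclasses import dataclass, field

# Released to any SP in the federation: enough to show that the user is a
# recognised member with a given status, and no personal data. The choice of
# attribute is an assumption for this example.
BASELINE = {"eduPersonScopedAffiliation"}


@dataclass
class ReleasePolicy:
    """Decides which of a user's attributes an IdP may send to a given SP."""
    # SP entity ID -> attributes covered by a legal agreement with that SP
    agreements: dict = field(default_factory=dict)
    # (user, SP entity ID) -> attributes the user has consented to release
    consents: dict = field(default_factory=dict)
    # SP entity ID -> attributes never released to that SP; the key "*" denies
    # an attribute to every SP. Denies win over agreements and consent alike.
    denies: dict = field(default_factory=dict)

    def record_consent(self, user: str, sp: str, attributes: set) -> None:
        """Store consent the user gave for `sp` (e.g. via a consent page)."""
        self.consents.setdefault((user, sp), set()).update(attributes)

    def permitted(self, user: str, sp: str) -> set:
        """Everything that could be released to `sp` for `user` before denies."""
        return (set(BASELINE)
                | self.agreements.get(sp, set())
                | self.consents.get((user, sp), set()))

    def denied(self, sp: str) -> set:
        return self.denies.get("*", set()) | self.denies.get(sp, set())

    def release(self, user: str, user_attrs: dict, sp: str, requested: set) -> dict:
        """Return the attribute values that go into the assertion for `sp`.

        Only attributes the SP asked for are considered, so a permissive
        agreement never causes more data to flow than the SP needs.
        """
        chosen = (requested & self.permitted(user, sp)) - self.denied(sp)
        return {name: user_attrs[name] for name in sorted(chosen) if name in user_attrs}

    def withheld(self, user: str, user_attrs: dict, sp: str, requested: set) -> set:
        """Requested attributes that were not released; an SP that sees these
        missing should fall back to a reduced level of service rather than fail."""
        return requested - set(self.release(user, user_attrs, sp, requested))


# Constructed sample data for a quick run.
LIBRARY_SP = "https://library.example.com/shibboleth"
WIKI_SP = "https://wiki.example.org/shibboleth"

SAMPLE_POLICY = ReleasePolicy(
    agreements={LIBRARY_SP: {"mail"}},            # contract covers e-mail address
    denies={"*": {"uid"},                         # internal login name never leaves
            WIKI_SP: {"mail"}},                   # explicit deny for one SP
)

SAMPLE_USER = {
    "eduPersonScopedAffiliation": "student@uni.example.edu",
    "mail": "jdoe@uni.example.edu",
    "displayName": "J Doe",
    "uid": "jdoe",
}

SAMPLE_REQUEST = {"eduPersonScopedAffiliation", "mail", "displayName", "uid"}


if __name__ == "__main__":
    for sp in (WIKI_SP, LIBRARY_SP):
        print(sp, "->", SAMPLE_POLICY.release("jdoe", SAMPLE_USER, sp, SAMPLE_REQUEST))
    SAMPLE_POLICY.record_consent("jdoe", WIKI_SP, {"displayName", "mail"})
    print("after consent ->", SAMPLE_POLICY.release("jdoe", SAMPLE_USER, WIKI_SP, SAMPLE_REQUEST))
```

The ordering of the checks is the point: a deny entry is evaluated last and cannot be overridden by either an agreement or recorded consent, which is what makes an explicit deny rule a safety net rather than just another permit list.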

JISC is looking at some of the ways in which federated access can be used across its project portfolio including a study on federated access and personalisation, and a look at federated access and repositories building on the FAR Project.

It is also worth remembering that not all federated exchanges need to go through the UK federation. In the case of Virtual Learning Environments and Repositories, you may often be dealing with an in-house IdP and SP. The personal data issues become a lot more manageable in this environment.

Posted in Authentication | No Comments »