JISC Access Management Team

moving towards federated access management

Archive for the 'Authentication' Category

Know thy self

Posted by markwilliams on 17th March 2008

It is nearly Easter and although the access management D-Day is end of July, in many ways it’s actually right now. Institutions (and that means Libraries, IT depts and Senior management together) will need to determine now where they actually want to be by August in order to implement whatever solution that they have chosen. For a significant number of FE institutions that means analysing their Library resources profile and IT skills and determining what they a. want to do and b. what they can do.

Where they will be in August 2008 and more importantly Aug 2009 really has to start now. All the options are out there - don’t fall into one option later by a lack of decision now - prepare now! For many coming to the issue this late from a cold start, a stepped approach may well work best (one solution for this August while working to another longer term one by Aug 2009). Outsourcing, in-house, IP - all options on the table - you’ll know what’s best for your institution……

Posted in Authentication | No Comments »

JISC FE Support

Posted by markwilliams on 25th February 2008

Deadline for applying for the JISC Institutional Access Management Support Project passed today. It would be fair to say that the bus is now full up, and over half the passengers are from smaller FE institutions (I-J) which we particularly wanted to target. Although places on that project are now spoken for, there is still help for Institutions that have only just made a decision to deploy a shib IdP. Netskills are running an excellent three-day training course, JANET will be running courses of their own and of course JISC RSCs have events planned. Most importantly the office here is still open, so if you missed the big bus give us a call and we can talk through other ways your institution can get help setting a shib IdP up.

Posted in Authentication | No Comments »

LEGO is 50 years old, shibboleth is 2000

Posted by markwilliams on 28th January 2008

Google tells me LEGO is fifty today. To that honour, I post this link to the Lego Bible, which should show just how important it is to authenticate correctly through shibboleth………….

Posted in Authentication | 1 Comment »

Eduserv fund identity

Posted by markwilliams on 28th January 2008

Noticed Eduserv are funding FE / HE to explore an “examination of establishing an online identity in a particular community”. That’s good news as it complements the work JISC is doing on its own Identity project, and also highlights how social networking tools are impacting how we perceive identity. The blurring of traditional identity management is also all the more reason why HE / FE institutions should adopt improved control over management of their own students’ identities, which of course, technologies such as Shibboleth allow. For those on the “do nothing” side of the access management fence, it’s worth looking at what a burning issue identity is becoming among students, who may well become aware of it through social networking, but will easily make the species / system leap and perhaps put under the microscope their own identity relationship with their host institutions.

With apologies to Edmund Burke, such a warning reminds me that “all it takes for confusion to flourish is for librarians to do nothing”.

Posted in Authorisation, Authentication, Identity Management, Blogroll | No Comments »

Why did we go down this Shibboleth route at all?

Posted by nicole on 23rd January 2008

There has obviously been a lot of debate in the last two days surrounding the regrettable announcement that JISC will no longer be funding the Federation Gateway Services. This has led to people asking questions such as ‘why did we go down this Shibboleth route at all?’. I thought it might be useful to go back to the beginning. Below is the vision statement (we are very MSP here) for the Access Management Transition Programme. I think it sums things up quite nicely.

The JISC Access Management Transition Programme aims to change the access management landscape within UK Further and Higher Education from a system predominantly based on proprietary systems to one with open standards at its core. The primary enabler of this change will be the introduction of federation access management and a strong recommendation to all institutions and organisations involved in education to implement access management solutions based on the SAML (Security Assertion Mark-Up Language) standard.

In supporting an open standards approach, rather than any particular technology, JISC hopes to:

  • Improve the business decisions made by institutions in relation to identity, access and resource management.
  • Increase the commercial choice to institutions in relation to identity and access management technologies.
  • Reduce the impact and cost of vendor lock-in within the JISC community.
  • Embed knowledge within the community, rather than within any one organisation.
  • Place the principles of the JISC Information Environment at the core of the implementation of access management within its community.
  • Move towards a single sign-on environment for UK Further and Higher Education institutions across internal, external, and collaborative resources.

The JISC Access Management Transition Programme runs from July 2006 – December 2008, and is funded and supported by the JISC Integrated Information Environment Committee (JIIE). Funding of £2.2 million has been allocated to this programme.

Posted in Authentication | No Comments »

Focus on Scotland

Posted by nicole on 7th December 2007

I will be attending the next meeting of the McShib group next Friday, and I am looking forward to it very much!

As part of my preparation, I had a quick look at the UK federation membership status for all of the institutions in Scotland. Currently:

  • Two FE Colleges within the remit of RSC Scotland North and East are members - Dundee College and Borders College. By my rough calculations, that leaves 21 to go.
  • One FE College within the remit of RSC Scotland South and West is a member - Reid Kerr College. Again, that leaves about 19 to go.

It strikes me that these colleges might well think about a joint approach to the recent JISC call offering direct support to smaller FE colleges in adopting federated access management.

  • 10 of the 18 Higher Education Institutions in Scotland are members of the UK federation, and most are fairly well advanced in the deployment of federated access technologies. A focus on the roll-out to users and library concerns would be helpful for these institutions.
  • 3 Scottish HE institutions are considered to be in the most at risk category in terms of adopting federated access: University of the West of Scotland, RSAMD and Robert Gordon University.
  • 2 Scottish HE institutions are considered to be a risk 4 (out of 5): Glasgow School of Art and Queen Margaret University, Edinburgh.
  • 2 Scottish HE institutions are considered to be a risk 2 (out of 5): University of St Andrews and Edinburgh College of Art.
  • 1 Scottish HE is considered to be a risk 1 (out of 5): Glasgow Caledonian University.

UK federation Members

Heriot-Watt University
Napier University
University of Aberdeen
University of Abertay Dundee
University of Dundee
University of Edinburgh
University of Glasgow
UHI
University of Stirling
University of Strathclyde

Scottish Higher Education - non members

Risk 5 - University of the West of Scotland
Risk 5 - Robert Gordon University Now Member!
Risk 5 - Royal Scottish Academy of Music and Drama
Risk 4 - Glasgow School of Art
Risk 4 - Queen Margaret University, Edinburgh
Risk 2 - University of St Andrews Now Member!
Risk 2 - Edinburgh College of Art
Risk 1 - Glasgow Caledonian University

RSC Scotland North and East

Aberdeen College, Aberdeen
The Adam Smith College, Glenrothes
Angus College, Angus
Banff and Buchan College, Fraserburgh
Borders College, Galashiels MEMBER
Dundee College, Dundee MEMBER
Edinburgh’s Telford College, Edinburgh Now Member!
Elmwood College, Cupar
Forth Valley College, Falkirk
Inverness College, Inverness
Jewel and Esk Valley College, Dalkeith
Lauder College, Dunfermline
Lews Castle College, Isle of Lewis
Moray College, Elgin
Newbattle Abbey College, Dalkeith
Oatridge Agriculture College, Broxburn
Orkney College, Orkney
Perth College, Perth
Sabhal Mor Ostaig, Isle of Skye
Shetland College of Further Education, Lerwick
Stevenson College, Edinburgh
The North Highland College, Thurso
West Lothian College, Livingston

RSC Scotland South and West

Anniesland College, Glasgow Now Member!
Ayr College, Ayr
Barony College, Parkgate
Cardonald College, Glasgow Now Member!
Central College of Commerce, Glasgow
Clydebank College, Clydebank
Coatbridge College, Coatbridge
Cumbernauld College, Cumbernauld Now Member!
Dumfries and Galloway College, Heathhall
Glasgow College of Nautical Studies, Glasgow
Glasgow Metropolitan College, Glasgow
James Watt College of Further and Higher Education, Greenock
John Wheatley College, Glasgow
Kilmarnock College, Kilmarnock
Langside College of Glasgow
Motherwell College, Motherwell
North Glasgow College, Springburn
Reid Kerr College, Paisley MEMBER
South Lanarkshire College, Cambuslang
Stow College, Glasgow

Posted in Authorisation, Authentication, Joining the UK Federation | 3 Comments »

(B)Reaching Resources

Posted by nicole on 29th November 2007

I have had several in-depth conversations with Service Providers over the last couple of days regarding concerns that institutions are not taking their obligations seriously enough in terms of identity management and in relation to devolved authentication processes. I thought it would be worth capturing some of the discussions here.

My first point is that Service Providers to institutional libraries have always been reliant on the institution to provide accurate information about valid end users for their services. This is not a new concept within a devolved approach, but the very nature of devolved authentication often means that errors (such as bad revocation or credential re-use policies) are more easily uncovered than with service provider or centralised access management systems. So, we should to some extent be pleased if more errors are being uncovered - it means the process is working.

Institutions are often simply not aware enough of the obligations that are put on them in terms of good identity management processes when they sign up to a licensed resource. More work needs to be done to get the license terms and conditions out of a dusty filing cabinet and into the general consciousness of institutions.

The discussions have reinforced my faith in the policy approach of the UK federation, and its importance in addition to traditional licenses such as the JISC Model License. It also reinforces the importance of ‘section 6’ of the UK Access Management Federation Rules of Membership and I would urge all institutions to seriously consider signing up to it, and all service providers to review whether it should be a requirement of access. It is this section that truly places an obligation on institutions to demonstrate best practice in identity management.

Service Providers cannot expect institutions to demonstrate best practice unless there is a clear requirement - either in the license for the resource or within a policy document such as the UK Access Management Federation Rules of Membership.

Any devolved authentication system should have robust documentation in place to ensure that it is clear whether or not institutions using that system are following good practice in terms of identity management, and what accountability and traceability Service Providers can expect.

Overall, it is important that both institutions and Service Providers are taking identity management processes seriously, and it does worry me that Identity Management only makes number 10 on the UCISA Top Concerns list. To quote Lemony Snicket, We Are Very Concerned.

Posted in Authorisation, Authentication, Joining the UK Federation, Identity Management | No Comments »

(more) Identity Mismanagement

Posted by nicole on 21st November 2007

There is very little I can say about the very public example of identity mismanagement that hasn’t already been said, but it is worth noting the various reports detailing the loss of 25 million personal records relating to child benefit such as that in the Guardian and rather cheekily on eBay.

Pertinent points have to be the fact that the data was not encrypted, the dangers of storing all data in a central location and the fact that security is only ever as good as your lowest common denominator (read junior employee!).

Posted in Authentication | No Comments »

Magic Bullet

Posted by markwilliams on 5th November 2007

Mark writes:
Second part of our Institutional Support process, for Universities and Colleges seeking support to help set them up as IdPs, went out today. We know it’s not going to be a magic bullet to cure all issues that Institutions are having but like the best DNA treatments these days, it is tightly targeted. Traditionally, we (JISC) have been very good at getting historically early adopter institutions to, and you’ve guessed it - “early adopt”. The support model we are trying here goes beyond that. I sense (and please contact me if I’m wrong) that a lot of FE institutions are fence sitting regards Access Management. Hopefully the institutions that get help through JIAMSP will really highlight the fact that Federated Access Management is both obtainable and desirable for all - and worth coming down off the fence for. We also know how small the window of opportunity is to get large scale IT projects done within the College academic calendar, so another part of the support is an attempt to target by time - Institutions can choose slots as to when they would like to move forward, if they are applying for support. Questions (and with this kind of support model, there really should be some) please.

Posted in Authentication, Authorisation, Institutional Audit, Joining the UK Federation, events, Identity Management, Blogroll | No Comments »

Calling third parties

Posted by markwilliams on 23rd October 2007

Mark writes:

JISC has just issued an ITT for third parties experienced in access management to bid to provide support to institutions who want to deploy an IdP. You might say that such support is already there, and to a degree much of it is. Particularly if you are an Institution employing an IT staff with the correct skill set, have an organised directory service, a significant subscription to JISC Collections resources and the strategic ambition to move forward on access management. However, and it is a big HOWEVER, it’s clear that there are enough institutions who can use the business case toolkit to determine that they want access management (and I mean the 100% proof type, not devolved outsourcing to a delegated authority), but who have also determined that it’s currently financially / technically out of reach. It is that group of institutions, which the successful respondent to the ITT will be working with. The time will come for such institutions to submit applications for the help that the project will provide, but for the present - if you are a third party provider of access management support, with a desire to spend long hours setting up IdPs in grateful institutions all over the country - we want YOUR interest. And remember we encourage questions……

Posted in Strategy and Policy, Institutional Audit, Authentication, Authorisation, Joining the UK Federation, Identity Management, Blogroll, events, Programme Management, Uncategorized | No Comments »