JISC Access Management Team

moving towards federated access management

Archive for the 'Authorisation' Category

Today - education, tomorrow - …?

Posted by nicole on 2nd May 2008

We are often asked if the uptake of SAML is a purely educational process, and if there is any interest from outside the sector. The simple answer is, of course! The number of commercial service providers who have joined the UK Access Management Federation is testament to their acceptance of the SAML standard as a business requirement.

There are also significant signs of SAML being taken very seriously across other sectors within the UK and internationally. At the Mobile Gov Conference, Chris Haynes of the eDelivery Team in the Cabinet Office set out the roadmap for the development of the Government Gateway - with SAML at the core of the development.

Ian McKinnell will also be talking about the NHS and SAML at the next meeting of the NHS-HE forum.

JISC is also working with a small group of museums, libraries and archives in London to look at the potential application of SAML in these institutions.

All very interesting work presenting interesting new challenges but also added confidence on the benefits of implementation against a common standard.

Posted in Authorisation, Authentication | No Comments »

BT in trouble?

Posted by markwilliams on 3rd April 2008

Notice that BT seems to have taken a lot of flak over its test of Phorm, which matches adverts to users’ web habits. Advertisers will probably argue that examples of such tools allow them to offer better aligned services to their prospective customers – users may well wonder where the line is drawn regarding the gathering of data about their online habits.

In the UK Federation, the line is already firmly drawn. Any user accessing resources is identified to that publisher by a random string. It’s a different generated random string for the user accessing each publisher so there can be no danger of deductive matching up of identities.

That element of protection may not seem a big deal at the moment but protection and ownership of one’s online identity will be the big issue over the next year – all sectors will no doubt come under intense scrutiny, particularly as individuals will become much more aware and savvy of the issues and principles involved. Obviously the commercial sector will bear the brunt of such examination, but UK education will receive its fair share of attention eventually. Fortunately, the move to federated access management sets up a sound basis for the protection of learners’ identities online, while allowing scope for the degrees and types of personalisation that publishers and users want. Users (nominally institutions) determine how much info (in attributes) to release, resource providers determine how much info they require. The worst that can happen is that nothing happens. No unpermitted exchange of data. But unpermitted does need a little unpacking. Institutions really do need to make learners aware of their information policies. It’s probably not the first question on most freshers’ lips yet, but one day…

Posted in Authorisation, Authentication, Identity Management, Blogroll, Uncategorized | 1 Comment »
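The per-publisher identifier and attribute release described in the post above, as an added example that is not part of the original post or the UK federation's own code. The post speaks of a random string; this sketch instead derives a stable opaque value with a keyed hash, which is an assumption, and the secret, usernames, entityIDs and policy are all constructed.

```python
import base64
import hashlib
import hmac

# Constructed demo values (assumptions, not from the post).
IDP_SECRET = b"constructed-demo-secret"
SP_A = "https://publisher-a.example/shibboleth"
SP_B = "https://publisher-b.example/shibboleth"
USERS = {
    "jsmith": {"eduPersonScopedAffiliation": "student@uni.example",
               "mail": "jsmith@uni.example"},
    "akhan": {"eduPersonScopedAffiliation": "staff@uni.example",
              "mail": "akhan@uni.example"},
}
# Institution-side release policy: which attributes each publisher may receive.
POLICY = {SP_A: {"eduPersonScopedAffiliation"}, SP_B: set()}


def pairwise_id(local_user, sp_entity_id, secret=IDP_SECRET):
    """Opaque identifier for one user at one publisher."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (sp_entity_id.encode(), local_user.encode()))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def release(local_user, sp_entity_id, attributes, policy):
    """What one publisher receives: pairwise id plus permitted attributes only."""
    allowed = policy.get(sp_entity_id, set())  # unknown publisher gets nothing extra
    released = {k: v for k, v in attributes.items() if k in allowed}
    released["id"] = pairwise_id(local_user, sp_entity_id)
    return released


def correlate(view_a, view_b):
    """Identifiers two colluding publishers could join their records on."""
    return {r["id"] for r in view_a} & {r["id"] for r in view_b}


def demo():
    view_a = [release(u, SP_A, a, POLICY) for u, a in USERS.items()]
    view_b = [release(u, SP_B, a, POLICY) for u, a in USERS.items()]
    return view_a, view_b, correlate(view_a, view_b)


if __name__ == "__main__":
    a, b, shared = demo()
    print(a, b, "shared identifiers:", shared, sep="\n")
```

The same user returning to the same publisher gets the same identifier, so personalisation still works, while the two publishers' records share no join key.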

Eduserv fund identity

Posted by markwilliams on 28th January 2008

Noticed Eduserv are funding FE / HE to explore an “examination of establishing an online identity in a particular community”. That’s good news as it complements the work JISC is doing on its own Identity project, and also highlights how social networking tools are impacting how we perceive identity. The blurring of traditional identity management is also all the more reason why HE / FE institutions should adopt improved control over management of their own students’ identities, which of course, technologies such as Shibboleth allow. For those on the “do nothing” side of the access management fence, it’s worth looking at what a burning issue identity is becoming among students, who may well become aware of it through social networking, but will easily make the species / system leap and perhaps put under the microscope their own identity relationship with their host institutions.

With apologies to Edmund Burke, such a warning reminds me that “all it takes for confusion to flourish is for librarians to do nothing”.

Posted in Authorisation, Authentication, Identity Management, Blogroll | No Comments »

Focus on Scotland

Posted by nicole on 7th December 2007

I will be attending the next meeting of the McShib group next Friday, and I am looking forward to it very much!

As part of my preparation, I had a quick look at the UK federation membership status for all of the institutions in Scotland. Currently:

  • Two FE Colleges within the remit of RSC Scotland North and East are members - Dundee College and Borders College. By my rough calculations, that leaves 21 to go.
  • One FE College within the remit of RSC Scotland South and West is a member - Reid Kerr College. Again, that leaves about 19 to go.

It strikes me that these colleges might well think about a joint approach to the recent JISC call offering direct support to smaller FE colleges in adopting federated access management.

  • 10 of the 18 Higher Education Institutions in Scotland are members of the UK federation, and most are fairly well advanced in the deployment of federated access technologies. A focus on the roll-out to users and library concerns would be helpful for these institutions.
  • 3 Scottish HE institutions are considered to be in the most at risk category in terms of adopting federated access: University of the West of Scotland, RSAMD and Robert Gordon University.
  • 2 Scottish HE institutions are considered to be a risk 4 (out of 5): Glasgow School of Art and Queen Margaret University, Edinburgh.
  • 2 Scottish HE institutions are considered to be a risk 2 (out of 5): University of St Andrews and Edinburgh College of Art.
  • 1 Scottish HE is considered to be a risk 1 (out of 5): Glasgow Caledonian University.

UK federation Members

Heriot-Watt University
Napier University
University of Aberdeen
University of Abertay Dundee
University of Dundee
University of Edinburgh
University of Glasgow
UHI
University of Stirling
University of Strathclyde

Scottish Higher Education - non members

Risk 5 - University of the West of Scotland
Risk 5 - Robert Gordon University Now Member!
Risk 5 - Royal Scottish Academy of Music and Drama
Risk 4 - Glasgow School of Art
Risk 4 - Queen Margaret University, Edinburgh
Risk 2 - University of St Andrews Now Member!
Risk 2 - Edinburgh College of Art
Risk 1 - Glasgow Caledonian University

RSC Scotland North and East

Aberdeen College, Aberdeen
The Adam Smith College, Glenrothes
Angus College, Angus
Banff and Buchan College, Fraserburgh
Borders College, Galashiels MEMBER
Dundee College, Dundee MEMBER
Edinburgh’s Telford College, Edinburgh Now Member!
Elmwood College, Cupar
Forth Valley College, Falkirk
Inverness College, Inverness
Jewel and Esk Valley College, Dalkeith
Lauder College, Dunfermline
Lews Castle College, Isle of Lewis
Moray College, Elgin
Newbattle Abbey College, Dalkeith
Oatridge Agriculture College, Broxburn
Orkney College, Orkney
Perth College, Perth
Sabhal Mor Ostaig, Isle of Skye
Shetland College of Further Education, Lerwick
Stevenson College, Edinburgh
The North Highland College, Thurso
West Lothian College, Livingston

RSC Scotland South and West

Anniesland College, Glasgow Now Member!
Ayr College, Ayr
Barony College, Parkgate
Cardonald College, Glasgow Now Member!
Central College of Commerce, Glasgow
Clydebank College, Clydebank
Coatbridge College, Coatbridge
Cumbernauld College, Cumbernauld Now Member!
Dumfries and Galloway College, Heathhall
Glasgow College of Nautical Studies, Glasgow
Glasgow Metropolitan College, Glasgow
James Watt College of Further and Higher Education, Greenock
John Wheatley College, Glasgow
Kilmarnock College, Kilmarnock
Langside College of Glasgow
Motherwell College, Motherwell
North Glasgow College, Springburn
Reid Kerr College, Paisley MEMBER
South Lanarkshire College, Cambuslang
Stow College, Glasgow

Posted in Authorisation, Authentication, Joining the UK Federation | 3 Comments »

(B)Reaching Resources

Posted by nicole on 29th November 2007

I have had several in-depth conversations with Service Providers over the last couple of days regarding concerns that institutions are not taking their obligations seriously enough in terms of identity management and in relation to devolved authentication processes. I thought it would be worth capturing some of the discussions here.

My first point is that Service Providers to institutional libraries have always been reliant on the institution to provide accurate information about valid end users for their services. This is not a new concept within a devolved approach, but the very nature of devolved authentication often means that errors (such as bad revocation or credential re-use policies) are more easily uncovered than with service provider or centralised access management systems. So, we should to some extent be pleased if more errors are being uncovered - it means the process is working.

Institutions are often simply not aware enough of the obligations that are put on them in terms of good identity management processes when they sign up to a licensed resource. More work needs to be done to get the license terms and conditions out of a dusty filing cabinet and in to the general consciousness of institutions.

The discussions have reinforced my faith in the policy approach of the UK federation, and its importance in addition to traditional licenses such as the JISC Model License. It also reinforces the importance of ‘section 6’ of the UK Access Management Federation Rules of Membership and I would urge all institutions to seriously consider signing up to it, and all service providers to review whether it should be a requirement of access. It is this section that truly places an obligation on institutions to demonstrate best practice in identity management.

Service Providers cannot expect institutions to demonstrate best practice unless there is a clear requirement - either in the license for the resource or within a policy document such as the UK Access Management Federation Rules of Membership.

Any devolved authentication system should have robust documentation in place to ensure that it is clear whether or not institutions using that system are following good practice in terms of identity management, and what accountability and traceability Service Providers can expect.

Overall, it is important that both institutions and Service Providers are taking identity management processes seriously, and it does worry me that Identity Management only makes number 10 on the UCISA Top Concerns list. To quote Lemony Snicket, We Are Very Concerned.

Posted in Authorisation, Authentication, Joining the UK Federation, Identity Management | No Comments »

Magic Bullet

Posted by markwilliams on 5th November 2007

Mark writes:
Second part of our Institutional Support process, for Universities and Colleges seeking support to help set them up as IdPs, went out today. We know it’s not going to be a magic bullet to cure all issues that Institutions are having but like the best DNA treatments these days, it is tightly targeted. Traditionally, we (JISC) have been very good at getting historically early adopter institutions to, and you’ve guessed it - “early adopt”. The support model we are trying here goes beyond that. I sense (and please contact me if I’m wrong) that a lot of FE institutions are fence sitting regards Access Management. Hopefully the institutions that get help through JIAMSP will really highlight the fact that Federated Access Management is both obtainable and desirable for all - and worth coming down off the fence for. We also know how small the window of opportunity is to get large scale IT projects done within the College academic calendar, so another part of the support is an attempt to target by time - Institutions can choose slots as to when they would like to move forward, if they are applying for support. Questions (and with this kind of support model, there really should be some) please.

Posted in Authentication, Authorisation, Institutional Audit, Joining the UK Federation, events, Identity Management, Blogroll | No Comments »

Calling third parties

Posted by markwilliams on 23rd October 2007

Mark writes:

JISC has just issued an ITT for third parties experienced in access management to bid to provide support to institutions who want to deploy an IdP. You might say that such support is already there, and to a degree much of it is. Particularly if you are an Institution employing an IT staff with the correct skill set, have an organised directory service, a significant subscription to JISC Collections resources and the strategic ambition to move forward on access management. However, and it is a big HOWEVER, it’s clear that there are enough institutions who can use the business case toolkit to determine that they want access management (and I mean the 100% proof type, not devolved outsourcing to a delegated authority), but who have also determined that it’s currently financially / technically out of reach. It is that group of institutions, which the successful respondent to the ITT will be working with. The time will come for such institutions to submit applications for the help that the project will provide, but for the present - if you are a third party provider of access management support, with a desire to spend long hours setting up IdPs in grateful institutions all over the country - we want YOUR interest. And remember we encourage questions……

Posted in Strategy and Policy, Institutional Audit, Authentication, Authorisation, Joining the UK Federation, Identity Management, Blogroll, events, Programme Management, Uncategorized | No Comments »

Divining the bottleneck

Posted by admin on 1st October 2007

We all know the trick to getting the best, fastest piece of IT kit for your buck: locating the speed bottleneck. It’s no use buying a hyper fast graphics card, if the speed of onboard memory is too slow, or having a fast shooting Digital SLR Camera if the compact flash card has a slow write speed. Well, it’s the same with access management. So much of what we do in improving access to content depends on every link in the chain. One element which we tend to look at least (maybe because it doesn’t have a technical standard linked to it?) is licensing.

24/7, remote, finely grained access to content only happens when the license permits it too.

Let’s not forget we need 21st century licenses for 21st century technology.

Posted in Authentication, Authorisation, Institutional Audit, Joining the UK Federation, events, Identity Management, Blogroll | No Comments »

Mistaken Identity

Posted by admin on 18th September 2007

While at the Janet UK Federation briefing event yesterday, someone sitting next to me asked me if I was a content supplier. Working in HE, that doesn’t happen to me very often – turned out it was all because of my laptop. I had a reasonably flash one, so I must be in commerce not education…… Moral of the story – sadly, all too often Librarians seem to be towards the bottom of the food chain when it comes to getting shiny toys. It’s important because it can be the shiny toys that inspire us to be ambitious in how we use IT. Could a particular institution’s reluctance to adopt sophisticated access management be rooted in a childhood laptop deprivation of never having seen a dual core processor in action?

While on the topic of righting misconceptions, I’ve noticed the odd supplier using the JISC HE / FE banding as their pricing structure. Nothing wrong in that, however, care needs to be taken not to imply the pricing structure of a particular product is set by JISC - suppliers are welcome to use the structure, but it shouldn’t be implied that use of the structure means de facto JISC endorsement.

Posted in Authorisation, Authentication, Identity Management, events, Blogroll | No Comments »

Access Management - the movie 2: Animate harder

Posted by admin on 14th September 2007

Just watched the Australian Federation (Introduction to AAF federated access management) remake of the JISC Introduction to Federated Access Management animation.

Glad to say that it seemed more like a shot by shot remake, in the same way that Gus Van Sant remade Psycho, rather than the “re-envisioning” of Planet of the Apes that Tim Burton did.

There is a serious point though, a major rationale for Federating around the SAML standard – is interoperability. The Oz remake (the country, not one featuring CGI flying monkeys), proves that we face similar problems and that we would seem to be on the right track with similar solutions.

Certainly makes the sentence, “an international standard”, far more meaningful….

Posted in Institutional Audit, Authentication, Authorisation, Joining the UK Federation, Identity Management, events, Programme Management, Blogroll | No Comments »