JISC Access Management Team

moving towards federated access management

Archive for the 'Authorisation' Category

Mistaken Identity

Posted by admin on 18th September 2007

While at the Janet UK Federation briefing event yesterday, someone sitting next to me asked me if I was a content supplier. Working in HE, that doesn’t happen to me very often; it turned out it was all because of my laptop. I had a reasonably flash one, so I must be in commerce, not education… Moral of the story: sadly, all too often librarians seem to be towards the bottom of the food chain when it comes to getting shiny toys. It’s important because it can be the shiny toys that inspire us to be ambitious in how we use IT. Could a particular institution’s reluctance to adopt sophisticated access management be rooted in a childhood laptop deprivation of never having seen a dual core processor in action?

While on the topic of righting misconceptions, I’ve noticed the odd supplier using the JISC HE / FE banding as their pricing structure. Nothing wrong in that; however, care needs to be taken not to imply that the pricing structure of a particular product is set by JISC. Suppliers are welcome to use the structure, but it shouldn’t be implied that use of the structure means de facto JISC endorsement.

Posted in Authorisation, Authentication, Identity Management, events, Blogroll | No Comments »

Access Management - the movie 2: Animate harder

Posted by admin on 14th September 2007

Just watched the Australian Federation (Introduction to AAF federated access management) remake of the JISC Introduction to Federated Access Management animation.

Glad to say that it seemed more like a shot by shot remake, in the same way that Gus Van Sant remade Psycho, rather than the “re-envisioning” of Planet of the Apes that Tim Burton did.

There is a serious point though: a major rationale for federating around the SAML standard is interoperability. The Oz remake (the country, not the one featuring CGI flying monkeys) proves that we face similar problems and that we would seem to be on the right track with similar solutions.

Certainly makes the sentence, “an international standard”, far more meaningful….

Posted in Institutional Audit, Authentication, Authorisation, Joining the UK Federation, Identity Management, events, Programme Management, Blogroll | No Comments »

The Discovery ‘Problem’

Posted by admin on 13th September 2007

There has been a lot of discussion on UK lists recently about the ‘discovery problem’ with federated access management. I think this can actually be translated into three questions:

  1. How do users know which ‘log-in link’ to click on when they are presented with a variety of options such as ‘organisational log-in’, ‘athens log-in’, ‘account log-in’ etc. and which credentials do they use?
  2. Can users (and Service Providers) cope with the WAYF approach and should this be federation-centric or service provider-centric?
  3. How do institutions ‘brand’ the log-in page they present to users and describe the network or institutional log-in, and can we gain consistency in use of this language?

There are a variety of opinions of how this should be done. Below, I’ve recorded my personal thoughts in relation to this, but I’d be very interested to hear from others…

  • Identity Providers should use institutional branding on log-in pages wherever possible, and particularly if the credentials for federated access are the same as a user’s typical organisational log-in.
  • If an IdP uses different credentials for federated access management, they may wish to consider using UK federation branding to help differentiate. Some guidelines are available here. It is worth considering whether the UK federation will be the custodian of all federated access transactions before making this decision (i.e. internal federated resources, other collaborative resources etc.).
  • Use of a centralised, federation-controlled WAYF is clearly not the most effective way of carrying out discovery and should be used as a ‘last resort’ when Identity Providers or Service Providers have no other ways of managing discovery.
  • Users like embedded links in institutional repositories / portals, but more work is needed to make the creation and embedding of structured links easier and more maintainable.
  • Service Providers should think long and hard about how they present log-in links to users.

I think there is some work for the access management team here, but there are already some really good examples of discovery done well.

From the Identity Provider perspective, I really like the approach taken by Margaret Flett at UCL, as described in her presentation to CPD25.

From the Service Provider perspective, I like the elegance of the SP-side WAYF created by JSTOR, which combines both Athens access and devolved access into one process.

Posted in Authorisation, Authentication, Identity Management | No Comments »

JISC = Open Standards + Openness

Posted by admin on 10th September 2007

Saw some numbers concerning Federation membership being bandied around in an IWR article. Once the reader has got past some of the inconsistencies of the piece (such as the headline writer making the mistake of considering the Federation and Shibboleth as synonymous), the message that perhaps should be drawn out of the piece is one of JISC commitment to technical open standards, and general “openness”.

One of the benefits of a JISC approach combined with an open standards approach is that all of the information concerning the Federation is public and open. This includes TWO institutional preparedness studies which are now available in full on the web (and which, incidentally, cover a much larger sample than the survey cited in the IWR piece), and details of membership of the federation (institutions and Service Providers) are freely available for all to see on the Federation website. UK HE / FE is a very complex and heterogeneous environment, where “one solution” certainly does not fit all. Different strokes for different folks means the future of access management is certainly not a zero-sum game, where there can only be one choice or winner, but one of an eclectic range of provision and solutions.

JISC’s championing of an open standards approach, the public availability of surveys and the development of the Athens Shibboleth Gateways all demonstrate an awareness of the need for institutions to have real choices regarding access management, based on their own individual circumstances.

Posted in Authorisation, Authentication, Institutional Audit, Joining the UK Federation | No Comments »

McShibbolising

Posted by admin on 13th August 2007

I spent a very interesting day at the ‘McShib’ event in Edinburgh last Wednesday. ‘McShib’ is a group that has come together to allow people with an interest in the adoption of Shibboleth to have a local (and northern) focus. The first great thing about this event is that it was brought together because of community demand and through the hard work of Andy Swiffin and the RSC for Scotland North and East, rather than something driven by JISC itself. The second great thing was the enthusiasm at the event and the really practical focus of the presentations on adopting Shibboleth. The event was initially scoped out for about 15 people and registration closed with over 50 attendees!

One of the key messages from the day was the importance of kicking off the legal part of joining the Federation. To quote Andy Swiffin:

There is no cost involved in doing this and even if you subsequently decide to outsource your identity provision your institution will still need to join. The great benefit in doing this as soon as possible is that when you do want to actively participate all of the paperwork is in place. In addition, if as many institutions as possible join now it sends a very clear message to Service Providers that this is something that the UK academic community is serious about and that it’s worth their while to put some effort into making their application Shibboleth aware. This in turn benefits us all!

I couldn’t agree more! Thanks to Andy, the RSC and all who took part in a very interesting event!

Posted in Authorisation, Authentication, Joining the UK Federation, events | No Comments »

Shibboleth and Libraries; Web 2.0 and Identity Management

Posted by admin on 9th August 2007

Andy Powell links to a presentation by Leigh Dodd at the Society for Scholarly Publishing on federated access. After years of struggling to explain federated access management, I realise that the missing component was South Park characters! My only comment is to question the statement that Shibboleth is library-centric. The original vision for Shibboleth was for internal use, such as the deployment at Ohio State, which manages more than 70 unique internal Service Providers such as course management systems, portals and business reports systems. I don’t think we have realised the potential for this type of application within the UK as yet, and fear the library-focused moniker may be a legacy of the UK interest in Shibboleth and our focus on library-type resources.

I was also interested in the opening comments within the presentation that refer to the proliferation of identity and access management within web 2.0 applications such as Facebook and Flickr. Given the well documented problems and breaches in identity management within these systems it would be great to see such systems adopting a federated approach…but I wonder what the incentive might be for these organisations to give up the benefits they currently gain from managing their own identity management?

Posted in Authorisation, Authentication, Identity Management | No Comments »

Bringing Janus to Facebook?

Posted by admin on 25th June 2007

Facebook has exploded within JISC at the moment and immediately brought up the obvious question - do I really want my boss to see photos of the party I was at last Saturday? This can alternatively be phrased ‘what does Facebook offer in a professional or learning context?’.

Facebook recognises this to some extent by allowing a ‘limited profile’ option - but this only allows me to have one type of limit. This is OK for separating professional and social requirements at a very basic level but does not really address the complexity of relationships that we build in our social, working and learning lives.

Ideally I would like to be able to present a different ‘face’ to each of the groups I am associated with. That doesn’t seem to be much of a stretch and fits in neatly with the discussions we have been having in JISC around Identity Management and its role in relation to user-centric environments.

Most people talk about the problem of us having ‘multiple identities’. I have always disliked this phrase; I’m fairly sure that I only have one identity…I just choose to interact with people and systems in different ways. In this case, I really have multiple persona and want to express these persona in different ways in my online interactions.

Some of my persona are ‘affiliated’ to organisations (banks, institutions, work, local squash club) and that affiliation determines my behaviour both in terms of how I wish to present myself and in terms of what I am authorised to access or do. In most of these scenarios I present some element or attributes of my ‘real world identity’ (another term I dislike but can’t think of anything more intelligent to use instead).

Other persona I use are purely social and important because I am fully responsible for the management and protection of these persona, which means I have to think very carefully about my personal attribute release policy (i.e. what I reveal about myself in these scenarios). A good example of this is my personal blog, which has no discernible relationship with my real world identity at all.

This also ties in neatly with the other problem that is being discussed in many different fora at the moment (including a debate on OpenID on the jisc-middleware-development list) - the difference between social trust and technical trust. I’ll leave that for another time!

Posted in Authorisation, Authentication, Identity Management | No Comments »

Managing a Mixed Economy

Posted by admin on 14th June 2007

This is an interesting article from e-week.com describing the use of SAML to enable single sign-on to Google Apps. It fairly accurately reflects the world we all live in, with a mixed economy of a Microsoft Active Directory infrastructure, VMware, an Identity Management solution from an independent company (Sxip) and web based applications from Google Apps, all glued together with an open standard through SAML. To me, a very sensible rather than purist approach to making the most of standards.

It also prompted me to download Sxipper. This is a Firefox plug-in for managing identity information and access credentials, and also an OpenID provider. Looks interesting…but I have not had a chance to properly play with it yet.

Posted in Authorisation, Authentication, Identity Management | No Comments »

Do you know who I am?

Posted by admin on 31st May 2007

I have been asked by many people about OpenID and its role in the UK federation infrastructure. Rather than write about this myself, I am going to quote James Dalziel (see quotes below) who recently made an excellent post on this issue to the JISC Shibboleth list. You may also be interested in a recent Ariadne article by Andy Powell that looks at OpenID in more detail.

OpenID is a great, simple technology for fostering single-sign-on among some web applications. Many of the core concepts of OpenID are similar to Shibboleth (in particular, applications don’t manage users themselves, instead, they rely on a separate identity service), so the growth of interest in OpenID is helping us to move away from the endless proliferation of names and passwords, and towards more efficient handling of identity. However, there is a key difference between most OpenID use and national Shibboleth implementations like the Australian Access Federation (AAF). In the OpenID world, a person can claim to be anyone they like when logging in to a service using OpenID. If I create an OpenID account called “Bill Gates”, then use this to log into your blog to post a comment, then the comment will come from Bill Gates.

In the case of the AAF, your home institution (eg, university) stands behind the Shibboleth assertion that you are who you say you are, and, for example, that you are a staff member (not a student). This trusted assertion is a combination of home institution policy and practices (eg, how your institution establishes who you are and your attributes) as well as the technology component enabled by Shibboleth.

This is, of course, true in relation to the UK Access Management Federation and is a required process for two reasons. In a trust network, Service Providers can fairly easily accept the idea that an institution can be trusted to follow certain identity management procedures and properly authenticate end-users. The institution is also the body that buys access to licensed resources in relation to a large variety of external resources and not the end-user. The challenge for the educational community now is to understand its relationship to identity and learning outside of this traditional model.

This difference between OpenID and Shibboleth is fundamental and important for the formal education and research environment - if I can assert anything I like about myself, this creates many potential risks. That’s not to suggest there are no potential risks with the AAF, but the level of trust behind assertions is of a significantly different kind. On a different note, the Shibboleth community has been closely tracking OpenID, and hopes to soon support OpenID as an alternative assertion that can be made from a trusted Shibboleth Identity Provider - this means you can use your trusted home institution login for both Shibboleth federation logins, as well as any wider OpenID logins. Of course, this doesn’t stop anyone from having separate OpenID identities if they choose, and potentially in the future, associating (or not!) these external OpenID identities with their trusted home institution login.

JISC is also interested in other models of identity management and in particular for ‘orphans’ who do not have an institution to provide them with a set of authentication credentials. Both TypeKey and ProtectNetwork provide this functionality within the UK federation. It is important to note that these services only provide you with authentication credentials. Authorised access still has to be established with the Service Provider being accessed. This often means added verification and release of personal details (such as an e-mail address) to allow this verification.

This is not to say that Shibboleth can do everything today. The management of self-asserted attributes is an evolving area, but the MAMS work on the Autograph personal privacy management tool has made some progress in this area. The issues associated with retaining identities as people move between different educational organisations will also need further work - but the concepts of “account linking” from the related Liberty Alliance work seem to be the promising way to take this forward. And as noted, adding an OpenID module to Shibboleth will be very useful for those who want both approaches together.

Tools that allow end-users to better manage their identities and rights will be of growing interest in the JISC community as we see more and more institutions adopting federated access management and tackling the challenges of lifelong learners, student mobility and the growth of learning experiences outside of the institutional infrastructure.

But the lack of trust in OpenID is a serious problem for its widespread use in the formal education and research sector; whereas “real trust” is a core component of the AAF work that sits behind the Shibboleth.

Thanks James :-)

Posted in Authorisation, Authentication, Identity Management | No Comments »

Managing People or Resources?

Posted by admin on 24th May 2007

I made a presentation at a CPD25 event on Monday, and it was great to see a high proportion of library staff at the event. One of the key concerns expressed by library staff was that in a federated access management system like Shibboleth it was not possible for library staff to manage the list of resources that students and staff access - i.e. the authorisation part of the equation. I thought I would explore this a little further.

In a federated access management system, the institution does not necessarily need to maintain lists of which resources each student or staff member is entitled to access. Instead, the institution stores attributes about the user in its attribute registry (typically an enterprise directory service). The institution can then declare to a Service Provider that ‘this is a member of staff’. Service Providers then maintain information about which of their resources staff@thisinstitution.ac.uk are allowed to access, rather than the institution maintaining these long lists for each user or user type. The UK federation has some examples of how attribute usage works.

This is great for simple authorisation processes, but many of the interactions between institutions (Identity Providers) and Service Providers are more complicated than this and need the specialist input of those who have detailed information about the resources that members access, and the type of information that should be released to each resource.

Luckily, these tools do exist, and with friendly interfaces that mean they can be accessed, viewed and updated by people without an in-depth knowledge of XML attribute release policies!

ShARPE from MAMS in Australia allows institutions to create and maintain attribute release policies on a resource by resource basis. Its primary aim is to ensure that only the correct information about users is released to any particular Service Provider, but it also acts as a great tool for managing information about resources - particularly information about licence expiry dates! Autograph is part of the same suite and takes this one step further by allowing end-users to manage the information that is released to Service Providers.

I also wonder what role Electronic Resource Management (ERM) tools may have to play for managing both license subscriptions and attribute information? Current systems such as Endeavor’s Meridian certainly appear to have fields that could fill this function.

The Swiss Federation, SWITCH AAI have developed a central Resource Registry that allows institutions and Service Providers to discover and manage information about subscribed resources. This is an attractive approach, but may not scale well to the UK!

Other systems focus on the privileges that certain members may have within an institution and are particularly useful for managing access to internal resources. This mock-up of the Internet2 Signet tool shows just that process. It is supported by Grouper - a toolkit for managing, well, groups! PERMIS is a similar tool to Signet that has been used in many JISC projects over the last few years.

All of these tools have different roles to play within an institution and may be used by IT Staff, Library Staff and Administrative Staff to achieve different goals. As we become more sophisticated about the rights that we express via attributes, it is inevitable that we will see more and more take-up of these management tools. It is good to know that they are out there and being developed right now!
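As an added illustration of the attribute-based model described in this post, and of the ‘who stands behind the assertion’ point from the ‘Do you know who I am?’ post above, here is a small Python sketch of my own (not code from ShARPE, Shibboleth or the UK federation). The entity IDs, scopes and directory record are constructed; eduPersonScopedAffiliation is the real eduPerson attribute whose values take the staff@thisinstitution.ac.uk form used above.

```python
# Added example (not code from the JISC blog, ShARPE or any federation software):
# a minimal model of the two halves of federated authorisation.
from typing import Dict, List, Set

# --- Identity Provider side -------------------------------------------------
# Constructed per-Service-Provider attribute release policy, keyed by the SP's
# entity ID. Each SP is sent only the attributes it needs (least privilege).
RELEASE_POLICY: Dict[str, Set[str]] = {
    "https://sp.journals.example/shibboleth": {"eduPersonScopedAffiliation"},
    "https://sp.vle.example/shibboleth": {"eduPersonScopedAffiliation",
                                          "eduPersonPrincipalName"},
}

# Constructed directory record for one user at a hypothetical institution.
USER_ATTRS: Dict[str, object] = {
    "eduPersonPrincipalName": "jbloggs@thisinstitution.ac.uk",
    "eduPersonScopedAffiliation": ["staff@thisinstitution.ac.uk",
                                   "member@thisinstitution.ac.uk"],
    "mail": "j.bloggs@thisinstitution.ac.uk",
}

def release(sp_entity_id: str, attrs: Dict[str, object],
            policy: Dict[str, Set[str]] = RELEASE_POLICY) -> Dict[str, object]:
    """Return only the attributes the policy permits for this SP.
    An SP with no rule in the policy receives nothing at all."""
    allowed = policy.get(sp_entity_id, set())
    return {name: value for name, value in attrs.items() if name in allowed}

# --- Service Provider side --------------------------------------------------
# Which affiliation values may reach which resource. The institution never
# maintains per-user resource lists; it only asserts 'staff', 'member', etc.
SP_ENTITLEMENTS: Dict[str, Set[str]] = {
    "journal-archive": {"staff", "member", "student"},
    "admin-reports": {"staff"},
}

# Scopes the federation has registered for each IdP (constructed). An IdP may
# vouch only for affiliations in its own scope; that registration is what
# separates a federation assertion from a self-chosen OpenID name.
REGISTERED_SCOPES: Dict[str, Set[str]] = {
    "https://idp.thisinstitution.ac.uk/shibboleth": {"thisinstitution.ac.uk"},
}

def authorise(resource: str, idp_entity_id: str,
              released: Dict[str, object]) -> bool:
    """Decide access from the released attributes and the asserting IdP."""
    affiliations: List[str] = list(released.get("eduPersonScopedAffiliation", []))
    trusted_scopes = REGISTERED_SCOPES.get(idp_entity_id, set())
    permitted_roles = SP_ENTITLEMENTS.get(resource, set())
    for value in affiliations:
        role, sep, scope = value.partition("@")
        if not sep or scope not in trusted_scopes:
            continue  # a value outside the IdP's registered scope is ignored
        if role in permitted_roles:
            return True
    return False

if __name__ == "__main__":
    idp = "https://idp.thisinstitution.ac.uk/shibboleth"
    sent = release("https://sp.journals.example/shibboleth", USER_ATTRS)
    print(sorted(sent))                              # ['eduPersonScopedAffiliation']
    print(authorise("admin-reports", idp, sent))     # True
```

Swapping the affiliation for staff@other.ac.uk, or the IdP for one the federation has not registered, makes authorise() return False even though the ‘staff’ role is present.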

ShARPE Screenshot

Posted in Authorisation, Institutional Audit | No Comments »