JISC Access Management Team

moving towards federated access management

Archive for the 'Identity Management' Category

BT in trouble?

Posted by markwilliams on 3rd April 2008

Notice that BT seems to have taken a lot of flak over its test of Phorm, which matches adverts to users’ web habits. Advertisers will probably argue that examples of such tools allow them to offer better aligned services to their prospective customers – users may well wonder where the line is drawn regarding the gathering of data about their online habits.

In the UK Federation, the line is already firmly drawn. Any user accessing resources is identified to that publisher by a random string. It’s a different generated random string for the user accessing each publisher so there can be no danger of deductive matching up of identities.

That element of protection may not seem a big deal at the moment but protection and ownership of one’s online identity will be the big issue over the next year – all sectors will no doubt come under intense scrutiny, particularly as individuals will become much more aware and savvy of the issues and principles involved. Obviously the commercial sector will bear the brunt of such examination, but UK education will receive its fair share of attention eventually. Fortunately, the move to federated access management sets up a sound basis for the protection of learners’ identities online, while allowing scope for the degrees and types of personalisation that publishers and users want. Users (nominally institutions) determine how much info (in attributes) to release, resource providers determine how much info they require. The worst that can happen is that nothing happens. No unpermitted exchange of data. But unpermitted does need a little unpacking. Institutions really do need to make learners aware of their information policies. It’s probably not the first question on most freshers’ lips yet, but one day…

Posted in Authorisation, Authentication, Identity Management, Blogroll, Uncategorized | 1 Comment »
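An added illustration of the per-publisher identifier described in the post above; it is not code from the UK Federation or from any identity provider software. The class and function names, the publisher entity IDs and the usernames are assumptions made for this example.

```python
import secrets


class PairwiseIdentifierStore:
    """Issues one opaque random identifier per (user, publisher) pair."""

    def __init__(self):
        # (local_user, publisher_entity_id) -> opaque identifier
        self._ids = {}

    def identifier_for(self, local_user, publisher_entity_id):
        key = (local_user, publisher_entity_id)
        if key not in self._ids:
            # 128 bits from the OS CSPRNG: nothing in the value is derived
            # from the username, so it cannot be reversed or guessed.
            self._ids[key] = secrets.token_urlsafe(16)
        # Stable on repeat visits, so the publisher can still personalise.
        return self._ids[key]


def publisher_view(store, publisher_entity_id, users):
    """The set of identifiers one publisher accumulates in its own logs."""
    return {store.identifier_for(u, publisher_entity_id) for u in users}


def shared_identifiers(view_a, view_b):
    """What two publishers could match on if they pooled their logs."""
    return view_a & view_b


# Constructed sample data (hypothetical users and publishers).
USERS = ["alice", "bob", "carol"]
PUB_A = "https://publisher-a.example/shibboleth"
PUB_B = "https://publisher-b.example/shibboleth"


def demo():
    store = PairwiseIdentifierStore()
    view_a = publisher_view(store, PUB_A, USERS)
    view_b = publisher_view(store, PUB_B, USERS)
    return view_a, view_b, shared_identifiers(view_a, view_b)


if __name__ == "__main__":
    a, b, overlap = demo()
    print("publisher A sees:", sorted(a))
    print("publisher B sees:", sorted(b))
    print("identifiers in common:", overlap)
```

The mapping table held by the institution is the only place where the identifiers can be linked back to a person, so it needs the same protection as the directory itself.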

Eduserv fund identity

Posted by markwilliams on 28th January 2008

Noticed Eduserv are funding FE / HE to explore an “examination of establishing an online identity in a particular community”. That’s good news as it complements the work JISC is doing on its own Identity project, and also highlights how social networking tools are impacting how we perceive identity. The blurring of traditional identity management is also all the more reason why HE / FE institutions should adopt improved control over management of their own students’ identities, which, of course, technologies such as Shibboleth allow. For those on the “do nothing” side of the access management fence, it’s worth looking at what a burning issue identity is becoming among students, who may well become aware of it through social networking, but will easily make the species / system leap and perhaps put under the microscope their own identity relationship with their host institutions.

With apologies to Edmund Burke, such a warning reminds me that “all it takes for confusion to flourish is for librarians to do nothing”.

Posted in Authorisation, Authentication, Identity Management, Blogroll | No Comments »

(B)Reaching Resources

Posted by nicole on 29th November 2007

I have had several in-depth conversations with Service Providers over the last couple of days regarding concerns that institutions are not taking their obligations seriously enough in terms of identity management and in relation to devolved authentication processes. I thought it would be worth capturing some of the discussions here.

My first point is that Service Providers to institutional libraries have always been reliant on the institution to provide accurate information about valid end users for their services. This is not a new concept within a devolved approach, but the very nature of devolved authentication often means that errors (such as bad revocation or credential re-use policies) are more easily uncovered than with service provider or centralised access management systems. So, we should to some extent be pleased if more errors are being uncovered - it means the process is working.

Institutions are often simply not aware enough of the obligations that are put on them in terms of good identity management processes when they sign up to a licensed resource. More work needs to be done to get the license terms and conditions out of a dusty filing cabinet and into the general consciousness of institutions.

The discussions have reinforced my faith in the policy approach of the UK federation, and its importance in addition to traditional licenses such as the JISC Model License. It also reinforces the importance of ‘section 6’ of the UK Access Management Federation Rules of Membership and I would urge all institutions to seriously consider signing up to it, and all service providers to review whether it should be a requirement of access. It is this section that truly places an obligation on institutions to demonstrate best practice in identity management.

Service Providers cannot expect institutions to demonstrate best practice unless there is a clear requirement - either in the license for the resource or within a policy document such as the UK Access Management Federation Rules of Membership.

Any devolved authentication system should have robust documentation in place to ensure that it is clear whether or not institutions using that system are following good practice in terms of identity management, and what accountability and traceability Service Providers can expect.

Overall, it is important that both institutions and Service Providers are taking identity management processes seriously, and it does worry me that Identity Management only makes number 10 on the UCISA Top Concerns list. To quote Lemony Snicket, We Are Very Concerned.

Posted in Authorisation, Authentication, Joining the UK Federation, Identity Management | No Comments »

Magic Bullet

Posted by markwilliams on 5th November 2007

Mark writes:
Second part of our Institutional Support process, for Universities and Colleges seeking support to help set them up as IdPs, went out today. We know it’s not going to be a magic bullet to cure all issues that Institutions are having but like the best DNA treatments these days, it is tightly targeted. Traditionally, we (JISC) have been very good at getting historically early adopter institutions to, and you’ve guessed it - “early adopt”. The support model we are trying here goes beyond that. I sense (and please contact me if I’m wrong) that a lot of FE institutions are fence sitting regards Access Management. Hopefully the institutions that get help through JIAMSP will really highlight the fact that Federated Access Management is both obtainable and desirable for all - and worth coming down off the fence for. We also know how small the window of opportunity is to get large scale IT projects done within the College academic calendar, so another part of the support is an attempt to target by time - Institutions can choose slots as to when they would like to move forward, if they are applying for support. Questions (and with this kind of support model, there really should be some) please.

Posted in Authentication, Authorisation, Institutional Audit, Joining the UK Federation, events, Identity Management, Blogroll | No Comments »

Podcast - support for institutions

Posted by Jane Charlton on 2nd November 2007

Jane writes:

In this podcast interview, Mark Williams from the JISC Access Management Outreach Team talks to Philip Pothen about the importance of federated access management and how this will enable better collaboration and sharing of common resources between institutions. Mark talks about the choices and challenges for institutions but also the opportunities federated access management can bring in the way of access to online resources and collaborative projects. He also highlights the support available to institutions through case studies, the business case toolkit and other materials on the JISC and UK federation websites, Netskills upskilling workshops and support available through 3rd party providers.

To listen to the full podcast interview please visit:

www.jisc.ac.uk/news/stories/2007/10/podcast15markwilliams

Posted in Institutional Audit, Joining the UK Federation, Identity Management | 1 Comment »

Calling third parties

Posted by markwilliams on 23rd October 2007

Mark writes:

JISC has just issued an ITT for third parties experienced in access management to bid to provide support to institutions who want to deploy an IdP. You might say that such support is already there, and to a degree much of it is. Particularly if you are an Institution employing an IT staff with the correct skill set, have an organised directory service, a significant subscription to JISC Collections resources and the strategic ambition to move forward on access management. However, and it is a big HOWEVER, it’s clear that there are enough institutions who can use the business case toolkit to determine that they want access management (and I mean the 100% proof type, not devolved outsourcing to a delegated authority), but who have also determined that it’s currently financially / technically out of reach. It is that group of institutions which the successful respondent to the ITT will be working with. The time will come for such institutions to submit applications for the help that the project will provide, but for the present - if you are a third party provider of access management support, with a desire to spend long hours setting up IdPs in grateful institutions all over the country - we want YOUR interest. And remember we encourage questions…

Posted in Strategy and Policy, Institutional Audit, Authentication, Authorisation, Joining the UK Federation, Identity Management, Blogroll, events, Programme Management, Uncategorized | No Comments »

Internet2 Day One - Collaboration is what you need

Posted by nicole on 9th October 2007

Nicole Harris writes

The team is currently attending and speaking (lots) at the Fall Internet2 meeting in San Diego.

Day One we are focusing on Identity Management and Collaborative Tools. My very brief presentation followed on from some really interesting overviews by Ken Klingenstein and Michael Gettes (Internet2) and James Dalziel (AARnet).

All of our presentations focused on the need for:

  • taking identity management out of services, and managing separately in a federated approach.
  • providing tools for users and managers to cope with the complexity of managing identities, groups, attributes etc.

I was really happy, as nobody talked about having multiple identities, but the complexity of our relationships and rights in relation to member institutions and services.

Interesting developments are the COmanage and IAMSuite tools. These are bringing together a host of promising, but not complete solution tools: ShARPE, Grouper, Signet, MyVOCs and beginning to address some of the real interesting use cases behind the interest in more high profile tools such as OpenID and CardSpace.

Definitely a space to watch and one that will be growing.

Other points and questions from the session:

  • Moving away from the idea of shib-enabled, iamsuite-enabled, federated etc. We just want well-behaved apps that will consume external identities and identity information. SAML compliance is clearly important here, but perhaps not the final answer.
  • What should be on my identity management ‘dashboard’ to actually help me manage my identity?
  • Should all group management tools be able to provide and release information about all group members?

Posted in Identity Management | No Comments »

Divining the bottleneck

Posted by admin on 1st October 2007

We all know the trick to getting the best, fastest piece of IT kit for your buck: locating the speed bottleneck. It’s no use buying a hyper fast graphics card if the speed of onboard memory is too slow, or having a fast shooting Digital SLR Camera if the compact flash card has a slow write speed. Well, it’s the same with access management. So much of what we do in improving access to content depends on every link in the chain. One element which we tend to look at least (maybe because it doesn’t have a technical standard linked to it?) is licensing.

24/7, remote, finely grained access to content only happens when the license permits it too.

Let’s not forget we need 21st century licenses for 21st century technology.

Posted in Authentication, Authorisation, Institutional Audit, Joining the UK Federation, events, Identity Management, Blogroll | No Comments »

Presentation or Interaction?

Posted by admin on 19th September 2007

Today is the 3rd Meeting of JIIE for 2007, and the Committee was particularly focusing on the Information Environment (IE) Strategy, and the Users and Innovation Programme. A common theme was whether or not the word ‘presentation’ that is currently used in the IE architecture is appropriate in the changing world, or whether we should be talking more about ‘user interaction’.

Presentation of course suggests something managed by the institution and pushed out to the students - rather than the user-led model suggested by interaction.

This highlights the changing role of the institution as a broker between students and services, rather than as an infrastructure provider to students. It also refocuses on the scenarios where institutions do act as Service Providers - both to their own students and to students, institutions and indeed businesses elsewhere.

Ian Dolphin asked a series of questions, one of which was around the role of access management in this changing environment. Some of my thoughts on this:

  • Federated Access does not negate user-centric identity and access management, as I often see suggested. Institutions should broker access for their students where appropriate, such as an institution brokering access to licensed resources on behalf of the student. This can be completely compatible with a user-led approach.
  • Users cannot effectively manage their own identities as yet, or verify their own identities - institutions are effective brokers in this scenario. The role of the broker and trusted verifier is very important to all user-centric identity management systems such as OpenID and identity metasystems.
  • Attributes provide an effective way of providing information to enable user interaction, particularly when moving away from the concept that there is a presentation ‘layer’. JISC will shortly be issuing an ITT looking at the role attributes can play in providing a personalised experience.

Thankfully, this all fits nicely with the forward look for access and identity management within JISC - which is always a relief!

Posted in Identity Management, Programme Management | No Comments »

Mistaken Identity

Posted by admin on 18th September 2007

While at the Janet UK Federation briefing event yesterday, someone sitting next to me asked me if I was a content supplier. Working in HE, that doesn’t happen to me very often – turned out it was all because of my laptop. I had a reasonably flash one, so I must be in commerce not education… Moral of the story – sadly, all too often Librarians seem to be towards the bottom of the food chain when it comes to getting shiny toys. It’s important because it can be the shiny toys that inspire us to be ambitious in how we use IT. Could a particular institution’s reluctance to adopt sophisticated access management be rooted in a childhood laptop deprivation of never having seen a dual core processor in action?

While on the topic of righting misconceptions, I’ve noticed the odd supplier using the JISC HE / FE banding as their pricing structure. Nothing wrong in that, however, care needs to be taken to not imply the pricing structure of a particular product is set by JISC - suppliers are welcome to use the structure, but it shouldn’t be implied that use of the structure means de facto JISC endorsement.

Posted in Authorisation, Authentication, Identity Management, events, Blogroll | No Comments »