Posted by admin on 19th September 2007
Today is the 3rd meeting of JIIE for 2007, and the Committee was focusing particularly on the Information Environment (IE) Strategy and the Users and Innovation Programme. A common theme was whether the word ‘presentation’, as currently used in the IE architecture, is still appropriate in a changing world, or whether we should be talking more about ‘user interaction’.
‘Presentation’ of course suggests something managed by the institution and pushed out to students, rather than the user-led model suggested by ‘interaction’.
This highlights the changing role of the institution as a broker between students and services, rather than as an infrastructure provider to students. It also refocuses attention on the scenarios where institutions do act as Service Providers, both to their own students and to students, institutions and indeed businesses elsewhere.
Ian Dolphin asked a series of questions, one of which was around the role of access management in this changing environment. Some of my thoughts on this:
- Federated access does not negate user-centric identity and access management, as I often see suggested. Institutions should broker access for their students where appropriate, for example by brokering access to licensed resources on behalf of the student. This can be completely compatible with a user-led approach.
- Users cannot yet effectively manage or verify their own identities, and institutions are effective brokers in this scenario. The role of the broker and trusted verifier is very important to all user-centric identity management systems, such as OpenID and identity metasystems.
- Attributes provide an effective way of supplying the information needed for user interaction, particularly when moving away from the concept that there is a presentation ‘layer’. JISC will shortly be issuing an ITT looking at the role attributes can play in providing a personalised experience.
Thankfully, this all fits nicely with the forward look for access and identity management within JISC - which is always a relief!
Posted in Identity Management, Programme Management | No Comments »
Posted by admin on 18th September 2007
While at the Janet UK Federation briefing event yesterday, someone sitting next to me asked me if I was a content supplier. Working in HE, that doesn’t happen to me very often – it turned out it was all because of my laptop. I had a reasonably flash one, so I must be in commerce, not education… Moral of the story: sadly, all too often librarians seem to be towards the bottom of the food chain when it comes to getting shiny toys. It matters because it can be the shiny toys that inspire us to be ambitious in how we use IT. Could a particular institution’s reluctance to adopt sophisticated access management be rooted in a childhood of laptop deprivation, never having seen a dual core processor in action?
While on the topic of righting misconceptions, I’ve noticed the odd supplier using the JISC HE / FE banding as their pricing structure. Nothing wrong in that; however, care needs to be taken not to imply that the pricing structure of a particular product is set by JISC. Suppliers are welcome to use the structure, but it shouldn’t be implied that use of the structure means de facto JISC endorsement.
Posted in Authorisation, Authentication, Identity Management, events, Blogroll | No Comments »
Posted by admin on 14th September 2007
Glad to say that it seemed more like a shot by shot remake, in the same way that Gus Van Sant remade Psycho, rather than the “re-envisioning” of Planet of the Apes that Tim Burton did.
There is a serious point though: a major rationale for federating around the SAML standard is interoperability. The Oz remake (the country, not the one featuring CGI flying monkeys) proves that we face similar problems and that we would seem to be on the right track with similar solutions.
Certainly makes the sentence, “an international standard”, far more meaningful….
Posted in Institutional Audit, Authentication, Authorisation, Joining the UK Federation, Identity Management, events, Programme Management, Blogroll | No Comments »
Posted by admin on 13th September 2007
There has been a lot of discussion on UK lists recently about the ‘discovery problem’ with federated access management. I think this can actually be translated into three questions:
- How do users know which ‘log-in link’ to click on when they are presented with a variety of options such as ‘organisational log-in’, ‘athens log-in’, ‘account log-in’ etc. and which credentials do they use?
- Can users (and Service Providers) cope with the WAYF approach and should this be federation-centric or service provider-centric?
- How do institutions ‘brand’ the log-in page they present to users and describe the network or institutional log-in, and can we gain consistency in use of this language?
There are a variety of opinions of how this should be done. Below, I’ve recorded my personal thoughts in relation to this, but I’d be very interested to hear from others…
- Identity Providers should use institutional branding on log-in pages wherever possible, and particularly if the credentials for federated access are the same as a user’s usual organisational log-in.
- If an IdP uses different credentials for federated access management, they may wish to consider using UK federation branding to help differentiate. Some guidelines are available here. It is worth considering whether the UK federation will be the custodian of all federated access transactions before making this decision (i.e. internal federated resources, other collaborative resources etc.).
- Use of a centralised, federation-controlled WAYF is clearly not the most effective way of carrying out discovery and should be used as a ‘last resort’ when Identity Providers or Service Providers have no other ways of managing discovery.
- Users like embedded links in institutional repositories / portals, but more work is needed to make the creation and embedding of structured links easier and more maintainable.
- Service Providers should think long and hard about how they present log-in links to users.
I think there is some work for the access management team here…but there are some really good examples of good discovery in action.
From the Identity Provider perspective, I really like the approach taken by Margaret Flett at UCL, as described in her presentation to CPD25.
From the Service Provider perspective, I like the elegance of the SP-side WAYF created by JSTOR, which combines both Athens access and devolved access into one process.
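As an added illustration (not code from the original post, from JSTOR or from the UCL deployment mentioned), here is one way a portal or repository could generate the ‘embedded links’ discussed above from federation metadata rather than by hand. It assumes the session-initiator endpoint used by Shibboleth SP releases (/Shibboleth.sso/Login taking entityID and target parameters); the entityIDs and the metadata excerpt are constructed. Two checks matter: a link is only built for an IdP that is actually present in the metadata, and the post-login target must stay on the Service Provider’s own host, so that a portal link cannot be turned into an open redirect.

```python
"""Build and validate embedded, SP-initiated discovery links from SAML metadata.

Added example; not code from the original post or from the Shibboleth project.
Assumes the Shibboleth SP session initiator at /Shibboleth.sso/Login with
entityID and target parameters. Metadata and entityIDs below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed federation metadata excerpt: two fictitious IdPs and one SP.
FEDERATION_METADATA = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp.example.ac.uk/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example-college.ac.uk/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""


def load_idps(metadata_xml):
    """Return the set of entityIDs that carry an IDPSSODescriptor.

    Entities that are only Service Providers are deliberately left out, so a
    mistyped link can never point a user at something that is not an IdP.
    """
    root = ET.fromstring(metadata_xml)
    idps = set()
    for entity in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        if entity.find(f"{{{MD_NS}}}IDPSSODescriptor") is not None:
            idps.add(entity.get("entityID"))
    return idps


def build_login_link(sp_host, idp_entity_id, target, known_idps):
    """Return https://<sp_host>/Shibboleth.sso/Login?entityID=...&target=...

    Refuses IdPs that are not in metadata, and refuses any target that would
    send the browser off the SP's own host after login (absolute URLs on
    another host, protocol-relative //host/... forms, non-https schemes).
    """
    if idp_entity_id not in known_idps:
        raise ValueError(f"unknown IdP: {idp_entity_id}")
    parts = urlsplit(target)
    if parts.scheme not in ("", "https"):
        raise ValueError(f"target scheme not allowed: {target}")
    if parts.netloc and parts.netloc != sp_host:
        raise ValueError(f"target not on {sp_host}: {target}")
    if not parts.netloc and not parts.path.startswith("/"):
        raise ValueError(f"relative target must start with '/': {target}")
    query = urlencode({"entityID": idp_entity_id, "target": target})
    return f"https://{sp_host}/Shibboleth.sso/Login?{query}"


def portal_links(sp_host, idp_entity_id, resource_paths, known_idps):
    """Links for a whole list of licensed resources, e.g. a library portal page."""
    return {path: build_login_link(sp_host, idp_entity_id, path, known_idps)
            for path in resource_paths}


if __name__ == "__main__":
    idps = load_idps(FEDERATION_METADATA)
    for path, link in portal_links("sp.example.org", "https://idp.example.ac.uk/shibboleth",
                                   ["/journal/123", "/stable/456"], idps).items():
        print(path, "->", link)
```

Regenerating links from metadata on a schedule, rather than pasting them by hand, is what keeps them maintainable when an IdP changes its entityID or leaves the federation.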
Posted in Authorisation, Authentication, Identity Management | No Comments »
Posted by admin on 9th August 2007
Andy Powell links to a presentation by Leigh Dodd at the Society for Scholarly Publishing on federated access. After years of struggling to explain federated access management, I realise that the missing component was South Park characters! My only comment is to question the statement that Shibboleth is library-centric. The original vision for Shibboleth was for internal use - such as the deployment at Ohio State which manages more than 70 unique internal Service Providers such as course management systems, portals and business reports systems. I don’t think we have realised the potential for this type of application within the UK as yet, and fear the library-focused moniker may be a legacy of the UK interest in Shibboleth and our focus on library-type resources.
I was also interested in the opening comments within the presentation that refer to the proliferation of identity and access management within web 2.0 applications such as Facebook and Flickr. Given the well documented problems and breaches in identity management within these systems it would be great to see such systems adopting a federated approach…but I wonder what the incentive might be for these organisations to give up the benefits they currently gain from managing their own identity management.
Posted in Authorisation, Authentication, Identity Management | No Comments »
Posted by admin on 22nd July 2007
I gave a talk to a very small and select group of people at the JISC Digitisation Conference last week. I wasn’t surprised by the size of the group… I would have rather talked about other things than access management at the digitisation conference! We did have a very interesting debate in the session though, and the question of ‘multiple identities’ came up.
As I’ve previously mentioned, I dislike the phrase ‘multiple identities’, but that aside an interesting question sprang up: isn’t JISC adopting SAML and Shibboleth technologies to solve the multiple identity problem?
The simple answer to this is no. The more complex answer follows…
We cannot get away from the fact that we all have multiple sets of credentials to access multiple different resources based on our different affiliations (institutions, membership bodies, banks etc.) and different persona we present. It is a problem that needs addressing, but I think we have a long way to go. This is summed up in the steps below:
- Put the framework in place so we can even start thinking about managing identities in a joined up way. This has to mean the promotion of open standards and systems that can interoperate and talk to each other rather than locking us in. I think that SAML is currently the most promising route for doing this.
- Get basic identity management right. Most institutions that I talk to who are going through the process of adopting federated access management will quite readily admit that their identity management processes are a mess and the hardest piece of work is getting basic information held in a meaningful manner.
- Question the number of credentials held and get rid of all of the usernames and passwords that we can. I want as few identity managers as possible, with a focus on trusted affiliations (my bank, my institution, the passport office) where a high level of verified identity management is required, and preferably just me when low or no verification is needed, such as when I am only expressing persona information (blog comments etc.). The easiest ones to get rid of are of course all of the Service Providers who are also carrying out identity management when they don’t need to - and that includes institutions themselves!
- At this stage, then question the number of credentials left and the role that educational institutions have to play in managing these or supporting user centric management.
There are of course technologies available that point towards user-centric identity management, such as CardSpace and OpenID. The difficult question is not the technology, but whether or not institutions can manage and base their own business processes on a technology and infrastructure that is user-centric rather than institution-centric. This is part of the wider debate around the infrastructure services that institutions offer end-users, such as whether or not we need to give all users an institutional e-mail address when they are already likely to have access to several different e-mail accounts on enrolment.
In the world of identity management, the question has to be how much value does the end-user place in having an institutional identity and how much use will they make of it? The answer to this is likely to be very different for undergraduates to postgraduates to staff. I think this also links in to the comments that Andy Powell has recently made on multiple identities within the education sector. I don’t think multiple identity credentials should ever exist just to service access - they should only exist if we place value in having and using that identity.
Whilst institutional licensing still exists as the main approach for getting access to commercial resources, I can’t see the institutional identity disappearing. It is still interesting to explore the approaches that might be taken by institutions if this landscape did significantly change.
Posted in Authentication, Identity Management | No Comments »
Posted by admin on 25th June 2007
Facebook has exploded within JISC at the moment and immediately brought up the obvious question - do I really want my boss to see photos of the party I was at last Saturday? This can alternatively be phrased ‘what does Facebook offer in a professional or learning context?’.
Facebook recognises this to some extent by allowing a ‘limited profile’ option - but this only allows me to have one type of limit. This is OK for separating professional and social requirements at a very basic level but does not really address the complexity of relationships that we build in our social, working and learning lives.
Ideally I would like to be able to present a different ‘face’ to each of the groups I am associated with. That doesn’t seem to be much of a stretch and fits in neatly with the discussions we have been having in JISC around Identity Management and its role in relation to user-centric environments.
Most people talk about the problem of us having ‘multiple identities’. I have always disliked this phrase - I’m fairly sure that I only have one identity…I just choose to interact with people and systems in different ways. In this case, I really have multiple persona and want to express these persona in different ways in my online interactions.
Some of my persona are ‘affiliated’ to organisations (banks, institutions, work, local squash club) and that affiliation determines my behaviour both in terms of how I wish to present myself and in terms of what I am authorised to access or do. In most of these scenarios I present some element or attributes of my ‘real world identity’ (another term I dislike but can’t think of anything more intelligent to use instead).
Other persona I use are purely social and important because I am fully responsible for the management and protection of these persona, which means I have to think very carefully about my personal attribute release policy (i.e. what I reveal about myself in these scenarios). A good example of this is my personal blog, which has no discernible relationship with my real world identity at all.
This also ties in neatly with the other problem that is being discussed in many different fora at the moment (including a debate on OpenID on the jisc-middleware-development list) - the difference between social trust and technical trust. I’ll leave that for another time!
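An added example of the ‘personal attribute release policy’ idea, not code from the original post: a small default-deny release policy keyed by persona as well as by relying party, so that verified, real-world attributes never travel with a social persona even if a rule is mis-written. Persona names, relying-party entityIDs and attribute values are all constructed, and the ‘.domain’ rule form is an assumption of this example rather than any product’s syntax.

```python
"""Per-persona attribute release policy (added example, not from the original post).

Models one person with several persona, each releasing a different subset of
attributes to different relying parties. Nothing is released unless a rule
allows it, and persona marked as unlinked never release verified attributes.
All names and values below are constructed.
"""
from urllib.parse import urlsplit

# What the user could say about themselves, tagged by who stands behind it:
# "verified" values are backed by an affiliated organisation (institution,
# bank, ...); "self" values are asserted by the user alone.
USER_ATTRIBUTES = {
    "displayName": ("self", "Alex Example"),
    "nickname": ("self", "squashfan"),
    "mail": ("verified", "alex@example.ac.uk"),
    "eduPersonScopedAffiliation": ("verified", "staff@example.ac.uk"),
    "eduPersonTargetedID": ("verified", "f1e2d3c4"),
}

# Persona that must stay unlinked from real-world identity.
UNLINKED_PERSONAS = {"social"}

# Release rules: (persona, relying party, attributes allowed). The relying
# party is either an exact entityID or ".domain", meaning any entityID whose
# host is that domain or a sub-domain of it.
RELEASE_POLICY = [
    ("work", ".jisc.ac.uk", {"displayName", "mail", "eduPersonScopedAffiliation"}),
    ("work", "https://sp.example-publisher.com/shibboleth",
     {"eduPersonScopedAffiliation", "eduPersonTargetedID"}),
    # Deliberately over-broad rule to show the persona guard: it names
    # "mail", but the social persona still never releases a verified value.
    ("social", ".example-blogs.net", {"nickname", "mail"}),
]


def relying_party_matches(rule, relying_party):
    """Exact entityID match, or host-suffix match for '.domain' rules.

    The host is taken from the parsed entityID, not by substring search, so
    'https://evil.example/?x=.jisc.ac.uk' does not match '.jisc.ac.uk'.
    """
    if rule.startswith("."):
        host = urlsplit(relying_party).hostname or ""
        return host == rule[1:] or host.endswith(rule)
    return rule == relying_party


def release(persona, relying_party, attributes=USER_ATTRIBUTES, policy=RELEASE_POLICY):
    """Return {attribute: value} to send to relying_party when acting as persona."""
    allowed = set()
    for rule_persona, rule_rp, names in policy:
        if rule_persona == persona and relying_party_matches(rule_rp, relying_party):
            allowed |= names
    released = {}
    for name, (source, value) in attributes.items():
        if name not in allowed:
            continue  # default deny
        if persona in UNLINKED_PERSONAS and source == "verified":
            continue  # never link a social persona to verified identity
        released[name] = value
    return released


if __name__ == "__main__":
    print("work -> JISC:", release("work", "https://sp.jisc.ac.uk/shibboleth"))
    print("social -> blog:", release("social", "https://blog.example-blogs.net/openid"))
    print("social -> JISC:", release("social", "https://sp.jisc.ac.uk/shibboleth"))
```

The guard on unlinked persona is the part worth copying: a release policy that depends only on getting every rule right will eventually leak the one attribute that ties a pseudonymous persona back to a real person.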
Posted in Authorisation, Authentication, Identity Management | No Comments »
Posted by admin on 25th June 2007
According to Windows Messenger on my computer, I am now Melissa. Mel logged in to my laptop at a meeting last week and clearly made a memorable impression as it hasn’t wanted to forget her ever since. It doesn’t matter how many times I reset, it always goes back to Mel. The only way we have managed to stop this happening (and stop me having the temptation of some interesting chats with Mel’s friends incognito) is to reset Mel’s password.
As well as being slightly disappointed in the unfaithfulness of my machine, it is a good reminder of how easy it is to leave an identity trail everywhere…
Posted in Identity Management | No Comments »
Posted by admin on 14th June 2007
This is an interesting article from e-week.com describing the use of SAML to enable single sign-on to Google Apps. It fairly accurately reflects the world we all live in with a mixed economy of a Microsoft Active Directory infrastructure, VMWare, an Identity Management solution from an independent company (Sxip), web based applications from Google Apps all glued together with an open standard through SAML. To me, a very sensible rather than purist approach to making the most of standards.
It also prompted me to download Sxipper. This is a Firefox plug-in for managing identity information and access credentials, and also an OpenID provider. Looks interesting…but have not had a chance to properly play with yet.
Posted in Authorisation, Authentication, Identity Management | No Comments »
Posted by admin on 31st May 2007
I have been asked by many people about OpenID and its role in the UK federation infrastructure. Rather than write about this myself, I am going to quote James Dalziel (see quotes below) who recently made an excellent post on this issue to the JISC Shibboleth list. You may also be interested in a recent Ariadne article by Andy Powell that looks at OpenID in more detail.
OpenID is a great, simple technology for fostering single-sign-on among some web applications. Many of the core concepts of OpenID are similar to Shibboleth (in particular, applications don’t manage users themselves; instead, they rely on a separate identity service), so the growth of interest in OpenID is helping us to move away from the endless proliferation of names and passwords, and towards more efficient handling of identity. However, there is a key difference between most OpenID use and national Shibboleth implementations like the Australian Access Federation (AAF). In the OpenID world, a person can claim to be anyone they like when logging in to a service using OpenID. If I create an OpenID account called “Bill Gates”, then use this to log into your blog to post a comment, then the comment will come from Bill Gates.
In the case of the AAF, your home institution (eg, university) stands behind the Shibboleth assertion that you are who you say you are, and, for example, that you are a staff member (not a student). This trusted assertion is a combination of home institution policy and practices (eg, how your institution establishes who you are and your attributes) as well as the technology component enabled by Shibboleth.
This is, of course, true in relation to the UK Access Management Federation and is a required process for two reasons. In a trust network, Service Providers can fairly easily accept the idea that an institution can be trusted to follow certain identity management procedures and properly authenticate end-users. The institution is also the body that buys access to licensed resources in relation to a large variety of external resources and not the end-user. The challenge for the educational community now is to understand its relationship to identity and learning outside of this traditional model.
This difference between OpenID and Shibboleth is fundamental and important for the formal education and research environment - if I can assert anything I like about myself, this creates many potential risks. That’s not to suggest there are no potential risks with the AAF, but the level of trust behind assertions is of a significantly different kind. On a different note, the Shibboleth community has been closely tracking OpenID, and hopes to soon support OpenID as an alternative assertion that can be made from a trusted Shibboleth Identity Provider - this means you can use your trusted home institution login for both Shibboleth federation logins, as well as any wider OpenID logins. Of course, this doesn’t stop anyone from having separate OpenID identities if they choose, and potentially in the future, associating (or not!) these external OpenID identities with their trusted home institution login.
JISC is also interested in other models of identity management and in particular for ‘orphans’ who do not have an institution to provide them with a set of authentication credentials. Both TypeKey and ProtectNetwork provide this functionality within the UK federation. It is important to note that these services only provide you with authentication credentials. Authorised access still has to be established with the Service Provider being accessed. This often means added verification and release of personal details (such as an e-mail address) to allow this verification.
This is not to say that Shibboleth can do everything today. The management of self-asserted attributes is an evolving area, but the MAMS work on the Autograph personal privacy management tool has made some progress in this area. The issues associated with retaining identities as people move between different educational organisations will also need further work - but the concepts of “account linking” from the related Liberty Alliance work seems to be the promising way to take this forward. And as noted, adding an OpenID module to Shibboleth will be very useful for those who want both approaches together.
Tools that allow end-users to better manage their identities and rights will be of growing interest in the JISC community as we see more and more institutions adopting federated access management and tackling the challenges of lifelong learners, student mobility and the growth of learning experiences outside of the institutional infrastructure.
But the lack of trust in OpenID is a serious problem for its widespread use in the formal education and research sector; whereas “real trust” is a core component of the AAF work that sits behind Shibboleth.
Thanks James 
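As an added example (not code from James Dalziel’s post, the UK federation or the Shibboleth project), here is what a Service Provider can check once an assertion arrives from a federation member, which is exactly what it cannot check for a self-asserted OpenID login. It assumes the assertion’s signature has already been verified against the issuer’s key from federation metadata, and works on the extracted issuer and attributes. The scope rule mirrors the Shibboleth SP’s behaviour of accepting a scoped attribute value only when its scope is registered for the issuing IdP in metadata; it also shows why an authentication-only provider of the kind mentioned above for ‘orphans’ gets a user authenticated but not authorised. EntityIDs, scopes and attribute values are constructed.

```python
"""SP-side trust checks on attributes from a federation IdP (added example).

Not code from the quoted post, the UK federation or the Shibboleth project.
Assumes the SAML assertion's signature has already been verified against
the issuer's metadata; this works on the extracted issuer and attributes.
All entityIDs, scopes and values are constructed.
"""
import re

# Constructed metadata view: issuer entityID -> scopes it is registered for.
# Shibboleth metadata allows a Scope to be a literal or a regular expression.
IDP_SCOPES = {
    "https://idp.example.ac.uk/shibboleth": [("example.ac.uk", False)],
    "https://idp.example-college.ac.uk/idp/shibboleth": [
        (r"^.+\.example-college\.ac\.uk$", True),
    ],
    # Authentication-only provider (the 'orphan' case): in the federation,
    # can say who logged in, but registers no scope and so cannot vouch for
    # anyone's institutional affiliation.
    "https://guest-idp.example.net/shibboleth": [],
}

# Attributes whose values carry a scope after '@' and must be scope-checked.
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}


def scope_allowed(issuer, scope):
    """True if the issuer is registered for this scope in metadata."""
    for value, is_regex in IDP_SCOPES.get(issuer, []):
        if is_regex:
            if re.fullmatch(value, scope):
                return True
        elif value == scope:
            return True
    return False


def accepted_attributes(issuer, attributes):
    """Keep only the attribute values the issuer is entitled to assert.

    attributes: {name: [values]} as extracted from the verified assertion.
    An issuer absent from metadata is refused outright (the OpenID-style
    'anyone can claim anything' case); scoped values whose scope the issuer
    does not hold are dropped as if they had never been asserted.
    """
    if issuer not in IDP_SCOPES:
        raise ValueError(f"issuer not in federation metadata: {issuer}")
    accepted = {}
    for name, values in attributes.items():
        if name not in SCOPED_ATTRIBUTES:
            accepted[name] = list(values)
            continue
        kept = []
        for value in values:
            local, sep, scope = value.rpartition("@")
            if sep and local and scope_allowed(issuer, scope):
                kept.append(value)
        if kept:
            accepted[name] = kept
    return accepted


def authorise(issuer, attributes, licensed_scopes, roles=("member", "staff", "student")):
    """Licence check: an accepted affiliation at a scope the SP has licensed.

    Authentication (a usable identity) and authorisation (a licence) are
    separate: a guest IdP can deliver the first and still fail the second.
    """
    accepted = accepted_attributes(issuer, attributes)
    for value in accepted.get("eduPersonScopedAffiliation", []):
        role, _, scope = value.rpartition("@")
        if role in roles and scope in licensed_scopes:
            return True
    return False


if __name__ == "__main__":
    licence = {"example.ac.uk"}
    print(authorise("https://idp.example.ac.uk/shibboleth",
                    {"eduPersonScopedAffiliation": ["staff@example.ac.uk"]}, licence))
    # Another IdP asserting a scope it does not own is not believed.
    print(authorise("https://idp.example-college.ac.uk/idp/shibboleth",
                    {"eduPersonScopedAffiliation": ["staff@example.ac.uk"]}, licence))
```

The check that does the real work is the scope comparison against metadata: it is what stops one federation member from asserting affiliations on behalf of another, and it has no equivalent when the only thing standing behind an assertion is the person making it.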
Posted in Authorisation, Authentication, Identity Management | No Comments »