JISC Access Management Team

moving towards federated access management

Archive for the 'Institutional Audit' Category

Magic Bullet

Posted by markwilliams on 5th November 2007

Mark writes:
Second part of our Institutional Support process, for Universities and Colleges seeking support to help set them up as IdPs, went out today. We know it’s not going to be a magic bullet to cure all issues that Institutions are having but like the best DNA treatments these days, it is tightly targeted. Traditionally, we (JISC) have been very good at getting historically early adopter institutions to, and you’ve guessed it - “early adopt”. The support model we are trying here goes beyond that. I sense (and please contact me if I’m wrong) that a lot of FE institutions are fence sitting regards Access Management. Hopefully the institutions that get help through JIAMSP will really highlight the fact that Federated Access Management is both obtainable and desirable for all - and worth coming down off the fence for. We also know how small the window of opportunity is to get large scale IT projects done within the College academic calendar, so another part of the support is an attempt to target by time - Institutions can choose slots as to when they would like to move forward, if they are applying for support. Questions (and with this kind of support model, there really should be some) please.

Posted in Authentication, Authorisation, Institutional Audit, Joining the UK Federation, events, Identity Management, Blogroll | No Comments »

Podcast - support for institutions

Posted by Jane Charlton on 2nd November 2007

Jane writes:

In this podcast interview, Mark Williams from the JISC Access Management Outreach Team talks to Philip Pothen about the importance of federated access management and how this will enable better collaboration and sharing of common resources between institutions. Mark talks about the choices and challenges for institutions but also the opportunities federated access management can bring in the way of access to online resources and collaborative projects. He also highlights the support available to institutions through case studies, the business case toolkit and other materials on the JISC and UK federation websites, Netskills upskilling workshops and support available through 3rd party providers.

To listen to the full podcast interview please visit:

www.jisc.ac.uk/news/stories/2007/10/podcast15markwilliams

Posted in Institutional Audit, Joining the UK Federation, Identity Management | 1 Comment »

Calling third parties

Posted by markwilliams on 23rd October 2007

Mark writes:

JISC has just issued an ITT for third parties experienced in access management to bid to provide support to institutions who want to deploy an IdP. You might say that such support is already there, and to a degree much of it is. Particularly if you are an Institution employing an IT staff with the correct skill set, have an organised directory service, a significant subscription to JISC Collections resources and the strategic ambition to move forward on access management. However, and it is a big HOWEVER, it’s clear that there are enough institutions who can use the business case toolkit to determine that they want access management (and I mean the 100% proof type, not devolved outsourcing to a delegated authority), but who have also determined that it’s currently financially / technically out of reach. It is that group of institutions, which the successful respondent to the ITT will be working with. The time will come for such institutions to submit applications for the help that the project will provide, but for the present - if you are a third party provider of access management support, with a desire to spend long hours setting up IdPs in grateful institutions all over the country - we want YOUR interest. And remember we encourage questions…

Posted in Strategy and Policy, Institutional Audit, Authentication, Authorisation, Joining the UK Federation, Identity Management, Blogroll, events, Programme Management, Uncategorized | No Comments »

Divining the bottleneck

Posted by admin on 1st October 2007

We all know the trick to getting the best, fastest piece of IT kit for your buck: locating the speed bottleneck. It’s no use buying a hyper fast graphics card, if the speed of onboard memory is too slow, or having a fast shooting Digital SLR Camera if the compact flash card has a slow write speed. Well, it’s the same with access management. So much of what we do in improving access to content depends on every link in the chain. One element which we tend to look at least (maybe because it doesn’t have a technical standard linked to it?) is licensing.

24/7, remote, finely grained access to content only happens when the license permits it too.

Let’s not forget we need 21st century licenses for 21st century technology.

Posted in Authentication, Authorisation, Institutional Audit, Joining the UK Federation, events, Identity Management, Blogroll | No Comments »

Access Management - the movie 2: Animate harder

Posted by admin on 14th September 2007

Just watched the Australian Federation (Introduction to AAF federated access management) remake of the JISC Introduction to Federated Access Management animation.

Glad to say that it seemed more like a shot by shot remake, in the same way that Gus Van Sant remade Psycho, rather than the “re-envisioning” of Planet of the Apes that Tim Burton did.

There is a serious point though, a major rationale for Federating around the SAML standard is interoperability. The Oz remake (the country, not one featuring CGI flying monkeys), proves that we face similar problems and that we would seem to be on the right track with similar solutions.

Certainly makes the sentence, “an international standard”, far more meaningful….

Posted in Institutional Audit, Authentication, Authorisation, Joining the UK Federation, Identity Management, events, Programme Management, Blogroll | No Comments »

JISC = Open Standards + Openness

Posted by admin on 10th September 2007

Saw some numbers concerning Federation membership being bandied around in an IWR article. Once the reader has got past some of the inconsistencies of the piece (such as the headline writer making the mistake of considering the Federation and Shibboleth as synonymous), the message that perhaps should be drawn out of the piece is one of JISC commitment to technical open standards, and general “openness”.

One of the benefits of a JISC approach combined with an open standards approach is that all of the information concerning the Federation is public and open. This includes TWO Institutional preparedness studies which are now available in full on the web (which incidentally cover a much larger sample than the survey cited in the IWR piece) and details of membership of the federation (Institutions and Service Providers) are freely available for all to see on the Federation website. UK HE / FE is a very complex and heterogeneous environment, where “one solution” certainly does not fit all. Different strokes for different folks means the future of access management is certainly not a zero-sum game, where there can only be one choice or winner, but one of an eclectic range of provision and solutions.

JISC championing of an open standards approach, public availability of surveys and development of the Athens Shibboleth Gateways demonstrates an awareness of the need for institutions to have real choices regarding access management, based on their own individual circumstances.

Posted in Authorisation, Authentication, Institutional Audit, Joining the UK Federation | No Comments »

Managing People or Resources?

Posted by admin on 24th May 2007

I made a presentation at a CPD25 event on Monday, and it was great to see a high proportion of library staff at the event. One of the key concerns expressed by library staff was that in a federated access management system like Shibboleth it was not possible for library staff to manage the list of resources that students and staff access - i.e. the authorisation part of the equation. I thought I would explore this a little further.

In a federated access management system, the institution does not necessarily need to maintain lists of which resources each student or staff member is entitled to access. Instead, the institution stores attributes about the user in its attribute registry (typically an enterprise directory service). The institute can then declare to a Service Provider that ‘this is a member of staff’. Service Providers then maintain information about which of their resources staff@thisinstitution.ac.uk are allowed to access, rather than the institution maintaining these long lists for each user or user type. The UK federation has some examples of how attribute usage works.

This is great for simple authorisation processes, but many of the interactions between institutions (Identity Providers) and Service Providers are more complicated than this and need the specialist input of those who have detailed information about the resources that members access, and the type of information that should be released to each resource.

Luckily, these tools do exist, and with friendly interfaces that mean they can be accessed, viewed and updated by people without an in-depth knowledge of XML attribute release policies!

ShARPE from MAMS in Australia allows institutions to create and maintain attribute release policies on a resource by resource basis. Its primary aim is to ensure that only the correct information about users is released to any particular Service Provider, but it also acts as a great tool for managing information about resources - particularly information about license expiry dates! Autograph is part of the same suite and takes this one step further by allowing end-users to manage the information that is released to Service Providers.

I also wonder what role Electronic Resource Management (ERM) tools may have to play for managing both license subscriptions and attribute information? Current systems such as Endeavor’s Meridian certainly appear to have fields that could fill this function.

The Swiss Federation, SWITCH AAI have developed a central Resource Registry that allows institutions and Service Providers to discover and manage information about subscribed resources. This is an attractive approach, but may not scale well to the UK!

Other systems focus on the privileges that certain members may have within an institution and are particularly useful for managing access to internal resources. This mock-up of the Internet2 Signet tool shows just that process. It is supported by Grouper - a toolkit for managing, well, groups! PERMIS is a similar tool to Signet that has been used in many JISC projects over the last few years.

All of these tools have different roles to play within an institution and may be used by IT Staff, Library Staff and Administrative Staff to achieve different goals. As we become more sophisticated about the rights that we express via attributes, it is inevitable that we will see more and more take-up of these management tools. It is good to know that they are out there and being developed right now!

Posted in Authorisation, Institutional Audit | No Comments »
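
The attribute model described in the post above, as an added example that is not part of the original post or of any tool it names: the institution releases only the attributes its policy lists for each Service Provider, and the Service Provider decides access from the scoped affiliation, ignoring any scope the Identity Provider is not registered to assert. The entity IDs, resource names and directory record are constructed for illustration; `eduPersonScopedAffiliation` is the standard eduPerson attribute carrying values such as staff@thisinstitution.ac.uk.

```python
"""Added illustration: attribute release at the IdP, authorisation at the SP."""

# Constructed directory record held by the institution (Identity Provider side).
DIRECTORY = {
    "jsmith": {
        "eduPersonScopedAffiliation": ["staff@thisinstitution.ac.uk"],
        "mail": ["j.smith@thisinstitution.ac.uk"],
        "displayName": ["J. Smith"],
    },
}

# Per-Service-Provider release policy, keyed by hypothetical SP entity IDs.
RELEASE_POLICY = {
    "https://journals.example.org/sp": {"eduPersonScopedAffiliation"},
    "https://vle.example.org/sp": {"eduPersonScopedAffiliation", "displayName"},
}

def release_attributes(user, sp_entity_id):
    """IdP side: release only what the policy names for this SP (default: nothing)."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    record = DIRECTORY[user]
    return {name: list(vals) for name, vals in record.items() if name in allowed}

# SP side: scopes each IdP may assert (as registered with the federation) and
# which affiliations each subscribing institution's license covers per resource.
IDP_SCOPES = {"https://idp.thisinstitution.ac.uk/idp": {"thisinstitution.ac.uk"}}
LICENSES = {
    "thisinstitution.ac.uk": {
        "journal-archive": {"staff", "student"},
        "admin-reports": {"staff"},
    },
}

def sp_authorise(idp_entity_id, attributes, resource):
    """SP side: allow access only for a licensed affiliation in a registered scope."""
    permitted_scopes = IDP_SCOPES.get(idp_entity_id, set())
    for value in attributes.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.partition("@")
        if not sep or scope not in permitted_scopes:
            continue  # unscoped value, or a scope this IdP may not assert
        if affiliation in LICENSES.get(scope, {}).get(resource, set()):
            return True
    return False
```

The Service Provider never sees `mail` or a per-user resource list; the only thing the institution maintains is the attribute and the release policy.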

Say Now Shibboleth

Posted by admin on 4th May 2007

There has been some confusion over the use of the word ‘Shibboleth’ in relation to federated access management within the UK, so I thought I would spend a Friday afternoon looking at some of the complexities and also providing some lighter anecdotes around the S word.

There are many factual and not-so-factual explanations of the origins of Shibboleth. In my collection:

There has been concern in the UK about the implications of the biblical implications of the name…and I think it is fair to say that the definition of Shibboleth as ‘a password’ is more commonly accepted in the US and that defining the origin of the word is sometimes not very helpful! It is more important to explain that Shibboleth software is an implementation of the SAML standard and was created by Internet2.

There has also been some confusion over the fact that JISC has appeared to move away from talking about Shibboleth — so have we changed our position?

Since 2002, JISC has been looking at improving the functionality of access management solutions for the UK. The primary drivers were to find a solution that was a) based on open standards and b) met the requirements for single sign-on to internal, external and collaborative resources. After extensive testing through the AAA Programme, Shibboleth emerged as an appropriate technology because it is based on SAML and met all other requirements. At the time, Shibboleth was the only SAML based solution to fill this gap…so inevitably got a lot of attention during the Core Middleware Programmes, which put in place the foundations for the UK Access Management Federation.

As we have moved on to 2007, I am now happy to say that there are lots of solutions that are based on SAML. One of the great things about open standards is that they open the market and give consumers more choices and greater freedom to move between choices. So, we now prefer to refer to federated access management and SAML-based technologies. These include Shibboleth, AthensIM, and Guanxi, and other commercial solutions such as Novell i-Chain have the potential to interact with SAML systems. So please feel free to explore the rich potential of Shibboleth - but remember there are other options out there!

A few confusion busters:

  • The UK Access Management Federation is physically built on Shibboleth technology as the WAYF and metadata infrastructures use Shibboleth. This does not mean you must have Shibboleth to interact.
  • JISC is not replacing Athens with Shibboleth. JISC is moving from funding a single technology to promoting the use of open standards to achieve federated access management.
  • The Athens technology is still available to purchase according to the cost model published by Eduserv.
  • JISC is committed to funding interoperability between Athens and the UK federation until July 2008, and has projected costs for support for this requirement until July 2010.

If all of that is too much there is always Shibboleth Art and of course Shibboleth Music.

Posted in Institutional Audit, Joining the UK Federation | No Comments »