I will be attending the next meeting of the McShib group next friday, and I am looking forward to it very much!

As part of my preparation, I had a quick look at the UK federation membership status for all of the institutions in Scotland. Currently:

• Two FE Colleges within the remit of RSC Scotland North and East are members - Dundee College and Borders College. By my rough calculations, that leaves 21 to go.
• One FE College within the remit of RSC Scotland South and West is a member - Reid Kerr College. Again, that leaves about 19 to go.

It strikes me that these colleges might well think about a joint approach to the recent JISC call offering direct support to smaller FE colleges in adopting federated access management.

• 10 of the 18 Higher Education Institutions in Scotland are members of the UK federation, and most are fairly well advanced in the deployment of federated access technologies. A focus on the roll-out to users and library concerns would be helpful for these institutions.
• 3 Scottish HE institutions are considered to be in the most at risk category in terms of adopting federated access: University of the West of Scotland, RSAMD and Robert Gordon University.
• 2 Scottish HE institutions are considered to a risk 4 (out of 5): Glasgow School of Art and Queen Margaret University, Edinburgh.
• 2 Scottish HE institutions are considered to be a risk 2 (out of 5): University of St Andrews and Edinburgh College of Art
• 1 Scottish HE is considered to be a risk 1 (out of 5): Glasgow Caledonian University.

UK federation Members

Heriot-Watt University
Napier University
University of Aberdeen
University of Abertay Dundee
University of Dundee
University of Edinburgh
University of Glasgow
UHI
University of Stirling
University of Strathclyde

Scottish Higher Education - non members

Risk 5 - University of the West of Scotland
Risk 5 - Robert Gordon University Now Member!
Risk 5 - Royal Scottish Academy of Music and Drama
Risk 4 - Glasgow School of Art
Risk 4 - Queen Margaret University, Edinburgh
Risk 2 - University of St Andrews Now Member!
Risk 2 - Edinburgh College of Art
Risk 1 - Glasgow Caledonian University

RSC Scotland North and East

Aberdeen College, Aberdeen
The Adam Smith College, Glenrothes
Angus College, Angus
Banff and Buchan College, Fraserburgh
Borders College, Galashiels MEMBER
Dundee College, Dundee MEMBER
Edinburgh’s Telford College, Edinburgh Now Member!
Elmwood College, Cupar
Forth Valley College, Falkirk
Inverness College, Inverness
Jewel and Esk Valley College, Dalkeith
Lauder College, Dunfermline
Lews Castle College, Isle of Lewis
Moray College, Elgin
Newbattle Abbey College, Dalkeith
Oatridge Agriculture College, Broxburn
Orkney College, Orkney
Perth College, Perth
Sabhal Mor Ostaig, Isle of Skye
Shetland College of Further Education, Lerwick
Stevenson College, Edinburgh
The North Highland College, Thurso
West Lothian College, Livingston

RSC Scotland South and West

Anniesland College, Glasgow Now Member!
Ayr College, Ayr
Barony College, Parkgate
Cardonald College, Glasgow Now Member!
Central College of Commerce, Glasgow
Clydebank College, Clydebank
Coatbridge College, Coatbridge
Cumbernauld College, Cumbernauld Now Member!
Dumfries and Galloway College, Heathhall
Glasgow College of Nautical Studies, Glasgow
Glasgow Metropolitan College, Glasgow
James Watt College of Further and Higher Education, Greenock
John Wheatley College, Glasgow
Kilmarnock College, Kilmarnock
Langside College of Glasgow
Motherwell College, Motherwell
North Glasgow College, Springburn
Reid Kerr College, Paisley MEMBER
South Lanarkshire College, Cambuslang
Stow College, Glasgow

I have had several in-depth conversations with Service Providers over the last couple of days regarding concerns that institutions are not taking their obligations seriously enough in terms of identity management and in relation to devolved authentication processes. I thought it would be worth capturing some of the discussions here.

My first point is that Service Providers to institutional libraries have always been reliant on the institution to provide accurate information about valid end users for their services. This is not a new concept within a devolved approach, but the very nature of devolved authentication often means that errors (such as bad revocation or credential re-use policies) are more easily uncovered than with service provider or centralised access management systems. So, we should to some extent be pleased if more errors are being uncovered - it means the process is working.

Institutions are often simply not aware enough of the obligations that are put on them in terms of good identity management processes when they sign up to a licensed resource. More work needs to be done to get the license terms and conditions out of a dusty filing cabinet and in to the general consciousness of institutions.

The discussions have reinforced my faith in the policy approach of the UK federation, and its importance in addition to traditional licenses such as the JISC Model License. It is also reinforces the importance of ’section 6′ of the UK Access Management Federation Rules of Membership and I would urge all institutions to seriously considering signing up to it, and all service providers to review whether it should be a requirement of access. It is this section that truly places an obligation on institutions to demonstrate best practice in identity management.

Service Providers cannot expect institutions to demonstrate best practice unless there is a clear requirement - either in the license for the resource or within a policy document such as the UK Access Management Federation Rules of Membership.

Any devolved authentication system should have robust documentation in place to ensure that it is clear whether or not institutions using that system are following good practice in terms of identity management, and what accountability and traceability Service Providers can expect.

Overall, it is important that both institutions and Service Providers are taking identity management processes seriously, and it does worry me that Identity Management only makes number 10 on the UCISA Top Concerns list. To quote Lemony Snicket, We Are Very Concerned.

Mark writes:
Second part of our Institutional Support process, for Universities and Colleges seeking support to help set them up as IdPs, went out today. We know its not going to be a magic bullet to cure all issues that Institutions are having but like the best DNA treatments these days, it is tightly targetted. Traditionally, we (JISC) have been very good at getting historically early adopter institutions to, and you’ve guessed it - “early adopt”. The support model we are trying here goes beyond that. I sense (and please contact me if I’m wrong) that alot of FE institutions are fence sitting regards Access Management. Hopefully the institutions that get help through JIAMSP will really highlight the fact that Federated Access Mangement is both obtainable and desirable for all - and worth coming down off the fence for. We also know how small the window of opportunity is to get large scale IT projects done within the College academic calender, so another part of the support is an attempt to target by time - Institutions can choose slots as to when they would like to move forward, if they are applying for support. Questions (and with this kind of support modal, there really should be some) please.

Jane writes:

In this podcast interview, Mark Williams from the JISC Access Management Outreach Team talks to Philip Pothen about the importance of federated access management and how this will enable better collaboration and sharing of common resources between institutions. Mark talks about the choices and challenges for institutions but also the opportunities federated access management can bring in the way of access to online resources and collaborative projects. He also highlights the support available to institutions through case studies, the business case toolkit and other materials on the JISC and UK federation websites, Netskills upskilling workshops and support available through 3rd party providers.

To listen to the full podcast interview please visit:

www.jisc.ac.uk/news/stories/2007/10/podcast15markwilliams

Mark writes:

JISC has just issued an ITT for third parties experienced in access management to bid to provide support to institutions who want to deploy a IdP. You might say that such support is already there, and to a degree much of it is. Particulary if you are an Institution employing an IT staff with the correct skill set, have an organised directory service, a significant subscription to JISC Collections resources and the strategic ambition to move forward on access management. However, and it is a big HOWEVER, its clear that there are enough institutions who can use the business case toolkit to determine that they want access management (and I mean the 100% proof type, not devolved outsourcing to a delegated authority), but who have also determined that its currently financially / technically out of reach. It is that group of institutions, which the successfull respondent to the ITT will be working with. The time will come for such institutions to submit applications for the help that the project will provide, but for the present - if you are a third party provider of access management support, with a desire to spend long hours setting up IdPs in grateful institutions all over the country - we want YOUR interest. And remember we encourage questions……

Thirty JISC services attended an internal briefing event on 28^th September to learn more about the UK’s plans for federated access management. During the day service managers were asked to consider joining the UK federation and to adopt new standards-based access management technology to ensure consistency across JISC services for users and to enhance current and future service provision. For example, JISC Services (even those that provide free, unrestricted access to their service) could personalise their service eg. ‘my saved searches’, ‘my favourites’ and email alerts by using federated access management software through the use of attributes. They could also use the same software to provide authorisation for other services such as for their website content management system, wikis, blogs and other social software. Two JISC Services, JISCmail and EDINA, demonstrated how they had already implemented federated access management software.

JISC itself is soon to go out to tender for a directory service that will enable JISC staff to use single sign-on for its own internal services. The directory service will act as an Identity Provider (IdP) using federated access management software. JISC Collections and Regional Support Centres (RSCs) staff will be provided with a new username and password via this service for demonstration purposes, replacing the Athens ID they use at the moment.

Services staff also learned about changes to the JISC model licence which now requires publishers to join the UK federation and adopt federated access management technology and about recent JISC development projects in the area of identity and access management.

Attendees welcomed the fairly non-technical content of the presentations and the opportunity to ask questions during the panel sessions. Feedback from the day has been very positive - one attendee said “I got more out of it than I was expecting and made useful contacts for future work.”

Presentations from the day will be up on the JISC website soon at:

The following institutions are deemed as ‘aware but not quite there’ in terms of joining the UK federation. This means that we think the institutions listed are well aware of the introduction of the UK Access Management Federation, but are currently hitting barriers preventing them from taking forward the application to join. If you work at one of these institutions and can give us any more information, we would love to hear from you - particularly to discuss what those barriers might be.

Aston University
Bishop Grosseteste University College
Bournemouth University
Buckinghamshire Chilterns University College
Canterbury Christchurch University College
City University
Cranfield University
Dartington College of Arts
Edinburgh College of Art
Harper Adams University College, Newport
Institute of Education
Liverpool Hope University College
Newman College
North East Wales Institute
Norwich School of Art & Design
Oxford Brookes University
Ravensbourne College of Design and Communication
Roehampton University
Rose Bruford College
St Marys College
Swansea Institute of HE
The University of Northampton
University of Bedfordshire
University of Lancaster
University of St Andrews
University of Teeside
University of Wales College, Newport
University of Wales, Bangor
University of Winchester
York St John University

The following HE institutions are deemed as ‘nearly there’ in terms of joining the UK federation, i.e. we are fairly sure that we will see a membership request popping up fairly time soon. If you work at one of these institutions and can give us any more information, we would love to hear from you!

Glasgow Caledonian University
London Metropolitan University
Manchester Metropolitan University
Open University
RHUL
University of Birmingham
University of Brighton
University of Hertfordshire
University of Reading
University of Sheffield
University of Ulster

For Category 2 institutions, please see the next post.

Encouraging institutions to join the UK Access Management Federation, regardless of the technology choice made, is the priority for my team at the moment. We will shortly be writing to all Vice Chancellors and Principals to highlight both the importance and the ease of joining the UK federation, and to support this I was asked to categorise all HE institutions in to groups according to their current readiness to make this move.

It seems silly not to generally share this information for a variety of reasons - but most importantly to make sure that we have a good understanding of the status and position of each HE institution. All of the information we have compiled in based on previous contacts and discussions, but might not reflect the true status of an institution. The following posts summarise the position that we think institutions have reached - and we are incredibly keen to hear from each and every HE institution in the UK to make sure that we have got this right!

Two final points:

• many thanks to the 56 HE institutions that have already made the move and joined the UK federation - you can relax.
• we haven’t forgotten FE, and will shortly be announcing some new measures to support uptake for FE institutions.

We all know the trick to getting the best fastest piece of IT kit for your buck. -Locating the speed bottle neck. Its no use buying a hyper fast graphics card, if the speed of onboard memory is too slow, or having a fast shooting Digital SLR Camera if the compact flash card has a slow write speed. Well its the same with access management. So much of what we do in improving access to content depends on every link in the chain. One element which we tend to look at least (maybe because it doesn’t have a technical standard linked to it?) is licensing.

24/7, remote, finely grained access to content only happens when the license permits it too.

Lets not forget we need 21st century licenses for 21st century technology.

Tags: jisc-serv-am-briefing