Authentication

One of the things that i often hear quoted at me when talking about the work JISC and TERENA are undertaking to improve the user experience of federated login is the work undertaken by Google on federated login. Now, don’t get me wrong, I’m definitely not a Google ludite, I use Google tools all the time (although Wave and Buzz really have done nothing for me). I also really appreciate the fact that Google as a company invest in this kind of research – it is important for us all.

However, my recent experience of usernames and passwords in Google-sphere does not convince me that e-mail address as the primary identifier is the right way to go, as it assigns an identifier function to that address in contexts that it was not intended for.

Let me demonstrate.

I’ve had a google account for ages, and I use the mailing list address for access management at JISC as the e-mail identifier as i use google docs etc for work. Very easy, makes sense. It is also a familiar pattern – I login in to Amazon with my hotmail account, similar user flow. All well and good.

However, Google are also in the business of offering e-mail services, and this is where it gets complicated. For various reasons, I recently decided to set up a Google mail account for the first time. Now it is true that you can set up Google mail from scratch without needing to link to your account used for other google activities – but then I would simply be creating multiple profiles to manage and would inevitably get in to a muddle – particularly as google automatically fires up access to all of its other services wherever you create an account.

So I set one up from within my existing user account. No problem – I created federatedaccess@googlemail.com. Fine. I then sent a message to that address to test it. Nothing came through. Huh? A few minutes later and ping! my test e-mail arrives at jisc-access-management@jiscmail.ac.uk. OK, something strange is happening. It turns out that Googlemail defaults to the e-mail address you use to login rather than the e-mail address you create. Weird, but OK – I can change that.

All done. Woah, now what has happened? Now my login name has changed at the top of the page! So who am I logged in as?

Further clicking assures me that I am still logged in against my normal Google account and can still access everything as normal. But I am confused. Which is my login? Do they have the same password? Which do I need to enter when?

A big plus is that they both work, but I still think that whole process is conceptually very confusing. I think this is where we need to think about where it makes sense to use an e-mail address as part of the credential process, and where it doesn’t. With Amazon, it makes sense to me as the e-mail account plays a primary role in the transaction process – it is where Amazon send transaction information. Within Google, I just don’t think this holds true. I think the process would have been much simpler if Google had originally allowed me to create a username / user identifier, and then offered me the chance to have this identifier as the first part of my email address (or not) when I started using Google mail.

By taking an external address and turning it in to a primary identifier, I think Google run the risk of creating a bad user experience and confusing the function of address (as locator) and identifier. To quote Natwest, there must be another way…

You may remember a while back we were asking for comments on the Publisher Interface Study undertaken for JISC by Cardiff University and JISC Collections.

I thought it was probably about time I updated you on what we are doing with this!

The TERENA REFEDs group has set up a small working group to take forward the recommendations from the report. This will be in three stages:

1. The creation of a full business case aligned to the recommendations, with a particular focus on affordability and achievability for the sector (including publishers and institutions).
2. Following on from the acceptance (or indeed rejection!) of the business case, the development of appropriate branding and style guide using design experts.
3. Roll-out and dissemination as appropriate.

We are hoping this work will not only focus on the specific FAM implementation issues but also other problems such as user understanding and recognition of IP sessions etc.

In the meantime, lots of the other work will be going on. The SDSS group at EDINA are busily contributing to the Shibboleth codebase to improve the usability of the WAYF.

The UK federation has completed an indepth usability review of its own WAYF and is implementing the recommendations.

JISC Collections are planning some workshops to help inform the business case work. This is timely as it links in with other interface reviews such as the uBird study.

And me? Well I’m sitting on the TERENA REFEDS working group and will also be working closely with UKSG to help promote and discuss this work so keep an eye out for more on this!

So, it had to be done really. Having been super organised and managed to get son to bed, food in me, and exercise complete last night I found myself with time to watch Panorama. I really didn’t want to. I knew it would annoy me. Believe me, had it clashed with Glee, I would have jumped channel faster than JISC staff run in to the kitchen at the word ‘cake’.

The Digital Economy Bill is obviously getting a lot of attention, and a lot of criticism. I’m less interested in the rights and the wrongs of the government putting in place legislation to protect multi-million pound industries. What interests me is the pointlessness and the waste of money in putting in place legislation that the internet-savvy will gracefully step around.

It was the quiet, well-informed and unremarkable segment from Dr Richard Clayton from the University of Cambridge that for me was the crux of this programme. The legislation depends on rights holders and subsequently ISPs being able to identify that a breach came from a specific IP address, or IP range. It is ridiculously easy to mask, hide, confuse, change or disguise your IP address right now. I was very amused to see that traffic on Proxify had caused it to switch over to subscriber only mode straight after Panorama. Even if it wasn’t, the people who are interested in file sharing will quickly ensure this type of annonymity is as easy a clicking a box.

I often have ‘discussions’ with people about ensuring that technology can actually deliver the legal framework that is being built around electronic resources – normally in a licensing context. However, as different groups try different approaches to ‘control’ the wild wild web, we will see this disjuncture between legal limitations and technical possibilities come up more and more.

As I said, I don’t want to get in to the right and wrong arguments about copyright on an access management blog, but a couple of observations to throw in to the pot.

• Record companies seem to assume that every illegal download equates to a lost sale. There is plenty of evidence to suggest that illegal downloads can lead to sales, and the converse – if the illegal file was not there it does not necessarily mean the user would turn to a paid for resource.
• Panorama cited figures that clearly showed that illegal downloaders spend more money per year than those who always pay for downloads. I’m no marketing expert, but disenfranchising your most lucrative customer base seems a little odd to me…

I had a very interesting discussion yesterday with a colleague about how it might be possible to make federated access management work for public libraries. As usual, it gets down to the the two basic questions of access management:

• Who is managing credential information to allow authentication?
• Who is authorised to access the resource?

I’ll deal with the second question first as it is perhaps the more interesting. I know very little about how public libraries license electronic resources, but I do know that many are underused. To give you an idea of how the extent of information available online at libraries – have a look at Manchester Public Library’s e-resources.

Manchester Public Library currently manages access via library barcode number – i.e. you have to be a member of the library to access that resource. Interestingly, Manchester City Council is actually responsible for the identity management – you get passed to their website to login and then passed on to the resource.

I wonder if the licence for Manchester Public Library is for library members, or is based on some other criteria? The reason that this is an interesting question is that anyone in the UK is entitled to join Manchester Public Library. I can join from my home in Surrey online, and quickly get access to all of those resources. Fantastic for me! Not a great business model for the publishers. The only reason this is not a real issue is because very few people exploit these access paths.

A different model for public libraries may be not to look at licensing for members, but licensing regionally. Pricing is normally agreed based on regional population, but conversely access is offered to members – a set of criteria that does not add up.

So that is authorisation. Now, authentication.

It does make sense for public libraries to look at using FAM. Barcode access processes are often clunky, often insecure and it is yet another system for both libraries and publishers to have to manage.

If public libraries continue to offer access based on membership, the library or a body related to that library would have to run an Identity Provider in a federated access management environment, as they have the membership information. It may be possible for some libraries to make use of the work being undertaken by Local Authorities to provide federated access for schools – but there will still be technical implementation costs.

A more interesting model might be to exploit the planned interfederation between the UK federation and the Government Gateway. This will allow people with a ‘citizen’ credential within the Government Gateway to access resources within the UK federation. If we then assume that these citizen accounts contain some sort of standard location information (i.e. I live or work within the boundaries of Greater Manchester) it would be very easy to authorise all users against a regionally negotiated licence as opposed to a member negotiated licence. This could be achieved with very little expenditure on technical infrastructure by libraries, local authorities or publishers, but would require a change in the way the libraries negotiate licences. That surely has to be an interesting approach to explore?

So yesterday was the first programme meeting of the JISC AIM Programme, being ably led by Chris Brown. I won’t go in to too much detail about all of the nine projects, as you can see for yourself on the JISC website. Instead, I will try and tell you the things that struck me from the day.

Things I am excited about:

• I think I may have already mentioned that I am very interested in the RAPTOR project as I think the stats tool they are producing will provide real and immediate benefit to universities and colleges throughout the UK. They are looking for people who would be willing to product test for them – so do get in touch if you would like to be involved!
• The SMART project will look at the emerging UMA (User Managed Access) protocol that is part of the Kantara Initiative. I’m really pleased to see some real UK effort going in to Kantara, and as far as I know, this is the first project we have funded that really looks at the tricky problem of getting students firmly engaged as the ‘managers’ of their identity. This is definitely one to watch.

Things I am curious about:

• The Identity and Access Using Social Networking Technologies Project (phew, now you know why we use acronyms) is a fascinating look at how we might use the Friend-of-a-Friend vocabulary within the NGS and the UK federation access management approaches. I find this really interesting, particularly as it tackles the complexities of both describing people’s relationships rather than just their memberships and the tricky issue of delegation. As I mentioned on twitter, I’m worried about creating a user-friendly interface to allow this complexity to be managed. I’m sure the project team are up for the challenge though!

Things I am worried about:

The recurring theme of the day was, ‘how do we make institutions populate x…..’. Encouraging institutions within the UK to both use richer attributes sets and tackle the group management problem is something I am very keen on. It is something that is encouraged within the recently published Identity Management Toolkit but is a problem we have yet to solve. I would really like to see JISC fund some more projects to help universities and colleges take the next steps to have rich attributes and well manged group systems and would be interested to hear your views on what we should do next in this space to make this happen.

My advice to the projects was to really understand their use case. Do they have attributes they need everyone in the UK to adopt? Is there instead a small group of target institutions? Are there IdPs in other federations that would need to adopt the attributes? Is this a virtual organisation or larger community problem? I also encouraged the projects to use each other as test sites and to make use of the lovely people on the jisc-shibboleth mailing list who are always happy to come forward and give their opinions and support!

My final recommendation is that smaller VO style projects might be more interested in looking at lightweight metadata aggregation than working within the structures of formal national federations. Andreas Solberg has some really interesting tools and ideas on his blog that are definitely worth looking at. I’m interested in these concepts as they challenge our expectations of where ‘federation’ metadata is published, where it is aggregated and by whom.

Challenging our processes and exploring new ways of implementing ideas is what innovation is all about, so I very much look forward to seeing more from these projects from the innovation arm of the JISC Access Management stable!

A colleague of mine in JISC Collections recently said to me that what was a dealbreaker for me with publishers was not necessarily a dealbreaker for them. I totally understand this position – I’m obviously a bit puritanical about wanting publishers to adopt SAML! However, recent discussions on the lis-e-resources list got me thinking about whether access management should or shouldn’t be a dealbreaker for licensed resources. This is further supported by an article by Sarah Taylor in Serials.

During February there were three separate discussions on the lis-e-resources list about access management issues all reflecting the problematic situation of publishers who only offer allocated usernames and passwords or who have complex access routes in to resources. The question was posed – would you cancel a resource because of ‘bad’ access management? Is access management a dealbreaker, or not, and should it be?

When I first joined JISC I worked for the then emerging e-research ‘team’ (of 1!) and had very little to do with the JISC Collections team, who were busy building up a strong portfolio of negotiated deals for the UK educational community. So I was very interested to hear Lorraine Estelle presenting on the Nesli agreement process at the first ever JISC Away Day back in 2003. What impressed me most about Nesli was the fact that institutions agreed not to go to the publishers separately, but only used the Nesli route for the purchase of these specific journal deals. This gave the Nesli team it’s negotiating platform. Without this buy-in, it would have been difficult to get the publishers involved.

The JAM team have been working hard to persuade publishers of the benefits of adopting SAML as an access management route, and nearly all of the major publishers have now adopted. However, there are still a large number of smaller publishers that have not adopted, and will only use allocated username and password or IP access. This leaves librarians having to manage SAML access, IP access, EZ-Proxy routes, and publisher provided credentials – clearly a difficult management task and something that is not effective for end-users. Regrettably there are still a large number of JISC Collections resources that aren’t compliant – although SAML compliance is in the license it is not currently treated as a dealbreaker and publishers are allowed to come on board on the understanding they will adopt at a future date. In my experience, regrettably this future date rarely arrives.

There is no real reason for non-adoption of a SAML based access routes. There are a plethora of support options for publishers available, such as the offer from Semantico, the Atypon SAML SP, support from organisations such as VLE Middleware and the OpenAthensSP. Non-adoption really boils down to one thing:

if people will buy the resource without compliance, there is no incentive for the publisher to adopt.

So how can we get beyond this? Is it time for access management to become a dealbreaker? Or is it something that we can continue to live with and manage? I’d be interested in your views….

The following text is taken from a briefing paper I prepared for the UK federation Policy and Advisory Board – i thought it might be of broader interest!

1. Introduction

One of the most discussed topics within the federation space at the moment is ‘interfederation’. This describes the process of two or more federations exchanging metadata to allow members within different federations to connect via a federated access management exchange. This process results in a ‘metadata aggregation’ – the subject of a useful paper by Ian Young and Chad La Joie. This briefing paper is intended to give an overview of the current thinking behind interfederation at the current time.

In most interfederation models, the principle that Identity Providers are static, and Service Providers are mobile is used. This means that Identity Providers are expected to join their ‘home’ federation (their local education and research federation) but that Service Providers have no such natural affiliation. At the present time, this means that Service Providers have to join multiple federations to interact with each separate group of national Identity Providers. This is clearly sub-optimal for Service Providers, who have to deal with multiple agreements different approaches to discovery, attributes etc. and differing approaches to charging. The interfederation approach aims to solve this problem as effectively as possible.

Whilst these assumptions generally form the basis of most discussions, there is no requirement for Identity Providers to be ‘static’ within federations and future models may see more mobility from IdPs.

2. Available approaches

2.1 Aligning Policy

Whilst not strictly an ‘interfederation’ approach, the complexities faced by Service Providers could be addressed through more work on ensuring that education and research federations use policies that are aligned. This would mean that SPs could be given assurances that the policy of federation A is the same as federation B, with perhaps minor changes to clauses x,y and z, thus cutting down on the lead time and legal expenses of SPs as they join multiple federations. This approach was the subject of a JISC funded study: “Investigation into the Feasiblity of a Cross-Jurisdictional Common Access Management Federation Agreement”. This report noted that there were no significant legal reasons why federations have adopted different policy agreements, and that most differences were based on cultural and funding issues.

Advantages

• Supports SPs by improving their experience of approaching multiple federations.
• Does not impact on charging models adopted by many federations.
• No need for interfederation agreements to be signed.

Disadvantages

• Still requires SPs to join multiple federations.

Whilst it is unlikely that we will see a wholesale change in policy across federations, the study has been useful in making small changes to policies in order to support interfederation – such as the alignment of meaning assigned to values in the eduPersonScopedAffiliation field.

2.2 Interfederation

Interfederation is achieved by two federations bilaterally agreeing to exchange metadata, and agreeing a policy for achieving this aim. Uses for the UK federation would be interfederation with the Government Gateway to allow parents to use their citizen ID to access school data, and interfederation with organisations such as InCommon, with Service Providers are of interest to UK Identity Providers.

Advantages

• Solves the problem of SPs joining multiple federations;
• Interfederation agreement can be lightweight;
• Model template agreement is available.

Disadvantages

• Getting commitment and agreement from two federations to take forward;
• Legal issues surrounding the agreements.

This model is now well developed, and an interfederation agreement for use by educational and esearch federations has been tabled. However, no real use is being made of the process. For this approach to be successful, it will be necessary for two federations to take the plunge and sign an agreement and start testing with Service Providers.

2.3 Confederation

Confederation involves multiple federations all agreeing to abide by a single agreement on how metadata will be published, issued and aggregating. This model is being explored by the GEANT funded eduGain project.

Advantages

• Federations only need to agree to one policy;
• Easier for entities to understand the process when centrally managed.

Disadvantages

• Not all federations are likely to be in each confederation ‘club’ so bi-lateral agreements will still be needed;
• Sensitivity over charging models used by each federation;
• Complex to achieve widescale agreement;
• Complexities over ‘lowest common denominator’ for assurance.

As this approach requires many different parties to agree on an approach, it is the most complex to finalise. The eduGain model is suffering from this, and has built up quite a complex set of agreements: a constitution that federations will need to sign, a policy agreement that federations will need to sign and a metadata terms of use (which seems redundant in the light of the preceding agreements). This will act as a significant barrier to entry for many federations, including the UK federation.

Another example of this in action is Kalmar2. This is a collaboration between four of the Nordic countries, allowing confederation to be achieved between a set of like-minded federations.

2.4 Metadata Terms of Use

In this approach, a Federation Operator simply publishes a set of metadata, with a terms of use attached to it (similar to an opensource software license). Any other Federation Operator, or indeed any other metadata distributor, may use the metadata file subject to the terms of use. Trust is established by the consuming Federation Operator obeying the terms of use and the publishing Federation Operator providing a ‘Federation Operator Practise’ statement that the consuming Operator can read, assess and chose to trust.

Advantages

• No need for complex legal agreements;
• Allows metadata aggregation at many levels – does not need to involve a Federation Operator / Registrar;
• Advantageous for ‘virtual organisations’ that cross multiple federations.

Disadvantages

• Does not provide the ‘safety net’ of a signed legal agreement.

This approach is popular among technical developers and federations that have very limited liability, but is less popular with those who are naturally risk adverse or have concerns about legal liability. As this is the easiest way to achieve interfederation, it is beginning to be used extensively amongst small projects. This ‘bottom up’ approach is likely to grow rapidly, and as federations mature it is likely to be the process of choice for achieving simple interfederation.

One of the things that we are looking at closely with the UK federation at the moment is a move towards a more seamless approach to metadata management. Metadata is clearly one of the most important things about a federation – it has all the information to allow IdPs and SPs to connect to each other. It is also critically important that the metadata is accurate – bad metadata could easily break the trust model of a federation.

However, metadata takes a long time to process, check and verify. One approach that federations have been taking to help streamline this process is to introduce systems where by members can automagically update their own metadata. A good example of this is the SWITCH AAI Resource Registry.

Implementing something like this for the UK federation is an interesting concept, but I still have a number of questions:

• What is the impact on members in terms of additional cost / time from having to upload their own metadata information?
• Is there a corresponding reduction in staff time and effort at the federation operator, and it is right to switch the balance of effort?
• How do we maintain integrity and accuracy of data? What would be the impact of incorrect data being passed through?
• What is an appropriate level of human intervention / checking of data with this automated process?

I’d be really interested to hear people’s thoughts on this process.

Of course, another option would be to adopt a more radical approach whereby Identity Providers and Service Providers host their own metadata and merely inform the federation of its location. This embraces the idea of a truly distributed service model…but is perhaps a step we are not yet ready for.

This week, I’m getting excited about statistics! Well, I need something down to earth to balance out the amazing experience of being at APAN29 in Sydney.

Just before I started at JISC, we had some long and detailed conversations about statistics as part of the ANGEL project. Whilst usage statistic work has mumbled on in the background but there hasn’t been any significant work in this area….until now. Like buses, JISC usage statistic projects all come at once.

Something I am very happy to see funded, particularly as I saw the birth of the project idea whilst walking on a very hot day in San Antonio, is the RAPTOR project at Cardiff University. At the moment, Shibboleth Identity Providers can produce very useful access logs for institutions, but in a format that is not particularly friendly or helpful to the needs of librarians who need to be able to quickly review and assess resource usage. RAPTOR will produce a toolkit to not only provide this functionality but also to integrate these statistics with EZProxy logs – a joined up approach which I’m sure will be appreciated.

Hand in hand with this, the UK federation are planning on producing a portal to allow institutions to upload appropriately anonymised statistics….possible using the outputs from RAPTOR if we are smart about it. This will give us an interesting national view of resource usage, useful for both JISC and JISC Collections in focusing attention on the requirements of our community.

At the other end of the picture, it is equally important that we look at Service Provider statistics to provide the more detailed view of user behaviour beyond the authentication point. JISC Collections have been examining the potential of a usage statistics portal that will aggregate statistics from COUNTER compliant reports provided by publishers. Again, the point here is to reduce the amount of time librarians are forced to spend aggregating this information.

To complete the picture, the PIRUS project is looking at usage statistics right down at the article level across both publisher resources and repositories. More information is available in this post from Ben Wynne. PIRUS has produced a review of what information would be required to provide article level statistics. My only concern about this report is ‘who’ section and the options described for identifying unique users. eduPersonTargetedID and eduPersonPrincipleName seem obvious candidates for potential unique identifiers but are missing from the report. The challenge here will be any suggestion that looks at tracking the same user across multiple Service Providers. Obviously this is useful information for institutions, publishers and authors, but the privacy issues and management of Personally Identifiable Information (PII) will have to be carefully examined.

So that is your usage stats round-up – certainly lots of good stuff to keep an eye on.

According to recent reports, nicole is the 11th most likely password in a survey of one million (hacked) user accounts.

This leads me to the following conclusions:

1. My impact on the access management world is so significant, I have become a standard password….OR
2. People called Nicole are generally so dumb they are the most likely to use their own name as their password.

I’ll leave it to you to decide