Authentication


Given the current economic issues for HEFCE and the education sector as a whole, I read with interest the HEFCE Grant letter for 2010 / 11. The figures are reasonably unintelligible unless you are significantly involved in grant allocations, but the interesting part of these letters is always the wording around the objectives expected of HEFCE. Can we learn anything from this that relates to access and identity management?

The key focus seems to be on greater flexibility, more part-time courses, more modular courses, more partnership courses etc. etc. This does present new challenges, particularly for identity and access management.

Current models of identity management tend to assume that the student’s primary affiliated institution will provide the student with an identity / identities – predominantly an e-mail address and credentials. A more flexible model may make it increasingly difficult to manage such a process, and also raise questions about the importance of such an approach in delivering a service to the student.

Licensing, and assigning the authorised rights that go with a licence, also becomes much more complex. If I am effectively attending four institutions, at what point in time am I authorised to access which resources at which institutions, and how will you assign me these rights? Four sets of credentials? We obviously need to do much more work on managing multiple affiliations from an access management perspective, and perhaps also on the model of institutional licensing for cross-collaboration courses. The upcoming multiple affiliations study final report from LSE, funded by Eduserv, will be an interesting read, as will linking services such as the Shintau model.

The overarching concern in all of this is maintaining the trust model in federated access. As we look to combine accounts and add authorisations to identities not managed by specific affiliations, how can we assure that these are well managed, revoked at the right point in time, and correctly asserted so that we maintain trust? An interesting challenge for all of us, I feel!

Now, how are we going to pay for it?!
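The two questions above, "at what point in time am I authorised to access which resources" and "revoked at the right point in time", can be made concrete at the service provider. The following is an added illustration, not code from the post or from any federation software: a small policy check that takes the attribute assertions a user has presented from several identity providers and decides which licensed resources they unlock at a given moment. It assumes the eduPersonScopedAffiliation attribute (values such as `student@example-uni.ac.uk`), a constructed table of which IdP is registered for which scope, and a constructed licence table; the institution names and resource names are placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample: which IdP may assert which scope. In a real federation this
# comes from the IdP's registered metadata, not from the assertion itself.
REGISTERED_SCOPES = {
    "https://idp.example-uni.ac.uk/idp": "example-uni.ac.uk",
    "https://idp.example-college.ac.uk/idp": "example-college.ac.uk",
}

# Constructed licence table: resource -> (scope, affiliation) pairs that unlock it.
LICENCES = {
    "journal-a": {("example-uni.ac.uk", "student"), ("example-uni.ac.uk", "staff")},
    "journal-b": {("example-college.ac.uk", "member")},
}


@dataclass(frozen=True)
class Assertion:
    """The parts of a SAML assertion this check cares about."""
    issuer: str
    not_before: datetime
    not_on_or_after: datetime
    scoped_affiliations: tuple[str, ...]   # eduPersonScopedAffiliation values


def valid_affiliations(assertions, now):
    """Return the (scope, affiliation) pairs the SP may rely on at `now`.

    Two checks: the assertion's validity window must contain `now` (this is
    what bounds how long a revoked affiliation is still honoured), and the
    scope part of each value must be the scope the issuing IdP is registered
    for, so one institution cannot assert affiliations on behalf of another.
    """
    accepted = set()
    for a in assertions:
        if not (a.not_before <= now < a.not_on_or_after):
            continue
        allowed_scope = REGISTERED_SCOPES.get(a.issuer)
        for value in a.scoped_affiliations:
            affiliation, sep, scope = value.partition("@")
            if sep and scope == allowed_scope:
                accepted.add((scope, affiliation))
    return accepted


def authorised_resources(assertions, now):
    """Resources for which at least one currently valid affiliation is licensed."""
    have = valid_affiliations(assertions, now)
    return {resource for resource, needs in LICENCES.items() if have & needs}


# Constructed scenario: one user, two institutions. The university issues a
# short-lived (8 hour) assertion; the college issues a 30 day one, and also
# tries to assert a university affiliation it is not registered for.
T0 = datetime(2010, 1, 10, 9, 0, tzinfo=timezone.utc)
SAMPLE_ASSERTIONS = (
    Assertion("https://idp.example-uni.ac.uk/idp", T0, T0 + timedelta(hours=8),
              ("student@example-uni.ac.uk",)),
    Assertion("https://idp.example-college.ac.uk/idp", T0, T0 + timedelta(days=30),
              ("member@example-college.ac.uk", "staff@example-uni.ac.uk")),
)


def resources_after(**delta):
    """Which resources the sample user can reach at T0 plus the given offset."""
    return authorised_resources(SAMPLE_ASSERTIONS, T0 + timedelta(**delta))


if __name__ == "__main__":
    for label, delta in (("1 hour", {"hours": 1}), ("9 hours", {"hours": 9}),
                         ("31 days", {"days": 31})):
        print(f"{label:>8} after login: {sorted(resources_after(**delta))}")
```

Running it shows the trade-off the post is pointing at: after nine hours the university assertion has lapsed and only the college licence remains, while the college's 30 day assertion keeps granting access for the whole month, however quickly the college itself revokes the student. The out-of-scope `staff@example-uni.ac.uk` value never unlocks `journal-a`, because the scope check ties each affiliation to the IdP entitled to assert it.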

You’ve probably seen the notice from JANET concerning the Shibboleth 1.3 to 2.0 migration.

“We strongly recommend that sites currently running Shibboleth 1.3 in production plan to upgrade to the current version of Shibboleth well in advance of the announced EOL date. This will protect against the possibility of a forced but unplanned migration from 1.3 should a security issue or incompatibility be discovered after the EOL date has been reached.”

Well, the deadline here is June, which, given that it falls within the teaching calendar, means that for many institutions the next appropriate downtime when they can schedule such a transition is Easter. I know of a number of institutions who are already planning what they will do, IT infrastructure wise, during Easter, so if you are a 1.3 institution get it onto the agenda! In some cases, where the library has been pushing the Shib agenda and the IT department has been doing the actual work, it might mean flagging the issue again to the IT team. I would be interested to hear any migration experiences…?

Some advice here.

If I were an institution with Shib 1.3,
I’d migrate to Shib 2.
If I were a publisher who has implemented access management with Shib,
I’d migrate to Shib 2.
If I were a publisher who has not implemented access management but said they would in 2010,
I’d go ahead and deploy Shib or another SAML-compatible product.
If I were a member of the JISC access management team,
I’d federate everything I use so it wouldn’t matter that I come back after the Xmas holidays and can’t remember a million passwords…

Post our FAM09 event, I am feeling a little bit like a child after the Xmas excitement, where all the stockings have been emptied, all the presents have been opened up and played with and, specifically in my case, the entire turkey has been devoured.

So to alleviate that feeling Nicole has asked me to write a blog (my first one) about the organisation of this event.

I based my organisation of the FAM09 event around the fundamental principles of my ‘other’ favourite federation, which are “the values of universal liberty, equality, justice, peace, and cooperation” (a cheeky quote from Wikipedia; I was never allowed to do this in my studies, Wikipedia not being an authoritative source, albeit useful for Star Trek facts : ) ).

Universal Liberty
We decided very early on in the organisation of this event that we would throw off the feudal shackles of a heavily paper-based event by creating a ‘green event’, as we all need to ‘go green’. I believe it sets a good example, as online resources are of primary importance within our community. We received extremely positive feedback on this, aided, I think, by the fact that our delegates received a pretty 2GB USB stick upon registration.

Equality
It was important for us to make sure that all delegates’ needs were met, ‘techie’ and ‘librarian’ alike. We intentionally organised our main and parallel sessions so that people received information they found useful, but equally didn’t exclude or pigeonhole delegates into feeling they had to attend a particular session.

Justice
Using a combination of our website, the Google Site and the #FAM09 tag for tweeting about our event gave all our delegates fora in which to contribute opinion and feedback in an environment they felt comfortable with.

Peace
Keeping all our delegates happy and relatively ‘peaceful’ is, I think, crucial to a successful event, and this was achieved at this event through wine, food and, most importantly, a good wireless connection.

Cooperation
It is our hope that sharing the delegate list and enabling all of you to network in a relaxed environment has created a more open, transparent and cooperative environment which will further your interest and participation in the Access Management Federation.

One of the highlights of this event for me was seeing the excitement on the faces of our delegates when they walked into a room full of Wii and other assorted games and started playing them all immediately, and knowing that this was without question the perfect after dinner entertainment for this group.

Important things I learnt:
• Never underestimate the importance of wireless and wine at an access management event
• Never call someone a geek until they self proclaim it
• There is more than one kind of zombie

The enjoyment in organising this event was only surpassed by attending it and meeting the community who work so hard in contributing to my other favourite federation.
Live long and shibbolise!

Well, OK, not that great but I like alliteration :-)

For #FAM09, we decided to make use of the Google Sites facility to manage all of our information flow around the event. We did mount information formally on the JISC website, but there is much richer information on the JISC FAM09 Google Site. This was really part of an experiment on my part as I wanted to know how efficiently Google could support our information requirements, as information is their business!

We were already using Google Docs to manage most of our information. Normally, I would then use the JISC website for the programme+BOS Surveys for the registration+slideshare for slides (copied to the JISC website)+a.n.other for audio / video+this blog+possibly something like Ning for delegates to talk about the event. Given that the JAM team is not overly resourced, I wanted to make life a lot easier for myself, so decided to see if Google could duplicate most of this functionality with a reasonable amount of ease.

My observations?

  • Ease of use: Google Sites is pretty easy to use, and has some nice built-in tools like the ability to create different types of pages such as HTML pages, announcement pages, document pages and widget pages. None of the team had used Google Sites before and we all picked it up pretty quickly.
  • Look and feel: Google Sites has a number of templates that you can choose from, and there are a variety of tools available for editing the templates. I managed to get ours looking a bit JISC-y. It would be nice to be able to create a formal JISC template, but I couldn’t see a way of uploading your own template. The URLs for pages are fairly sensible, and you can choose to have word or number strings for pages.
  • Forms: the forms function was very helpful and the outputs automagically created an Excel spreadsheet in our Google Docs. This was so much better and easier to manage than our normal form system, so was a really big win.
  • Upload: it is fairly easy to embed a document from your Google Docs into a Google Site. Making sure that all of the permissions are set so that people can download or embed in other sites (particularly presentations) was more complex, and I had to revisit permissions in both Google Docs and Google Sites several times before I got this right, leading to some requests for documents to be shared with delegates (sorry all). It was better than previously, as Google does now let you set share permissions across a whole folder of documents, but still annoying. The biggest grumble was the document page template on the Google Site. This doesn’t link to Google Docs at all and you have to physically upload files on to the Sites area: an unnecessary and annoying duplication. The presentation facilities aren’t as advanced or pretty as SlideShare, but the convenience of not having to upload on yet another site was helpful.
  • Access management: this was one of the most disappointing features of the site. To even be able to leave a comment, you needed to be logged in, and the only way to log in was with a Google ID. This was despite the fact that the site was fully open. Given this was a federated access event, this was a big fail for me.
  • User profiles: this really links in to the point above, but it was not possible to create a proper user profile on the site. This really cut down on some of the interaction features that I would expect from a site like Ning. However, at events I have attended in the past where Ning has been used, actual meaningful use of those functions has been low. Is this really in demand as a facility?

So overall, it was a helpful, if not completely professional, approach to managing all the information for the event. I still have to finalise some details (I want to pull in some RSS feeds and look at embedding some other tools) but it worked pretty well. I will really need to consider the access management, document management and template issues before using it again. I’m also slightly worried now that the Developer Happiness Days have gone all website posh on me… must keep up with the Joneses!

One of the most impressive presentations at Educause2009 was given by Lawrence Lessig. Not surprising really, given his track record for being brilliant, but it really was a very refreshing view of the world we live in. Lessig of course played a critical role in the establishment of Creative Commons and still argues strongly and favourably for the ethos of Commons. The core points being:

  • Copyright law was established in a world that was not impacted by the capabilities of the Internet. UK Copyright Law for example was established in 1710, and the latest version is the Copyright, Designs and Patents Act of 1988. That’s 21 years without any significant changes.
  • Copyright law has a time and place to protect the rights of individuals. Lessig does not believe that educators and scientists should try and enforce copyright in the same way that performing artists do – it is inappropriate to our field.

It struck me immediately that there were many similarities between his arguments regarding copyright law and the arguments being had in the FAM community at the moment around data protection. The Data Protection Act in the UK is somewhat newer than copyright law, having been established in 1998. I don’t think that the basic concepts and key principles of data protection are wrong; you can read up on them on Wikipedia if you are interested in a crash course. It is important that our personal information is protected. However, in a world where people will give away all their personal information to Facebook without batting an eyelid, is our current law, or the typical interpretation of our current law in some areas, forcing our institutions to offer a service to their users that can’t compete with the Web 2.0 world?

There are two things that worry me:

  1. The definition of what personal data actually constitutes. It is often argued that an IP address – with no other data attached to it – is still personal data, or personally identifiable information (PII) to use the lingo. This seems bewildering and I wonder if a bunch of lawyers merely saw the name ‘address’ and decided it was the same as my postcode?
  2. Issues around consent. The crux of the DPA is that if you want to pass PII, then you must have explicit consent from the end user. Again, it is argued that educational institutions cannot pass PII because they simply cannot prove that they have consent, or provide tools that will allow users to effectively remove consent. This is a real bind for organisations wanting to make good use of the personalisation possibilities of federated access. The commercial world operates very well with simple tick boxes at the end of forms – we seem to be making this much more difficult for educational institutions than we need to.

Lessig’s excellent presentation is available on the Educause website (it starts a good half hour in so fast forward!) and if you would like to know more about consent management please do come along to the session at #FAM09!

being a Federation catalyst goes to Nicole Harris (and I2 and SWITCH).

The award really shows how far access management has come, with parts of the UK experience considered so embedded that they have become informative history, as Norman Wiseman’s excellent presentation at Educause demonstrates.

Jim Collins wants us all to be great. He wants everything we do to be great for everyone. Good is the enemy of great. That’s quite an interesting challenge for the opening session of Educause 2009. Collins believes that greatness is not a function of circumstance but of choice, and he believes that universities can and should be great. Apparently this can all be achieved by a culture of discipline, and not by trying to turn institutions into businesses.

I was immediately struck by how this approach to thinking about improving educational institutions could be compared with Mandelson’s speech and the recent launch of the Higher Ambitions report.

To be truthful, the presentation was all a bit self-helpy for me, but I think that Collins identified some important points. He highlighted the fact that the power base within educational institutions is incredibly diffuse, particularly within higher education. This makes the pattern of leadership very different from that found in business environments. People who come into this environment and try to act as if they have concentrated power inevitably fail in the face of tenured professors! Conversation, debate and involvement of staff in decision making are far more important within education than dictation.

There are lots of nice shots from Collins’ presentation on Twitter, including this one which shows his five stages of decline, which I found amusing.

The message that Collins had for education was: don’t over-reach, serve your core first and foremost and, most importantly, have the right people in the right seats. This focus on the best staff does seem somewhat at odds with the Higher Ambitions approach and the discussions around students as “customers”.

I’ll finish with what Collins defines as the “right people”. I thought it was a really interesting list:

  • The right people share your values. Values cannot be taught.
  • The right people don’t need to be managed – guided, directed but not managed.
  • The right people don’t talk about their job, they talk about their responsibilities.
  • The right people always do what they say they will do, so are careful about what they commit to.
  • The right people take responsibility.
  • The right people come to work with enthusiasm.

David Kennedy from Duke presented an InCommon-sponsored study concerning vendor (what Yanks call Service Providers) best practice regarding access management. It was interesting to see how some common themes aligned with our publisher study, and it supports us in making arguments to publishers from both sides of the Atlantic.

Up very early this morning to chair a meeting on the Publisher Interface Study. A very simple proposition really: how do we improve the user experience when logging in with federated access, and can we get international agreement on this position?

Mark’s presentation is a very good overview of some of the differences of approach that we are dealing with and have to improve if we are not going to disenfranchise users.

Rhys Smith, who carried out the study on behalf of Cardiff University and Kidderminster College had a very simple message:

Users do not want to understand what is going on. They want to get to the content as quickly and easily as possible. Do not try and describe it, users won’t understand it. Users want one simple term they can learn and look for.

One of the big problems discussed was that academic users are not necessarily the main customer base for a lot of publishers. People queried why these publishers don’t consider using OpenID rather than providing usernames and passwords themselves. It may be worth promoting this as a focus alongside the use of an educational log-in process (OpenID / eduID?). Can we work with Kantara to provide a combined voice for federated technologies (including OpenID, Apple, Microsoft, Google) to talk to browser vendors about implementing a cookie approach?

This is a much loftier aim than improving the current user experience on Service Providers, which we will take forward regardless… but it does seem possible that all of the new access management technologies have a real opportunity to work together.
