Authorisation

So yesterday was the first programme meeting of the JISC AIM Programme, being ably led by Chris Brown. I won’t go in to too much detail about all of the nine projects, as you can see for yourself on the JISC website. Instead, I will try and tell you the things that struck me from the day.

Things I am excited about:

• I think I may have already mentioned that I am very interested in the RAPTOR project as I think the stats tool they are producing will provide real and immediate benefit to universities and colleges throughout the UK. They are looking for people who would be willing to product test for them – so do get in touch if you would like to be involved!
• The SMART project will look at the emerging UMA (User Managed Access) protocol that is part of the Kantara Initiative. I’m really pleased to see some real UK effort going in to Kantara, and as far as I know, this is the first project we have funded that really looks at the tricky problem of getting students firmly engaged as the ‘managers’ of their identity. This is definitely one to watch.

Things I am curious about:

• The Identity and Access Using Social Networking Technologies Project (phew, now you know why we use acronyms) is a fascinating look at how we might use the Friend-of-a-Friend vocabulary within the NGS and the UK federation access management approaches. I find this really interesting, particularly as it tackles the complexities of both describing people’s relationships rather than just their memberships and the tricky issue of delegation. As I mentioned on twitter, I’m worried about creating a user-friendly interface to allow this complexity to be managed. I’m sure the project team are up for the challenge though!

Things I am worried about:

The recurring theme of the day was, ‘how do we make institutions populate x…..’. Encouraging institutions within the UK to both use richer attributes sets and tackle the group management problem is something I am very keen on. It is something that is encouraged within the recently published Identity Management Toolkit but is a problem we have yet to solve. I would really like to see JISC fund some more projects to help universities and colleges take the next steps to have rich attributes and well manged group systems and would be interested to hear your views on what we should do next in this space to make this happen.

My advice to the projects was to really understand their use case. Do they have attributes they need everyone in the UK to adopt? Is there instead a small group of target institutions? Are there IdPs in other federations that would need to adopt the attributes? Is this a virtual organisation or larger community problem? I also encouraged the projects to use each other as test sites and to make use of the lovely people on the jisc-shibboleth mailing list who are always happy to come forward and give their opinions and support!

My final recommendation is that smaller VO style projects might be more interested in looking at lightweight metadata aggregation than working within the structures of formal national federations. Andreas Solberg has some really interesting tools and ideas on his blog that are definitely worth looking at. I’m interested in these concepts as they challenge our expectations of where ‘federation’ metadata is published, where it is aggregated and by whom.

Challenging our processes and exploring new ways of implementing ideas is what innovation is all about, so I very much look forward to seeing more from these projects from the innovation arm of the JISC Access Management stable!

A colleague of mine in JISC Collections recently said to me that what was a dealbreaker for me with publishers was not necessarily a dealbreaker for them. I totally understand this position – I’m obviously a bit puritanical about wanting publishers to adopt SAML! However, recent discussions on the lis-e-resources list got me thinking about whether access management should or shouldn’t be a dealbreaker for licensed resources. This is further supported by an article by Sarah Taylor in Serials.

During February there were three separate discussions on the lis-e-resources list about access management issues all reflecting the problematic situation of publishers who only offer allocated usernames and passwords or who have complex access routes in to resources. The question was posed – would you cancel a resource because of ‘bad’ access management? Is access management a dealbreaker, or not, and should it be?

When I first joined JISC I worked for the then emerging e-research ‘team’ (of 1!) and had very little to do with the JISC Collections team, who were busy building up a strong portfolio of negotiated deals for the UK educational community. So I was very interested to hear Lorraine Estelle presenting on the Nesli agreement process at the first ever JISC Away Day back in 2003. What impressed me most about Nesli was the fact that institutions agreed not to go to the publishers separately, but only used the Nesli route for the purchase of these specific journal deals. This gave the Nesli team it’s negotiating platform. Without this buy-in, it would have been difficult to get the publishers involved.

The JAM team have been working hard to persuade publishers of the benefits of adopting SAML as an access management route, and nearly all of the major publishers have now adopted. However, there are still a large number of smaller publishers that have not adopted, and will only use allocated username and password or IP access. This leaves librarians having to manage SAML access, IP access, EZ-Proxy routes, and publisher provided credentials – clearly a difficult management task and something that is not effective for end-users. Regrettably there are still a large number of JISC Collections resources that aren’t compliant – although SAML compliance is in the license it is not currently treated as a dealbreaker and publishers are allowed to come on board on the understanding they will adopt at a future date. In my experience, regrettably this future date rarely arrives.

There is no real reason for non-adoption of a SAML based access routes. There are a plethora of support options for publishers available, such as the offer from Semantico, the Atypon SAML SP, support from organisations such as VLE Middleware and the OpenAthensSP. Non-adoption really boils down to one thing:

if people will buy the resource without compliance, there is no incentive for the publisher to adopt.

So how can we get beyond this? Is it time for access management to become a dealbreaker? Or is it something that we can continue to live with and manage? I’d be interested in your views….

The following text is taken from a briefing paper I prepared for the UK federation Policy and Advisory Board – i thought it might be of broader interest!

1. Introduction

One of the most discussed topics within the federation space at the moment is ‘interfederation’. This describes the process of two or more federations exchanging metadata to allow members within different federations to connect via a federated access management exchange. This process results in a ‘metadata aggregation’ – the subject of a useful paper by Ian Young and Chad La Joie. This briefing paper is intended to give an overview of the current thinking behind interfederation at the current time.

In most interfederation models, the principle that Identity Providers are static, and Service Providers are mobile is used. This means that Identity Providers are expected to join their ‘home’ federation (their local education and research federation) but that Service Providers have no such natural affiliation. At the present time, this means that Service Providers have to join multiple federations to interact with each separate group of national Identity Providers. This is clearly sub-optimal for Service Providers, who have to deal with multiple agreements different approaches to discovery, attributes etc. and differing approaches to charging. The interfederation approach aims to solve this problem as effectively as possible.

Whilst these assumptions generally form the basis of most discussions, there is no requirement for Identity Providers to be ‘static’ within federations and future models may see more mobility from IdPs.

2. Available approaches

2.1 Aligning Policy

Whilst not strictly an ‘interfederation’ approach, the complexities faced by Service Providers could be addressed through more work on ensuring that education and research federations use policies that are aligned. This would mean that SPs could be given assurances that the policy of federation A is the same as federation B, with perhaps minor changes to clauses x,y and z, thus cutting down on the lead time and legal expenses of SPs as they join multiple federations. This approach was the subject of a JISC funded study: “Investigation into the Feasiblity of a Cross-Jurisdictional Common Access Management Federation Agreement”. This report noted that there were no significant legal reasons why federations have adopted different policy agreements, and that most differences were based on cultural and funding issues.

Advantages

• Supports SPs by improving their experience of approaching multiple federations.
• Does not impact on charging models adopted by many federations.
• No need for interfederation agreements to be signed.

Disadvantages

• Still requires SPs to join multiple federations.

Whilst it is unlikely that we will see a wholesale change in policy across federations, the study has been useful in making small changes to policies in order to support interfederation – such as the alignment of meaning assigned to values in the eduPersonScopedAffiliation field.

2.2 Interfederation

Interfederation is achieved by two federations bilaterally agreeing to exchange metadata, and agreeing a policy for achieving this aim. Uses for the UK federation would be interfederation with the Government Gateway to allow parents to use their citizen ID to access school data, and interfederation with organisations such as InCommon, with Service Providers are of interest to UK Identity Providers.

Advantages

• Solves the problem of SPs joining multiple federations;
• Interfederation agreement can be lightweight;
• Model template agreement is available.

Disadvantages

• Getting commitment and agreement from two federations to take forward;
• Legal issues surrounding the agreements.

This model is now well developed, and an interfederation agreement for use by educational and esearch federations has been tabled. However, no real use is being made of the process. For this approach to be successful, it will be necessary for two federations to take the plunge and sign an agreement and start testing with Service Providers.

2.3 Confederation

Confederation involves multiple federations all agreeing to abide by a single agreement on how metadata will be published, issued and aggregating. This model is being explored by the GEANT funded eduGain project.

Advantages

• Federations only need to agree to one policy;
• Easier for entities to understand the process when centrally managed.

Disadvantages

• Not all federations are likely to be in each confederation ‘club’ so bi-lateral agreements will still be needed;
• Sensitivity over charging models used by each federation;
• Complex to achieve widescale agreement;
• Complexities over ‘lowest common denominator’ for assurance.

As this approach requires many different parties to agree on an approach, it is the most complex to finalise. The eduGain model is suffering from this, and has built up quite a complex set of agreements: a constitution that federations will need to sign, a policy agreement that federations will need to sign and a metadata terms of use (which seems redundant in the light of the preceding agreements). This will act as a significant barrier to entry for many federations, including the UK federation.

Another example of this in action is Kalmar2. This is a collaboration between four of the Nordic countries, allowing confederation to be achieved between a set of like-minded federations.

2.4 Metadata Terms of Use

In this approach, a Federation Operator simply publishes a set of metadata, with a terms of use attached to it (similar to an opensource software license). Any other Federation Operator, or indeed any other metadata distributor, may use the metadata file subject to the terms of use. Trust is established by the consuming Federation Operator obeying the terms of use and the publishing Federation Operator providing a ‘Federation Operator Practise’ statement that the consuming Operator can read, assess and chose to trust.

Advantages

• No need for complex legal agreements;
• Allows metadata aggregation at many levels – does not need to involve a Federation Operator / Registrar;
• Advantageous for ‘virtual organisations’ that cross multiple federations.

Disadvantages

• Does not provide the ‘safety net’ of a signed legal agreement.

This approach is popular among technical developers and federations that have very limited liability, but is less popular with those who are naturally risk adverse or have concerns about legal liability. As this is the easiest way to achieve interfederation, it is beginning to be used extensively amongst small projects. This ‘bottom up’ approach is likely to grow rapidly, and as federations mature it is likely to be the process of choice for achieving simple interfederation.

One of the things that we are looking at closely with the UK federation at the moment is a move towards a more seamless approach to metadata management. Metadata is clearly one of the most important things about a federation – it has all the information to allow IdPs and SPs to connect to each other. It is also critically important that the metadata is accurate – bad metadata could easily break the trust model of a federation.

However, metadata takes a long time to process, check and verify. One approach that federations have been taking to help streamline this process is to introduce systems where by members can automagically update their own metadata. A good example of this is the SWITCH AAI Resource Registry.

Implementing something like this for the UK federation is an interesting concept, but I still have a number of questions:

• What is the impact on members in terms of additional cost / time from having to upload their own metadata information?
• Is there a corresponding reduction in staff time and effort at the federation operator, and it is right to switch the balance of effort?
• How do we maintain integrity and accuracy of data? What would be the impact of incorrect data being passed through?
• What is an appropriate level of human intervention / checking of data with this automated process?

I’d be really interested to hear people’s thoughts on this process.

Of course, another option would be to adopt a more radical approach whereby Identity Providers and Service Providers host their own metadata and merely inform the federation of its location. This embraces the idea of a truly distributed service model…but is perhaps a step we are not yet ready for.

This week, I’m getting excited about statistics! Well, I need something down to earth to balance out the amazing experience of being at APAN29 in Sydney.

Just before I started at JISC, we had some long and detailed conversations about statistics as part of the ANGEL project. Whilst usage statistic work has mumbled on in the background but there hasn’t been any significant work in this area….until now. Like buses, JISC usage statistic projects all come at once.

Something I am very happy to see funded, particularly as I saw the birth of the project idea whilst walking on a very hot day in San Antonio, is the RAPTOR project at Cardiff University. At the moment, Shibboleth Identity Providers can produce very useful access logs for institutions, but in a format that is not particularly friendly or helpful to the needs of librarians who need to be able to quickly review and assess resource usage. RAPTOR will produce a toolkit to not only provide this functionality but also to integrate these statistics with EZProxy logs – a joined up approach which I’m sure will be appreciated.

Hand in hand with this, the UK federation are planning on producing a portal to allow institutions to upload appropriately anonymised statistics….possible using the outputs from RAPTOR if we are smart about it. This will give us an interesting national view of resource usage, useful for both JISC and JISC Collections in focusing attention on the requirements of our community.

At the other end of the picture, it is equally important that we look at Service Provider statistics to provide the more detailed view of user behaviour beyond the authentication point. JISC Collections have been examining the potential of a usage statistics portal that will aggregate statistics from COUNTER compliant reports provided by publishers. Again, the point here is to reduce the amount of time librarians are forced to spend aggregating this information.

To complete the picture, the PIRUS project is looking at usage statistics right down at the article level across both publisher resources and repositories. More information is available in this post from Ben Wynne. PIRUS has produced a review of what information would be required to provide article level statistics. My only concern about this report is ‘who’ section and the options described for identifying unique users. eduPersonTargetedID and eduPersonPrincipleName seem obvious candidates for potential unique identifiers but are missing from the report. The challenge here will be any suggestion that looks at tracking the same user across multiple Service Providers. Obviously this is useful information for institutions, publishers and authors, but the privacy issues and management of Personally Identifiable Information (PII) will have to be carefully examined.

So that is your usage stats round-up – certainly lots of good stuff to keep an eye on.

According to recent reports, nicole is the 11th most likely password in a survey of one million (hacked) user accounts.

This leads me to the following conclusions:

1. My impact on the access management world is so significant, I have become a standard password….OR
2. People called Nicole are generally so dumb they are the most likely to use their own name as their password.

I’ll leave it to you to decide

Given the current economic issues for HEFCE and the education sector as a whole, I read with interest the HEFCE Grant letter for 2010 / 11. The figures are reasonably unintelligible unless you are significantly involved in grant allocations, but the interesting part of these letters is always the wording around the objectives expected of HEFCE. Can we learn anything from this that relates to access and identity management?

The key focus seems to be on greater flexibility, more part-time courses, more modular courses, more partnership courses etc. etc. This does present new challenges, particularly for identity and access management.

Current models of identity management tend to assume that the student’s primary affiliated institution will provide the student with an identity / identities – predominantly an e-mail address and credentials. A more flexible model may make it increasingly difficult to manage such a process, and also raise questions about the importance of such an approach in delivering a service to the student.

The complexity of licensing and assigning authorised rights associated with a license also becomes much more complex. If I am effectively attending four institutions, at what point in time am I authorised to access which resources in which institutions and how will you assign me these rights? Four sets of credentials? We obviously need to do much more work to look at managing multiple affiliations from an access management perspective, and also perhaps the model of institutional licensing for cross-collaboration courses. The upcoming multiple affiliations study final report from LSE and funded by Eduserv will be an interesting read, as will linking services such as the Shintau model.

The overarching model in all of this is ensuring the trust model in federated access. As we look to combine accounts and add authorisations to identities not managed by specific affiliations, how can we assure that these are well managed, revocated at the right point in time, and correctly asserted so we maintain trust? An interesting challenge for all of us I feel!

Now, how are we going to pay for it?!

if I were an Institution with shib 1.3;
I’d migrate to shib 2
if I were a Publisher who has implemented access management with shib;
I’d migrate to shib 2
if I were a publisher who has not implemented access management but said they would in 2010;
I’d go ahead and deploy shib or other SAML compatible product
if I were a member of JISC access management team;
I’d federate everything I use so it wouldn’t matter that I come back after xmas holidays and can’t remember a million passwords…..

David Kennedy from Duke presented an incommon sponsered study concerning vendor (what Yanks call Service Providers) best practice regarding access management. Interesting to see how some common themes aligned with our publisher study and it supports us in making arguments to publishers from both sides of the Atlantic.

Up very early this morning to chair a meeting on the Publisher Interface Study. A very simple proposition really – how do we improve the user experience when logging in with federated access, and can we get international agreement on this position?

Mark’s presentation is a very good overview of some of the differences of approach that we are dealing with and have to improve if we are not going to disenfranchise users.

Rhys Smith, who carried out the study on behalf of Cardiff University and Kidderminster College had a very simple message:

Users do not want to understand what is going on. They want to get to the content as quickly and easily as possible. Do not try and describe it, users won’t understand it. Users want one simple term they can learn and look for.

One of the big problems that was discussed was that academic users are not necessarily the main customer base for a lot of publishers. People queried why these publishers don’t consider using OpenID rather than providing usernames and passwords themselves. It may be worth promoting this as a focus alongside the use of an educational log-in process (OpenID / eduID?). Can we work with Kantara to provide a combined voice of federated technologies (including OpenID, Apple, Microsoft, Google) to talk to browser vendors to implement a cookie approach?

This is a much loftier aim than improving the current user experience on Service Providers, which we will take forward regardless….but it does seem possible that all of the new access management technologies have a real opportunity to work together.