Identity Management


Up very early this morning to chair a meeting on the Publisher Interface Study. A very simple proposition really – how do we improve the user experience when logging in with federated access, and can we get international agreement on this position?

Mark’s presentation is a very good overview of some of the differences of approach that we are dealing with and have to improve if we are not going to disenfranchise users.

Rhys Smith, who carried out the study on behalf of Cardiff University and Kidderminster College, had a very simple message:

Users do not want to understand what is going on. They want to get to the content as quickly and easily as possible. Do not try and describe it, users won’t understand it. Users want one simple term they can learn and look for.

One of the big problems that was discussed was that academic users are not necessarily the main customer base for a lot of publishers. People queried why these publishers don’t consider using OpenID rather than providing usernames and passwords themselves. It may be worth promoting this as a focus alongside the use of an educational log-in process (OpenID / eduID?). Can we work with Kantara to provide a combined voice of federated technologies (including OpenID, Apple, Microsoft, Google) to talk to browser vendors to implement a cookie approach?

This is a much loftier aim than improving the current user experience on Service Providers, which we will take forward regardless….but it does seem possible that all of the new access management technologies have a real opportunity to work together.

This morning at Internet2 started with me and a very croaky throat talking about the work the UK federation is undertaking with the Government Gateway to solve an issue related to parental access to children’s records held at schools.

I was followed by Bob Morgan talking about the far more complex interactions with the US Government. This picked up on my post about the current administration in the US being very interested in social networking and identity.

A simple question comes out of this session – who should provide my citizen ID? In the same way that we have questioned the provision of credentials by institutions within Higher and Further education, is there any need for the Government to act as an Identity Provider for transactions currently managed by the Government Gateway or could commercial systems be used instead?

A big concern is the ability to provide complete trust in systems such as Facebook in terms of establishing the true identity of an individual. Bob highlighted that trust in these scenarios is often established via network of peers who will associate themselves with an entity or not depending on their trust in the ‘true’ identity of the persona being presented. This is very different from the trust in an affiliated institution that is established by federations – but is an interesting concept to consider.

I’ve also spoken before about not reinventing the wheel when it comes to identity assurance profiles, and it seems like the Kantara Assurance work may be worth investigating for the UK federation; InCommon will be seeking to be verified via this route.

Hitting the ground running at Internet2 by diving straight in to the technical with the Shibboleth Working Group Meeting. So far San Antonio has been a surprise – certainly nothing like the other venues used by Internet2 over the years.

Shib 2.2, on the SP side, was primarily a response to the security incidents that happened over the summer. Otherwise, the main features are delegation, support for XML-valued attribute data, metadata tagging (something the UK federation has been doing for some time), simple attribute aggregation (which will be important as we move forward with the ‘interfederation’ process) and advanced metadata signature processes (good for the signer, good for security).

The meeting moved on to a discussion of user consent, and the importance of consent being built into the Shibboleth codebase. Consent is still a topic that is wide open for discussion within federated access, but tools are emerging such as the Swiss uApprove and, to some extent, use of OAuth. A per-transaction consent module within Shibboleth could be taken forward, but is it the best place for it?

Hand in hand with this comes the idea of handing out the same TargetedID across a group of services, as opposed to a particular service. The current IdP implementation does not do this, but the next release is likely to do exactly that. This is interesting for the UK, as I have had several SPs ask me for this functionality in preference to using PrincipalName. It will be interesting to see what the people concerned with Personally Identifiable Information (PII) will say about this change!
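As an added illustration of the per-service versus per-group identifier discussed above (example code written for this page, not Shibboleth’s own implementation): a TargetedID-style value is a keyed hash over a scope and the IdP-side principal. When the scope is the SP’s entityID each SP gets a stable value that no other SP can match against its own; when a group of SPs shares one scope they all get the same value. The Shibboleth IdP’s computed ID does something similar with a salted SHA-1 over entityID, source attribute and salt; this example uses HMAC-SHA256 with the salt as key. The user name, salt, entityIDs and group table are all constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample data for this example, not taken from the original post.
USER_ID = "jsmith"                          # IdP-side principal; never released as-is
IDP_SALT = b"a-long-random-secret-per-idp"  # secret key; rotating it changes every ID

# Which SPs the IdP treats as one "service group". In a real deployment this
# would come from metadata or IdP configuration; here it is a plain table.
# None means the SP is not in any group.
SP_GROUPS = {
    "https://sp1.publisher.example/shibboleth": "group:publisher.example",
    "https://sp2.publisher.example/shibboleth": "group:publisher.example",
    "https://sp.other.example/shibboleth": None,
}


def targeted_id(user_id: str, scope: str, salt: bytes) -> str:
    """Pseudonymous, stable identifier for (user, scope).

    HMAC keyed with the IdP's secret salt over "scope!user". Without the salt
    an SP cannot recompute or reverse it, and because the scope is part of the
    input, two different scopes give unrelated values for the same user."""
    mac = hmac.new(salt, f"{scope}!{user_id}".encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def per_sp_targeted_id(user_id: str, sp_entity_id: str, salt: bytes) -> str:
    """Classic TargetedID behaviour: the scope is the SP's own entityID."""
    return targeted_id(user_id, sp_entity_id, salt)


def group_scoped_targeted_id(user_id: str, sp_entity_id: str, salt: bytes, groups=SP_GROUPS) -> str:
    """Proposed behaviour: SPs in the same group share one scope and therefore
    receive the same value; ungrouped SPs fall back to the per-SP value."""
    scope = groups.get(sp_entity_id) or sp_entity_id
    return targeted_id(user_id, scope, salt)


def correlation_table(user_id: str, salt: bytes, groups=SP_GROUPS, scoped: bool = True) -> dict:
    """Map each identifier value to the SPs that would receive it. Any value
    shared by more than one SP marks a set of services able to link the user."""
    derive = group_scoped_targeted_id if scoped else per_sp_targeted_id
    table: dict = {}
    for sp in groups:
        table.setdefault(derive(user_id, sp, salt), []).append(sp)
    return table


if __name__ == "__main__":
    for scoped in (False, True):
        print("group-scoped:" if scoped else "per-SP:")
        for value, sps in correlation_table(USER_ID, IDP_SALT, scoped=scoped).items():
            print(f"  {value[:12]}...  ->  {', '.join(sps)}")
```

Two things the table makes visible that the release policy has to cover: a group-scoped value is released to every member of the group, so the data-protection assessment has to treat the group as one recipient; and adding an SP to an existing group later does not re-key anything, so it silently gains the ability to link users with the members already there.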

Discussions moved on to ‘interfederation’. One of the important places to start when thinking about interfederation is that federations do not ‘own’ entities and the entities themselves have no real concept of the construct that is a federation. This, and the standards basis of SAML2, makes entities highly mobile. One of the ways of dealing with the interfederation question is to look at metadata aggregation. In this model:

  • Metadata registrars take on the technical trust (e.g. registering an entity).
  • ‘Federations’ then deal with behavioural trust (e.g. policies for a specific community).
  • Registrars and federations MAY be colocated.
  • Federations can use multiple registrars to create a metadata aggregation with specific processes wrapped around it for the community requirements.

Metadata ‘richness’ was then discussed. Metadata aggregation should be able to cope with this, but it is important that policy is not implemented at this level – for example metadata extensions could point to policies, but should never direct them.
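One way the registrar/federation split above can be made concrete, as an added example for this page and not any federation’s real aggregator: each registrar feed is copied entity by entity, the aggregator records the registrar as the entity’s registration authority, refuses a second registrar claiming an entityID that is already registered, and applies the federation’s membership list as the only community-level policy. Entities are otherwise passed through untouched, which is the point about extensions pointing at policy rather than directing it. The feeds, entityIDs and registrar names are constructed; provenance is recorded with the mdrpi:RegistrationInfo extension (an OASIS metadata extension that postdates this post). In a real pipeline each registrar feed would be signature-checked before parsing and the aggregate signed before publication.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"
ET.register_namespace("md", MD)
ET.register_namespace("mdrpi", MDRPI)


def entity_xml(entity_id: str, role: str) -> str:
    """Minimal constructed EntityDescriptor (sample data, not real metadata)."""
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{entity_id}">'
            f'<md:{role} protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
            f'</md:EntityDescriptor>')


# Two constructed registrar feeds. Each registrar is the technical-trust
# authority for what it publishes; registrar B also tries to publish an entity
# that A already registered, which the aggregator must refuse.
REGISTRAR_FEEDS = {
    "http://registrar-a.example/": f'<md:EntitiesDescriptor xmlns:md="{MD}">'
        + entity_xml("https://idp.uni-a.example/idp", "IDPSSODescriptor")
        + entity_xml("https://sp.shared.example/sp", "SPSSODescriptor")
        + "</md:EntitiesDescriptor>",
    "http://registrar-b.example/": f'<md:EntitiesDescriptor xmlns:md="{MD}">'
        + entity_xml("https://sp.uni-b.example/sp", "SPSSODescriptor")
        + entity_xml("https://sp.shared.example/sp", "SPSSODescriptor")
        + "</md:EntitiesDescriptor>",
}


def build_aggregate(feeds: dict, members=None, name: str = "urn:example:federation"):
    """Combine registrar feeds into one EntitiesDescriptor.

    - registrars own technical trust: entities are copied untouched apart from
      a RegistrationInfo extension naming the registrar that published them;
    - an entityID may be registered once; a later registrar claiming it is rejected;
    - the federation owns behavioural trust: `members` (set of entityIDs, or
      None for everything) is the community policy applied on top.
    Returns (aggregate_element, rejected) with rejected as (entityID, registrar, reason)."""
    aggregate = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": name})
    owner: dict = {}
    rejected: list = []
    for authority, xml_text in feeds.items():
        for ent in list(ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor")):
            eid = ent.get("entityID")
            if eid in owner:
                rejected.append((eid, authority, f"already registered by {owner[eid]}"))
                continue
            owner[eid] = authority
            if members is not None and eid not in members:
                rejected.append((eid, authority, "not a member of this federation"))
                continue
            ext = ent.find(f"{{{MD}}}Extensions")
            if ext is None:  # md:Extensions must be the first child of the entity
                ext = ET.Element(f"{{{MD}}}Extensions")
                ent.insert(0, ext)
            ET.SubElement(ext, f"{{{MDRPI}}}RegistrationInfo", {"registrationAuthority": authority})
            aggregate.append(ent)
    return aggregate, rejected


def registration_authority(aggregate, entity_id: str):
    """Which registrar an entity in the aggregate was taken from, or None."""
    for ent in aggregate.iter(f"{{{MD}}}EntityDescriptor"):
        if ent.get("entityID") == entity_id:
            info = ent.find(f"{{{MD}}}Extensions/{{{MDRPI}}}RegistrationInfo")
            return info.get("registrationAuthority") if info is not None else None
    return None


def serialize(aggregate) -> str:
    return ET.tostring(aggregate, encoding="unicode")


if __name__ == "__main__":
    agg, rejected = build_aggregate(REGISTRAR_FEEDS)
    print(serialize(agg))
    for eid, authority, reason in rejected:
        print(f"rejected {eid} from {authority}: {reason}")
```

Ownership is recorded even for entities the federation then declines to include, so a registrar cannot take over an entityID simply because the first registrar’s copy was filtered out by a membership list.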

JISC Collections have a blog now running. Slightly strange as I’ll be posting on this one and the JC blog. It feels like I need identity management not just for access to multiple WordPress sites but for my own head. Different blogs, different styles, different things you can / should say. Anyone who follows Brian Kelly’s blog will have seen those issues discussed before – I for one await the day when our overlords put chips in our heads that will deal with attribute release and role management in my brain.

Inspired by a discussion on twitter, I find myself once more in the position of having to explain why I am not a fan of the use of proxy referral services in libraries. I should start by saying that I am not a fan of the typical trend of using IP access on library campuses and it is the general move away from any sort of IP-based system that I am actually promoting. I also completely understand why libraries like to use them – the best known proxy products are quick, clean and easy to implement and maintain.

Sometime ago, JSTOR took a strong position on the use of proxy servers, noting:

Without special configuration, these proxy servers often have no access restrictions in place. If the computer is within a range of IP addresses that have access to JSTOR, then the result is that literally anyone in the world can use that proxy server to enter JSTOR, as well as other licensed electronic products and restricted campus resources. It is important to note that this is not a fault of any institution or library, but a weakness inherent in the current system of using IP addresses for authentication to restricted resources.

Now, most library proxies are well enough set up that they are not providing an open proxy access route. However, easy to set up can sometimes mean sloppily set up, particularly in the use of administrative passwords. We have had many examples of the administrative passwords to proxy servers being made available freely on the internet. So if you are going to use a proxy, make sure that administrative passwords are well looked after and frequently changed – they provide access to nearly ALL your resources!

My second point is that proxies are often set up without much thought to the credentials being used with the proxy server. Sometimes only a small set of credentials is used, or credentials that a user would have no qualms about sharing. So again, if you are setting up a proxy server, tie in a sensible credential option such as local authentication using Shibboleth to increase security.

Thirdly, I just don’t like something that pretends to be something it is not. When using the proxy service, you are basically claiming to be visiting the Service Providers in question from an agreed set of IP addresses ‘owned’ by an institution. In reality, you could be on any computer anywhere in the world. There are a host of security issues that have been caused from such a set up.

Fourthly, there is the problem of accounting and statistics. It is very difficult to provide authoritative data on resource use from proxy servers, or from IP access for that matter! In a time where we need to justify spending constantly, it seems that better resource usage statistics can only be a good thing. I’ve heard this as an argument away from proxies from Service Providers as well – they would like to better understand the market they are serving rather than just receiving access requests from an IP-range.
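As an added example, not from the original post: three checks a library could run over its own proxy logs to act on the points above about open proxies, shared credentials and accounting. It assumes the proxy writes an Apache-style access log with the authenticated username in the third field (EZproxy and most web proxies can be configured to log this way; the exact directive is not covered here) and uses constructed sample lines. It flags a credential used from many client addresses within an hour (the shared-password case), lists successful fetches with no authenticated user (the open-proxy case JSTOR describes), and produces the per-user usage counts that an IP range alone cannot give you.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real proxy data. Third field is the
# username the proxy authenticated, or "-" when nobody logged in.
SAMPLE_LOG = """\
203.0.113.5 - alice [14/Oct/2009:09:12:01 +0100] "GET http://journal.example/article/1 HTTP/1.1" 200 5120
198.51.100.7 - alice [14/Oct/2009:09:14:30 +0100] "GET http://journal.example/article/2 HTTP/1.1" 200 4096
192.0.2.44 - alice [14/Oct/2009:09:16:02 +0100] "GET http://journal.example/article/3 HTTP/1.1" 200 7000
203.0.113.99 - alice [14/Oct/2009:09:21:45 +0100] "GET http://journal.example/article/4 HTTP/1.1" 200 3000
198.51.100.200 - alice [14/Oct/2009:09:25:10 +0100] "GET http://journal.example/article/5 HTTP/1.1" 200 2500
192.0.2.10 - bob [14/Oct/2009:08:00:00 +0100] "GET http://journal.example/article/9 HTTP/1.1" 200 1200
192.0.2.10 - bob [14/Oct/2009:17:30:00 +0100] "GET http://journal.example/article/9 HTTP/1.1" 200 1200
203.0.113.77 - - [14/Oct/2009:10:05:00 +0100] "GET http://journal.example/article/1 HTTP/1.1" 200 5120
203.0.113.78 - - [14/Oct/2009:10:06:00 +0100] "GET http://journal.example/article/1 HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines in an unexpected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"], "user": m["user"], "url": m["url"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m["status"]),
        })
    return events


def shared_credential_suspects(events, window=timedelta(hours=1), max_ips=3) -> dict:
    """Users whose credential was used from more than max_ips distinct client
    addresses inside any window-long period. Ordinary users move between a few
    addresses a day; a shared or leaked login shows many at once."""
    by_user = defaultdict(list)
    for e in events:
        if e["user"] != "-":
            by_user[e["user"]].append(e)
    suspects = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, anchor in enumerate(evs):
            ips = {e["ip"] for e in evs[i:] if e["time"] - anchor["time"] <= window}
            if len(ips) > max_ips:
                suspects[user] = sorted(ips)
                break
    return suspects


def open_proxy_suspects(events) -> list:
    """Successful (2xx) fetches with no authenticated user. If the proxy is
    meant to require a login these are the requests JSTOR warned about; a
    redirect to the login page or a 403 is what you want to see instead."""
    return [e for e in events if e["user"] == "-" and 200 <= e["status"] < 300]


def usage_by_user(events) -> dict:
    """Per-user successful request counts: the accounting view IP-range access cannot give."""
    counts = defaultdict(int)
    for e in events:
        if e["user"] != "-" and 200 <= e["status"] < 300:
            counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shared credentials:", shared_credential_suspects(evs))
    print("unauthenticated successes:", [(e["ip"], e["url"]) for e in open_proxy_suspects(evs)])
    print("usage:", usage_by_user(evs))
```

The thresholds are deliberately simple: tune the window and address count to your own campus traffic, and treat a hit as a prompt to look rather than proof of sharing, since NAT pools and mobile networks also move one user between addresses.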

Finally, there is the user experience. Proxies mirror IP access and plain old IP access routes don’t offer much added value for the user such as personalisation etc.

I really do understand why libraries use proxies, and why they continue to use IP access on-site. There is a particular job of work to be done with US-based publishers on pushing the advantages of more sophisticated access routes and moving away from IP-based licenses. We continue to work with publishers. In the meantime, I hope it is OK if I continue to see the place and role of proxies, but continue to shudder and dislike them. Maybe I am just suffering from access management OCD.

In the meantime, maybe you can tell me why on-site IP access is really a good thing for the user??

Understandably over the last couple of years there has been a slow shift in the access management community to talk more about identity management than access management. The two definitely come hand in hand, but I think we need to be careful about what we actually mean when we use the terms. A trend has started which takes the term federated access and replaces it wholesale with federated identity. I think this is a mistake, as I think the two are actually very different things.

Federated access is all about allowing disparate systems to make use of the same access credentials. It makes use of identity information to ensure that the correct authorisation decisions are made – but at the end of the day its primary focus is on ensuring that users are effectively connected to the resources and services that they require access to.

The entry on wikipedia for federated identity is interesting:

In information technology, federated identity has two general meanings:

  • The virtual reunion, or assembled identity, of a person’s user information (or principal), stored across multiple distinct identity management systems. Data are joined together by use of the common token, usually the user name.
  • A user’s authentication process across multiple IT systems or even organizations.

I don’t agree with this. I think the first point describes federated identity very well. I think the second point describes federated access. The main difference is that federated access as currently used tends to a) rely on one identity source and b) focus on access provision rather than identity information. A federated identity system should take us into the world of multiple identity sources providing both access and identity solutions – such as managing personalisation features, loyalty schemes, recommendations etc.

Whilst we have federated access in place within the UK, federated identity is definitely the next step. We need to be able to allow users to call identity information from different places and we need to be able to effectively combine user-managed identities with affiliation-managed identities. Technologies like Information Cards are an interesting step on this path – but are still complex for end-users to navigate. I still think there is a different technological solution around the corner that may help us more effectively tackle this challenge…and will wait with interest to see it!

In the meantime, don’t forget that JISC is looking for projects under its latest innovation call. These could tackle both federated access and federated identity and who knows, may produce that elusive new direction!

It is probably not surprising that the current White House is interested in identity. To some extent, Obama’s campaign was all about identity – from the need to publish his birth certificate to quieten the slightly nuttier rumour mongers to his reluctance to trade on his racial and religious background as part of his campaign.

As part of an open social White House, Obama is encouraging federal sites to make use of OpenID. Immediately, we see a bunch of major companies signing up to be OpenID identity providers. Of course, it is actually in the interests of all of these companies to be identity providers – there is significant value to be had in identity information and companies would much rather manage these identities than let them be locked away behind federal identity systems. I’d be much more excited if any of these companies were properly embracing OpenIDs as consumers – and by this I mean with no need to provide additional information, register separately etc. etc., as we have seen with the much lauded Facebook adoption of OpenID that amounts to little more than account linking.

What is much more interesting is the announcement of the Open Identity Initiative – an initiative working with InCommon, Kantara, the OpenID Foundation and the InfoCard Foundation across a range of standards to provide efficient access routes to federal resources. This is where the benefits of working with an open standard access management solution really begin to show, and helps demonstrate how Shibboleth-based federations can work well with other standards-based solutions.

We’re organizing the FAM event for November and I’ve been slightly surprised at the fact that a few people have returned their forms indicating that they don’t wish to have their face in any photos or have their voice recorded.

Of course the right to privacy is key, and in many ways it is what a huge part of access management is all about. And we should never assume consent. Or should we, sometimes?

Your average public sector event is going to be attended by public sector employees, who I’m assuming will get their fares and accommodation paid for by their host institutions and who are certainly attending in an official capacity. So should we be able to say “no, I don’t want my comments or questions recorded”?

Web casting is becoming more and more common – events in our field actively take into account that many more people will be actually participating than physically at the event. So is standing up for the rights of privacy doing anyone any good in this case?

There is a flip side to this – recording and broadcasting everything does make it harder to ask or make off the record comments and can inhibit frank discussion which is a key reason for events like our FAM one to take place.

I know the law on this one, but I’m not sure if I know the answer… there is certainly a fight to be had over privacy which I’m happy to get behind, but should public sector events be the battleground?

I’ve been asked several times if it is possible to restrict access to users by geographical location using federated access. This is normally from a Service Provider who wants to restrict access to a resource to people physically present somewhere in the UK. My begrudging answer is, yes, there are ways of doing this. eduPerson has a locality field that could be populated, or you could ask for postcodes to query against. Of course this doesn’t ensure that the person is physically within the UK, only that the IdP believes that the person in question is normally resident in the UK.

To ensure that people are physically within a specific location, IP checking is normally relied upon. This in itself is not a particularly reliable process – machines in the UK often have IP addresses that would be flagged as belonging to another country and proxy servers and VPN access will get around all of these issues.

My main reaction however would have to be WHY, oh WHY would you want to try and do this? As you can see from the above, it is a fairly difficult thing to achieve, so you are immediately placing an expectation on your customer that they are likely to fail to meet. I also don’t understand why restricting access just to the UK would be perceived as more secure. Downloaded information could easily be passed beyond the boundaries of the UK in an instant because of that interweb thingamy :-) I guess I can almost understand why BBC iPlayer would only be available in the UK because of licence payer issues, but as a licence payer I think I should be able to access iPlayer when I’m in other countries, especially so I don’t miss the final episode of The Apprentice! The right is not a geographical one – it is actually a personal one based on my licence fee payment.

In a world of ubiquitous electronic access, I think it is foolish to try and restrict access by location (and yes, I’m afraid that for me this includes ‘on site only’ access). Location is often inaccurately identified as the restricting element for access – but when properly analysed, you can nearly always find a better way of managing such a process. Does a publisher, for example, actually mean that they would be uncomfortable with students permanently resident overseas using a resource, rather than that it can only be used in the UK?

I think it is such a shame that we are still dealing with these issues, and that it automatically cuts the publisher off from developing their resources for use on iPhones and netbooks and in other truly mobile locations due to what I see as an inaccurate interpretation of security. Lets hope we can move on!

I spent most of Friday at a meeting with the DCSF discussing some of the trickier elements of access to online services that they are grappling with. I came away most glad that I don’t work for a government department, but also appreciative of some of the problems they face in meeting targets related to online access.

DCSF are required to provide online access for parents to information about their children by 2011 in a variety of ‘online reporting’ areas, including behaviour, attendance, attainment and performance. This smacks a little of one of those goals that have not been thought through fully in terms of what parents actually want to see, and how they wish it to be delivered. For example, if the purpose of the online reporting is to show me that the school thinks my child has been in attendance for 80% of the year, whereas I think it is 100%, thereby offering me the chance to challenge official records, that is all well and good. If the purpose of the online reporting is to tell me that my child is not in school – I’d rather have a phone call please :-)

The meeting talked around three key areas – credentialing, interface and claims assertion, with the third area being the most problematic.

The question of credentialing for parents is being addressed by an interfederation agreement between the Government Gateway and the UK federation. Schools and local authorities are already establishing services within the UK federation, but should not have the additional burden of having to provide credentials to parents. Many people will already have a Government Gateway login, perhaps without realising it (have you ordered your car tax, or done your tax return online?) and it is a sensible and secure credential to use. The main concern in this area is that if this work does not move forward quickly enough, schools will be forced to supply local credentials. In the long term, the Government Gateway and Direct.gov are looking at ways of integrating other credentials into this system – such as OpenID.

Interface is an interesting question as of course a familiar look and feel across all of the services will be beneficial for parents, but many of these developments are currently happening on an individual school by school basis. Direct.gov is recognising the benefits of single branding across public sector services, and pulling in parental access to this makes sense. Becta is encouraging schools to at least aggregate and work at a local authority or regional broadband consortia level, but this will be a space where more work is needed.

The most problematic area is managing the policy around asserting your claim as parent of a child. Technically, this is a very simple process as claims-based access fits in well with the current architectures for the UK federation and Government Gateway. Managing the process whereby a claim is validated, a token for this claim applied, and most importantly claims revoked where appropriate is very complex. It is recognised that this is actually badly managed in the real world at the moment – the Local Authority where I wish to send my child to school accepts my school application without much identity validation or checking. This information is then sent on to the school, and I become the primary contact for that child. Therefore, my claim as parent is fundamentally self-asserted. It is assumed that a stronger validation is needed in the online environment, but this assumption needs further work to establish a process. This may need stronger identity validation at the school application point, or could be a weaker process where tokens are handed out to children via the ‘book bag’. Schools also recognise that they tend to default to creating a core relationship with the mother – a fact that is often not valid in today’s environment.

Overall, I think more work is needed on the services that parents will feel are beneficial for online access. I’d much rather see combined online access for the school application with payments for trips, consent forms for trips, payments for school meals, and all the other administrative functions of being a parent. Behaviour and reporting? Well there is a lot to say in this area for the old-fashioned school report and parents evening :-)
