Joining the UK Federation


Unfortunately it is just metaphorical BEER at the moment I’m afraid, in the form of the BEER project. BEER (I’m sure we will have a more grown-up name when it is operational!) is a bit of a confusing concept if you don’t spend all your time thinking about access management metadata exchange like us enthusiasts (read weirdos), so I thought I would try and tease the concept out a bit more here.

I think I would start by saying that it is still very difficult to gauge the exact level of trust and assurance you need in any set of metadata exchanged for access management purposes (as opposed to the level of trust and assurance in the credentials provided). At a very basic level, you just need to be fairly sure that the metadata was provided by the person it appears to be coming from. This in turn scales upwards to the sort of trust provided by the ‘vetting’ undertaken by federations, right up to the more directive policies of interfederations like eduGAIN. BEER pushes at the other end of the spectrum, by trying to strip the trust level down to a minimum. I think it is important that we are exploring both ends of the scale.

The problem with creating a very robust trust framework is that it costs money! Any type of vetting of end-entities inevitably creates the type of process that requires human interaction to check and verify the metadata and its assertions at a variety of levels. This in turn creates a burden for the entities registering metadata, who have to meet the requirements of the metadata registrar – a burden they may not be able to meet, not through being untrustworthy but simply from not having the resource to dedicate to the process.

Say I am a teeny-weeny little Service Provider called Edublob (and note I am just focusing on Service Providers in the BEER context), but I just happen to have customers in academic institutions all around the world. I really want to offer federated access to my users, but I don’t have the time, resources or ability to manage the legal costs of signing contractual agreements with lots of academic federations. Instead, I choose to register my metadata with BEER and tell my customers to consume it, or get their federation to consume BEER.

The consumer has a certain amount of faith in the metadata, as BEER does some checking and has also had a bilateral exchange (albeit a minimal one, by email) with Edublob telling them that their metadata is in BEER. If it appears in a metadata aggregation and you don’t know anything about Edublob…well, don’t attempt to connect to it, and reject all authentication requests from said service!

Yes, this is very basic, but we need to test the boundaries of what basic can achieve via metadata exchange for access management. There are other challenges ahead for BEER. It may be that the very basic level of testing promised – such as domain name checks – creates a service that cannot be maintained. It may be that the trust level is perceived as too low by federations and other consumers of metadata. It is, however, a very important route to try. I can see it being very unpopular with strict security folks, and with those who prefer the notion of monolithic federations, but I’m fully bought into the idea that fully distributed, self-asserted metadata may be the norm in the future (really cloud-y stuff!) and this is a step towards that.

So keep an eye on BEER and have a think about the implications for you if you should consume it.
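The consumer-side stance described above, as an added illustration that is not code from the original post or from the BEER project: a small aggregate of Service Provider metadata is parsed, a basic domain consistency check (assumed here as a stand-in for the ‘domain name checks’ mentioned) is applied, and only entities the consumer already knows from its own allow-list are accepted. The aggregate, entity names and domains are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed sample aggregate (not real metadata): one SP whose endpoint sits
# under its own domain, and one whose endpoint points at an unrelated domain.
SAMPLE_AGGREGATE = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" Name="beer-example">
  <md:EntityDescriptor entityID="https://sp.edublob.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.edublob.example/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.unknownvendor.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://collector.elsewhere.example/acs" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def registrable_domain(host, labels=2):
    """Crude stand-in for the registrable domain: the last `labels` DNS labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-labels:])


def domain_check(entity):
    """Assumed minimal 'domain name check': every SP endpoint must be HTTPS and
    sit under the same registrable domain as the entityID. Returns (ok, reasons)."""
    base = urlparse(entity.get("entityID", "")).hostname
    if not base:
        return False, ["entityID is not a URL with a host"]
    base_dom = registrable_domain(base)
    problems = []
    for acs in entity.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        loc = urlparse(acs.get("Location", ""))
        if loc.scheme != "https":
            problems.append(f"non-HTTPS endpoint {acs.get('Location')}")
        host = loc.hostname or ""
        if registrable_domain(host) != base_dom:
            problems.append(f"endpoint host {host} is outside {base_dom}")
    return not problems, problems


def filter_aggregate(xml_text, allow_list):
    """Decide, per entityID, whether the consumer should use this SP's metadata:
    it must be on the consumer's allow-list AND pass the domain check."""
    root = ET.fromstring(xml_text)
    decisions = {}
    for entity in root.findall("md:EntityDescriptor", NS):
        eid = entity.get("entityID")
        if eid not in allow_list:
            decisions[eid] = "rejected: not on allow-list"
            continue
        ok, problems = domain_check(entity)
        decisions[eid] = "accepted" if ok else "rejected: " + "; ".join(problems)
    return decisions


def accepted_entities(xml_text, allow_list):
    """Sorted list of entityIDs the consumer would actually load."""
    return sorted(e for e, d in filter_aggregate(xml_text, allow_list).items() if d == "accepted")


if __name__ == "__main__":
    # The consumer knows Edublob but has never heard of the second vendor.
    known = {"https://sp.edublob.example/shibboleth"}
    for eid, decision in filter_aggregate(SAMPLE_AGGREGATE, known).items():
        print(eid, "->", decision)
```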

A colleague of mine in JISC Collections recently said to me that what was a dealbreaker for me with publishers was not necessarily a dealbreaker for them. I totally understand this position – I’m obviously a bit puritanical about wanting publishers to adopt SAML! However, recent discussions on the lis-e-resources list got me thinking about whether access management should or shouldn’t be a dealbreaker for licensed resources. This is further supported by an article by Sarah Taylor in Serials.

During February there were three separate discussions on the lis-e-resources list about access management issues all reflecting the problematic situation of publishers who only offer allocated usernames and passwords or who have complex access routes in to resources. The question was posed – would you cancel a resource because of ‘bad’ access management? Is access management a dealbreaker, or not, and should it be?

When I first joined JISC I worked for the then emerging e-research ‘team’ (of 1!) and had very little to do with the JISC Collections team, who were busy building up a strong portfolio of negotiated deals for the UK educational community. So I was very interested to hear Lorraine Estelle presenting on the Nesli agreement process at the first ever JISC Away Day back in 2003. What impressed me most about Nesli was the fact that institutions agreed not to go to the publishers separately, but only to use the Nesli route for the purchase of these specific journal deals. This gave the Nesli team its negotiating platform. Without this buy-in, it would have been difficult to get the publishers involved.

The JAM team have been working hard to persuade publishers of the benefits of adopting SAML as an access management route, and nearly all of the major publishers have now adopted it. However, there are still a large number of smaller publishers that have not, and will only use allocated username and password or IP access. This leaves librarians having to manage SAML access, IP access, EZproxy routes, and publisher-provided credentials – clearly a difficult management task and something that is not effective for end-users. Regrettably there are still a large number of JISC Collections resources that aren’t compliant – although SAML compliance is in the license it is not currently treated as a dealbreaker, and publishers are allowed to come on board on the understanding that they will adopt at a future date. In my experience, regrettably, this future date rarely arrives.

There is no real reason for non-adoption of a SAML-based access route. There are a plethora of support options available to publishers, such as the offer from Semantico, the Atypon SAML SP, support from organisations such as VLE Middleware, and the OpenAthens SP. Non-adoption really boils down to one thing:

if people will buy the resource without compliance, there is no incentive for the publisher to adopt.

So how can we get beyond this? Is it time for access management to become a dealbreaker? Or is it something that we can continue to live with and manage? I’d be interested in your views….

You’ve probably seen the notice from JANET concerning the Shibboleth 1.3 to 2.0 migration.

“We strongly recommend that sites currently running Shibboleth 1.3 in production plan to upgrade to the current version of Shibboleth well in advance of the announced EOL date. This will protect against the possibility of a forced but unplanned migration from 1.3 should a security issue or incompatibility be discovered after the EOL date has been reached.”

Well, the time factor here is June, which, given that it falls within the teaching calendar, means that for many institutions the next appropriate downtime when they can schedule such a transition is Easter. I know of a number of institutions who are already planning what they will do IT-infrastructure-wise during Easter, so if you are a 1.3 institution get it onto the agenda! In some cases where the library has been pushing the Shib agenda and the IT department has been doing the actual work, it might mean flagging the issue again to the IT team. I would be interested to hear any migration experiences….?

Some advice here.

I spent most of Friday at a meeting with the DCSF discussing some of the trickier elements of access to online services that they are grappling with. I came away most glad that I don’t work for a government department, but also appreciative of some of the problems they are facing in meeting targets related to online access.

DCSF are required to provide online access for parents to information about their children by 2011 in a variety of ‘online reporting’ areas, including behaviour, attendance, attainment and performance. This smacks a little of one of those goals that have not been thought through fully in terms of what parents actually want to see, and how they wish it to be delivered. For example, if the purpose of the online reporting is to show me that the school thinks my child has been in attendance for 80% of the year whereas I think it is 100%, thereby offering me the chance to challenge official records, that is all well and good. If the purpose of the online reporting is to tell me that my child is not in school – I’d rather have a phone call please :-)

The meeting talked around three key areas – credentialing, interface and claims assertion, with the third area being the most problematic.

The question of credentialing for parents is being addressed by an interfederation agreement between the Government Gateway and the UK federation. Schools and local authorities are already establishing services within the UK federation, but should not have the additional burden of having to provide credentials to parents. Many people will already have a Government Gateway login, perhaps without realising it (have you ordered your car tax, or done your tax return online?) and it is a sensible and secure credential to use. The main concern in this area is that if this work does not move forward quickly enough, schools will be forced to supply local credentials. In the long term, the Government Gateway and Direct.gov are looking at ways of integrating other credentials, such as OpenID, into this system.

Interface is an interesting question as of course a familiar look and feel across all of the services will be beneficial for parents, but many of these developments are currently happening on an individual school by school basis. Direct.gov is recognising the benefits of single branding across public sector services, and pulling in parental access to this makes sense. Becta is encouraging schools to at least aggregate and work at a local authority or regional broadband consortia level, but this will be a space where more work is needed.

The most problematic area is managing the policy around asserting your claim as parent of a child. Technically, this is a very simple process, as claims-based access fits in well with the current architectures of the UK federation and Government Gateway. Managing the process whereby a claim is validated, a token for this claim applied and, most importantly, claims revoked where appropriate is very complex. It is recognised that this is actually badly managed in the real world at the moment – the Local Authority where I wish to send my child to school accepts my school application without much identity validation or checking. This information is then sent on to the school, and I become the primary contact for that child. Therefore, my claim as parent is fundamentally self-asserted. It is assumed that stronger validation is needed in the online environment, but this assumption needs further work to establish a process. This may need stronger identity validation at the school application point, or could be a weaker process where tokens are handed out to children via the ‘book bag’. Schools also recognise that they tend to default to creating a core relationship with the mother – a fact that is often not valid in today’s environment.

Overall, I think more work is needed on the services that parents will feel are beneficial for online access. I’d much rather see combined online access for the school application with payments for trips, consent forms for trips, payments for school meals, and all the other administrative functions of being a parent. Behaviour and reporting? Well there is a lot to say in this area for the old-fashioned school report and parents evening :-)

Those of you deeply embroiled in the finer details of federation constructions (no, it’s not just me!) cannot have avoided being in a conversation recently about the need to separate the role of Federations as registrars of metadata and the role of metadata aggregation and distribution.

Simply put, Federations add useful assurance and trust qualities to metadata through registration processes. This is particularly important at the moment in the UK federation, which has been focusing in on commercial content provision via the federated model. However, there are use cases where the geo-centric nature of Federations is not helpful.

We looked at such a case within the REFEDS meeting on Sunday at #tnc2009. All those involved in the REFEDS group need to be able to use federated access to use the REFEDS wiki space and the Kantara wiki space (Kantara is the new Liberty Alliance, watch that space!). It does not make any sense for organisations like Kantara and TERENA to attempt to join all of the Federations involved in REFEDS – even the most lightweight agreements still involve a contract signature process that is difficult to obtain in such organisations.

The solution? A metadata aggregation of all of the entities involved in REFEDS. In this sense, we are talking about a real virtual organisation in operation. John Paschoud rightly queried me on how trust will be maintained within such an arrangement without a Federation. There are various ways of adding trust and assurance to this aggregation. Firstly, the metadata aggregator will come from within the REFEDS group and will only aggregate the metadata of members of the group. In this sense, the virtual organisation itself provides the trust assurances through its operation.

The more interesting point is controlling the way in which Service Providers use the aggregated metadata. Well, in the case of TERENA and Kantara I think we can have a reasonable amount of trust through the status and position of the organisations themselves. For other service providers, the simple approach is to provide ‘terms of use’ for the metadata – akin to an open source software license. Leif has described this approach on several occasions, and it seems very likely now that this will be taken forward. It is the driver behind the new focus of eduGAIN.

The long term impact of this approach will be interesting. In the short-term, I think it will only be used for lightweight applications (such as blogs and wikis) in virtual organisations – in short, the role of the geographically organised federation will not be impacted. In the longer-term, this could put an end to the need for Service Providers to join Federations. Service Provider use of the metadata will be controlled by the metadata ‘terms of use’, negating the need for the providers to join up to membership – they can consume the metadata as long as they follow the terms. It could also affect the concerns that some people have regarding the need for Federations to have strict legal liability cover – I feel that this concern has hindered the progress of interfederation agreements, and of course such a focus will always make Federations more static…and more expensive!

This is a fundamental change to the way that federations might operate in the future. I’ve tried to capture some of this thinking in a presentation…more to follow!

We are starting to see the first signs of federated access being used as a core decision point in business planning. In this uncertain market, publishers and institutions are having to make decisions about the best possible way to maximise their markets and maximise their spending power.

We’ve recently been helping institutions review their resource lists against federation compliant publishers, and several have mentioned that they are willing to cancel subscriptions to non-compliant publishers. Regrettably, this is often the smaller publishers who perhaps have not had the chance to be able to fully exploit the new technology. I know it is difficult for librarians to even consider cancelling subscriptions to the larger publishers…but there are two major publishers whose names may start with W and I and a major aggregator whose name may also start with I who are still dragging their feet about meeting the customer requirement for federated access. It would be interesting to see what their reaction might be if faced with cancellations because of lack of compliance.

On the aggregator front, we are starting to see signs of the smaller publishers moving away from aggregators because of non-compliance with federated access. I think this is a sensible reaction – don’t let your platform provider dictate your requirements in a market where you might lose custom based on slow-uptake of technologies.

Federated access is definitely the new black and a must have in your technical wardrobe if you want to be taken seriously at the scholarly publishing party.

One of the problems faced by access management federations as they are currently being developed is the ‘two worlds collide’ problem of establishing trust. For most federations, the trust relationship is currently defined by a legal or quasi-legal agreement between members (typically distinguished as Identity Providers and Service Providers) in the form of a signed set of rules, agreements or policies. A lot of good work and effort has been put into getting these agreements right, and I think most of the national education and research federations have developed appropriate lightweight agreements that cover the necessary trust issues in a coherent (although often culturally slightly different) way.

The problem with a legal agreement is that at some point it is inevitable that the lawyers become involved…and lawyers and technologists simply don’t mix! I have lost count of the number of times I have seen a perfectly well defined technical clause tortured to death by lawyer-ese and turned in to something incomprehensible, often factually inaccurate and in some cases potentially capable of invalidating the contract. I cannot stress enough how important it is for anyone developing or thinking of signing any contract involving technology to take good advice from people who know what they are talking about when it comes to ‘techie stuff’.

Here are some of my ideas to help improve this situation:

  • Librarians, DO ask your IT colleagues to run an eye over licenses before you commit yourself to them. They are more likely to spot those odd clauses where you are being asked to reveal student passwords or carry out convoluted and impossible identity management processes.
  • If in doubt, leave the technology out. One of the simple ways of gaining consensus on these issues is to have the contract refer to signatories following a technical specification and asking an appropriately qualified technical person to draft this specification.
  • Lawyers, contracts managers, license negotiators, DO seek technical advice as well as getting your documentation approved by your legal department. DON’T be afraid to admit where you don’t properly understand a technical term or process and get these sections properly written up. A badly worded definition of security could be a costly mistake.
  • Technologists, DO try to think about documenting your processes in a way that can be interpreted by other people within your organisation to help effectively support this process.

It will be interesting to see how long federations rely on policy agreements to gain trust between members. The alternative of each organisation exposing their metadata with appropriate technical trust attached (such as digital signatures, better use of digital certificates, etc.) is already possible, but I don’t think education institutions within the UK would be ready for such a step. I also think that librarians and publishers in particular like the fact that the current federation infrastructure reflects the known licensing process. It would also mean we would have to be even more careful about license terms surrounding technology that are agreed in the standard bilateral agreements between library and publisher…and that is a big challenge.

I wonder if we will see a divergence of approach to federated access, with commercially valuable resources preferring the current legal framework of federations whilst other resources take advantage of more flexible technical trust? Time will tell…

I will be attending the next meeting of the McShib group next Friday, and I am looking forward to it very much!

As part of my preparation, I had a quick look at the UK federation membership status for all of the institutions in Scotland. Currently:

  • Two FE Colleges within the remit of RSC Scotland North and East are members – Dundee College and Borders College. By my rough calculations, that leaves 21 to go.
  • One FE College within the remit of RSC Scotland South and West is a member – Reid Kerr College. Again, that leaves about 19 to go.

It strikes me that these colleges might well think about a joint approach to the recent JISC call offering direct support to smaller FE colleges in adopting federated access management.

  • 10 of the 18 Higher Education Institutions in Scotland are members of the UK federation, and most are fairly well advanced in the deployment of federated access technologies. A focus on the roll-out to users and library concerns would be helpful for these institutions.
  • 3 Scottish HE institutions are considered to be in the most at risk category in terms of adopting federated access: University of the West of Scotland, RSAMD and Robert Gordon University.
  • 2 Scottish HE institutions are considered to be at risk level 4 (out of 5): Glasgow School of Art and Queen Margaret University, Edinburgh.
  • 2 Scottish HE institutions are considered to be at risk level 2 (out of 5): University of St Andrews and Edinburgh College of Art.
  • 1 Scottish HE institution is considered to be at risk level 1 (out of 5): Glasgow Caledonian University.

UK federation Members

Heriot-Watt University
Napier University
University of Aberdeen
University of Abertay Dundee
University of Dundee
University of Edinburgh
University of Glasgow
UHI
University of Stirling
University of Strathclyde

Scottish Higher Education – non members

Risk 5 – University of the West of Scotland
Risk 5 – Robert Gordon University Now Member!
Risk 5 – Royal Scottish Academy of Music and Drama
Risk 4 – Glasgow School of Art
Risk 4 – Queen Margaret University, Edinburgh
Risk 2 – University of St Andrews Now Member!
Risk 2 – Edinburgh College of Art
Risk 1 – Glasgow Caledonian University

RSC Scotland North and East

Aberdeen College, Aberdeen
The Adam Smith College, Glenrothes
Angus College, Angus
Banff and Buchan College, Fraserburgh
Borders College, Galashiels MEMBER
Dundee College, Dundee MEMBER
Edinburgh’s Telford College, Edinburgh Now Member!
Elmwood College, Cupar
Forth Valley College, Falkirk
Inverness College, Inverness
Jewel and Esk Valley College, Dalkeith
Lauder College, Dunfermline
Lews Castle College, Isle of Lewis
Moray College, Elgin
Newbattle Abbey College, Dalkeith
Oatridge Agriculture College, Broxburn
Orkney College, Orkney
Perth College, Perth
Sabhal Mor Ostaig, Isle of Skye
Shetland College of Further Education, Lerwick
Stevenson College, Edinburgh
The North Highland College, Thurso
West Lothian College, Livingston

RSC Scotland South and West

Anniesland College, Glasgow Now Member!
Ayr College, Ayr
Barony College, Parkgate
Cardonald College, Glasgow Now Member!
Central College of Commerce, Glasgow
Clydebank College, Clydebank
Coatbridge College, Coatbridge
Cumbernauld College, Cumbernauld Now Member!
Dumfries and Galloway College, Heathhall
Glasgow College of Nautical Studies, Glasgow
Glasgow Metropolitan College, Glasgow
James Watt College of Further and Higher Education, Greenock
John Wheatley College, Glasgow
Kilmarnock College, Kilmarnock
Langside College of Glasgow
Motherwell College, Motherwell
North Glasgow College, Springburn
Reid Kerr College, Paisley MEMBER
South Lanarkshire College, Cambuslang
Stow College, Glasgow

I have had several in-depth conversations with Service Providers over the last couple of days regarding concerns that institutions are not taking their obligations seriously enough in terms of identity management and in relation to devolved authentication processes. I thought it would be worth capturing some of the discussions here.

My first point is that Service Providers to institutional libraries have always been reliant on the institution to provide accurate information about valid end users for their services. This is not a new concept within a devolved approach, but the very nature of devolved authentication often means that errors (such as bad revocation or credential re-use policies) are more easily uncovered than with service provider or centralised access management systems. So, we should to some extent be pleased if more errors are being uncovered – it means the process is working.

Institutions are often simply not aware enough of the obligations that are put on them in terms of good identity management processes when they sign up to a licensed resource. More work needs to be done to get the license terms and conditions out of a dusty filing cabinet and into the general consciousness of institutions.

The discussions have reinforced my faith in the policy approach of the UK federation, and its importance in addition to traditional licenses such as the JISC Model License. It also reinforces the importance of ‘section 6’ of the UK Access Management Federation Rules of Membership, and I would urge all institutions to seriously consider signing up to it, and all service providers to review whether it should be a requirement of access. It is this section that truly places an obligation on institutions to demonstrate best practice in identity management.

Service Providers cannot expect institutions to demonstrate best practice unless there is a clear requirement – either in the license for the resource or within a policy document such as the UK Access Management Federation Rules of Membership.

Any devolved authentication system should have robust documentation in place to ensure that it is clear whether or not institutions using that system are following good practice in terms of identity management, and what accountability and traceability Service Providers can expect.

Overall, it is important that both institutions and Service Providers are taking identity management processes seriously, and it does worry me that Identity Management only makes number 10 on the UCISA Top Concerns list. To quote Lemony Snicket, We Are Very Concerned.

Mark writes:
Second part of our Institutional Support process, for Universities and Colleges seeking support to help set them up as IdPs, went out today. We know it’s not going to be a magic bullet to cure all issues that Institutions are having but like the best DNA treatments these days, it is tightly targeted. Traditionally, we (JISC) have been very good at getting historically early adopter institutions to, and you’ve guessed it – “early adopt”. The support model we are trying here goes beyond that. I sense (and please contact me if I’m wrong) that a lot of FE institutions are fence sitting regards Access Management. Hopefully the institutions that get help through JIAMSP will really highlight the fact that Federated Access Management is both obtainable and desirable for all – and worth coming down off the fence for. We also know how small the window of opportunity is to get large scale IT projects done within the College academic calendar, so another part of the support is an attempt to target by time – Institutions can choose slots as to when they would like to move forward, if they are applying for support. Questions (and with this kind of support model, there really should be some) please.