Joining the UK Federation


I spent a very interesting day at the ‘McShib’ event in Edinburgh last Wednesday. ‘McShib’ is a group that has come together to allow people with an interest in the adoption of Shibboleth to have a local (and northern) focus. The first great thing about this event is that it was brought together because of community demand and through the hard work of Andy Swiffin and the RSC for Scotland North and East, rather than something driven by JISC itself. The second great thing was the enthusiasm at the event and the really practical focus of the presentations on adopting Shibboleth on a very practical basis. The event was initially scoped out for about 15 people and registration closed with over 50 attendees!

One of the key messages from the day was the importance of kicking off the legal part of joining the Federation. To quote Andy Swiffin:

There is no cost involved in doing this and even if you subsequently decide to outsource your identity provision your institution will still need to join. The great benefit in doing this as soon as possible is that when you do want to actively participate all of the paperwork is in place. In addition, if as many institutions as possible join now it sends a very clear message to Service Providers that this is something that the UK academic community is serious about and that it’s worth their while to put some effort in making their application Shibboleth aware. This in turn benefits us all!

I couldn’t agree more! Thanks to Andy, the RSC and all who took part in a very interesting event!

As institutions are beginning to implement federated access management software, questions have been raised about who users should contact for support and how they should contact these people. The following suggestions have been collated through the jisc-shibboleth@jiscmail.ac.uk discussion list.

Institutions should nominate dedicated support contact(s) for users with queries about access to online resources. In smaller institutions, this may be the same person as the technical and/or administrative contact. The main contacts for these roles also need to be registered with the UK Access Management Federation; see www.ukfederation.org.uk/content/Documents/RegisterIdP. The support contact can also be a generic contact, e.g. access-enquiry@institution.ac.uk, to allow for better support coverage.

A web form for access enquiries could be set up where users need only to enter their login username and details of the enquiry. The user’s department and other details can be looked up in the LDAP directory and an email is routed to a “queue” for the relevant subject team. They can then route the enquiry to other queues if they can’t answer the query themselves. The response and further correspondence is by email.
A generic email address could also be set up for access support enquiries, e.g. access-enquiry@institution.ac.uk.

One of the unique issues facing the UK adoption of the SAML standard through the UK Access Management Federation is to ensure that the UK education community continues to be able to access Athens resources. To support this requirement, JISC has funded Eduserv to develop and maintain two gateways to the UK federation. These gateways are known as the Federation Gateway Services.

These Gateways are currently funded until July 2008, in line with the funding for the UK federation. Funding profiles have been agreed until July 2011 for both services and contracts will be put in place following the May round of JISC Committee meetings. It is worth highlighting that no JISC core funding has currently been contractually agreed post July 2008. This is typical practice as we have to wait for our grants from the funding councils to be confirmed.

We will continue to monitor future funding requirements beyond July 2011 in line with the JISC Services Strategy. JISC will continue to work with Eduserv on developing and enhancing the Gateway services and to ensuring that institutions adopting alternative SAML-compliant technologies such as Shibboleth will continue to be able to access Athens-protected resources at no extra cost to the institution.

The gateways allow:

  • An institution using a SAML compliant technology such as Shibboleth to access Athens protected resources.
  • An institution using Athens to access federated resources through the UK federation. To enable this functionality, an institution must join the UK federation and declare that they wish to use Eduserv as their ‘outsourced identity provider’.

More information can be found on the Athens website and the UK federation website.  Please note that institutions wishing to use the Athens – Shibboleth gateway will still be required to pay a subscription charge to Eduserv for direct Athens functionality – that is Athens acting on the behalf of the institution as an Identity Provider.  Charging models can be viewed here.  

There are no subscription costs for institutions adopting Shibboleth and using the Shibboleth-Athens Gateway.

If anyone has any concerns about use of these gateways please contact Nicole.

There has been some confusion over the use of the word ‘Shibboleth’ in relation to federated access management within the UK, so I thought I would spend a Friday afternoon looking at some of the complexities and also providing some lighter anecdotes around the S word.

There are many factual and not-so-factual explanations of the origins of Shibboleth. In my collection:

There has been concern in the UK about the biblical implications of the name…and I think it is fair to say that the definition of Shibboleth as ‘a password’ is more commonly accepted in the US and that defining the origin of the word is sometimes not very helpful! It is more important to explain that Shibboleth software is an implementation of the SAML standard and was created by Internet2.

There has also been some confusion over the fact that JISC has appeared to move away from talking about Shibboleth — so have we changed our position?

Since 2002, JISC has been looking at improving the functionality of access management solutions for the UK. The primary drivers were to find a solution that was a) based on open standards and b) met the requirements for single sign-on to internal, external and collaborative resources. After extensive testing through the AAA Programme, Shibboleth emerged as an appropriate technology because it is based on SAML and met all other requirements. At the time, Shibboleth was the only SAML based solution to fill this gap…so inevitably got a lot of attention during the Core Middleware Programmes, which put in place the foundations for the UK Access Management Federation.
As we have moved on to 2007, I am now happy to say that there are lots of solutions that are based on SAML. One of the great things about open standards is that they open the market and give consumers more choices and greater freedom to move between choices. So, we now prefer to refer to federated access management and SAML-based technologies. These include Shibboleth, AthensIM, and Guanxi, and other commercial solutions such as Novell i-Chain have the potential to interact with SAML systems. So please feel free to explore the rich potential of Shibboleth – but remember there are other options out there!

A few confusion busters:

  • The UK Access Management Federation is physically built on Shibboleth technology as the WAYF and metadata infrastructures use Shibboleth. This does not mean you must have Shibboleth to interact.
  • JISC is not replacing Athens with Shibboleth. JISC is moving from funding a single technology to promoting the use of open standards to achieve federated access management.
  • The Athens technology is still available to purchase according to the cost model published by Eduserv.
  • JISC is committed to funding interoperability between Athens and the UK federation until July 2008, and has projected costs for support for this requirement until July 2010.

If all of that is too much there is always Shibboleth Art and of course Shibboleth Music.

We have received a lot of interest about the animation from other European countries, particularly the Google version which has subtitles attached. Obviously subtitling improves accessibility – but another benefit is quick and easy repurposing of the content in other languages.

To add subtitles no coding is required – just:

1. Upload a video to Google Video

2. Choose the “add caption” option

3. Paste the subtitle text into the caption window – with time code markers (see picture).


It works best if you keep the amount of words between consecutive time codes short, and plan on 5 seconds or more for each subtitle.

An example of the animation with Italian subtitles.

 

 

One of the issues that institutions face when joining the UK Access Management Federation is whether to sign up to ‘accountability’. This is a complex area, and has raised many questions, so I am hoping to address some of these issues here.

The Rules of the UK Federation (section 6.4.2) state that:

“where unique persistent Attributes (e.g. eduPersonTargetedID or eduPersonPrincipalName) are associated with an End User, the End User Organisation must ensure that these Attribute values are not re-issued to another End User for at least 24 months;”

Simply put, this means that you must not re-issue a targetedID or PrincipalName to another member of staff or student within 24 months and you must be able to declare that you will not do this. This is not a requirement for institutions; you can choose not to support this function. However, choosing not to support these attributes means that an institution would not be able to use persistent attributes. For many resources this will be fine – but there are significant resources that require the release of at least an opaque persistent identifier for users, such as when using census data. It also means that personalisation is not possible for end-users, and will affect many of the emerging use-cases for federated access management.
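One way to check the 24-month rule against account history, as an added example that is not code from this blog or from the UK federation. The record layout, the function names and the never-reused internal person key are assumptions, the sample history is constructed, and values are compared case-insensitively as a conservative choice.

```python
import calendar
from datetime import date
from typing import NamedTuple, Optional

HOLD_MONTHS = 24  # Rules of the UK Federation 6.4.2: no re-issue for at least 24 months

class Assignment(NamedTuple):   # hypothetical record layout
    value: str                  # e.g. an eduPersonPrincipalName
    person: str                 # internal person key, assumed never reused
    issued: date
    released: Optional[date]    # None while the value is still in use

def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamping to the last day of short months."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def earliest_reissue(history, value, person):
    """Earliest date `value` may go to `person`; date.max if someone else holds it."""
    earliest = date.min
    for a in history:
        if a.value.lower() != value.lower() or a.person == person:
            continue  # a different value, or the same person getting their own back
        if a.released is None:
            return date.max
        earliest = max(earliest, add_months(a.released, HOLD_MONTHS))
    return earliest

def find_violations(history):
    """Audit: assignments that gave a value to a new person inside the hold window."""
    ordered = sorted(history, key=lambda a: a.issued)
    return [a for i, a in enumerate(ordered)
            if a.issued < earliest_reissue(ordered[:i], a.value, a.person)]

# Constructed sample history (not real accounts).
HISTORY = [
    Assignment("jsmith@example.ac.uk", "P001", date(2004, 9, 1), date(2006, 6, 30)),
    Assignment("jsmith@example.ac.uk", "P417", date(2007, 9, 1), None),  # 14 months on
    Assignment("akhan@example.ac.uk", "P002", date(2003, 9, 1), date(2005, 2, 28)),
    Assignment("akhan@example.ac.uk", "P002", date(2007, 1, 8), None),   # same person
    Assignment("lwong@example.ac.uk", "P003", date(2002, 9, 1), date(2005, 8, 31)),
    Assignment("lwong@example.ac.uk", "P555", date(2007, 9, 1), None),   # 24 months + 1 day
]

if __name__ == "__main__":
    for a in find_violations(HISTORY):
        print(f"re-issued too early: {a.value} -> {a.person} on {a.issued}")
```

Calling `earliest_reissue` before provisioning a new account gives the same answer in advance, so the check can sit in the account-creation path as well as in a periodic audit.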

At the moment, only about 33% of the Identity Providers within the Federation are asserting user accountability. We are sure that some of the institutions that are not declaring user accountability will wish to make use of resources that require this function. From this, I can make two assumptions:

  • the people responsible for signing the Federation documents are not aware that this function will be required and are choosing the path of least resistance. This is understandable and very reversible once the requirement is known. To tackle this, the UK Federation has recently changed its joining processes to query accountability choices more closely and we have seen an increase in institutions declaring accountability since this process has been introduced. We strongly encourage institutions to involve library staff, IT staff and senior management in the process of joining the UK Federation to make sure that all requirements are fully understood before a decision is made.
  • Identity management within institutions is not mature enough to cope with the requirement. Federated access management does require effective identity management, and this will be a big leap for many institutions. There are many ways to get help in this area from case studies and advice from the JISC ‘early adopter’ projects to third-party support from commercial vendors. For more information, see the JISC Federation website.

Although declaring accountability is only a recommendation within the Federation, we would like to see all institutions getting the most out of the new system and would certainly encourage everyone to ‘aspire’ to meeting all of the recommendations made. If you would like further advice in this area, please do not hesitate to contact the JISC Access Management Team.

A new JISC animation explains the concepts behind the UK Access Management Federation, presenting the advantages of identity management and outlining the key steps for institutions.

The five-minute animation assumes no prior technical knowledge and provides a clear overview for those making strategic decisions concerning access management within their institutions.

The UK Access Management Federation provides UK educational institutions and service providers with the opportunity to take advantage of the new possibilities offered by sophisticated identity management solutions such as Shibboleth.

Federated, single, institutionally-controlled identity, which removes the need for multiple passwords and the associated risk, provides users with access to their host institutions’ resources – and any that they subscribe to – from home, work, or any other location.

Institution librarians will have reduced password administration while gaining new opportunities for managing licenses and subscriptions, while service providers such as publishers will gain increased confidence in the security of their resources protected by technologies such as Shibboleth.

With the ending of JISC subscription to Athens on behalf of UK FE / HE in July 2008, membership of the Federation provides UK universities, schools and colleges with the next step in educational access to resources.

Mark Williams, Access Management Outreach Coordinator, helped develop the animation. He says that the new animation ‘brings to life what can otherwise be dry and difficult concepts to convey.’

‘The establishment of the UK Access Management Federation and JISC’s plans for access management in general,’ he continues, ‘require a number of important decisions on the part of institutions, and this animation sets out some of these in an accessible and non-technical way. Feedback has already been very positive, especially from those IT managers who need to explain to their staff why important and far-reaching changes need to be made.’

You can find out more and download or view the animation in a variety of formats on the JISC website.
