Uncategorized


Martin Fenner is also from ORCID but is going to talk about ORCID. He starts off with some assumptions – we are all agreed that authors need identifiers, he doesn’t want to talk about technology and he doesn’t want to talk about the business model. His talk will focus on how to make this stuff work, and why we are getting it wrong so far.

Fenner lists the following issues:

  • A successful identifier has to be used across many, many different systems under different jurisdictions.
  • A successful identifier needs to be used. A perfect identifier cannot be launched as a ‘big bang’ where everyone changes.
  • A successful identifier needs to be built up within the community.

The proposed approach from ORCID?

  • ORCID is discipline neutral and is being used in multiple countries.
  • More importantly ORCID interacts with other author identifier systems but does not try to replace them…a lot of these are owned by a specific publisher.
  • ORCID wants to be open – in the following contexts: anyone should be able to apply for an ORCID identifier, all ORCID data is openly available, the ORCID software is open source.

Fenner ends up by talking about consent – which sends ripples through the REFEDS folks in the room. Does ORCID empower people to say I permit that you can use my dataset in association with this publication? I’m not so sure about the level of choice involved in this process. Publish or die does not really create a consent-based policy approach – some more food for thought.

Excellent chairing by the beepy bot and a creative commons slideset bring us to the end of this session with happy smiles. ORCID registrations will start in the next 12 months or so.

First up at #IRISC2011 is Geoffrey Bilder from CrossRef and ORCID. Apparently Identity and Identifiers is second only to tax in terms of boring subjects – Geoffrey has obviously never hung out with the REFEDS folks before, we can talk about this stuff for *days*.

The Scholarly Record focuses on the long term with the need to focus on trust, verification and provenance. This might be obvious, but Bilder then goes on to relate this to Brand, and the importance of trust, verification and provenance associated with the brand of a publisher. It’s an interesting perspective, given that I typically consider the verification of the author via identifier, not trust through brand. This idea of stewardship or a trust framework in which identifiers are used echoes the trust framework built up by federations.

Bilder focuses on another element of trust – given a blanked out research paper we can easily identify all the parts as the format is known. We trust an article because of its shape and structure.

So what challenges do we have? Bilder describes one of the primary problems as:

Language – identity means something different when we talk about access control as to when we talk about the knowledge discovery problem. Important aspects of this from the discovery space are the problems of name duplication, variation, changes and transcription. Interestingly, Bilder only focuses on real name examples here. I will get back to this later.

Bilder rattled off a lot of debate points, and I only had time to capture some of them. These were:

  • Persistence of identity is a social issue, not a technological one.
  • Persist-able does not equal persistence.
  • Persistent does not equal stable.
  • Distributed begets centralised.

Questions:

Central authorities are evil and unresponsive so we distribute to make ourselves feel better. However technology rarely works in a non-central way, there tends to be a central piece built in somewhere. Bilder interestingly uses software forking as an example of how the community can work to make sure that centralised models do not become complacent or evil. I wonder if CrossRef works to such a model where it is *possible* to fork…

Another question was around the need for human readable identifiers. Human readable nearly always means that the identifier system will break. Semantics, ontology and persistence create problems.

You *may* have heard me mention, once or twice, that we really want to use your logos as part of the new discovery process for the UK federation. On the face of it, this seems like a really simple request…send us a link to a logo on an https page, send us the preferred name of your service / institution and send us a short description if you are a service provider (100 characters – that’s around 25 words max). Simples, right?

Believe me, I get how difficult this seemingly benign request is. Suddenly you are probably negotiating with your marketing department, library, IT and goodness knows what else to try and get agreement for this, and because it is not the clearest of areas people will be reluctant to say yes.

One of the main bits of feedback we get is that giving us a logo is easy enough, but the https hosted bit is more difficult. We are reluctant to store them centrally as it creates another single point of failure and, if your logo needs updating, you are going to have to keep sending us this information. A link to something on your site is more likely to be updated automagically.

A quick way around this is to look on your login page. If you are following good design guidelines, you probably have a logo on there. So for example, the LSE login page has this logo on it, and an easy link to send us: https://gate.library.lse.ac.uk/idp/images/LSElogo.jpg. Tell us the words you want to appear below that logo and Bob’s your Uncle.

Also, if you can’t manage a logo and an icon just now please just send us the link to the logo – it’s a great start for us! I appreciate that the icons are difficult for people.

It’s good for Service Providers too – for example JSTOR have this logo on their site: https://www.jstor.org/templates/jsp/_jstor/images/jstor_logo.jpg. Again – just fine on the requirements for us in terms of hosting (although perhaps not the best on size in this example).

For Service Providers that don’t use the WAYF, you might not think this is important to you. However, with the new embedded approach to discovery, IdPs can bring your branding on to their login pages if you provide us with this information so it is very useful. Here’s an example of this in action at Dundee College:

[Image: Embedded Discovery at Dundee College]

I hope that is helpful.

Personally I’d really love to just go and hoover these all up for y’all and then just use them but we really do need permission. I’m happy to suggest something for you to use though if you need help! Just let me know.
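The three things asked for above (an https-hosted logo, a display name, and a description of at most 100 characters for service providers) end up in the mdui:UIInfo extension of an entity’s SAML metadata. The following checker is an added example of my own and is not part of the UK federation tooling or the blog; the metadata it parses is constructed, with placeholder entityIDs and logo URLs, and the namespace URIs are the standard SAML metadata and MDUI ones.

```python
# Added example (not UK federation code): validate the mdui:UIInfo block of
# each entity in a SAML metadata aggregate against the requirements above.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
MAX_DESCRIPTION = 100  # character limit quoted in the post

# Constructed sample aggregate: one SP that meets the requirements and one
# IdP that is missing a DisplayName and serves its logo over plain http.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://sp.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Example Journals</mdui:DisplayName>
          <mdui:Description xml:lang="en">Online access to Example journals.</mdui:Description>
          <mdui:Logo height="60" width="160">https://www.example.ac.uk/images/logo.png</mdui:Logo>
        </mdui:UIInfo>
      </md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:Logo height="60" width="160">http://www.example.ac.uk/images/logo.png</mdui:Logo>
        </mdui:UIInfo>
      </md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def check_uiinfo(entity):
    """Return a list of problems for one md:EntityDescriptor (empty if OK)."""
    problems = []
    ui = entity.find(".//mdui:UIInfo", NS)
    if ui is None:
        return ["no mdui:UIInfo block"]

    names = ui.findall("mdui:DisplayName", NS)
    if not any((n.text or "").strip() for n in names):
        problems.append("missing DisplayName")

    # The post only asks service providers for a description.
    is_sp = entity.find("md:SPSSODescriptor", NS) is not None
    descs = [(d.text or "").strip() for d in ui.findall("mdui:Description", NS)]
    if is_sp and not any(descs):
        problems.append("service provider has no Description")
    for d in descs:
        if len(d) > MAX_DESCRIPTION:
            problems.append(f"Description is {len(d)} characters (max {MAX_DESCRIPTION})")

    logos = ui.findall("mdui:Logo", NS)
    if not logos:
        problems.append("missing Logo")
    for logo in logos:
        url = (logo.text or "").strip()
        # A logo embedded in an https login page must itself be https,
        # otherwise browsers raise mixed-content warnings.
        if urlparse(url).scheme != "https":
            problems.append(f"Logo not served over https: {url}")
        if not (logo.get("height") and logo.get("width")):
            problems.append("Logo lacks height/width attributes")
    return problems


def check_metadata(xml_text):
    """Map each entityID in the aggregate to its list of problems."""
    root = ET.fromstring(xml_text)
    return {e.get("entityID"): check_uiinfo(e)
            for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")}


if __name__ == "__main__":
    for entity_id, problems in check_metadata(SAMPLE_METADATA).items():
        print(entity_id, "OK" if not problems else problems)
```

Run against the sample, the SP comes back clean and the IdP is reported for the missing DisplayName and the http logo URL, which are exactly the two things the post says cause the most back-and-forth.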

A couple of people have asked me what constitutes a well designed login page. I’m really not an expert in this area, all I can tell you is what we have learnt from the UK federation WAYF redesign, the work Rod Widdowson has done for the Shibboleth Embedded Discovery Service and general good advice on usability of interfaces. You might also be interested in looking at the Kantara ULX work and the Google work on usability for login screens.

My first piece of advice is, well, make it someone else’s problem! If you are the hardworking developer who has spent a lot of time and effort getting the system to work securely, I think it is only fair that someone else takes on the design work….and it is probably not your forte anyway. All institutions have departments responsible for visual identity guidelines and they really should be taking on the problem of getting the user experience right.

Secondly, there are probably already a whole range of login screens being used within your institution and they should all have the same look and feel wherever possible. Many of them have probably already gone through some user testing as well, so that’s an easy win in terms of getting the design right.

I hate to pick on KCL as my own organisation, but the difference between the design for the student record portal and the experience of a shibbolised login really is quite extreme! It’s fairly easy to copy a bit of HTML to make the experience better – the phishers do it all the time!

I’m going to use a non-British example of what I think a good login should look like so it is less personal for those interested in the UK. Below is an example from Penn State University, who put a lot of time and money into identity management so they will have thought about this!

[Image: Penn State University login screen]

Here are a few things I’ve picked out based on conversations with usability people:

1. Keep it as clean and simple as you possibly can. The framed box in the centre of the screen is favoured by most designers at the moment, as seen on sites like WordPress.

2. Obviously brand with the institutional brand following standard institutional visual identity guidelines.

3. Have a help button, and make sure it goes through to something that is helpful!

4. Include wording that clearly and precisely explains what login you want the user to enter. Provide an example, but not one that works (I’ve seen this many many times, you’d be surprised). Make sure the wording you choose here matches the wording generally used across the institution to describe these credentials – for example KCL refers to our institutional credentials as ‘OneSpace username and password’. Place this above the login box.

5. Provide helpful links for people who may have forgotten their username or password, typically placed immediately below the login boxes. I’d probably change the wording in this example to something more direct like ‘Forgotten Password?’, linked to the process for changing.

6. Think about whether you want to provide links to data protection policies or any other information relating directly to the way your institution handles identity and privacy…but avoid putting them on the screen itself as it clutters the login experience.

Other things to think about – please avoid all technical language like ‘LDAP’ or ‘directory’ – users won’t know what you are talking about.

Do think about accessibility, TechDis can help you out with advice if you need it but hopefully your institutional design people are already on top of this very important factor.

Finally, think about the language used when the login fails, and be as helpful as you can with the wording for errors. REFEDS is looking in to crafting some standard language for login failures, which may be worth keeping an eye out for.
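Several of the points above (name the credential, offer a help link, offer a forgotten-password link, keep jargon like ‘LDAP’ or ‘directory’ off the page) can be checked mechanically before a page goes live. The linter below is an added example of my own, not something from the UK federation, Shibboleth or the sources named above; the two login pages it inspects are constructed, and the credential name passed in (‘OneSpace username’) is just the KCL wording mentioned earlier used as sample input.

```python
# Added example: lint a login page's HTML against the checklist in the post.
# Both sample pages are constructed for illustration.
from html.parser import HTMLParser
import re

# Terms the post says users won't understand on a login page.
JARGON = ("ldap", "directory", "shibboleth", "uk federation", "idp", "saml")


class _PageText(HTMLParser):
    """Collect visible text, link texts and whether a password field exists."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.links = []           # (href, link text) pairs
        self.has_password = False
        self._current_link = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._current_link = [a.get("href", ""), ""]
        if tag == "input" and a.get("type") == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "a" and self._current_link:
            self.links.append(tuple(self._current_link))
            self._current_link = None

    def handle_data(self, data):
        self.text.append(data)
        if self._current_link:
            self._current_link[1] += data


def lint_login_page(html, credential_name):
    """Return a list of findings against the checklist (empty means it passes)."""
    p = _PageText()
    p.feed(html)
    visible = " ".join(p.text).lower()
    link_texts = [t.lower() for _, t in p.links]
    findings = []
    if not p.has_password:
        findings.append("no password field found")
    if credential_name.lower() not in visible:            # point 4
        findings.append(f"page does not name the credential ('{credential_name}')")
    if not any("help" in t for t in link_texts):          # point 3
        findings.append("no help link")
    if not any("forgot" in t for t in link_texts):        # point 5
        findings.append("no forgotten password link")
    for word in JARGON:                                   # 'other things'
        if re.search(r"\b" + re.escape(word) + r"\b", visible):
            findings.append(f"technical term on page: '{word}'")
    return findings


# Constructed 'before' page: vendor logo, jargon, no help, no instructions.
BAD_PAGE = """<html><body>
<img src="/images/shib.png" alt="Shibboleth">
<h1>Shibboleth IdP Login</h1>
<p>Enter your LDAP directory username and password.</p>
<form method="post">
<input type="text" name="j_username">
<input type="password" name="j_password">
<input type="submit" value="Login">
</form>
</body></html>"""

# Constructed 'after' page following the checklist (the example username
# shown to the user is deliberately not a working one).
GOOD_PAGE = """<html><body>
<img src="/images/university-logo.png" alt="Example University">
<h1>Example University login</h1>
<p>Log in with your OneSpace username and password, for example <b>jsmith1</b>.</p>
<form method="post">
<label>Username <input type="text" name="j_username"></label>
<label>Password <input type="password" name="j_password"></label>
<input type="submit" value="Log in">
</form>
<p><a href="/password/reset">Forgotten your password?</a> <a href="/help">Need help?</a></p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("bad", BAD_PAGE), ("good", GOOD_PAGE)):
        print(name, lint_login_page(page, "OneSpace username") or "passes")
```

The linter cannot judge branding or whether the help page is actually helpful, but it does catch the pattern behind most of the ‘fail club’ entries: a page that never tells the user which credential it wants and leaks product names instead of the institution’s.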

The concept of federated access management introduces the need for a user to be ‘returned’ to their institutional login page in order to be authenticated. The new Shibboleth releases have introduced some nice new ideas to help make this experience better for users, such as introducing co-branding with the SP. Unfortunately, quite a lot of institutions are not doing much to help themselves! There are some truly horrible approaches to identity provider login pages out there, and I’ve decided to start naming and shaming :-) As there are very many entities within the UK federation I’m chunking this up and probably won’t get to the end of the alphabet, but hopefully everyone will have been shamed into better behaviour by then. I did think about putting up screenshots for the sheer funniness, but didn’t want to make the work of phishing sites any easier so decided not to. It’s quite easy to find the login pages I mention though if you want to.

To start off, I have to talk about KCL. Oh dear KCL, my own organisation. The evil blue back screen, the use of the Shibboleth logo against all advice, the poor KCL branding….what were you thinking?? *shakes head in shame and despair*

Let’s move on and look at our ‘A’s:

  • Aberdeen College are first up and what a delight! Clear branding, an attempt to inform the user what they are logging in to (this might be improved with the introduction of MDUI information in the UK federation metadata), clear instructions what to do. Bravo Aberdeen College!
  • Aberystwyth University are next up and oh dear. Basic web auth, with the following instructions: “A user name and password are being requested by https://shibboleth.aber.ac.uk. The site says: “Prifysgol Aberystwyth University”. Yes? And? Which username and password? What am I logging in to? What is this weird floaty box thing? Heeeeelp! Fail for Aber I’m afraid :-(
  • Abingdon and Witney College have the generic Athens authentication point, and might want to be aware of the current advisory to promote the Athens brand to administrators within their organisation.
  • Accrington & Rossendale College and another basic web auth. Oh dear Accrington, please join the Aber fail club.
  • Adam Smith College has a very basic login screen. There are clear instructions for the user, but no institutional branding which is a strange missed opportunity. C- Adam Smith, try a bit harder please :-)
  • Anglia Ruskin University. Good, clear, branded. Well done.
  • Angus College again very clear. I would get rid of the words ‘uk federation login’ however small, and provide a link to the help point but definitely one of the better ones.
  • Anniesland College have the generic Athens authentication point, and might want to be aware of the current advisory to promote the Athens brand to administrators within their organisation.
  • Aquinas College and another basic web auth fail. What a pity.
  • Arts University College at Bournemouth have the generic Athens authentication point, and might want to be aware of the current advisory to promote the Athens brand to administrators within their organisation.
  • Ashton Sixth Form College also join the basic web auth fail club.
  • Askham Bryan College and more basic web auth. The list gets longer for fails.
  • Aston University. Good and clear and well branded but we don’t suggest you use the language ‘uk federation’ – your users don’t need to know about the federation. Just say university or institutional login.
  • Ayr College have the generic Athens authentication point, and might want to be aware of the current advisory to promote the Athens brand to administrators within their organisation.

Well there we are. Only 2 approaches I wouldn’t make changes to.

I hope you all take this in the spirit it is meant – as an effort to improve the user experience across the board – and not as an insult. In the difficult process of getting all the tech working the issue of ‘what a user sees’ can often be forgotten. Those of us that stare at login pages for most of every day have become quite sensitive to these issues and would like to help you make them better.

If there is anything that the UK Access Management Focus can do to help you with the access management user experience, please just let us know.

Dear Friends

I am doing some work for a future presentation / paper and really need your help! Would you be willing to spend 15 minutes or so being creative for me? All you need is a pen and an A4 piece of paper, or DoodlePad on a tablet, or any other quick drawing application you so like :-)

Without thinking too hard, or googling for inspiration, or asking your mum, could you create an artwork for me entitled ‘How I See the Internet’?

I didn’t really want to influence anyone but thought it would be unfair to ask you all to do something if I wouldn’t do it myself. So here is mine…I bet many of you can do much much much better :-)

Thank you

Nicole

Several people on Twitter pointed to the new and shiny BBC Social Media Guidelines this week. It is something we have all seen grow up as social media sites have exploded in recent years and generally the policies are well written and sensible, formulated around the key message – don’t do anything dumb. I agree with that completely. As with many of the guidelines produced by companies the BBC guidance seems purpose written for Twitter – showing its increasing power and place as the foremost way of sharing in the ‘crossover’ space of social / professional.

Reading through the guidelines though I was amazed to find this:

f. Make a note of any login names and passwords, and also any other service that you set up to automate the activity (eg: forwards it from Twitter to Facebook). Share those details with members of your team, making sure they are stored safely: if you move to do a different job or are off sick, someone else will have to take over.

Excuse me BBC? In the very midst of the #hackgate issues are you making it a policy for BBC staff to share their usernames and passwords with other people? Are you actually mad??

There is obviously a reason behind this, and it is a reason that can be uniquely assigned to Twitter. Facebook does not allow non-sentient beings to have a Facebook identity and tries hard to police this (to differing levels of success). Non-sentient things are generally pushed on to pages, which we humanoids can then follow and comment on…i.e. they don’t have to log in.

Twitter is different. My coffee cup can have a Twitter account and tweet to the world if it so chooses. However, although this is allowed, Twitter makes it incredibly difficult for non-sentient things to tweet by confusing identity, persona, authentication and authorisation into one process – which is why the BBC chooses to make a policy of password sharing. Interestingly, although it allows non-sentient things to tweet, essentially that non-sentient thing has to be able to enter into a binding contract with Twitter – so it does always assume 1 real person behind each object.

Twitter forces us to authenticate with authorisation information. It confuses the persona I have, @nicoleharris, with my identity as a user logging in and with the permissions associated with that – i.e. the right to tweet. Obviously that makes perfect sense for me and @nicoleharris – but what about @JISCAdvance – a clear company account? It would be so much better if I could log in to Twitter as a platform and then be associated with multiple Twitter accounts and also have the rights to tweet as @JISCAdvance….but I can’t. It’s made even more confusing by Twitter’s policy that only one Twitter account can be associated with one e-mail address…so I have three Twitter accounts linked to three different e-mails. Administration of these is insane, I have to remember three different sets of passwords and I can’t let anyone else tweet to them unless I share my password which is always a uniquely silly thing to do :-) So uniquely silly that Twitter’s terms remind you of the importance of safeguarding your password.

Obviously tools like TweetDeck have tried to get around this by providing a more coherent way of managing multiple accounts but it still does not take away the need to have these accounts or the need to share privacy information around them. Does it matter? Well, yes it does as it creates confusion of ownership where in reality personnel do not ‘handover’ their Twitter account as per the BBC recommendations but change it to a different personally controlled account – like this story about Laura Kuenssberg’s move from the BBC to ITV.

So why doesn’t Twitter do it differently? After all, it is hardly difficult to associate one set of credentials with multiple authorisation events in different places. Well I’ve already mentioned 1 reason – they want to have a binding contract that puts the responsibility for each tweet on an individual – makes life so much easier than getting into an argument about ‘who sent that tweet?’. Of course with the number of hacks and shared passwords the waters are already muddy but essentially, whoever registered the account is responsible. I’m not sure if this explains the weird 1 email – 1 Twitter account policy, but there you are.

Secondly, it’s an OAuth thing. Whilst OAuth offers some really great ways of allowing applications to do fun and interesting things by granting them limited access to an account, it is a binding between the authentication process and an authorisation permission (I won’t get into the fact that this is often badly implemented so inappropriate read and write authorisations are forced on the user when not necessary, that’s another story). Having multiple accounts assigned to one authentication process would make it difficult to differentiate OAuth authorisation permissions for one of these accounts but not the other. So whilst OAuth allows us a good and secure way of authorising apps’ access to write to our account in the current model, it means we don’t have a useful and secure way to allow other people simple and secure authorisation access to our accounts.
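To make the ‘one login, many accounts, delegated rights’ model concrete, here is an added example of my own. It is a toy service, not Twitter’s code or any real OAuth implementation: each person authenticates once with their own password, rights over an account handle are recorded separately from that login, a grant can be given to a colleague and revoked again without any password changing hands, and every post is logged against the real person who wrote it, which keeps the ‘who sent that tweet?’ accountability the post says Twitter wants. The usernames, passwords and handles are constructed sample values (the handles are the ones mentioned above).

```python
# Added example: authentication (one credential per person) kept separate
# from authorisation (rights over account handles), with delegation and
# revocation. Illustrative only; not Twitter's or any OAuth library's code.
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


@dataclass
class Principal:                 # a real person who can log in
    username: str
    salt: bytes
    pw_hash: bytes


@dataclass
class Account:                   # an @handle; it has no password of its own
    handle: str
    grants: dict = field(default_factory=dict)   # username -> set of rights


class Service:
    def __init__(self):
        self.principals = {}
        self.accounts = {}
        self.log = []            # (handle, author, text): who really posted

    # --- authentication: one credential per person ------------------------
    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.principals[username] = Principal(username, salt, self._hash(password, salt))

    def login(self, username, password):
        """Return the session subject on success, None otherwise."""
        p = self.principals.get(username)
        if p and hmac.compare_digest(p.pw_hash, self._hash(password, p.salt)):
            return username
        return None

    # --- authorisation: rights over accounts, independent of the login ----
    def create_account(self, subject, handle):
        self.accounts[handle] = Account(handle, {subject: {"post", "admin"}})

    def _rights(self, subject, handle):
        return self.accounts[handle].grants.get(subject, set())

    def grant(self, subject, handle, grantee, rights):
        if "admin" not in self._rights(subject, handle):
            raise PermissionError(f"{subject} may not administer {handle}")
        self.accounts[handle].grants.setdefault(grantee, set()).update(rights)

    def revoke(self, subject, handle, grantee):
        if "admin" not in self._rights(subject, handle):
            raise PermissionError(f"{subject} may not administer {handle}")
        self.accounts[handle].grants.pop(grantee, None)

    def post(self, subject, handle, text):
        if "post" not in self._rights(subject, handle):
            raise PermissionError(f"{subject} may not post as {handle}")
        self.log.append((handle, subject, text))
        return len(self.log)


def demo():
    """Hand over posting rights to a colleague, then take them back."""
    svc = Service()
    svc.register("nicole", "correct horse")        # constructed credentials
    svc.register("colleague", "battery staple")
    me = svc.login("nicole", "correct horse")
    svc.create_account(me, "@JISCAdvance")
    svc.grant(me, "@JISCAdvance", "colleague", {"post"})   # no password shared

    them = svc.login("colleague", "battery staple")
    svc.post(them, "@JISCAdvance", "hello from the company account")

    svc.revoke(me, "@JISCAdvance", "colleague")    # e.g. colleague moves jobs
    try:
        svc.post(them, "@JISCAdvance", "still here?")
        revoked = False
    except PermissionError:
        revoked = True
    return svc.log, revoked


if __name__ == "__main__":
    log, revoked = demo()
    print(log, "revocation enforced:", revoked)
```

The point of the separation is visible in `revoke`: when someone leaves, the administrator removes one grant and nobody else’s login is touched, whereas under the shared-password arrangement the BBC describes the only remedy is to change the password and redistribute it to everyone who still needs it.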

Oh well, can someone pass me some post-it notes?

It’s not been very big or very splashy as far as announcements go, but Google has announced its latest attack on the social networking space in the form of Google+. I’m assuming this is to be pronounced Google-Plus, but I rather like the idea of calling it Google-And :-)

I’ve oft been known to talk about identity and when I do I am oft known to quote Mark Zuckerberg:

“Having two identities for yourself is an example of a lack of integrity.”

A statement that often attracts a bad reaction, but actually a statement that I agree with. What I don’t agree with is Zuckerberg’s further statement:

“The days of you having a different image for your work friends or co-workers and for the other people you know are probably coming to an end pretty quickly.”

As Michael Zimmer explains in detail (saving me the effort), this simply isn’t true. There is no need for Jung to start turning in his grave, we all like to present ourselves in different ways to different people. This seems to be the market that Google are very sensibly chasing down – the market that Mark does not want!

I’ve tended to refer to this as managing ‘personas’ but Google has got me thinking. Do we really actively manage our personas, or do we do something that is actually more passive – joining selective groups?

Having a ‘persona’ suggests that I actively think about how I want to present myself to people and what I want to release to people and put steps in place to structure and manage this. I’m not sure how much we do this. I think it is a more passive thing, and a more immediate thing – a simple ‘I don’t want x or group y to see z’ made as we go along.

The Google Circles concept is more akin to that passive approach. Rather than managing a persona I self-select and define by joining a group or even by being added to a group by someone else.

This difference in approach is akin to the endless discussion in FAM circles about group management, attribute release and user consent. The REFEDs list has been busy recently with people discussing the user consent model (persona management by the individual) vs group attribute management for ‘sets’ of service provider types (the more passive group model). Given our experience of the reluctance of users to manage their identities – I can’t help but think the group management process will win out. The mistake on Google’s part? The limited release. If you want to start building ‘circles’ you need the people you want to join up with in there with you from day one, or you will quickly become disenfranchised. This limited release will lead to ineffective group management from the outset – and disenfranchisement will follow hot on the heels. The interface for Google+ looks interesting and pleasing, I hope it doesn’t become another Wave.

As part of my work for the Shibboleth Consortium, I have spent a long time over the last couple of months immersed in the world of foundations managing open-source software looking for lessons learnt and possible patterns / home for a future Shibboleth organization. It’s been an interesting experience, predominantly from the point of view of openness.

Going into this, I would have thought that any organization supporting open-source software would have had a fairly open approach to all of its dealings. I was very wrong! Very few of the foundations examined release anything other than the software under an open license such as Creative Commons and the sign ‘all rights reserved’ was all too prominent – an approach I find hard to understand.

Openness of information was also in short supply. Many of the foundations don’t advertise their fee schedules and don’t publicise their member agreements. Should I have even been slightly interested in funding any of these federations I would have been put off straight away from lack of transparency – are other organizations paying less than me, have a different agreement from me? Why the need to be closed?

Which leads on to another point. Many of the foundations have a very clear air of a ‘closed club’ about them, which again seems astounding for organizations that have been set up predominantly to ensure the sustainability of applications. These range from the unabashed elitists to groups that only seem to target existing members in terms of promotion and outreach.

Two other takeaways were the importance of a simple fee structure (I’d say if you have more than 3 fee categories you are already doing yourself a disservice) and the importance of foundation-led communications, particularly for events, recognising developers in the community and recognising best practice. The last may seem obvious, but the communications side of open-source can often be consumed by the need to focus on quality of product.

When working on the programme plan for the Shibboleth Consortium, I asked the developers to spend quite a bit of time working with me on the vision statement for Shibboleth. They were very indulgent of my project manager excesses and this is what we came up with:

The Shibboleth Consortium will deliver the open-source product of choice for organizations wishing to deploy federated identity. The consortium will be recognized for its quality of software offering and its engagement with the user, standards and development communities.

I think if we want to achieve this vision, a model of openness across all elements of the future organization will be essential. So when we are building up what ever the new Shibboleth will be, I want this to remain at the heart of our decision making.

In case you’re interested, the best foundation model I examined in my humblest of opinions? Sakai (but don’t tell @iandolphin24 I said that!)
———–
Some notes:

The Shibboleth Consortium is an interim arrangement between JISC, I2, and SWITCH to look at a possible future organizational structure for Shibboleth – the Consortium is not the permanent home and will disband when a future model has been established.

We hope to introduce the New Model Shibboleth in January 2012 with an effective ‘go live’ date of 1 August 2012 to allow for transition arrangements.

Build Me Up, Buttercup was sung by The Foundations. A tenuous title for my blog I know :-)

*Warning, this post has little to do with access management*

We all know that getting feedback on anything you do can be very difficult. Despite how interested people are, finding the time to constantly feed into work plans, questionnaires, surveys etc. can be taxing. When working with the REFEDS group I often experience these problems. Typically, REFEDS is a very dynamic and engaged group offering their own time up to meet the objectives set by the group. Because of its nature, we are very keen that all activities that REFEDS engages in are approved by the majority of members.

REFEDS is probably fairly typical that about 80% of the talking is done by about 20% of the people. As organisers, we get a fair amount of feedback offline, but it is quite often difficult to tell – is this really supported by the group, or have the supporters just shouted the loudest?

I wanted to try something different at the recent REFEDS meeting to get a broader amount of input. This meant that I wanted something where people could submit comments anonymously and with very little effort. I decided to give Poll Everywhere a go, and the results are here.

I have to admit I was nervous. It is perhaps a little gimmicky. It was straight after Eurovision, and I was asking people to submit votes. In Europe :-) It’s also a room full of quite techie people who often hate these kind of interfaces. I was worried I would fall flat on my face and not carry the audience with me.

However – it was a success! It went down really well, I got the results I wanted and the session was very interactive and made people smile. A couple of things I would note:

  • Do a test question that doesn’t matter as people will try voting several ways to see what happens to the ‘live’ screen.
  • Build in time for practising – it takes a while. Remember you are going to have to leave each slide up for a reasonable amount of time
  • Ask very direct, very specific questions.
  • Comprehending the code numbers for Poll Everywhere can take some time. You can get rid of this by using a paid-for package, but clear explanation helped.

So overall a pleasing experience and it did help me make the final recommendations around ‘Barriers to Service Providers’ joining current federations. I’m not sure, if we make use of it very often in REFEDS meetings, whether people will get sick of the novelty and opt out, but I was pleased with what we achieved on the day.

BTW – the only reason it was embedded in Prezi was simply because the embed to PowerPoint option just wouldn’t work for me and my mangled old work computer. It was however nice to have a fallback when I simply couldn’t get something to work :-)
