
The concept of federated access management introduces the need for a user to be ‘returned’ to their institutional login page in order to be authenticated. The new Shibboleth releases have introduced some nice new ideas to help make this experience better for users, such as introducing co-branding with the SP. Unfortunately, quite a lot of institutions are not doing much to help themselves! There are some truly horrible approaches to identity provider login pages out there, and I’ve decided to start naming and shaming :-) As there are very many entities within the UK federation I’m chunking this up and probably won’t get to the end of the alphabet, but hopefully everyone will have been shamed into better behaviour by then. I did think about putting up screenshots for the sheer funniness, but didn’t want to make the work of phishing sites any easier so decided not to. It’s quite easy to find the login pages I mention though if you want to.

To start off, I have to talk about KCL. Oh dear KCL, my own organisation. The evil blue back screen, the use of the Shibboleth logo against all advice, the poor KCL branding….what were you thinking?? *shakes head in shame and despair*

Let’s move on and look at our ‘A’s:

  • Aberdeen College are first up and what a delight! Clear branding, an attempt to inform the user what they are logging in to (this might be improved with the introduction of MDUI information in the UK federation metadata), clear instructions what to do. Bravo Aberdeen College!
  • Aberystwyth University are next up and oh dear. Basic web auth, with the following instructions: “A user name and password are being requested by https://shibboleth.aber.ac.uk. The site says: “Prifysgol Aberystwyth University”. Yes? And? Which username and password? What am I logging in to? What is this weird floaty box thing? Heeeeelp! Fail for Aber I’m afraid :-(
  • Abingdon and Witney College have the generic Athens authentication point, and might want to be aware of the current advisory to promote the Athens brand to administrators within their organisation.
  • Accrington & Rossendale College and another basic web auth. Oh dear Accrington, please join the Aber fail club.
  • Adam Smith College has a very basic login screen. There are clear instructions for the user, but no institutional branding which is a strange missed opportunity. C- Adam Smith, try a bit harder please :-)
  • Anglia Ruskin University. Good, clear, branded. Well done.
  • Angus College again very clear. I would get rid of the words ‘uk federation login’ however small, and provide a link to the help point but definitely one of the better ones.
  • Anniesland College have the generic Athens authentication point, and might want to be aware of the current advisory to promote the Athens brand to administrators within their organisation.
  • Aquinas College and another basic web auth fail. What a pity.
  • Arts University College at Bournemouth have the generic Athens authentication point, and might want to be aware of the current advisory to promote the Athens brand to administrators within their organisation.
  • Ashton Sixth Form College also join the basic web auth fail club.
  • Askham Bryan College and more basic web auth. The list gets longer for fails.
  • Aston University. Good, clear and well branded, but we don’t suggest you use the language ‘uk federation’ – your users don’t need to know about the federation. Just say university or institutional login.
  • Ayr College have the generic Athens authentication point, and might want to be aware of the current advisory to promote the Athens brand to administrators within their organisation.

Well there we are. Only 2 approaches I wouldn’t make changes to.
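The co-branding mentioned above comes from the MDUI (metadata UI) extension in federation metadata: the SP publishes a display name, description and logo, and the IdP login page shows them so the user can see what they are logging in to. Here is an added example, not code from the page or from the Shibboleth project, of an IdP-side helper that pulls that information out of a constructed metadata snippet. The entity IDs, names and URLs are invented; the rule that only https logos are used is this example’s own policy (an http image on an https login page is mixed content that an on-path attacker could swap).

```python
"""Added example: read mdui:UIInfo for a Service Provider out of SAML
metadata so an IdP login page can say which service the user is logging
in to.  The metadata below is constructed for the example."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdui": "urn:oasis:names:tc:SAML:metadata:ui",
}
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"

# Constructed sample: one SP that publishes MDUI, one that does not.
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui">
  <md:EntityDescriptor entityID="https://sp.example.ac.uk/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions>
        <mdui:UIInfo>
          <mdui:DisplayName xml:lang="en">Example Journals Online</mdui:DisplayName>
          <mdui:DisplayName xml:lang="cy">Cyfnodolion Enghraifft</mdui:DisplayName>
          <mdui:Description xml:lang="en">Full-text journal access</mdui:Description>
          <mdui:InformationURL xml:lang="en">https://sp.example.ac.uk/about</mdui:InformationURL>
          <mdui:Logo height="60" width="200">https://sp.example.ac.uk/logo.png</mdui:Logo>
          <mdui:Logo height="16" width="16">http://sp.example.ac.uk/favicon.png</mdui:Logo>
        </mdui:UIInfo>
      </md:Extensions>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://plain.example.org/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _localised(ui, tag, lang):
    """Pick the element in the requested language, else the first one."""
    elements = ui.findall(f"mdui:{tag}", NS)
    for el in elements:
        if el.get(XML_LANG) == lang and el.text:
            return el.text.strip()
    return elements[0].text.strip() if elements and elements[0].text else None


def _largest_https_logo(ui):
    """Return the biggest logo served over https; skip http ones (mixed content)."""
    best, best_area = None, -1
    for logo in ui.findall("mdui:Logo", NS):
        url = (logo.text or "").strip()
        if urlparse(url).scheme != "https":
            continue
        area = int(logo.get("height", "0")) * int(logo.get("width", "0"))
        if area > best_area:
            best, best_area = url, area
    return best


def sp_branding(metadata_xml, entity_id, lang="en"):
    """Branding for the login page: falls back to the bare entityID when
    the SP publishes no MDUI, which is exactly the 'what am I logging in
    to?' experience the post complains about."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.get("entityID") != entity_id:
            continue
        branding = {"entity_id": entity_id, "display_name": entity_id,
                    "logo": None, "info_url": None}
        ui = ed.find("md:SPSSODescriptor/md:Extensions/mdui:UIInfo", NS)
        if ui is not None:
            branding["display_name"] = _localised(ui, "DisplayName", lang) or entity_id
            branding["info_url"] = _localised(ui, "InformationURL", lang)
            branding["logo"] = _largest_https_logo(ui)
        return branding
    raise KeyError(f"unknown entityID {entity_id}")


if __name__ == "__main__":
    print(sp_branding(SAMPLE_METADATA, "https://sp.example.ac.uk/shibboleth"))
    print(sp_branding(SAMPLE_METADATA, "https://plain.example.org/sp"))
```

In a real IdP the SP’s entityID comes from the authentication request and the metadata from the federation aggregate; the language would be taken from the browser’s Accept-Language header, which is why the Welsh DisplayName above is looked up separately.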

I hope you all take this in the spirit it is meant – as an effort to improve the user experience across the board – and not as an insult. In the difficult process of getting all the tech working, the issue of ‘what a user sees’ can often be forgotten. Those of us that stare at login pages for most of every day have become quite sensitive to these issues and would like to help you make them better.

If there is anything that the UK Access Management Focus can do to help you with the access management user experience, please just let us know.

Dear Friends

I am doing some work for a future presentation / paper and really need your help! Would you be willing to spend 15 minutes or so being creative for me? All you need is a pen and an A4 piece of paper, or DoodlePad on a tablet, or any other quick drawing application you so like :-)

Without thinking too hard, or googling for inspiration, or asking your mum, could you create an artwork for me entitled ‘How I See the Internet’?

I didn’t really want to influence anyone but thought it would be unfair to ask you all to do something if I wouldn’t do it myself. So here is mine…I bet many of you can do much much much better :-)

Thank you

Nicole

Several people on Twitter pointed to the new and shiny BBC Social Media Guidelines this week. It is something we have all seen grow up as social media sites have exploded in recent years and generally the policies are well written and sensible, formulated around the key message – don’t do anything dumb. I agree with that completely. As with many of the guidelines produced by companies, the BBC guidance seems purpose written for Twitter – showing its increasing power and place as the foremost way of sharing in the ‘crossover’ space of social / professional.

Reading through the guidelines though I was amazed to find this:

f. Make a note of any login names and passwords, and also any other service that you set up to automate the activity (eg: forwards it from Twitter to Facebook). Share those details with members of your team, making sure they are stored safely: if you move to do a different job or are off sick, someone else will have to take over.

Excuse me BBC? In the very midst of the #hackgate issues are you making it a policy for BBC staff to share their usernames and passwords with other people? Are you actually mad??

There is obviously a reason behind this, and it is a reason that can be uniquely assigned to Twitter. Facebook does not allow non-sentient beings to have a Facebook identity and tries hard to police this (to differing levels of success). Non-sentient things are generally pushed on to pages, which us humanoids can then follow and comment on…i.e. they don’t have to log-in.

Twitter is different. My coffee cup can have a Twitter account and tweet to the world if it so chooses. However, although this is allowed, Twitter makes it incredibly difficult for non-sentient things to tweet by confusing identity, persona, authentication and authorisation into one process – which is why the BBC chooses to make a policy of password sharing. Interestingly, although it allows non-sentient things to tweet, essentially that non-sentient thing has to be able to enter into a binding contract with Twitter – so it does always assume 1 real person behind each object.

Twitter forces us to authenticate with authorisation information. It confuses the persona I have, @nicoleharris, with my identity as a user logging in and with the permissions associated with that – i.e. the right to tweet. Obviously that makes perfect sense for me and @nicoleharris – but what about @JISCAdvance – a clear company account? It would be so much better if I could log in to Twitter as a platform and then be associated with multiple Twitter accounts and also have the rights to tweet as @JISCAdvance….but I can’t. It’s made even more confusing by Twitter’s policy that only one Twitter account can be associated with one e-mail address…so I have three Twitter accounts linked to three different e-mails. Administration of these is insane, I have to remember three different sets of passwords and I can’t let anyone else tweet to them unless I share my password, which is always a uniquely silly thing to do :-) So uniquely silly that Twitter’s terms remind you of the importance of safeguarding your password.

Obviously tools like TweetDeck have tried to get around this by providing a more coherent way of managing multiple accounts, but it still does not take away the need to have these accounts or the need to share credentials for them. Does it matter? Well, yes it does as it creates confusion of ownership where in reality personnel do not ‘hand over’ their Twitter account as per the BBC recommendations but change it to a different personally controlled account – like this story about Laura Kuenssberg’s move from the BBC to ITV.

So why doesn’t Twitter do it differently? After all, it is hardly difficult to associate one set of credentials with multiple authorisation events in different places. Well I’ve already mentioned 1 reason – they want to have a binding contract that puts the responsibility for each tweet on an individual – makes life so much easier than getting into an argument about ‘who sent that tweet?’. Of course with the number of hacks and shared passwords the waters are already muddy but essentially, whoever registered the account is responsible. I’m not sure if this explains the weird 1 email – 1 Twitter account policy, but there you are.

Secondly, it’s an OAuth thing. Whilst OAuth offers some really great ways of allowing applications to do fun and interesting things by granting them limited access to an account, it is a binding between the authentication process and an authorisation permission (I won’t get into the fact that this is often badly implemented so inappropriate read and write authorisations are forced on the user when not necessary, that’s another story). Having multiple accounts assigned to one authentication process would make it difficult to differentiate OAuth authorisation permissions with 1 of these accounts but not the other. So whilst OAuth allows us a good and secure way of authorising apps’ access to write to our account in the current model, it means we don’t have a useful and secure way to allow other people simple and secure authorisation access to our accounts.
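To make the separation argued for above concrete, here is an added example (not Twitter’s design or any code from this blog) of the model the post wishes for: a person authenticates once as a principal, and what they may do as each account is a separate, revocable grant. A team account is handed over by changing grants rather than by passing a password around, and every post is attributed to the real person who made it, so ‘who sent that tweet?’ still has an answer. The principal names, account names and the scope vocabulary (`post`, `manage_grants`) are invented for the example.

```python
"""Added example: one login, many accounts.  A principal (a real person)
authenticates once; the right to act as an account (a persona) is a
grant of scopes, held per principal and revocable without touching any
password.  Names and API are hypothetical."""
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class Principal:
    name: str
    salt: bytes
    pw_hash: bytes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Directory:
    principals: dict = field(default_factory=dict)
    # account -> principal -> set of scopes, e.g. {"post", "manage_grants"}
    grants: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.principals[name] = Principal(name, salt, _hash(password, salt))

    def login(self, name: str, password: str) -> str:
        """Authentication only: proves who the person is, grants nothing."""
        p = self.principals.get(name)
        if p is None or _hash(password, p.salt) != p.pw_hash:
            raise PermissionError("bad credentials")
        return name  # stands in for a session token bound to this principal

    def create_account(self, session: str, account: str) -> None:
        # The creator is the accountable owner and may delegate; the
        # account itself has no password for anyone to share.
        self.grants[account] = {session: {"post", "manage_grants"}}

    def delegate(self, session: str, account: str, to: str, scopes: set) -> None:
        self._require(session, account, "manage_grants")
        if to not in self.principals:
            raise KeyError(to)
        self.grants[account].setdefault(to, set()).update(scopes)

    def revoke(self, session: str, account: str, who: str) -> None:
        """Handover or departure: drop the grant, nothing else changes."""
        self._require(session, account, "manage_grants")
        self.grants[account].pop(who, None)

    def post(self, session: str, account: str, text: str) -> dict:
        self._require(session, account, "post")
        entry = {"account": account, "by": session, "text": text}
        self.audit.append(entry)  # attribution to a person survives handover
        return entry

    def _require(self, session: str, account: str, scope: str) -> None:
        if scope not in self.grants.get(account, {}).get(session, set()):
            raise PermissionError(f"{session} may not {scope} as {account}")


def handover_demo() -> dict:
    """A company account passes from one editor to the next without
    anyone learning anyone else's password."""
    d = Directory()
    for name in ("nicole", "bob", "mallory"):
        d.register(name, f"{name}-secret")
    owner = d.login("nicole", "nicole-secret")
    d.create_account(owner, "@CompanyNews")
    d.delegate(owner, "@CompanyNews", "bob", {"post"})
    bob = d.login("bob", "bob-secret")
    first = d.post(bob, "@CompanyNews", "hello from the team account")
    # bob leaves: revoke him, bring in mallory
    d.revoke(owner, "@CompanyNews", "bob")
    d.delegate(owner, "@CompanyNews", "mallory", {"post"})
    try:
        d.post(bob, "@CompanyNews", "one last tweet")
        bob_after_revoke = True
    except PermissionError:
        bob_after_revoke = False
    return {"first_post_by": first["by"], "bob_after_revoke": bob_after_revoke,
            "audit_trail": [(e["account"], e["by"]) for e in d.audit]}


if __name__ == "__main__":
    print(handover_demo())
```

An OAuth-style app token fits the same shape: it would be issued to a (principal, account, scopes) triple, so an app authorised to write as @CompanyNews for one editor is not silently authorised to write as that editor’s personal account too.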

Oh well, can someone pass me some post-it notes?

It’s not been very big or very splashy as far as announcements go, but Google has announced its latest attack on the social networking space in the form of Google+. I’m assuming this is to be pronounced Google-Plus, but I rather like the idea of calling it Google-And :-)

I’ve oft been known to talk about identity and when I do I am oft known to quote Mark Zuckerberg:

“Having two identities for yourself is an example of a lack of integrity.”

A statement that often attracts a bad reaction, but actually a statement that I agree with. What I don’t agree with is Zuckerberg’s further statement:

“The days of you having a different image for your work friends or co-workers and for the other people you know are probably coming to an end pretty quickly.”

As Michael Zimmer explains in detail (saving me the effort), this simply isn’t true. There is no need for Jung to start turning in his grave, we all like to present ourselves in different ways to different people. This seems to be the market that Google are very sensibly chasing down – the market that Mark does not want!

I’ve tended to refer to this as managing ‘personas’ but Google has got me thinking. Do we really actively manage our personas, or do we do something that is actually more passive – joining selective groups?

Having a ‘persona’ suggests that I actively think about how I want to present myself to people and what I want to release to people and put steps in place to structure and manage this. I’m not sure how much we do this. I think it is a more passive thing, and a more immediate thing – a simple ‘I don’t want x or group y to see z’ made as we go along.

The Google Circles concept is more akin to that passive approach. Rather than managing a persona I self-select and define by joining a group or even by being added to a group by someone else.

This difference in approach is akin to the endless discussion in FAM circles about group management, attribute release and user consent. The REFEDs list has been busy recently with people discussing the user consent model (persona management by the individual) vs group attribute management for ‘sets’ of service provider types (the more passive group model). Given our experience of the reluctance of users to manage their identities – I can’t help but think the group management process will win out. The mistake on Google’s part? The limited release. If you want to start building ‘circles’ you need the people you want to join up with in there with you from day one, or you will quickly become disenfranchised. This limited release will lead to ineffective group management from the outset – and disenfranchisement will follow hot on the heels. The interface for Google+ looks interesting and pleasing, I hope it doesn’t become another Wave.

As part of my work for the Shibboleth Consortium, I have spent a long time over the last couple of months immersed in the world of foundations managing open-source software looking for lessons learnt and possible patterns / home for a future Shibboleth organization. It’s been an interesting experience, predominantly from the point of view of openness.

Going in to this, I would have thought that any organization supporting open-source software would have had a fairly open approach to all of its dealings. I was very wrong! Very few of the foundations examined release anything other than the software under an open license such as Creative Commons and the sign ‘all rights reserved’ was all too prominent – an approach I find hard to understand.

Openness of information was also in short supply. Many of the foundations don’t advertise their fee schedules and don’t publicise their member agreements. Should I have even been slightly interested in funding any of these foundations I would have been put off straight away by the lack of transparency – are other organizations paying less than me, do they have a different agreement from me? Why the need to be closed?

Which leads on to another point. Many of the foundations have a very clear air of a ‘closed club’ about them, which again seems astounding for organizations that have been set up predominantly to ensure the sustainability of applications. These range from the unabashed elitists to groups that only seem to target existing members in terms of promotion and outreach.

Two other takeaways were the importance of a simple fee structure (I’d say if you have more than 3 fee categories you are already doing yourself a disservice) and the importance of foundation-led communications, particularly for events, recognising developers in the community and recognising best practice. The last may seem obvious, but the communications side of open-source can often be consumed by the need to focus on quality of product.

When working on the programme plan for the Shibboleth Consortium, I asked the developers to spend quite a bit of time working with me on the vision statement for Shibboleth. They were very indulgent of my project manager excesses and this is what we came up with:

The Shibboleth Consortium will deliver the open-source product of choice for organizations wishing to deploy federated identity. The consortium will be recognized for its quality of software offering and its engagement with the user, standards and development communities.

I think if we want to achieve this vision, a model of openness across all elements of the future organization will be essential. So when we are building up what ever the new Shibboleth will be, I want this to remain at the heart of our decision making.

In case you’re interested, the best foundation model I examined in my humblest of opinions? Sakai (but don’t tell @iandolphin24 I said that!)
———–
Some notes:

The Shibboleth Consortium is an interim arrangement between JISC, I2, and SWITCH to look at a possible future organizational structure for Shibboleth – the Consortium is not the permanent home and will disband when a future model has been established.

We hope to introduce the New Model Shibboleth in January 2012 with an effective ‘go live’ date of 1 August 2012 to allow for transition arrangements.

Build Me Up, Buttercup was sung by The Foundations. A tenuous title for my blog I know :-)

*Warning, this post has little to do with access management*

We all know that getting feedback on anything you do can be very difficult. Despite how interested people are, finding the time to constantly feed in to work plans, questionnaires, surveys etc. can be taxing. When working with the REFEDS group I often experience these problems. Typically, REFEDS is a very dynamic and engaged group offering their own time up to meet the objectives set by the group. Because of its nature, we are very keen that all activities that REFEDS engages in are approved by the majority of members.

REFEDS is probably fairly typical that about 80% of the talking is done by about 20% of the people. As organisers, we get a fair amount of feedback offline, but it is quite often difficult to tell – is this really supported by the group, or have the supporters just shouted the loudest?

I wanted to try something different at the recent REFEDS meeting to get a broader amount of input. This meant that I wanted something where people could submit comments anonymously and with very little effort. I decided to give Poll Everywhere a go, and the results are here.

I have to admit I was nervous. It is perhaps a little gimmicky. It was straight after Eurovision, and I was asking people to submit votes. In Europe :-) It’s also a room full of quite techie people who often hate these kind of interfaces. I was worried I would fall flat on my face and not carry the audience with me.

However – it was a success! It went down really well, I got the results I wanted and the session was very interactive and made people smile. A couple of things I would note:

  • Do a test question that doesn’t matter as people will try voting several ways to see what happens to the ‘live’ screen.
  • Build in time for practising – it takes a while. Remember you are going to have to leave each slide up for a reasonable amount of time
  • Ask very direct, very specific questions.
  • Comprehending the code numbers for Poll Everywhere can take some time. You can get rid of this by using a paid-for package, but clear explanation helped.

So overall a pleasing experience and it did help me make the final recommendations around ‘Barriers to Service Providers’ joining current federations. I’m not sure whether, if we make use of it very often in REFEDS meetings, people will get sick of the novelty and opt out, but I was pleased with what we achieved on the day.

BTW – the only reason it was embedded in prezi was simply because the embed to powerpoint option just wouldn’t work for me and my mangled old work computer. It was however nice to have a fallback when I simply couldn’t get something to work :-)

We’ve been spending quite a bit of time recently talking about the non-library use case for the UK federation. After all, dealing with publishers all the time gets a bit wearisome for all of us :-) An established model in the US for some time has been using federated login not to facilitate login, but to prove that someone is a student or staff member at a university. This is often used to give you free stuff – that can’t be bad! We saw the beginnings of this approach with the Microsoft DreamSpark implementation. A company called Unidays is looking at the same concept.

As you can see from the screenshot below, Unidays uses the UK federation not to manage your login, but to associate you with an institution and verify your ‘studentyness’. The verification screen (with a well designed embedded WAYF – brownie points) points you to your local Shibboleth or OpenAthens identity provider where you log in once and create the association. I know they have been having some initial problems with some institutions but I’ve seen it work for students registering at King’s College London (Shibboleth) and Swansea University (OpenAthens). As I mentioned at recent OpenAthens Seminars, I think the importance of being able to declare your studentyness with this verification process may become more important than the use of institutional credentials as we move forward with identity management in educational settings.

Some challenges remain here – revocation is an interesting point. I wonder if Unidays are going to force a reverification at certain points? Also attribute management – we often see this approach ‘forgetting’ to distinguish between student@uni.ac.uk and member@uni.ac.uk – meaning that staff can get a sneaky discount too :-)
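The two challenges above (telling student@ from member@, and deciding when a verification has gone stale) are exactly the checks an SP in this role has to get right, so here is an added example, not code from Unidays or from this blog, of the decision logic. It takes the attributes an IdP released and the scopes the federation metadata registers for that IdP (the `shibmd:Scope` values), and accepts only a `student` scoped affiliation whose scope that IdP is entitled to assert; `member` is rejected because it covers staff too. The attribute names are the standard eduPerson ones; the sample values, the institution scope and the 365-day reverification window are this example’s own assumptions.

```python
"""Added example: deciding 'studentyness' from federated attributes.
Sample attribute sets and the registered scope are constructed."""
from datetime import date, timedelta

# 'member' is held by staff as well, so it does not prove student status.
STUDENT_AFFILIATIONS = {"student"}

# Scopes the federation metadata registers for the asserting IdP (constructed).
EXAMPLE_IDP_SCOPES = {"uni.ac.uk"}

# Constructed attribute releases, as the SP would see them after decoding.
SAMPLES = {
    "student": {"eduPersonScopedAffiliation": ["member@uni.ac.uk", "student@uni.ac.uk"]},
    "staff": {"eduPersonScopedAffiliation": ["member@uni.ac.uk", "staff@uni.ac.uk"]},
    "rogue_scope": {"eduPersonScopedAffiliation": ["student@other.ac.uk"]},
    "unscoped_only": {"eduPersonAffiliation": ["student"]},
}


def verify_student(attributes: dict, idp_scopes: set) -> dict:
    """Return {'ok': bool, 'scope': str | None, 'reason': str}.

    Only eduPersonScopedAffiliation is considered: an unscoped
    eduPersonAffiliation says nothing about which institution is vouching.
    """
    rejected = []
    for value in attributes.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.partition("@")
        affiliation, scope = affiliation.strip().lower(), scope.strip().lower()
        if not sep or not scope:
            rejected.append(f"{value}: not scoped")
            continue
        if scope not in idp_scopes:
            # An IdP may only speak for scopes registered against it, otherwise
            # any IdP in the federation could mint student@uni.ac.uk.
            rejected.append(f"{value}: scope not registered for this IdP")
            continue
        if affiliation not in STUDENT_AFFILIATIONS:
            rejected.append(f"{value}: '{affiliation}' is not a student affiliation")
            continue
        return {"ok": True, "scope": scope,
                "reason": "student affiliation asserted under a registered scope"}
    return {"ok": False, "scope": None,
            "reason": "; ".join(rejected) or "no eduPersonScopedAffiliation released"}


def needs_reverification(verified_on: date, today: date, max_age_days: int = 365) -> bool:
    """A verification is a snapshot: the student may since have left.
    Force the federated check again once it is older than max_age_days
    (the window is a policy assumption for this example)."""
    return today - verified_on > timedelta(days=max_age_days)


if __name__ == "__main__":
    for label, attrs in SAMPLES.items():
        print(label, verify_student(attrs, EXAMPLE_IDP_SCOPES))
    print("reverify:", needs_reverification(date(2011, 9, 1), date(2012, 10, 1)))
```

The scope check is the part most often skipped: without it, the verification trusts whichever IdP the user picked in the WAYF to say which university they belong to, which is only safe if the federation’s metadata registration of scopes is enforced at the SP.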

At the TNC2011 meeting, we held a small reception to talk about the creation of the Shibboleth Consortium and to present some early findings from the Shibboleth Futures Survey. My slides are available below, and might be of interest or the originals can be found on SlideShare.



So I’ve been having an interesting conversation with that Dave Pattern about authentication this morning and why librarians like EZProxy so much. I’m not going to get in to the whole discussion about the problems of proxies, the issues with faking an IP authentication and the lack of personalisation. I want to talk about why we don’t just do EZProxy. It’s about user behaviour.

I’m going to make a probably quite unfair statement, that is highly generalised, but might help explain the problem.

Librarians think that user behaviour can be taught and controlled until the users learn to do things ‘correctly’. Developers realise you cannot control user behaviour and try to design for that.

What do I mean by that? Well the main problem with EZProxy is that using it is counter-intuitive to general discovery. In order to use a resource, I don’t need to know where that resource is, I need to know where my institutional EZProxy login is. So I have to search for something other than I want. It isn’t that easy to find. A Google search for ‘EZProxy Huddersfield University’ brings up this result.

Not useful. So OK, a student might not actually type EZProxy. They might just go to the library. So I try this. After 4 clicks, I can type ‘ScienceDirect’ in to a thing called Summon and it comes up with this. Hmmm, but I just wanted to search ScienceDirect. However if I click on one of those results, I then get pushed out to another strange URL (http://rc4ht3qs8p.search.serialssolutions.com) – oh god, where am I going, I don’t know….and then there is another screen – do I hit login? Do I hit article? What do I do?

Or we could just use Google. Just put ScienceDirect in to Google. In one click, I’m searching ScienceDirect. Yes at some point I am going to have to log in and that has to be as easy as possible (it certainly isn’t right now) – but don’t be so sure that your portal approach is any easier. There are just as many clicks, just as many breaks in user experiences, just as many things to learn. That’s the important thing – being forced through the library is an entirely LEARNED behaviour.

So these are some of the arguments Dave put to me.

  • EZProxy is seamless when used with a discovery service. Well I think I have just shown it isn’t that simple.
  • We tell our users to configure their google scholar with our link resolver. Well again that’s something you have to learn, and think to do. That takes a fairly sophisticated user. I’m sorry, I’m not a sophisticated user. I just type ‘ScienceDirect’ in to Google.

So give us a break please librarians. There is a reason why we are doing what we are doing and I think it makes good sense.

So yes we know the authentication discovery area is horrible at the moment. It’s terrible! It’s horrible! We are working hard on it. I’d urge you to look at Rod Widdowson’s presentation from the REFEDS meeting (coming soon) and the work Andreas Solberg has done on DiscoJuice. It can look so much better.

We also need your help. We can’t design the publisher’s interfaces for them. Us techie people have a horrible time trying to explain to publishers that we want their interfaces to be better. Only their customers can do that, and guess what – that’s you! So don’t complain to us that the ‘authentication’ system is broken. It isn’t. Get out there and tell the publishers their interfaces are broken and there is something they can do about it. There is something YOU can do about it. Anyone willing to take up that challenge?

How proud are you? How interested in your online reputation?

When was the last time you googled yourself? Probably more recently than you’d like to admit, but we all do it! I am regretfully a poorly known Nicole Harris. My light is often eclipsed by an American gymnast (she must retire soon!) and an American Beauty Queen (she must get ugly soon!). It’s a morbid fascination to look at the trail we have left of ourselves online. It’s also true that anything you can do someone else can do better – for example online searches are becoming increasingly common as part of investigating potential job applicants.

It is very easy to ruin someone’s reputation online. There are currently several high profile cases in which individuals are trying to force Google to change search results that appear when their names are entered due to unfortunate connotations, inferences or connections. In some cases this is simply due to the algorithm and unpredictable connections, in others it’s a case of shared names and in others it is due to past misdemeanours that the individual would rather have forgotten. The web is very unforgiving when it comes to forgetting! I’m not even going to go through the many many cases of ‘that embarrassing photo on Facebook’, only to remind people that it is more likely that someone else will upload it and tag it as you than you are. Your reputation is in their hands, so make sure you are comfortable with the people you spend your time with!

The most important thing to remember is that the web is not a closed book, and that community you are in may not be as private as you think it is. Just because you have logged in to something, it doesn’t mean it cannot leak out of the walls you think your authentication may have built for you. There are so many loop-holes around what parts of what sites search engines can index and promote that it is nearly impossible to manage yourself sensibly without just being, well, sensible.

The concept of community also blurs the lines. However high you have set your privacy settings, you are really only as private as the settings of the weakest member of your community – and we all know someone who posts everything to the world, including you asleep and dribbling in a crooked cracker hat after a turkey and sherry binge.

There are two types of services that will manage your identity online for you – one that actively sets out to create a positive reputation and account for you (as used by Charlie Sheen to amass large numbers of followers quickly) and those that help you fix things you don’t like about the way you are presented online. There are also simple tools that you can use yourself – like Monitor This, Google Alerts or more sophisticated tools like Trackur.

So how do you know I’m *that* Nicole Harris? Well it is still quite difficult. In the world of academic publishing, where reputation is everything, we are only just beginning to see the emergence of standard identifiers for individuals through initiatives such as Orcid, the Names project and NISO work. Out there on the open web world, it’s a bit more difficult. What can we do to help people know they have the right me?

  • Being First helps. The vanity url grab when Facebook first allowed people to associate themselves with a name and not just a number was interesting. However the usefulness of it has become hidden in the success of Facebook – has anyone else found it increasingly difficult to find people through searching on Facebook without knowing their email first?
  • Being Consistent helps. It’s useful to choose a name pattern and stick to it, which probably means not going for the typical firstname-lastname combo unless you have quite an unusual name. I suffer from a bit of vanity here as I really like having @nicoleharris on Twitter, but to be consistent I probably should have gone for @nicolevharris.
  • Making your mark helps. If information is going out there about you on the web – whether it is under your control or not – try to consistently ‘mark’ it with an identifier that you are comfortable with. This might be a twitter name, a linked-in account, an email address or something more basic like use of the same photo, but try to make sure that mark is there. Give it to conference organisers, ask people to add it if you notice something about yourself but make the effort to say, yup, that’s me.

OpenID aspires to occupy this space and have us all identify ourselves by our super groovy and unique OpenID, but this has failed to really provide a service that users believe they want. Andy Powell wrote an interesting piece on active management of accounts online and it is still pretty relevant today. I’m curious what will win out – maybe something like this?
