Category Archives: events

The Open Agenda – where’s the source?

Just back from the very hectic FAM10 conference and the RAPTOR project board meeting in Cardiff. RAPTOR is looking great by the way – have I mentioned that before? 🙂

It’s now time for me to start putting some serious head time in to the future of Shibboleth, where the Shibboleth Consortium takes the software, and what form the Shibboleth “Foundation” may take.

I was thinking about this last night, and it was particularly relevant that @iandolphin24 chose to tweet at that very moment that JASIG and Sakai are planning a merger. JASIG and Sakai are perhaps THE most successful open source organisations operating in higher education today (although I would have to give a nod to Moodle as well and of course we have to be looking towards Apache in more general terms) and are the models that I would immediately go to when thinking about where next for Shibboleth. There is some great stuff for me to think about here, and some very good people to talk to.


‘Open’ is the word of the moment. Open data, open science, open access, open educational resources – you cannot move without being ‘opened’ in education at the moment. The OER movement is proving to be particularly persuasive for organisations such as HEFCE, with open access still high on many people’s agendas despite its more controversial status. However, when that list is ticked off, open standards and open source are often ignored despite the diligent work that goes on in these areas, such as the good people at OSSWatch and CETIS in the UK. It is still incredibly difficult for an educational institution to include an open source platform or software implementation as a serious contender in a procurement process.

So where am I going with all of this? Well for me the last couple of years working with JISC and the UK federation, my tagline has been “standards compliant, technology neutral” and I absolutely believe that this should continue to be the ongoing mantra of the UK federation. I also think we have done some good work on persuading people that open standards make good business sense in terms of avoiding the lock-in of the proprietary system. However, if we are really going to position Shibboleth well, it is time for me to think hard about the importance and the business proposition of open source once again, having left OSS Watch in the hands of better people than me many years ago. I think it is time to get open source back on that ‘open’ list, which is why the JASIG / Sakai news is very very interesting.

Interestingly, life is all about the positioning at the moment. I’m thinking in similar terms for REFEDs, and the place REFEDs has in the world of Kantara, OIX and Identity Commons. More on this very soon I would imagine.

As I mentioned in my talk at FAM10 (when I wasn’t talking about Penguins), I believe that it is important that education has a strong voice in these areas, I believe we have specialist requirements and I believe it is important that we make sure that educational institutions help shape the access and identity management space and don’t just leave it in the hands of the commercial world to tell us what we can have.

So that’s all going to be easy to sort out….right? 🙂 Better stop messing around with blogs and get to it!

Middleware Coordination, Cooperation and Copenhagen

I will be spending today at the tf-emc2 meeting in Copenhagen. For those of you not familiar with tf-emc2, safe to say it is the home of the uber-techies involved in middleware stuff in Europe (and indeed beyond, with Ken Klingenstein in the room). I’m in a mellow mood after being charmed with great food and free wine at my hotel last night so will probably be very enthusiastic about everything that comes out of the meeting. Forgive me.

Moving Metadata Around

We start with great promise with a report from Ken on the rather tongue in cheek ‘BEER’ (Bucket of End Entity Registrations). I think the name may change at some point 🙂 The idea here is that a place is created where people can ‘dump’ entity metadata for general use. The metadata would carry with it the name of the depositor and have some general technical standard requirements, but other than that would not carry with it a strong policy trust framework. It would have a ‘terms of use’ that puts the risk on the consumer. This will be a very interesting experiment in pushing the boundaries of trust and trust requirements. Something to keep an eye on, and something I will be looking for volunteers in the UK to play with. Literally, I will be encouraging you to consume BEER!

How Many IdPs?

We moved on to a conversation about why an institution would want to have multiple IdPs. The purists in the room pointed out that it was technically easy to have one IdP and it provided a strong trust argument if there was one authoritative point of access for an institution. The more practical amongst us pointed out that many institutions have medical schools, library directories for external users, alumni directories and start-up companies / BCE style organisations that really want to maintain a separate directory and IdP. I think this again reflects the very different political landscapes in the smaller European countries compared to places like the UK, the US and Australia.

Monitoring, Testing, Proving, Baking

One of the areas that people have been interested in for a long time is the monitoring and diagnostics space. On a practical level in the UK we are making some progress here in terms of baseline statistics through RAPTOR and the JISC Usage Statistics Portal. The more basic line of monitoring problems (downtime) and diagnosing problems still has some way to go, but the librarians who spend a vast amount of time reporting downtime from publishers will appreciate the absolute need in this area.

This is a nut tf-emc2 is very keen to crack. There is some work within the GEANT framework to do this (GN3-JRA3-T2: Federation Lab for those of you who understand the strangeness of GEANT) and there has been some basic work using Nagios as a framework, but there is no tabled solution at the moment. This is something the UK federation Board discussed at a recent meeting so we are fully aware of the UK need for this.

Definition Requirements

Something we haven’t discussed much in the UK is SCHAC. The reason for this is simple – the UK federation has taken the stance that it will only make recommendations around a small set of attributes using the eduPerson specification. SCHAC takes things a bit further for those interested in a full scope…perhaps people looking at the Identity Management Toolkit and the upcoming call on Identity Management from JISC. This really follows on from previous posts about the problems we are facing when encouraging institutions to populate more attributes. This basically comes down to a disconnect between where the requirement comes from (library, virtual organisation) and the owner of the directory (IT department). This is definitely a problem we need to crack if we want to exploit the potential of federated access and the potential of virtual organisations – but how do we manage this?

The Proxy Question

A bit of a blast from the past when the idea of a centralised proxy service came up today. We looked at this issue at JISC back in March 2008. In some ways, this does make sense for IP-only resources, but I have lots of reservations. The more opportunities we give people to use ‘the easy way out’ of IP access, the fewer opportunities we will have for decent access and identity management in the future. We also run the risk of annoying people like EZproxy by destroying their business models. I also think the complexities of trying to manage a central service with up-to-date information are not scalable – certainly in the UK. A couple of NRENs are looking at taking this forward however, so we will keep an eye on this.

Collaborating on Collaborations

I’ve mentioned COManage a couple of times, and it is starting to show some maturity as a platform for managing virtual organisations. There are some great mock-ups on the site, which will be of interest to the VRE people I would have thought. A very similar project is COIN from SURFnet.

In Perfect Harmony…

Well the saml2int profile just has to be important in terms of getting us all in line. I hope that we will all be able to move towards this regardless of software (Shibboleth, OpenAthens, Guanxi) but I would encourage you to be asking for it!

Other important work in this area is the Kantara Full Matrix test – as this becomes embedded it should be an excellent way for you to tell if something is *really* SAML compliant as it will come complete with test results and the rubber stamp of approval that we have been reluctant to take on as federations testing software.

For more lightweight testing and as I mentioned earlier, Feide are working on an Automated Testing Tool – essentially a test IdP that emulates http to create real test environments for people installing SAML products. This is still work in progress, but there is a great video available.

Other Stuff

For those of you interested in OAuth, Diego gave an overview of OAuth2lib – a project they are working on to integrate OAuth at PAPI. I won’t say much more as I really am not qualified to talk about OAuth, but will link to the slides when they are made available.

Our very own Logins4Life project had a quick demo – see more on the Logins4Life website.

Last Christmas…

Have decided to create a record of the JISC London office Christmas parties for posterity. This only goes back to 2003, so if you have any further information, please do let me know.

2003 – Boulevard Brasserie. Highlight was Leona and Liam dancing on tables in the Corner Store and the infamous baby photos quiz.

2004 – Now closed Italian restaurant in Soho. Highlight for me was being rung repeatedly between 11 pm and 1 am with people wishing me merry Christmas. I was nine months pregnant and curled up at home!

2005 – Tas and the White Hart. A very tame year, although Paul Gambaccini put in an appearance to help us with the Christmas Music Quiz 🙂

2006 – Bond Themed Party at the City Inn in Westminster. Warning, the bar is very expensive. Freddie’s wig and Sarah’s Bond villainess hat were to be appreciated. Much memory loss all round.

2007 – Selfridges Hotel, Oxford Street. There were other people there so we had to behave ourselves. Highlights were my hair looking decent for once thanks to hours in the hairdressers and Mel and Al dancing to Valerie. First introduction of the fiendishly difficult Whetstone Quiz.

2008 – La Clique, London. A suitably camp venue for jiscites! Keith wins the Whetstone Quiz. Again.

2009 – 1940’s, Film Noir and The Queens Arms. ????

The Great Google Experiment

Well, OK, not that great but I like alliteration 🙂

For #FAM09, we decided to make use of the Google Sites facility to manage all of our information flow around the event. We did mount information formally on the JISC website, but there is much richer information on the JISC FAM09 Google Site. This was really part of an experiment on my part as I wanted to know how efficiently Google could support our information requirements, as information is their business!

We were already using Google Docs to manage most of our information. Normally, I would then use the JISC website for the programme+BOS Surveys for the registration+slideshare for slides (copied to the JISC website)+a.n.other for audio / video+this blog+possibly something like Ning for delegates to talk about the event. Given that the JAM team is not overly resourced, I wanted to make life a lot easier for myself, so decided to see if Google could duplicate most of this functionality with a reasonable amount of ease.

My observations?

  • Ease of Use: Google Sites is pretty easy to use, and has some nice built in tools like the ability to create different types of pages such as html pages, announcement pages, document pages, and widget pages. None of the team had used Google Sites before and we all picked it up pretty quickly.
  • Look and feel: Google Sites has a number of templates that you can choose from, and there are a variety of tools available for editing the templates. I managed to get ours looking a bit JISC-y. It would be nice to be able to create a formal JISC template, but I couldn’t see a way of uploading your own template. The urls for pages are fairly sensible, and you can choose to have word or number strings for pages.
  • Forms: the forms function was very helpful and the outputs automagically created an Excel spreadsheet in our Google Docs. This was so much better and easier to manage than our normal form system so was a really big win.
  • Upload: it is fairly easy to embed a document from your Google Docs into a Google Site. Making sure that all of the permissions are set so that people can download or embed in other sites (particularly presentations) was more complex and I had to revisit permissions in both Google Docs and Google Sites several times before I got this right – leading to some requests for documents to be shared with delegates (sorry all). It was better than previously as Google does now let you set share permissions across a whole folder of documents, but still annoying. The biggest grumble was the document page template on the Google Site. This doesn’t link to Google Docs at all and you have to physically upload files on to the Sites area, an unnecessary and annoying duplication. The presentation facilities aren’t as advanced or pretty as SlideShare, but the convenience of not having to upload on yet another site was helpful.
  • Access Management: this was one of the most disappointing features of the site. To even be able to leave a comment, you needed to be logged in, and the only way to log in was with a Google ID. This was despite the fact that the site was fully open. Given this was a federated access event, this was a big fail for me.
  • User Profiles: this really links in to the point above, but it was not possible to create a proper user profile on the site. This really cut down on some of the interaction features that I would expect from a site like Ning. However, at events I have attended in the past where Ning has been used, actual meaningful use of the functions has been low. Is this really in demand as a facility?

So overall, it was a helpful, if not completely professional, approach to managing all the information for the event. I still have to finalise some details – I want to pull in some RSS feeds and look at embedding some other tools – but it worked pretty well. I will really need to consider the access management, document management and template issues before using it again. I’m also slightly worried now the Developer Happiness Days have gone all website posh on me…must keep up with the Joneses!

I2MMFall09: Shibboleth Working Group Meeting

Hitting the ground running at Internet2 by diving straight in to the technical with the Shibboleth Working Group Meeting. So far San Antonio has been a surprise – certainly nothing like the other venues used by Internet2 over the years.

Shib 2.2 as a release on the SP side primarily provided a response to security incidents that happened over the summer. Otherwise, the main features are delegation, support for XML-valued attribute data, metadata tagging (something the UK federation has been doing for some time), simple attribute aggregation (which will be important as we move forward with the ‘interfederation’ process), and advanced metadata signature processes (good for the signer, good for security).

The meeting moved on to a discussion on user consent, and the importance of consent being built in to the shib codebase. Consent is still a topic that is wide open for discussion within federated access, but tools are emerging such as the Swiss uApprove and to some extent use of OAuth. A per-transaction consent module within shib could be taken forward, but is it the best place for it?

Hand in hand with this comes the idea of handing the same TargetedID across a group of services, as opposed to a particular service. The current IdP implementation does not do this, but the next release is likely to do exactly this. This is interesting for the UK, as I have had several SPs ask me for this functionality as a preference to using PrincipalName. It will be interesting to see what the people concerned with Personally Identifiable Information (PII) will say about this change!
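To make the per-service versus per-group distinction concrete, here is an added example (not code from the original post or from the Shibboleth project) of how an IdP can derive an opaque, persistent identifier from the user, a secret salt and a target. Everything in it is constructed: the salt, the entityIDs, and the hypothetical grouping of SPs. Per-SP scoping means no two services can join up a user’s records; group scoping deliberately gives every service in the group the same value, which is exactly the PII question raised above.

```python
import hashlib
import hmac

# Constructed values: a hypothetical IdP secret salt and entityIDs (not real ones).
IDP_SALT = b"constructed-idp-salt-not-a-real-secret"

# Hypothetical grouping: entityID -> the relying-party group it belongs to (None = ungrouped).
# Two SPs run by the same publisher share a group; the VLE stands alone.
SP_GROUPS = {
    "https://sp1.publisher.example/shibboleth": "publisher-group",
    "https://sp2.publisher.example/shibboleth": "publisher-group",
    "https://vle.other.example/shibboleth": None,
}


def release_target(sp_entity_id, group_scoped):
    """Pick what the identifier is scoped to: the SP itself, or its group if it has one."""
    if group_scoped and SP_GROUPS.get(sp_entity_id):
        return SP_GROUPS[sp_entity_id]
    return sp_entity_id


def targeted_id(principal, sp_entity_id, group_scoped=False):
    """Opaque identifier for (user, target): an HMAC over the principal and the target
    keyed with the IdP's salt, so it is stable for that pair but cannot be reversed to
    the principal and cannot be correlated across different targets."""
    target = release_target(sp_entity_id, group_scoped)
    message = f"{principal}!{target}".encode()
    return hmac.new(IDP_SALT, message, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for scoped in (False, True):
        print("group scoped:", scoped)
        for sp in SP_GROUPS:
            print("  ", sp, "->", targeted_id("alice", sp, scoped)[:16], "...")
```

Running it shows that with `group_scoped=False` alice gets three unrelated values, while with `group_scoped=True` the two publisher SPs receive an identical value and only the VLE still gets its own.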

Discussions moved on to ‘interfederation’. One of the important places to start when thinking about interfederation is that federations do not ‘own’ entities and the entities themselves have no real concept of the construct that is a federation. This, and the standards basis of SAML2, makes entities highly mobile. One of the ways of dealing with the interfederation question is to look at metadata aggregation. In this model:

  • Metadata registrars take on the technical trust (e.g. registering an entity).
  • ‘Federations’ then deal with behavioural trust (e.g. policies for a specific community).
  • Registrars and federations MAY be colocated.
  • Federations can use multiple registrars to create a metadata aggregation with specific processes wrapped around it for the community requirements.

Metadata ‘richness’ was then discussed. Metadata aggregation should be able to cope with this, but it is important that policy is not implemented at this level – for example metadata extensions could point to policies, but should never direct them.
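The registrar/federation split and the “point to policy, don’t direct it” rule above can be shown with a small aggregator. This is an added example, not code from the original post, the UK federation or any Shibboleth tool. It parses two constructed registrar feeds (the entityIDs, registrar names and policy URLs are all made up), keeps only entities whose `mdrpi:RegistrationInfo` names a registrar the federation accepts, drops untagged entities and duplicate registrations, and carries the registrar’s `RegistrationPolicy` pointer through untouched for consumers to read. The `mdrpi` extension namespace and element names are the real SAML metadata RPI extension; the behaviour wrapped around them is the assumption.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"
NS = {"md": MD, "mdrpi": MDRPI}
ET.register_namespace("md", MD)
ET.register_namespace("mdrpi", MDRPI)

# Constructed registrar feeds (not real federation metadata). Registrar A tags every entity;
# registrar B also publishes an untagged entity and re-registers one of A's entities.
REGISTRAR_A = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:mdrpi="{MDRPI}" Name="registrar-a">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example">
        <mdrpi:RegistrationPolicy xml:lang="en">https://registrar-a.example/policy</mdrpi:RegistrationPolicy>
      </mdrpi:RegistrationInfo>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.lib-a.example/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar-a.example"/>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

REGISTRAR_B = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:mdrpi="{MDRPI}" Name="registrar-b">
  <md:EntityDescriptor entityID="https://sp.pub-b.example/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar-b.example"/>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.untagged.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.uni-a.example/shibboleth">
    <md:Extensions>
      <mdrpi:RegistrationInfo registrationAuthority="https://registrar-b.example"/>
    </md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def registration_authority(entity):
    """The registrar that vouches for this entity, or None if it carries no tag."""
    info = entity.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return info.get("registrationAuthority") if info is not None else None


def registration_policy(entity):
    """The policy the registrar points at. It is carried through, never interpreted here."""
    pol = entity.find("md:Extensions/mdrpi:RegistrationInfo/mdrpi:RegistrationPolicy", NS)
    return pol.text.strip() if pol is not None and pol.text else None


def aggregate(feeds, accepted_registrars, name="federation-aggregate"):
    """Build a federation aggregate from registrar feeds.

    Technical trust comes from the registrar tag; the federation decides only which
    registrars it accepts. Untagged entities have no registrar behind them and are
    dropped, and an entity registered by two registrars is kept from the first feed."""
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": name})
    seen = set()
    for feed in feeds:
        root = ET.fromstring(feed)
        for entity in root.findall("md:EntityDescriptor", NS):
            entity_id = entity.get("entityID")
            if registration_authority(entity) not in accepted_registrars:
                continue
            if entity_id in seen:
                continue
            seen.add(entity_id)
            out.append(entity)
    return out


def entity_ids(aggregate_root):
    return [e.get("entityID") for e in aggregate_root.findall("md:EntityDescriptor", NS)]


def policies(aggregate_root):
    """entityID -> policy pointer, for a consumer that wants to read (not enforce) them."""
    return {e.get("entityID"): registration_policy(e)
            for e in aggregate_root.findall("md:EntityDescriptor", NS)}


if __name__ == "__main__":
    agg = aggregate([REGISTRAR_A, REGISTRAR_B],
                    {"https://registrar-a.example", "https://registrar-b.example"})
    print(ET.tostring(agg, encoding="unicode"))
```

Note that the aggregate stays free of federation policy: which registrars to accept is the federation’s one decision, and the `RegistrationPolicy` URLs survive for consumers to look up, which is the “point to policies but never direct them” split the discussion described.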

A Different Perspective on Identity

Last week, I spoke at the eema European e-Identity Management Conference. Although intended for “those in business, public sector and government who are involved in the policy, security, systems and processes surrounding identity management”, the high price tag of the conference meant it was very business oriented. This led to an interesting focus on mobile identity – an area that we haven’t touched on in much detail within JISC – but also to many concepts that we have been exploring in the JISC arena for some years such as federated identity, identity in the cloud etc. etc.

It was of course very satisfying for me to hear Kim Cameron of Microsoft talking about identity federation, interoperability with SAML, and the Cloud Identity Federation Gateway which is part of recent work at Microsoft, including the Identity Software and Services Roadmap. Cameron described identity in terms of claims based access, with a claim as an assertion that is in doubt. He sees it as the business of identity management to validate that claim. The importance of this in the changing environment is that enterprise systems used to be closed, but are now permeable with many interactions outside of the traditional firewall. These are exactly the issues which the education community has been grappling with through its adoption of SAML.

Kim finished by warning people ‘not to be the only person out there with a fax machine’. Given the focus on SAML at the conference, the adoption of the standard seems a sensible way of not being that person.

Overall, it seems as if the commercial world is in agreement with the education sector on its approaches to access and identity management, and in fact the education sector seems to be ahead in many respects in the route it has chosen. The hot topic of the conference was ‘identity in the cloud’ – my immediate reaction to this is that a fully distributed federated identity system does much of this already. We are in the right place.

(Oh, and in case you’re interested, my slides on the Tao of Attributes are here, with much thanks to Ken Klingenstein for all the input!).

TNC2009: Opening Plenary

Plenary session starts at TNC2009 with a focus on the importance of communities of practice within science infrastructures. This echoes back to the discussions we had in the REFEDS meeting yesterday on the importance of allowing communities to define their identity assurance profiles – I’ve been arguing for some time that this is not something that federations should be in the business of creating as they do not represent a community of practice.

After the usual dry Geant3 stuff, we get on to the session that might explain why I am currently holding 3D glasses in my hands. Jorge Cortell from Kanteron Systems is here to talk about augmented reality – specifically in healthcare. Augmented Reality is being used in the operating room to project very specific scans on to the patient’s body. This means that a doctor knows exactly where they need to operate – saving important time when, for example, removing a difficult to locate tumour. Anchoring points are used to ensure the image is located in the correct location on the patient’s body. This is patient specific – we all have specific anatomical abnormalities. The benefits are less pain, less medication, lower risk, and lower costs.

TNC2009: Buses a-Roaming

The day seemed to start well, when we discovered that all the local bus stops in Malaga were advertising the TERENA conference – a marvellous piece of comms work!


Things started to go less well when we realised there was a local bicycle race on that meant our bus was redirected – and we didn’t know where! In the end, flagging down a local taxi was the only option.

The return back to the hotel was slightly more successful, particularly when it was revealed that eduroam was available on the bus!


A lesson for us in the UK – we are struggling to get eduroam live in the JISC London Office…maybe we can hire Malaga Bus Authorities to do the job for us?

Internet2 Spring 2009: Shibboleth Working Group

Sessions at the Internet2 Shibboleth Working Group are now underway in Arlington.

First up is Russell Beall, presenting on the use of Terracotta for clustering IdPs for high availability. I won’t say much about this now as it is well described here. The presentation is also available online and describes the process well. Given that I have heard quite a few comments on IdPs in the UK falling over lately, it may be of interest!

Major changes and features in Shib2.2 are next, and these are described on the Spaces wiki. Scott Cantor believes that this will be the last major release of the SP for quite some time, and is working towards a June release date.

Two developments within the IdP that may be of interest:

  • “uPortal” n-tier delegation support. More on this tomorrow!
  • The uApprove work will be of interest to those looking at user consent. This allows users to see the information that is being sent to the Service Provider and to make decisions on whether that information should be released. Users can also be prompted to accept a ‘terms of use’ statement. This is available as an IdP plugin. There are some further developments to be done – such as providing user-friendly Service Provider names, rather than EntityIDs. There is also the ability to allow IdPs to create blanket rules around attributes that should never be released to external SPs. The uApprove log maintains an audit trail to prove that users approved the release or non-release of information.
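The pieces described for uApprove above (a consent screen with a friendly SP name, IdP blanket rules that the user cannot override, and an audit trail of each decision) fit together as shown in this added example. It is not uApprove’s code or configuration, nor anything from the Shibboleth project: the list of internal SPs, the never-release-externally attribute set, the display-name map and the attribute values are all constructed, and the rule ordering (IdP rule first, then user choice) is the assumption being illustrated.

```python
import time

# Constructed configuration for a hypothetical IdP (not uApprove's real config format).
INTERNAL_SPS = {"https://vle.home.example/shibboleth"}
NEVER_RELEASE_EXTERNALLY = {"dateOfBirth", "homePostalAddress"}
SP_DISPLAY_NAMES = {
    "https://vle.home.example/shibboleth": "Home VLE",
    "https://journals.publisher.example/shibboleth": "Example Journals",
}


def describe_sp(sp_entity_id):
    """User-facing name for the consent screen, falling back to the bare entityID."""
    return SP_DISPLAY_NAMES.get(sp_entity_id, sp_entity_id)


def releasable(sp_entity_id, attributes):
    """Attributes the IdP is even prepared to offer this SP: blanket rules are applied
    before the user sees anything, so a user cannot consent to a forbidden release."""
    external = sp_entity_id not in INTERNAL_SPS
    return {name: value for name, value in attributes.items()
            if not (external and name in NEVER_RELEASE_EXTERNALLY)}


def consent_screen(sp_entity_id, attributes):
    """Lines a consent page would show: which attributes are offered, and to whom."""
    lines = [f"{describe_sp(sp_entity_id)} is requesting the following information:"]
    lines += [f"  {name}: {value}" for name, value in sorted(releasable(sp_entity_id, attributes).items())]
    return lines


def filter_release(principal, sp_entity_id, attributes, approved, audit_log):
    """Decide per attribute and record every decision (released or not) in audit_log.

    approved: the set of attribute names the user ticked on the consent screen."""
    offered = releasable(sp_entity_id, attributes)
    released = {}
    for name, value in attributes.items():
        if name not in offered:
            decision = "blocked-by-idp-rule"      # never shown, never releasable
        elif name in approved:
            decision = "released-with-consent"
            released[name] = value
        else:
            decision = "withheld-by-user"
        audit_log.append({
            "time": time.time(),
            "principal": principal,
            "sp": sp_entity_id,
            "attribute": name,
            "decision": decision,
        })
    return released


if __name__ == "__main__":
    attrs = {"eduPersonPrincipalName": "alice@home.example",
             "mail": "alice@home.example",
             "dateOfBirth": "1990-01-01"}
    sp = "https://journals.publisher.example/shibboleth"
    print("\n".join(consent_screen(sp, attrs)))
    log = []
    print(filter_release("alice", sp, attrs, {"eduPersonPrincipalName"}, log))
    for entry in log:
        print(entry["attribute"], "->", entry["decision"])
```

The audit entries are what answers a later “did the user agree to this?” question in both directions: a withheld attribute is logged just as a released one is.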

Shibboleth 2.3 ‘may’ include back-channel single logout, more intelligent installation and configuration tools, real-time metadata generation, a clustering solution based on HA-Shib, and SPNEGO authentication.