Category Archives: Access Management

As You Like It Identity at JISC Conference 09

So, we had a great session at the JISC Conference 2009 on identity and both Lawrie and I were extremely pleased with the audience feedback and involvement we had.  I won’t repeat the notes of what was discussed as the very diligent and accurate roving JISC blogger assigned to our session got those and they are here (many thanks for that).

What I will do is to go through what I got out of the session, a few more resources on identity and some of the material we didn’t get to cover.

So, starting on what I got out of the session:

– People are thinking a lot more about identity issues in academia; when we first started talking about identity in groups (a good example being in the first blog post I ever did for JISC), we had a large number of listeners and fewer participants.  Great to see that more people have gone to find out more and are looking at how they need to deal with identity in their area;

– Universities such as Cardiff (thanks to David Harrison for mentioning this at the session) are starting to educate their students on how they need to deal with identity.  It would be useful to have more examples as one of the points raised in the session is that students are a key group to engage with;

– There are many people out in institutions who have a good grasp on the issues that need to be dealt with and an appreciation of what it means for their areas;

– Working with an audience rather than presenting to them can get the most out of a session for both the people leading the session and those attending.  I must admit I was a bit fearful of how this would work given we had a small room that was packed full (Lawrie even gave up his chair!) and it was quite a large group (70+);

– Identity is a complex subject yet it is one that can be approached simply by working with our peers to understand how it will affect how we work in academia;

– We can control our identity and reputation online, which benefits not only us but also our teams, our departments and our institutions.  We need to think at a variety of scales;

In terms of resources, we had a jargon segment to try to explain key terms that are used within identity management.  I’ll stick my hand up to a few admissions:

– These weren’t intended to be ‘absolute’ definitions;

– They aren’t intended to be a comprehensive glossary – there are no doubt omissions but I feel it is best to start small and these are the most common (and often for a new user most confusing) terms that are heard;

– When I wrote them I was writing them for the average learner, teacher or student in an institution – yes they are simplified and lose some of the technical detail;

So, after all the excuses, here are the terms:

Identity credentials – generally a username and password but anything that identifies you as a user.  Also known more commonly as an ‘identity’.

Registration – ensuring that the person who you are issuing a set of identity credentials to is who they say they are.  When we talked about the birth of an identity in the session, registration is when this happens.

Authn – Authentication – re-verifying that the user is who they say they are before they are allowed to carry out an action.

Authz – Authorisation – the process of verifying that someone who is trying to access a resource (be that a paper, journal article, some data or something else) is entitled to do so.

PII – Personally Identifiable Information – anything that can personally identify you or another person. This could be your name or a piece of information about you that could only apply to you.  This is what we most need to protect and ensure is up to date as it can affect our academic reputation.

User-centric identity – the concept of the user being able to control what information (PII or otherwise) they release about themselves and thus control their identity.

OpenID – a technology that came out of the social software world (think blogs and wikis) that allows you to control what information you release about yourself. One of the most popular user-centric identity systems.

OAuth – a new technology that allows applications or sites to carry out an action for a user without handing over user names and password details to another site. The best example is the recent talk over software like Tweetdeck being able to post comments to Twitter on behalf of users.

Federated identity – where a series of bodies that provide identity credentials and a series of bodies that control access to resources get together to agree a common set of rules, so that someone who holds identity credentials from any of the issuing bodies can access resources from any of the bodies that control access to them.

UK federation – the body in the UK that provides federated identity for UK further and higher education.

Finally, here are a few further resources:

– The presentation and notes can be found here;

– allows you to see what information is held about you.  You can equally use Google to do a similar search for yourself;

– tells you more about OpenID and how to get one;

– more information on OAuth and how it works;

– Andy Powell is running a symposium on access and identity management in e-research; more details can be found here;

– JISC’s latest project is producing an identity management toolkit for institutions.  More details on what it is doing can be found here;

I’d welcome comments on this blog, the events blog or tweets tagged with either #jisc09 or #jisc09_id.  We need to keep this discussion going and build on the good work done in the session.  If you have any direct questions on what JISC is doing in access and identity management going forward then please talk with Chris Brown, who is taking over this area from me.

JISC OpenID Report

This morning I got the final copy of this report so I popped it straight up onto the JISC site, which means you can see it around lunchtime if you click here.

We feel this is an important report for the sector as it reviews a technology that we constantly get asked questions about and up to now we haven’t had authoritative answers for.  OpenID is, without a doubt, an important technology but up until now there hasn’t been a comprehensive review of how it could be used in the higher and further education sectors.  This has led to a lot of speculation and rhetoric with very strong advocates for the technology but, equally, very strong critics.  We’re hoping this report will inform the debate, particularly given the project has also developed a gateway between OpenID and the UK federation so those with OpenID credentials can access Shibbolised resources (subject to the resource provider being happy with providing access).

Overall, the conclusions were:
i) there is considerable interest in OpenID in the commercial marketplace, with players such as Google and Microsoft taking an active interest. However,
ii) all commercial players want to be OpenID providers, since this gives them some control over the users, but fewer want to be service providers since this increases their risks without any balancing rewards;
iii) until we can get some level of assurance about the registration of users and their attributes with the OpenID providers, it won’t be possible to use OpenID for granting access to resources of any real value. In other words, without a trust infrastructure OpenID will remain only of limited use for public-access type resources such as blogs, personal repositories, and wikis;
iv) imposing such a trust infrastructure with barriers to the acquisition and use of OpenIDs may be seen to negate its open-access, user-centric advantages;
v) OpenID has a number of security vulnerabilities that currently have not been addressed, but at least one of these is also present in the current UK federation.

The implications from this are:
i) Whilst OpenID does have its security vulnerabilities and weaknesses, some of these are also shared by Shibboleth as it is currently designed. Other technologies may subsequently solve these and therefore this could have implications for the UK federation.
ii) The UK federation as currently deployed has a significant shortcoming which is the readiness of IdPs to disclose the real-world identity of users to SPs (as distinct from providing opaque persistent identifiers to support simple customisation). This is not a technical shortcoming but an operational one. Whilst it is relatively easy to solve, until it is, it limits the applicability of Shibboleth to personalised and other services which need to know who the users are. OpenID does not suffer from this limitation and therefore there might be use for it in some scenarios where trust issues can be resolved.

And, finally, the recommendations are:
i) The UK academic community should keep track of both OpenID and CardSpace identity management systems as they evolve. There is clearly a great demand for a ubiquitous secure identity management system, but no consensus yet as to what this should be.
ii) Now that a publicly available OpenID gateway has been built, publicise its availability to the community and monitor its applications and usage. If usage becomes substantial, consider productising the service.
iii) Consider offering a more secure and more trustworthy gateway registration service for SPs that do not use, or use more than, the eduPersonPrincipalName attribute. This will allow them to use OpenIDs for authentication and a wider selection of eduPerson attributes for authorisation. (The current self-registration service is clearly open to abuse).

I’d welcome any comments on the report and/or gateway.  I think what we need to do is to keep the debate going and share experience to ensure that researchers and learners can get the most of OpenID.

Grant 10/08: Project to Develop an Identity Toolkit

This all sounds a little complex from the title above but I’m really looking forward to some good responses on this grant (started off as a call but has now moved into our new money issuing process so has a different name).  More details can be found here.

For those with quite long memories, the background to this was to take up a recommendation from the Identity Project and provide funding for the development of an identity toolkit that would help universities and colleges with putting in an identity infrastructure. It’s work that has been done at some institutions already, so people like Cardiff, for example, have done a good deal of work in this area.  However, what this grant aims to do is to bring together that good experience and provide it all in one place so that everyone can use it either a little or a lot, dependent on where they are in the cycle of managing identity.

We’re hoping this is going to be a very useful piece of work as more and more institutions are joining the federation and having to address the subject of identity management as part of moving to using the federation to control access to resources.  Whilst it is not going to be a panacea it should form an important part of the future work on identity and access management that is going to go ahead over the next few years.
There’s quite a lot of buzz around Ubiquity at the moment, which is probably most simply described as an attempt by Mozilla to take the mashup out of the domain of the web developer and into the hands of the user.  The product allows a user to create their own mashups without having to be fluent in web scripting and coding; all they need to do is install the appropriate client on their browser (currently Firefox only) and then type in what they want to do.

The applications demonstrated in the demo are fairly simple at this stage but it’s easy to see how they could have quite a lot of use in education to help take the drudge out of some common tasks and to open up what we’re doing about combining services.  So, as an ex social scientist I seemed to spend quite a lot of time combining stats together and then displaying them on a map; it would be great if I had a ‘widget’ that would do that for me and take some of the spadework out.  That then frees me up to do a bit more of the interesting research that I really want to do.

Add a little more and it’s a tool that could become extremely useful.  It’s all built on an open source licence so there is potential for Greasemonkey-type extensions that allow it to be extended further.  We are slowly and painfully seeing the freeing up of data under Open Access and a revival in the citizen scientist as a result (see here).  Then we have tools and standards such as OAuth and OpenSocial that are allowing us to selectively release data about us and permissions to help these services do something for us.

Ultimately, I think it’s worth watching what Ubiquity is doing over at Mozilla Labs because it could start opening up some mainstream avenues for really useful mashup tools that save the researcher and educationalist a lot of time and let them get on with what they’d like to do.

Verisign PIP

Saw this on TechCrunch today and was intrigued.  OK, you are effectively maintaining an identity vault but it further proves yesterday’s post that the bigger vendors are starting to get into identity metasystems, often in a variety of ways.  Given they want to see these succeed commercially then maybe this will be the year when identity starts to get a little easier rather than more complex.

The downsides of Verisign’s PIP (Personal Identity Portal) are that it still seems quite US focused, you have to have an active browser session with PIP for it to work, and there is a limit to which sites it will manage details for.

The upsides are that it works for most of the main commercial sites (such as Amazon, Facebook, LinkedIn), you can have two-factor authentication if you so wish, and it’s Verisign so they’ve got a good background in dealing with security and trust.

In sum, another useful tool in the armoury of identity for the educationalist and researcher, even if it’s not going to be somewhere to store your federation credentials or that digital certificate to get at Grid resources.

Call for Participation: OASIS Identity Metasystem Interoperability (IMI) TC

One of the latest calls for participation that came my way was this one for Identity Metasystem Interoperability.  I’ll fess up now and say this has been sitting in my inbox for a while waiting for me to have a look through it, hence this entry not being quite as current as it could be.

Firstly, what is an identity metasystem?  A good definition can be found (as always) at Wikipedia.  In brief, an identity metasystem provides for a user to be able to manage their identity credentials all in one place.  So, if I’m a researcher and I have a digital certificate, a federation login and access to a wiki or blog through a user name and password, I can manage them off one interface instead of having to remember each set of details.

So what does this mean?  Well, we at JISC put out an ITT for some work looking at exactly the same area and its applicability to higher and further education last year.  We felt at the time that there was a great deal that could be got out of finding appropriate identity metasystems to manage identity for those in education and research as we’re all conscious of the ever-increasing number of identity credentials we get given.  We didn’t get any responses we could fund so it was put on hold until there was more capacity in the sector to respond.

OASIS’s move to form the group is worth a look because it’s showing a wider interest in getting this working after quite a lot of effort from Microsoft to promote CardSpace and infocards.  There is also the work of the Higgins project and Bandit’s DigitalMe, and previous efforts such as at a Burton identity event to show interoperability between all these systems.  Is now the time when identity metasystems will start being used rather than just being shipped with one of the most-used operating systems?  I think time will tell, and that users are taking quite a while to get used to this new thing called identity.  In the meantime, I hope that the TC on identity metasystems is a diverse one that reflects the needs not only of Microsoft but also of a wide range of users, including those in education and research.

It’s all about the Process and Training

If you haven’t read the recent reports on the root causes of government data loss and you deal with personal data at your institution then you really should.  They highlight that whilst the technology was adequate for the job, the training, culture and process were all far from adequate.  If you only read one report, though, then this should be it.  The data handling review gives some good pointers on how process, training and cultural adaptation are vital to ensure that personal data is handled sensitively and appropriately.  It’s a message we relayed through the Identity Project, and as we store more and more personal data about staff and students we need to have measures in place to ensure that everyone who deals with it knows how they should be handling the data, so that the end user gets the experience they deserve and can be secure in the knowledge that their identity is safe.

RSC Eastern Technical Managers Forum Meeting

I was fortunate enough to be invited to the above by Thomas Rochford and it was great to see how much interest there is amongst FE colleges on the subject of identity management.  We had a lively debate on the findings of the Identity Project and specific identity challenges within FE.  There were certainly intakes of breath over some of the findings, particularly those that related to how much money and how many staff were estimated to be needed to deal with identity in HE institutions.  All in all, I think we have a good deal more work to do in FE on identity, but it’s also potentially an area where we could quickly learn lessons that have more general applicability to other areas.  As I said at the event, I would welcome comments on this blog about topics that would be of interest to explore.  My colleague Nicole Harris’s blog entry on the future of access and identity management is also now open ahead of the event on 30th June that will look at future development areas.

Key topics from the conversations were:

– Outsourced identity management and how that could work with existing institutional processes and systems;

– OpenID – what could it be used for?

– Guidance on best practice;

– How you determine and prove that a member of an institution is that member;

– The balance of risk and reward in identity management – how do I determine whether the risk I take on releasing additional functionality is worth the reward that my users get?

Slides from the event are due to be published soon so I’ll link through to those or pop them up on Slideshare.