Category Archives: Identity Management

As You Like It Identity at JISC Conference 09

So, we had a great session at the JISC Conference 2009 on identity and both Lawrie and I were extremely pleased with the audience feedback and involvement we had.  I won’t repeat the notes of what was discussed as the very diligent and accurate roving JISC blogger assigned to our session got those and they are here (many thanks for that).

What I will do is to go through what I got out of the session, a few more resources on identity and some of the material we didn’t get to cover.

So, starting on what I got out of the session:

– People are thinking a lot more about identity issues in academia; when we first started talking about identity in groups (a good example being in the first blog post I ever did for JISC), we had a large number of listeners and fewer participants.  Great to see that more people have gone to find out more and are looking at how they need to deal with identity in their area;

– Universities such as Cardiff (thanks to David Harrison for mentioning this at the session) are starting to educate their students on how they need to deal with identity.  It would be useful to have more examples as one of the points raised in the session is that students are a key group to engage with;

– There are many people out in institutions who have a good grasp on the issues that need to be dealt with and an appreciation of what it means for their areas;

– Working with an audience rather than presenting to them can get the most out of a session for both the people leading the session and those attending.  I must admit I was a bit fearful of how this would work given we had a small room that was packed full (Lawrie even gave up his chair!) and it was quite a large group (70+);

– Identity is a complex subject yet it is one that can be approached simply by working with our peers to understand how it will affect how we work in academia;

– We can control our identity and reputation online, which benefits not only us but also our teams, our departments and our institutions.  We need to think at a variety of scales;

In terms of resources, we had a jargon segment to try to explain key terms that are used within identity management.  I’ll stick my hand up to a few admissions:

– These weren’t intended to be ‘absolute’ definitions;

– They aren’t intended to be a comprehensive glossary – there are no doubt omissions but I feel it is best to start small and these are the most common (and often for a new user most confusing) terms that are heard;

– When I wrote them I was writing them for the average learner, teacher or student in an institution – yes they are simplified and lose some of the technical detail;

So, after all the excuses, here are the terms:

Identity credentials – generally a username and password but anything that identifies you as a user.  Also known more commonly as an ‘identity’.

Registration – ensuring that the person who you are issuing a set of identity credentials to is who they say they are.  When we talked about the birth of an identity in the session, registration is when this happens.

Authn – Authentication – re-verifying that the user is who they say they are before they are allowed to carry out an action.

Auths or authz – Authorisation – the process of verifying that someone who is trying to access a resource (be that a paper, journal article, some data or something else) is entitled to do so.

PII – Personally Identifiable Information – anything that can personally identify you or another person. This could be your name or a piece of information about you that could only apply to you.  This is what we most need to protect and ensure is up to date as it can affect our academic reputation.

User-centric identity – the concept of the user being able to control what information (PII or otherwise) they release about themselves and thus control their identity.

OpenID – a technology that came out of the social software world (think blogs and wikis) that allows you to control what information you release about yourself. One of the most popular user-centric identity systems.

OAuth – a new technology that allows applications or sites to carry out an action for a user without handing over user names and password details to another site. The best example is the recent talk over software like Tweetdeck being able to post comments to Twitter on behalf of users.

Federated identity – is where a series of bodies that provide identity credentials and a series of bodies that control access to resources get together to agree a common set of rules so someone who has identity credentials from any of the bodies that issue them can access resources from any of the bodies that control access to them.

UK federation – the body in the UK that provides federated identity for UK further and higher education.

Finally, here are a few further resources:

– The presentation and notes can be found here;

– allows you to see what information is held about you.  You can equally use Google to do a similar search for yourself;

– tells you more about OpenID and how to get one;

– more information on OAuth and how it works;

– Andy Powell is running a symposium on access and identity management in e-research; more details can be found here;

– JISC’s latest project is producing an identity management toolkit for institutions.  More details on what it is doing can be found here;

I’d welcome comments on this blog, the events blog or tweets tagged with either #jisc09 or #jisc09_id.  We need to keep this discussion going and build on the good work done in the session.  If you have any direct questions on what JISC is doing in access and identity management going forward then please talk with Chris Brown, who is taking over this area from me.

JISC OpenID Report

This morning I got the final copy of this report so I popped it straight up onto the JISC site, which means you can see it around lunchtime if you click here.

We feel this is an important report for the sector as it reviews a technology that we constantly get asked questions about and up to now we haven’t had authoritative answers for.  OpenID is, without a doubt, an important technology but up until now there hasn’t been a comprehensive review of how it could be used in the higher and further education sectors.  This has led to a lot of speculation and rhetoric with very strong advocates for the technology but, equally, very strong critics.  We’re hoping this report will inform the debate, particularly given the project has also developed a gateway between OpenID and the UK federation so those with OpenID credentials can access Shibbolised resources (subject to the resource provider being happy with providing access).

Overall, the conclusions were:
i) there is considerable interest in OpenID in the commercial market place, with players such as Google and Microsoft taking an active interest. However,
ii) all commercial players want to be OpenID providers, since this gives them some control over the users, but fewer want to be service providers since this increases their risks without any balancing rewards.
iii) until we can get some level of assurance about the registration of users and their attributes with the OpenID providers, it won’t be possible to use OpenID for granting access to resources of any real value. In other words, without a trust infrastructure OpenID will remain only of limited use for public access type resources such as blogs, personal repositories, and wikis.
iv) imposing such a trust infrastructure with barriers to the acquisition and use of OpenIDs may be seen to negate its open-access, user-centric advantages.
v) OpenID has a number of security vulnerabilities that currently have not been addressed, but at least one of these is also present in the current UK federation.

The implications from this are:
i) Whilst OpenID does have its security vulnerabilities and weaknesses, some of these are also shared by Shibboleth as it is currently designed. Other technologies may subsequently solve these and therefore this could have implications for the UK federation.
ii) The UK federation as currently deployed has a significant shortcoming which is the readiness of IdPs to disclose the real-world identity of users to SPs (as distinct from providing opaque persistent identifiers to support simple customisation). This is not a technical shortcoming but an operational one. Whilst it is relatively easy to solve, until it is, it limits the applicability of Shibboleth to personalised and other services which need to know who the users are. OpenID does not suffer from this limitation and therefore there might be use for it in some scenarios where trust issues can be resolved.

And, finally, the recommendations are:
i) The UK academic community should keep track of both OpenID and CardSpace identity management systems as they evolve. There is clearly a great demand for a ubiquitous secure identity management system, but no consensus yet as to what this should be.
ii) Now that a publicly available OpenID gateway has been built, publicise its availability to the community and monitor its applications and usage. If usage becomes substantial, consider productising the service.
iii) Consider offering a more secure and more trustworthy gateway registration service for SPs that do not use, or use more than, the eduPersonPrincipalName attribute. This will allow them to use OpenIDs for authentication and a wider selection of eduPerson attributes for authorisation. (The current self-registration service is clearly open to abuse).

I’d welcome any comments on the report and/or gateway.  I think what we need to do is to keep the debate going and share experience to ensure that researchers and learners can get the most of OpenID.


Given this is my second blog entry in as many days you’re either in for a treat or the tedium continues; I leave you to decide.  I’d also add that due to train issues, this and the above entry WERE written separately but offline as there doesn’t yet appear to be a 3G service that provides continuous coverage on the journeys I make; if anyone can suggest one then please comment below.

So, today was IDM2008, billed as an opportunity for those from business and government to get together and share their experiences on identity management.  I was the representative from higher and further education and gave a presentation on Innovation, which outlined what we had done on the Access Management Federation and subsequent developments.

The day featured the following presentations;

– Graham Morrison on getting Kerberos to solve the Home Office’s issues of ‘seamless authentication’ across a range of different systems.  I liked this one for a number of reasons.  The first was that it was using what was already there and proven to work, which I think is important in identity and access management (IAM).  Next, it has been kept simple – you can’t get much more simple than using Kerberos to issue a ticket to authenticate the user (the Ticket Granting Ticket) and a ticket to authorise them to do ‘stuff’ (the Session Ticket or TGS).  Finally, it deals with levels of assurance but only gets into heavyweight biometrics and role-based access control, etc when it needs to;

– David McIntosh (hope I spelt that right) presenting on biometric technologies and SITC.  The former taught me that your ear echoes back any sound that is played into it in a way that is unique to you; interesting but not particularly useful unless you want to biometrically identify someone in a quiet environment.  The latter could be more widely useful to JISC as it is a body consisting of SMEs that would like to engage with universities;

– Jim Slevin on Manchester Airport’s IDM systems.  A very topical presentation as the authentication of a user can now be carried out by National Identity Card, which has caused quite a stir in the papers this morning.  More interestingly, their focus was on delivering a capability, not a solution, which I think we should focus more on.  You can actually do something with a capability;

– Joe Baguely presented on AD as an identity store.  The sub-title was ‘are you mad?’ and I think this summed up many people’s impression of doing this, but Joe presented a very convincing argument to re-use what is already in place with Active Directory (AD) and carried out a rather unsubtle plug for his organisation, which does this and which I am not going to repeat here.  I also quite liked the idea of Segregation of Duties or SOD – I’ve known it as a concept but having an acronym somehow makes me feel so much better;

– Fraud and IDM by Logica.  I quite liked the abstract for this so attended.  I didn’t entirely regret it but found out more interesting facts about fraud than about the business case for IDM, which is why I’d originally gone;

– Dave Nesbitt on how to avoid an identity trainwreck.  Whilst this was saying what we all know (get senior-level sponsorship, agree clear priorities with key users on what is going to be done, deploy iteratively rather than going for a big bang, and remember that it’s the human stuff rather than the technology that is difficult), it’s all worth repeating.  Even the take-home message was worthwhile: ‘IDM is many small projects to constantly improve your infrastructure that never end’;

– David Bowen looked at how identity management worked at Great Ormond Street Hospital.  I didn’t learn much from this but had a sharp intake of breath on the mention that single sign-out is more difficult but more valuable than single sign-in.  On the Shib front I don’t think we are ever going to get there and we shouldn’t be trying given the issues, IMHO;

– Yours truly was next up and if you read this blog and the stuff on what I do on the JISC site then you’re going to know what was presented;

– Conn Crawford went through how local authorities approach identity management but specifically what Sunderland have been doing.  It was great to see Conn again.  He has a knack of connecting up a range of identity management ‘stuff’ to do really valuable things in the community.  What he has done ranges from federated solutions right the way through to user-centric identity management and he was presenting on the Let’s Go Sunderland portal he has put together that allows kids from a disadvantaged background to load up a smart card with activities they can attend.  They have an allowance every month and sign up for activities but the smart thing is that they also tell the portal what they are interested in, which gives the resource providers some anonymised marketing info back and hence an incentive to offer their resources to the scheme.  This is a great example of making personalisation work whilst protecting the individual;

– Alan Coburn presented on Glow, a teaching and learning portal for Scottish schools.  I think the most interesting thing out of this was that schools wanted to sign up for it, hence there were a great number of users, and that they had used Shib but not the federation.  It turns out the latter was due to specifying it before the federation existed;

– Hellmuth Broda had the rather unenviable task of being last up and went through Liberty Alliance.  All very good stuff but nothing new for me.  What was of more interest was his company’s creation of batches of unique codes that could be attached to 2D bar codes, RFID tags and text messages; basically, name a medium and it could be attached.  The potential was huge as these codes linked to specific actions such as vouchers, one-time visits to web sites, etc.  More info on this is at;


Thanks also go to Professor Gloria Laycock, who did a great job chairing the meeting to the extent that we even finished early!  All in all, a useful day and there were quite a few contacts I met during the day that I’ll follow up further.  Well worth a look next year if you are interested in identity management outside the education sector.

New Research Project: Privacy Value Networks

I spotted this on the Oxford Internet Institute Newsletter, which may be of interest to those looking at privacy and identity.

3. New Research Project: Privacy Value Networks

The OII is to lead the £2m Privacy Value Networks project: one of three awarded funding under the Technology Strategy Board’s ‘Ensuring Privacy and Consent’ research programme. It will investigate the way the public thinks about privacy and how organisations can model the costs and benefits of processing personal information.

Project website:

Project PI Dr Ian Brown, said: “Privacy has become a major issue in the UK, with worries about the development of a surveillance society. We are delighted to have this opportunity to carry out research that will ensure businesses and government agencies fully understand privacy concerns, and can provide effective and efficient services that properly deal with them.”

The project will look at privacy in a range of contexts. These include creating a sensor-enhanced Facebook to help understand how students might share or restrict automatically gathered information such as their location, current companions and activity. Researchers will also investigate how families share this type of information using a new mobile phone application, and how it might be used to improve the lives of children and the elderly while protecting their privacy and autonomy.

The project will look at the government’s own use of sensitive personal information in the Identity and Passport Service, and how it is interpreted by staff and passport applicants. It will also work with financial institutions to design privacy-friendly services that reduce the financial exclusion of those with limited or damaged credit histories.

Given it is sponsored by the TSB, who are doing quite significant projects in this area, I think it is one to watch over the next few months.  I feel it has some interesting tie-ins with projects such as FLAME and is going to provide useful input into the future work that JISC are looking to do on identity.

Grant 10/08: Project to Develop an Identity Toolkit

This all sounds a little complex from the title above but I’m really looking forward to some good responses on this grant (started off as a call but has now moved into our new money issuing process so has a different name).  More details can be found here.

For those with quite long memories the background to this was to take up a recommendation from the Identity Project and provide funding for the development of an identity toolkit that would help universities and colleges with putting in an identity infrastructure. It’s work that has been done at some institutions already, so people like Cardiff, for example, have done a good deal of work in this area.  However, what this grant aims to do is to bring together that good experience and provide it all in one place so that everyone can use it either a little or a lot, dependent on where they are in the cycle of managing identity.

We’re hoping this is going to be a very useful piece of work as more and more institutions are joining the federation and having to address the subject of identity management as part of moving to using the federation to control access to resources.  Whilst it is not going to be a panacea it should form an important part of the future work on identity and access management that is going to go ahead over the next few years.


There’s quite a lot of buzz around Ubiquity at the moment, which is probably most simply described as an attempt by Mozilla to take the mashup out of the domain of the web developer and into the hands of the user.  The product allows a user to create their own mashups without having to be fluent in web scripting and coding; all they need to do is install the appropriate client on their browser (currently Firefox only) and then type in what they want to do.

The applications demonstrated in the demo are fairly simple at this stage but it’s easy to see how they could have quite a lot of use in education to help take the drudge out of some common tasks and to open up what we’re doing about combining services.  So, as an ex-social scientist I seemed to spend quite a lot of time combining stats together and then displaying them on a map; it would be great if I had a ‘widget’ that would do that for me and take some of the spadework out.  That then frees me up to do a bit more of the interesting research that I really want to do.

Add a little more and it’s a tool that could become extremely useful.  It’s all built on an open source license so there is potential for Greasemonkey-type extensions that allow further extensions.  We are slowly and painfully seeing the freeing up of data under Open Access and a revival in the citizen scientist as a result (see here).  Then we have tools and standards such as OAuth and OpenSocial that are allowing us to selectively release data about us and permissions to help these services do something for us.

Ultimately, I think it’s worth watching what Ubiquity is doing over at Mozilla Labs because it could start opening up some mainstream avenues for really useful mashup tools that save the researcher and educationalist a lot of time and let them get on with what they’d like to do.

Verisign PIP

Saw this on TechCrunch today and was intrigued.  OK, you are effectively maintaining an identity vault but it further proves yesterday’s post that the bigger vendors are starting to get into identity metasystems, often in a variety of ways.  Given they want to see these succeed commercially then maybe this will be the year when identity starts to get a little easier rather than more complex.

The down sides for Verisign’s PIP (Personal Identity Portal) are that it still seems quite US focused, you have to have an active browser session with PIP for it to work and there is a limit to which sites it will manage details for.

The up sides are that it works for most of the main commercial sites (such as Amazon, Facebook, LinkedIn), you can have two factor authentication if you so wish and it’s Verisign so they’ve got a good background in dealing with security and trust.

In sum, another useful tool in the armoury of identity for the educationalist and researcher, even if it’s not going to be somewhere to store your federation credentials or that digital certificate to get at Grid resources.

Call for Participation: OASIS Identity Metasystem Interoperability (IMI) TC

One of the latest calls for participation that came my way was this one for Identity Metasystem Interoperability.  I’ll fess up now and say this has been sitting in my inbox for a while waiting for me to have a look through it hence this entry not being quite as current as it could be.

Firstly, what is an identity metasystem?  A good definition can be found (as always) at Wikipedia.  In brief, an identity metasystem provides for a user to be able to manage their identity credentials all in one place.  So, if I’m a researcher and I have a digital certificate, a federation login and access to a wiki or blog through a user name and password, I can manage them off one interface instead of having to remember each set of details.

So what does this mean?  Well, we at JISC put out an ITT for some work looking at exactly the same area and its applicability to higher and further education last year.  We felt at the time that there was a great deal that could be got out of finding appropriate identity metasystems to manage identity for those in education and research as we’re all conscious of the ever-increasing number of identity credentials we get given.  We didn’t get any responses we could fund so it was put on hold until there was more capacity in the sector to respond.

OASIS’s move to form the group is worth a look because it’s showing a wider interest in getting this working after quite a lot of effort from Microsoft to promote CardSpace and infocards.  There is also the work of the Higgins project and Bandit’s DigitalMe and previous efforts such as at a Burton identity event to show interoperability between all these systems.  Is now the time when identity metasystems will start being used rather than just being shipped with one of the most-used operating systems?  I think time will tell and that users are taking quite a while to get used to this new thing called identity.  In the meantime, I hope that the TC on identity metasystems is a diverse one that reflects the needs not only of Microsoft but also of a wide range of users, including those in education and research.

Yahoo Fire Eagle Launched

Given the amount of buzz over ‘the next big thing’ in Web 2.0 (or are we now moving to Web 3.0?), which appears to be geo-location, it was inevitable that soon one of the bigger established players would launch a platform.  Hence Yahoo’s Fire Eagle didn’t come as much of a surprise when it launched.  As with all apps that take personally identifiable information, it lets you control how you manage your data and what you share.  In this case you can update the service with where you are and that can then go to other services such as BrightKite that actually use the information.  BrightKite’s probably a good example as it allows users to interact based on where they are and what they are doing and it also pushes location data back to Fire Eagle.  Sites like Dopplr are also on board so you can share information about where you will be that can propagate across sites rather than being trapped in one site.

All this is great for the average busy researcher.  I can see where my colleagues are (providing they’re subscribing; big ‘if’) and arrange to meet up or they can contact me.  The mobile phone service is especially interesting as it simply pushes where I am to my services and there is no need for me to do anything.  Suddenly my social network becomes a hell of a lot more interesting and I’m meeting new colleagues who have similar interests and are in the same location.

The downsides are the usual ones for personally identifiable information (PII).  I’m now not just giving up information on what I am interested in but where I am, and if that’s being pushed out to a variety of services they have that information too.  OK, they can promise that they will delete that information when I ask them to, and Yahoo are very good at giving the option of switching the service off when the user asks for it, but that information is still out there in the public domain.  As we’ve seen recently with the Google/YouTube and Viacom legal case, once a user gives out their attention data into the public domain, it can have unexpected consequences.  In that case, attention data had the potential to become PII just by the sheer volume of it and the openness to data mining to create a unique profile.  Imagine what could happen with geo-location data that has far more potential to uniquely identify an individual.

All in all, though, I think that geo-location services have a great deal of potential in higher and further education.  JISC now have quite an extensive geo portfolio and some of those services, such as Digimap, are already helping researchers whereas some others that are embryonic such as GeoXWalk are very close to providing a service.  Match up, say, GeoXWalk with a geo-tagging app such as Fire Eagle and location-aware instruments and you can then start creating intelligent meta-tags for where data is created as well as when and with what. That could create some pretty exciting new research with derived data, license agreements permitting ;-).

First Look at Facebook Connect App

Facebook have published their first site that uses Facebook Connect.  Called RunAround, it allows runners to track their runs and involve their friends without having to add them manually to the site or fill out registration details.  It’s great to see a practical application for Connect and to also see some good privacy principles operating there as well.  A user has the option to register for the site and go down the site’s registration process or use their Facebook details.  A user then actively consents to release information (in this case one-line stories) and brings the friends that they have on Facebook who have already registered with RunAround with them.  It’s early days yet so I’m watching for other applications of Connect to see how it all pans out and see how sites such as RunAround fare, but this all looks promising for limited disclosure of information to third parties to help the user but not then breach their privacy.

Another related development is Twitter definitely adopting OAuth and Firefox likely to do so too (but straight into the browser).  With Twitter it will mean a much better way of allowing third party apps based on Twitter to carry out actions on the user’s behalf without them having to hand over their username and password.  With Firefox it will allow browser apps to carry out actions on a user’s behalf, which opens up what we’ve wanted to look at in JISC for a while, which is n-tier authentication and authorisation (even if at this stage it looks like being at one level).
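OAuth comes up twice on this page (the jargon entry further up and the Twitter paragraph just above) as the way an application acts for a user without ever holding the user’s password. The following is an added example of mine, not code from the post, from Twitter or from any JISC project, showing the mechanism for OAuth 1.0a, the version Twitter adopted: the client signs each request with a consumer secret plus a per-user token secret, and the resource server recomputes the signature and refuses replays, so the password never leaves the user. The endpoint URL, the user name ‘alice’ and the nonce are constructed; the key strings are the illustrative values from the OAuth 1.0 specification.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlparse

# Constructed sample credentials (the illustrative strings from the OAuth 1.0
# specification), not real Twitter or JISC values; the URL is constructed too.
CONSUMER = {"key": "dpf43f3p2l4k3l03", "secret": "kd94hf93k423kf44"}
TOKEN = {"key": "nnch734d00sl2jdk", "secret": "pfkkdhi9sl3r4s00"}
UPDATE_URL = "https://api.example.com/1/statuses/update.json"


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only unreserved characters stay bare."""
    return quote(str(value), safe="-._~")


def base_string_uri(url):
    """Lowercased scheme and host, default port and query string dropped."""
    u = urlparse(url)
    default = {"http": 80, "https": 443}.get(u.scheme.lower())
    port = f":{u.port}" if u.port and u.port != default else ""
    return f"{u.scheme.lower()}://{u.hostname}{port}{u.path}"


def signature_base_string(method, url, params):
    """method & encoded(base URI) & encoded(sorted, encoded parameter list)."""
    pairs = parse_qsl(urlparse(url).query, keep_blank_values=True) + list(params)
    normalised = "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalised)])


def hmac_sha1(base, consumer_secret, token_secret):
    """Key is consumer secret & token secret: the user's password is never involved."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, body, consumer, token, nonce, timestamp):
    """Client side (e.g. a desktop Twitter client): build the oauth_* parameters."""
    oauth = [("oauth_consumer_key", consumer["key"]), ("oauth_nonce", nonce),
             ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", str(timestamp)),
             ("oauth_token", token["key"]), ("oauth_version", "1.0")]
    base = signature_base_string(method, url, oauth + list(body))
    return dict(oauth + [("oauth_signature", hmac_sha1(base, consumer["secret"], token["secret"]))])


class ResourceServer:
    """Server side: holds the secrets, recomputes the signature and refuses replays."""

    def __init__(self, consumers, tokens, now, window=300):
        self.consumers = consumers  # consumer key -> consumer secret
        self.tokens = tokens        # access token -> {"secret": ..., "user": ...}
        self.now = now              # fixed clock so the example is deterministic
        self.window = window        # tolerated clock skew in seconds
        self.seen = set()           # (consumer, token, nonce, timestamp) already accepted

    def verify(self, method, url, body, oauth):
        """Return the user the token was issued to, or None if the request is rejected."""
        hdr = dict(oauth)
        presented = hdr.pop("oauth_signature", None)
        consumer_secret = self.consumers.get(hdr.get("oauth_consumer_key"))
        token = self.tokens.get(hdr.get("oauth_token"))
        stamp = hdr.get("oauth_timestamp", "")
        if presented is None or consumer_secret is None or token is None or not stamp.isdigit():
            return None
        replay_key = (hdr["oauth_consumer_key"], hdr["oauth_token"], hdr.get("oauth_nonce"), stamp)
        if abs(self.now - int(stamp)) > self.window or replay_key in self.seen:
            return None
        base = signature_base_string(method, url, list(hdr.items()) + list(body))
        if not hmac.compare_digest(hmac_sha1(base, consumer_secret, token["secret"]), presented):
            return None
        self.seen.add(replay_key)
        return token["user"]


def demo():
    """Sign one status update, verify it, then show that a replay is refused."""
    body = [("status", "hello")]
    header = sign_request("POST", UPDATE_URL, body, CONSUMER, TOKEN, "abc123", 1237000000)
    server = ResourceServer({CONSUMER["key"]: CONSUMER["secret"]},
                            {TOKEN["key"]: {"secret": TOKEN["secret"], "user": "alice"}},
                            now=1237000010)
    return server.verify("POST", UPDATE_URL, body, header), server.verify("POST", UPDATE_URL, body, header)
```

Note that the server-side check also rejects a request whose body has been altered after signing, because the body parameters are part of the signature base string.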

A more interesting question is around how people deal with these new capabilities.  We’ve already seen through the Identity Project and FLAME how identity is dealt with in FE and HE and how users’ attitudes to releasing personal information differ, as well as their awareness of what they’re doing.  DPIE 2 revealed that most users would like to have useful tasks done on their behalf with their personal information, such as registration details being filled in for them.  In a world with technologies such as Facebook Connect and OAuth, whilst we have the technology to allow users to retain their own personal information, do they necessarily know how to control this?  I think we need apps such as RunAround so users can get to grips with the technology on a fairly simple level and then do more as they feel more comfortable.  Hopefully we’ll then be in a world where the user doesn’t have to give up the crown jewels of identity and cede their username and password details to be able to do simple tasks such as registration.