FAM09 – Closing session

This session by Nate Klingenstein.

Today’s Federated Identity Challenges:

  • Scaling – especially cross-sector and cross national boundaries
  • Getting the user experience right – not just in Higher Education – is going to be even harder than the challenges we face today.
  • Protocol wars – new, powerful players in the area
  • Levels of assurance and attribute support
  • Reconcilation between consumer and enterprise identity – possibly the biggest challenge

‘The Cardiff Giant’ – a statue discovered in Cardiff (New York). Copied  by P.T. Barnum (covertly) and toured. This all showed:

  • Even a fake can be very popular
  • Fake identites and indentity theft are widely recognized, growing problem

Identity is big business – e.g. Doubleclick (acquired by Google) – serving personalised advertising.

Universities house both applications and identities. They are the natural ‘home’ of much user data – e.g. Courses, titles, grades. Universities also host applications – but increasingly these may not be hosted locally. The important players in Academic Identity are:

  • Government
  • Faculty
  • Applications (Commercial and other)
  • Users

What do Governments want?

  • Privacy laws and their enforcement vary wildly from country to country
    • China and the EU offer useful (and possibly polar opposite) examples
    • A situation that needs careful balancing if there will be meaningful enforcement
  • We need recognition of the social importance of trust – some evidence that trust in financial markets drives economic properity?

What do Faculty want?

  • Good learning resources and tools
  • Students undivided attention (possible issue with using external tools e.g. social networks to deliver teaching material)
  • Freely circulated intellectual property?
  • Stronger intellectual property rights?

What do Commercial Applications want?

  • A userbase to monetize
    • page views, successful completion of login, high retention rates, lost of juicy personal details (hence reluctant to engage with federated access management)
    • licensing fees
    • Advertising is a nice plus

What do Other Applications want?

  • They’re often not sure, and would like you to help them
  • Happy to be out of the usr/pwd trap
  • Varying degrees of control over the GUI and authentication process
  • “Security” and “usability”, vaguely
  • Identity services are critical for “cloud” computing

What do Users want?

  • Studies by JISC, Yahoo!, Google and others show that to get users to use the services you offer:
    • You need consistency, consistency, consistency
    • Bifurcation is confusing, particularly if there’s an email address box or user/pass option (i.e. more than one option)
    • Users have no idea what a domain is
    • Even with coaching, outcomes from typing URL-based identity do not improve
    • Buttons are best, but alternatives are okay

Users understand the difference between a professional account and a personal account, work app and personal app – and can generally select between them. Privacy and security are consistently rated as very important – especially in coutnries with weak privacy laws. However LSE study demonstrated – convenience often wins in practice anyway.

Consumer Identity Today

  • Facebook Connect by far the most successful
    • proprietary protocol, single identityt providers
    • inducements for applications – lots of personal data for targeted ads
  • Twitter comes in second, followed by also-rans

Facebook Connect – on Huffington Post, http://money.cnn.com (the latter only supports Facebook connect for commenting). Some interesting stats on various mechanism for logging into the Typepad blogging platform at http://blog.leahculver.com/2009/11/log-in-or-sign-up-with-openid.html

Convergence between Educational Identity and Consumer Identity – It’s already happening! How soon will your students ask for a ‘Facebook Connect’ login to your VLE?

The level of assurance gravitates towards the lowest common denominator – often basically an email address that doesn’t ‘bounce’. Social Networks include a large level of assurance, as you have lots of people ‘vouching’ for you (although questions about how much this is worth, it definitely isn’t worthless). Maybe ‘strongly vetted’ ID is not what Universities should try to provide. Instead we may want to focus on the attributes:

  • Consumer identity world is rapidly realizing that attributes are key
  • Need to solve problems like attribute aggregation
  • Attribute plumbing from the campus to the consumer Identity Provider – Google is trying the business modle

If consumers opt for Facebook, perhaps this is an opportunity for Universities to stop worrying about the ‘discovery’ problem – even if we worry about the implications of Facebook managing this instead.

Preparing for those futures:

  • Be protocol-agnostic
    • OpenID support in the Shibboleth IdP is a good start
  • Expectations and functionality are driven today by commerce and consumer identity
    • Users unlikely to exert change
    • Faculty will use the best tools available
    • Commercial applications like money
  • Discovery is the real control point – if you present a ‘Facebook Connect’ button at this point, users will click it
    • No single right answer
    • eduID or similarly branded login – this is contentious issue
    • Some people want to stop buttons or dedicated discovery entirely
  • Proactively contemplate partnerships with the other identity sources

Current course excellent – we are doing most of the right things – even if for the attributes and policies alone which is 9/10 the effort and value

IceRocket Tags:

Group Management

This session from Caleb Racey and Richard James from Newcastle University.

  • FAM requires attributes. For example, if you want to offer resources to (for e.g.) a member of the medical faculty – you need to know which users these are.
  • At Newcastle the systems Grouper and Talend provide this
  • Federated identity is a subset of campus identity

Data management is the key to access control:

  • User identity
  • Unit (granularity) of access contorl
    • Department membership
    • Module enrolment

Identity data is aggregated from several different sources/systems across the University.

What is ‘Grouper’?

  • Toolkit to manage institutional and personal groups
  • Collaborative project from internet2
  • API for managing groups
  • UI + web services + shel interfaces to access API
  • http://www.internet2.edu/grouper/

Newcastle use Grouper to provide access control to different resources – wikis, lecture capture system, room book system. They populate Grouper with the institutional

Grouper has a user-facing interface – gives control to the user, enables local teams to manage memberships of groups etc. Grouper then releases it’s ‘”Groups” to Shibboleth as attributes.

Talend is used to structure the data before import into Grouper – there are more details at http://research.ncl.ac.uk/idmaps/videos.php

IceRocket Tags:

FAM09 – Day 2

Opening the second day is Mark Tysom talking about the UK federation.

There are now 765 members of the UK federation, which has now been operating for 3 years. They now have:

  • 74% of UK FE institutions
  • 100% of UK HE institutions
  • 57% of schools in England
  • 100% of schools in Northern Ireland and Scotland

In this context ‘signup’ just means that they have agreed to the Federation rules – it doesn’t mean they are actively participating in the Federation.

Service Enhancements coming:

Details at http://www.ukfederation.org.uk/content/Documents/DevelopmentRoadMap. Today Mark is going to look at the next 6 months or so:

WAYF Review

  • Provide and independent review of the current WAYF login processes
  • Improve the usability and accessibility for all users and enhance the user experience
  • Conduct user tests with a series of sites to assess the usability of the WAYF interface
  • Identify any other direct enhancements to be made
  • Provide prioritised recommendations for next steps and future development by end July 2010

They have engaged an external company to assess usability of the WAYF, getting evidence from talking to users, and observing how they interact with WAYFs/login. Clearly some crossover with studies such as Publisher Interface study – so they are sharing the outcomes of the study with these other projects.

Portal Best Practice

WAYF is a ‘backstop’ solution – i.e. not the preference. The UK Federation encourage the development of ‘portals’ – I’m not quite clear who they think will develop these ‘portals’ and why users will actually come to resources via portals – this just seems like a backward looking idea to me? Perhaps I’ve misunderstood?

Some clarfication on questioning – it seems that in this sense they mean the UK Federation WAYF as opposed to WAYF as a process generally. I think it is key we assume that users will hit resources from the open web rather than via a system controlled by the library or institution.

Statistics Gathering

  • Provide mechanisms to all the operatiors of IdPs and the federation to visualise how the service is being used
  • Provide mechanism to populat an anonymous central database that can store usage data for these services
  • Review existing mechanisms for gathering federation metrics
  • Incorporate solution into the JANET Netsight2 Service

Mark also mentioned they would be looking at Metadata scaling and running a Satisfaction Survey

Now Mark mentioning a couple of policy areas they are going to be looking at – Inter-federation agreements and Eligibility for membership – the latter looking at interest from other sectors such as NHS, Governments, Museums.

IceRocket Tags:

Shibboleth Developments

Chad La Joie – from SWITCH

Shibboleth 1.3 reaches end of life on June 30th 2010 – there will be absolutely no support after this time – so you should be planning to have upgraded to Shib 2.0 by this date!

Next release of Shibboleth IdP is 3.0 – this is not a major rewrite – do not wait to upgrade! Main goal – to clean up APIs hindering new work. Also includes n-tier delegation support and non-browser based authentication.

Discovery Service 2.0

  • incorporation of feedback from JANET funded usability study
  • support for centralised and page-embedded models
  • HTML/CSS/JavaScript that can be dropped into an SP to render a discovery interface

Chad claims that if you give SPs just a snippet of HTML or JavaScript, they are happy to embed it in their interface (not sure about this – what if they get competing demands from different federations)

N-tier delegation

What? – user logs into the portal, and the portal logs into back-end services as the user – this is delegation


  • allow service to log in to the back-end server as the user
  • control which services can impersonate the user
  • keep a complete audit trail of impersonation
  • and other stuff …(sorry, missed this)

Attribute Aggregation


  • aggregate user attribute from home organization and other sources such as professional organizations


  • Allow SP to pull in attribute from multiple attribute authorities (IdPs)
  • use existing attribute release/acceptance policy mechanisms


  • latest SP has support out of the box
  • 2.x IdP has support out of the box
  • currently only identifiers shared by AAs and SPs are supported

Future work

  • determine if non-shared identifiers are usable/supportable
  • determine if IdP aggregated attributes is useful and tenable

How does the SP know where to aggregate attributes from? At the moment can either be hardcoded in SP, or sent from the IdP.

OpenID Support


  • support XRD 1.0, Open ID 2.0, PAPE, Simpler Registration, Attribute Exchange
  • use existing trust layer to create trust between OpenID entities
  • use existing attribute release mechanism


  • XRD 1.0 now out of community review
  • basic support for OpenID 2.0 and PAPE support via proof-of-concept IdP plug-in
  • trust equal to standard deployment of Shibboleth
    • OpenID protocol dos not support certain advanced trust models
  • No SP support planned

Future Work

  • develop real IdP plugin based on IdP v3

Buzzwords: User-centric identity

  • Two views of user-centric identity
    • 1. Purist – all data about a person is property of, should be kept by, and should be released by the person – i.e. OpenID model
    • 2. Identity 2.0: User picks which account and associated data should be used with which service – i.e. Cardspace model
  • But – users aren’t authoritative – or trustable source of, for most of their data
  • most user’s can’t run their own identity provider
  • most user’s have a hard time understanding relationships between attributes and the service provider

The goal should probably be a release consent model added to the Identity 2.0 view – e.g. Shibboleth + uApprove  (http://www.switch.ch/aai/support/tools/uApprove.html)

Buzzwords: Cardspace

CardSpace generally refers to two things:

  • Microsoft’s evolution of Passport in to a decentralized service – know by MS as the ‘identity metasystem’
  • Microsoft’s client for the service is the the only thing that Microsoft calls CardSpace

Primary focus on avoiding phishing.

However – now Microsoft now doing server-side implementation called ‘Geneva’ – which is the non-interoperable, spiritual successor to ADFS. This does not currently interoperate with other products – including MS own Cardspace selector.

MS-hosted ‘cloud’ Exchange, SharePoint and storage service have Geneva support – and SharePoint 2010 will have support as well.

MS have asked Shibboleth team to add Geneva support – which they would do if MS would actually make the specification available!

Buzzwords: OAuth

OAuth is an access delegation protocol:

  • You login to Service B. Service B wants your information from Service A. You login to A, get a token, and give it to B. B uses  the token to get information from A.
  • OAuth is independent of the means by which a user is authenticated of the format of the token
    • so OAuth is orthogonal to federated identity management (although you could use things like n-tier delegation to achieve this)
  • OAuth is current under-specified
IceRocket Tags:

Federated Access: The Library Experience

A three part presentation – first up Sarah Pearson from the University of Birmingham on their experience:

Authentication overview:

  • Mixture of Shibboleth, IP and username/password authentication
  • EZProxy used for off-campus (recently implemented)
  • SSO to Metalib (federated search), Shibboleth and EZProxy
  • Extra sign-on needed between Portal, WebCT and Metalib

Authentication – setup, maintenance and troubleshooting – needs involvement from:

  • Serials Team (Library services)
  • Digital Library team (IT Services)
  • Networks team (IT Services)

Shibboleth implementation relatively straightforward as already had good quality data in directory

Implementation timescale at B’ham

  • Jan 08 – decided to implement Shibboleth for July 2008
  • Jan-Mar 08 – tested current authentication, set up IdP and shibbolized Metalib
  • Mar-Apr 08 – Prioritised ‘Athens only’ resources with Shibboleth
  • July 08 – changed all links in Metalib to Shibboleth
    • decided to retain Athens for 1 year as some resources not supporting Shib
    • Migration of remaining Athens resources to other methods
  • July 09 – ended Athens subscription but implemented EZProxy

Decisions made

  • Athens only and IP/Athens authenticated resources to be moved to Shibboleth
  • WAYFless URLs where possible
  • Shibboleth preferred over IP
  • Shibbolized metalib
  • Extended Athens subscription for 1 yr

Implementation process

  • Contacting service providers
  • Knowing which information to provide
  • Obtaining and testing WAYFless URLs was time consuming
  • Adding new URLs to Metalib (library portal/federated search)
  • Adding notes for specific resources

Issues and Challenges

  • SP discoverability / navigation issues – not everyone comes to the resource from the library website/portal
  • Dual authentication and personalisation
    • Although University of B’ham prefer Shibboleth to IP authentication – some resources us IP as a preference
  • WAYFless URLs
    • different suppliers use different constructions
    • Some support
  • SFX (OpenURL resolver) integration – providers don’t necessarily support deep linking in a consistent or good way
  • IdP downtime – have introduced a single point of failure

Secondly Francis Lowry from Nottingham Trent University

NTU approx 25,000 FTEs across 3 campuses

  • NTU was a early adopter of Shibboleth – in 2005
  • Shibboleth ‘just worked’ – it has been very stable
  • Currently on Shib 1.3, going to upgrade to 2.0 in Summer 2010
  • Shibboleth not a panacea – managing expectations was a big issue – e.g. Shib is not a SSO solution

Now Richard Cross takes up the story from the library side:

  • NTU Library do not talk about ‘Shibboleth’ – may describe the benefits of FAM, but talk about ‘NTU username and password’
  • Personalisation features – issue of migrating from personal settings on remote resources being linked to Athens PUIDs – and needed to migrate to linking to Shibboleth IDs
  • Some resources ended up losing personalisation features
  • Communication with colleagues etc. key
  • Switchover remarkably smooth
  • Customers appeared to find the process quite intuitive
  • No permanent loss of off-campus access to any significant resources

Richard mentions the JISC Publisher Interface Study – incredible inconsistency in how service providers implement and talk about authentication – this needs to change. WAYFLess URLs over engineered, inconsistent syntax – real problem. Particularly OpenURL resolvers need to work with WAYFless URLs

  • Lack of utilities toolkit – reduced usage data
  • No ‘admin interface’, no reporting functionality, no troubleshooting tools
  • Reduced statistics (even at basic level) to previously (when using traditional Athens authentication)

Customer experience?

  • May well remain unimpressed by the delivery of ‘mostly single’ sign-on (but terms and conditions apply)
  • Potential remains for customer confusion about how libraries manage the authentication exceptions
  • WAYFless URLs only work when the user accesses resources via the library – which is not how many people approach resources – coming in from Google and other resources

Don’t expect to be thanked for successful Shibboleth implementation – it is just seen as ‘business as usual’

Closing thoughts (from Francis):

  • Shibboleth is not just as a replacement for Athens Authentication – opportunity for closer more collaborative working across institutions
  • Vision for Shibboleth is more shared resources and services
    • Shared learning environments and resources
    • NTU CV Builder
    • Single framework for access to all university and externally provided services

NTU essentially embraced Shibboleth as a framework for authentication and authorisation across the board – all products they now tender for need to support SAML or similar…

IceRocket Tags:


For the next couple of days I’m at FAM09 – a JISC event about Federated Access Management.

First up Peter Tison (UCISA), and Sarah Marsh (SCONUL) on “Identity and Access as UK Priority”. Peter summarising the move towards federated access management in the UKHE sector over the last few years. JISC outlined a road map, acknowledged the need for institutional effort/resource.

There is still very little implementation of federated access (says Peter) – why?

  • Lack of external resources
  • Lack of internal resources
  • Athens is still there …

JISC review April 2009 – about half institutions using Shibboleth and half OpenAthens (small numbers other).

Within the library Federated Access opens possibility of:

  • Shared services
  • Saving money by targetting subscriptions on specific user groups
  • Integration with OpenID?

Across the institution Federated Access could:

  • Give access to internal systems and external resources
  • Access to 3rd party s/w
  • Access to internal resources from off site
  • Seamless access to external resources

So – Peter says what we need now is:

  • Clear strategic message
  • A benefits/impact analysis
  • A longer road map:
    • solid identity management platform
    • first step as an Athens replacement – but it is more than this
    • identify the internal benefits of single sign-on
    • linking to external resources

Some questions around granularity of access to resources – not necessarily good thing for library resources – however is essential for other types of resources – e.g. finance systems

Second up, International developments by Josh Howlett (Janet).

Now many different federations internationally. However, can have different policies for different data elements – e.g. fallow period for reuse of EduPerson principal name. There are now quite a few projects/intitiatives looking at how you can work across these different federations – e.g. Kantara Initiative – cross-sector identity initiatives

Geant – a consortium of all the European national networks. 37 participating countries. £200million euros over 4 years – big initiatives. Geant is concerned about connecting national networks – not at an institution level generally. eduGAIN is one part of Geant.

eduGAIN goals

  • enable interoperability between national federations by undertaking the necessary technical and policy coordination
  • To build on this interoperability

eduGAIN pilot service use cases:

What will it provide me with?

  • Identity providers: obtain access to services regiestered in other federations
  • Service provider: provide access to identities issued by providers registered in other federations
  • Eurpoe-scale reach at a zero to modest expenditure of effort

What should I do?

  • ensure national federation is aware of your interestedt
  • prepare for SAML 2.0
  • Be ready for October 2010

Finally before coffee Mark Cross about commercial developments

Mark is from OpenID UK.

The institution you are a member of today is only one part of your identity

Roadmap for OpenID:

  • OpenID v1
    • SSO & Delegation
  • OpenID v2
    • attribute exchange
    • PAPE – Provider Authentification Policy Extension
  • OpenID v3
    • Contract Exchange Extension Working Group
    • Increased Security


OpenID going forward. Recent meeting agreed to work on:

  • Integration of OAuth Hybrid into core specifications
  • Looking at supporting email as well as web address (Mark Cross felt this was a divergence from original vision of OpenID)

Big likely implementers of OpenID in the UK – the Telegraph and the BBC

Identity Management is important in its support of a Knowledge Society.

IceRocket Tags: