January 25, 2008

Why federated access management?

In my bunfight post I re-iterated my belief that the move to Shibboleth is the right one for the UK education community.  In his follow-up comment, Owen Stephens questioned this view, suggesting instead that "implementing Shibboleth to allow access to 'library' type resources is putting in a technical solution to a problem that didn't seem to exist...".

I tend to disagree, though I can certainly understand where Owen is coming from.

In her blog, Nicole Harris puts forward the JISC's rationale for moving us down this road:

  • Improve the business decisions made by institutions in relation to identity, access and resource management
  • Increase the commercial choice to institutions in relation to identity and access management technologies.
  • Reduce the impact and cost of vendor lock-in within the JISC community.
  • Embed knowledge within the community, rather than within any one organisation.
  • Place the principles of the JISC Information Environment at the core of the implementation of access management within its community.
  • Move towards a single sign-on environment for UK Further and Higher Education institutions across internal, external, and collaborative resources.

I mainly agree, though I think it's worth looking at each of the points in more detail.

Improve the business decisions made by institutions in relation to identity, access and resource management

I suppose this is true, though I'm not overly clear why business decisions should necessarily get better as a result of the transition.  I suppose the overall thinking is that this move pushes responsibility for identity management back into the institutions, where they can choose whether they implement in-house or outsource to a third-party such as Eduserv.  While this move works against some of the benefit of a 'shared service' approach, it hopefully won't destroy it completely.

Furthermore, I think it is the case that the loss of some management information currently provided by a centralised Athens service but unavailable under a distributed federated model will actually make some business decisions harder?  However, I'm assuming that as a community we will find ways round such problems in due course.

Increase the commercial choice to institutions in relation to identity and access management technologies.

It seems to me that this is the killer reason.  Nobody likes a closed, proprietary solution and moving to an open playing field has got to be beneficial to the community in the long term.

Reduce the impact and cost of vendor lock-in within the JISC community.

I understand the point, though I think the use of 'vendor lock-in' is somewhat unfair, at least in its connotation (and kinda typical of the flack Eduserv seems to have to take).  I never heard anyone complain of being locked in to Oxfam (but, yes, before anyone shouts... I understand the situation is different :-) ). As to 'cost', I'm not in a position to judge.  Is anyone?  What are the costs of this transition, overall?  What will the ongoing costs be, overall?  I have no clue as to whether overall costs across the whole community will go up or down.  That doesn't make me think the transition is a bad idea because I think there will be other benefits - but I wouldn't claim it as a reason for doing it.  Overall, I think that saying "reduce the JISC community's dependency on a single supplier" would have been more honest (and a good reason for making the change).

Embed knowledge within the community, rather than within any one organisation.

I don't strongly disagree with this as an argument in favour of the transition, though I think it is an interesting one to make in the context of the government's 'shared service' agenda.

Place the principles of the JISC Information Environment at the core of the implementation of access management within its community.

Other than the argument about using open standards rather than proprietary ones I don't really get this.  As one-time architect of the JISC IE it doesn't strike me that 'architecturally' there is anything particularly more JISC IE-like about Shibboleth as opposed to Athens.  In fact, one could probably argue that Athens is one of the few things in the JISC IE's notion of 'shared infrastructure' that has delivered anything of lasting value!?

Move towards a single sign-on environment for UK Further and Higher Education institutions across internal, external, and collaborative resources.

Well yes, OK.  Fair point.  Though, as I've noted here before, if, by 'external', one means the full range of Web 2.0 and other services that learners and researchers make increasing use of, then Shibboleth doesn't help in the slightest with single sign-on since it has almost no currency outside the education sector.

Overall then, I disagree with the way much of the rationale is presented, but I concur with the resulting direction.

Comments

I probably ought to post this to Nicole's blog really (perhaps I will later), but I guess that really I'm expressing some frustration rather than expecting any change in direction.

I have to admit that initially I was in favour of the move to Shibboleth and have only in the last year or so come round to doubting the idea. There are perhaps a few issues that have changed my mind:

It's all taken too long - the world moves on, and Shibboleth no longer seems likely to be adopted outside HE in any major way.

The initial 'vision' that sold it to me was that there was increasing need to give access to resources at a more granular level in e-science and e-research - the types of examples given were grid computing resources. But this isn't how Shibboleth is being used at the moment - it is instead being used for resources that don't usually require granular authentication (and where some granular authentication was already possible). In practice e-science is using digital certificates; see http://www.jisc.ac.uk/media/documents/themes/accessmanagement/asmimaescience.pdf and the lessons learned for the problems in using Shib for an e-science service.

AthensDA and AthensSSO have given us 'single sign-on' to the same extent that Shib will.

I can't quite believe the arguments for decentralising what has to be one of the more successful shared services in UK HE. Should we scrap JANET as it causes lock-in, and prevents us developing expertise in our institutions? I suppose the question is whether authentication/authorisation is part of the national infrastructure or not, and to some extent federation argues that it isn't - but I'm not sure - didn't AthensDA give us a reasonable compromise between centralisation and federation?


Finally in Ariadne Iss. 44, there is a report on the 2005 JISC Conference which says of Shib "Its strengths are that it is a robust technology with international acceptance (US, Australia and some European countries). Its weaknesses are that it lacks user-friendly management tools and has relatively unsophisticated authorisation."

Well - the latter is still true as far as I can see, and the former looks relatively weak especially once you raise your eyes beyond the HE community.

Andy, I didn't say Shibboleth was more 'IE' like, I said federated access was. Again with the Shib versus Athens thing.

Federated Access perfectly fits the shared infrastructure services agenda within the IE. Where existing services exist (i.e. identity management within institutions) it doesn't replicate it. Not replicating existing stuff is very IE I thought.

Where services are distributed, it helps join them up by helping them find each other through the WAYF and other such services. A bit like the OpenURL Resolver also does within the IE.

Once they have found each other it helps them talk to each other by using common metadata as provided through the UK federation. A bit like the IESR??

All this is then under-pinned by a policy framework to help enable everyone to play together nicely.

That to me is what shared services are all about. Personally I think the UK government agenda makes the mistake of equating shared services with centralised services. I've always been in favour of keeping the centralised elements to a lightweight minimum.

@Nicole I think we largely agree so don't want to argue unnecessarily. Also didn't intend to put words into your mouth (in fact, I assumed the bullet points were JISC policy statements rather than your words directly - I'm always happy to argue with JISC policy! :-) ).

Anyway, re: JISC IE-likeness or not, your points make sense - though as Owen points out, AthensDA had already removed much of the 'replication' for those institutions that chose to implement it. That leaves the 'open standards' argument which, as I keep saying, is very compelling.

While I'm not sure that I totally agree with your point about shared services, it was very clear from our OpenID event back in October that identity management is something that institutions feel very strong ownership of. I can understand that, and can therefore see that putting ownership of that space more firmly into their hands makes sense.

@Owen, I agree very much with your opening remark - "expressing some frustration rather than expecting any change in direction". In that sense, this discussion is somewhat moot. On the other hand, it helps to let off steam occasionally.

Hi Andy - yes I agree, AthensDA already does this and this is why I am so insistent on talking about federated access and not shibboleth. AthensDA is of course a federated approach and meets that requirement.

I thought I better take responsibility for the policy words seeing as though I wrote them :-)
