Why federated access management?
In my bunfight post I re-iterated my belief that the move to Shibboleth is the right one for the UK education community. In his follow-up comment, Owen Stephens questioned this view, suggesting instead that "implementing Shibboleth to allow access to 'library' type resources is putting in a technical solution to a problem that didn't seem to exist...".
I tend to disagree, though I can certainly understand where Owen is coming from.
In her blog, Nicole Harris puts forward the JISC's rationale for moving us down this road:
- Improve the business decisions made by institutions in relation to identity, access and resource management
- Increase the commercial choice to institutions in relation to identity and access management technologies.
- Reduce the impact and cost of vendor lock-in within the JISC community.
- Embed knowledge within the community, rather than within any one organisation.
- Place the principles of the JISC Information Environment at the core of the implementation of access management within its community.
- Move towards a single sign-on environment for UK Further and Higher Education institutions across internal, external, and collaborative resources.
I mainly agree, though I think it's worth looking at each of the points in more detail.
Improve the business decisions made by institutions in relation to identity, access and resource management
I suppose this is true, though I'm not overly clear why business decisions should necessarily get better as a result of the transition. I suppose the overall thinking is that this move pushes responsibility for identity management back into the institutions, where they can choose whether they implement in-house or outsource to a third party such as Eduserv. While this move works against some of the benefit of a 'shared service' approach, it hopefully won't destroy it completely.
Furthermore, I think it is the case that the loss of some management information currently provided by a centralised Athens service but unavailable under a distributed federated model will actually make some business decisions harder? However, I'm assuming that as a community we will find ways round such problems in due course.
Increase the commercial choice to institutions in relation to identity and access management technologies.
It seems to me that this is the killer reason. Nobody likes a closed, proprietary solution and moving to an open playing field has got to be beneficial to the community in the long term.
Reduce the impact and cost of vendor lock-in within the JISC community.
I understand the point, though I think the use of 'vendor lock-in' is somewhat unfair, at least in its connotation (and kinda typical of the flak Eduserv seems to have to take). I never heard anyone complain of being locked in to Oxfam (but, yes, before anyone shouts... I understand the situation is different :-) ). As to 'cost', I'm not in a position to judge. Is anyone? What are the costs of this transition, overall? What will the ongoing costs be, overall? I have no clue as to whether overall costs across the whole community will go up or down. That doesn't make me think the transition is a bad idea because I think there will be other benefits - but I wouldn't claim it as a reason for doing it. Overall, I think that saying "reduce the JISC community's dependency on a single supplier" would have been more honest (and a good reason for making the change).
Embed knowledge within the community, rather than within any one organisation.
I don't strongly disagree with this as an argument in favour of the transition, though I think it is an interesting one to make in the context of the government's 'shared service' agenda.
Place the principles of the JISC Information Environment at the core of the implementation of access management within its community.
Other than the argument about using open standards rather than proprietary ones I don't really get this. As one-time architect of the JISC IE it doesn't strike me that 'architecturally' there is anything particularly more JISC IE-like about Shibboleth as opposed to Athens. In fact, one could probably argue that Athens is one of the few things in the JISC IE's notion of 'shared infrastructure' that has delivered anything of lasting value!?
Move towards a single sign-on environment for UK Further and Higher Education institutions across internal, external, and collaborative resources.
Well yes, OK. Fair point. Though, as I've noted here before, if, by 'external', one means the full range of Web 2.0 and other services that learners and researchers make increasing use of, then Shibboleth doesn't help in the slightest with single sign-on since it has almost no currency outside the education sector.
Overall then, I disagree with the way much of the rationale is presented, but I concur with the resulting direction.