
February 27, 2008

UK Access Management Federation progress

A news item on the UK Access Management Federation Web site suggests that 210 institutions have now joined the federation and that (quoting Nicole Harris):

to date, 95 per cent of UK Federation members have chosen Shibbolethas [sic] their preferred platform. Shibboleth has proved popular because it is immediately available, easy to customise and well supported internationally. It builds on existing institutes’ structures, can be operated in-house and is subscription-free as it is based on open source software.

That'll be the perfect choice for everyone then!

95% of 210 is about 200... which seems like a very large number to me, though I must confess I don't have any detailed knowledge on institutional intentions in this space.

The list maintained by the federation suggests that there are currently 223 members of the federation (including both institutions and service providers), of which about 41 have implemented one or more Identity Providers (IdP), though the list doesn't make it clear whether each IdP has been implemented in-house using the Shibboleth platform, outsourced to an external service provider or something else.

It's not overly clear what the phrase "have chosen Shibboleth as their preferred platform" actually means in practice.  I appreciate that "chosen" does not mean "implemented", but even so, the numbers are, err..., impressively high.  Reporting numbers is fine, though given the potential confusion about what they mean it might be clearer for all concerned to stick to what has actually been implemented rather than talking about institutional intentions at this stage?  Part of the problem here is that "shibboleth" can be interpreted both as "shorthand for a general technological approach" and "a particular software platform".

As you might be able to tell from my tone here, I do find the messaging and discussions around the Athens to Shibboleth transition somewhat frustrating since they are very often tinged with ideology not just around standards (hey, I'm as ideological as the next person around standards) but also around implementation approaches.  As many readers will know, I've worked with JISC for a long time now and I don't recall any other scenario where a single implementation option has been pushed so heavily.  Having got the standards bit right (i.e. SAML and Shibboleth) it seems to me the time is right to step back and let the playing field level a bit, allowing institutions to make their own business choices between open source, non-profit and for-profit options as they see fit, based on a free flow of information from suppliers.  Why should the JISC care whether institutions join the federation using open source software or something else?  The important thing is to adopt the right standards, is it not?

Now, you are no doubt thinking, "well, you would say that wouldn't you?", and perhaps you are right?  The world probably does look rather different from inside Eduserv than from outside... if nothing else, it is much more obvious how badly others mis-represent our offerings (either by accident or design).  As I say, I feel frustrated by the world as I see it currently.  You can try and cheer me up by telling me the JISC are adopting a completely neutral position in this area if you like, but the cynic in me may take some convincing.  Sorry.




Andy, it is just a fact - actually 94.6% today as the federation membership rises to 231. I can also tell you that 24 members (8.7%) are registered to use an OpenAthens IdP and 0.5% are using Guanxi. There is cross-over because some members (and that includes Service Providers) are using multiple approaches. We are honestly only interested in people using SAML compliant solutions and I think we have a right to be proud of actually making a JISC development work after years of investment. We are also about to bring out a briefing paper on all of the commercial options available to people joining the UK federation...and our previous briefing papers have always made it clear that there are 3 options for institutions in terms of open source, commercial support and outsourcing. JISC itself has made use of a commercial support option to get our IdP in place...so we can hardly be against it as a viable option!

Hi Andy. I believe Nicole is just celebrating the fact that JISC has promoted an open standards-based solution for which open source software is available (and actually works) because that's what the community is braying for (the loudest voices, anyway.) When it was all being tested in the SDSS federation by the "early adopters" I guess Shibboleth was the only solution talked about. But as the deadline for the rest of us to join the UKAMF nears, I haven't felt that JISC has been pushing Shibboleth over the other options. SAAS and outsourcing are becoming increasingly attractive for all sorts of services, and I think many institutions, perhaps the majority of the "late adopters", will opt for OpenAthens.

Speaking only for myself, your last sentence interested me.

"if nothing else, it is much more obvious how badly others mis-represent our offerings"

Perhaps you have a point (if they have been mis-represented to me I wouldn't be aware I have a distorted view)!

For my sins I'm always attracted to IP authentication (with ezproxy). It may be simplistic and with its faults but is easy to support, if someone is off campus and can't access it it is either something missing in our ezproxy cfg or they are not accessing using the correct link.

Athens DA has always been a little more challenging to support, through no fault of AthensDA (it's a good design). The problem could be with the provider, user, our XAP script/authentication of the Athens servers. This wasn't helped with our setup, to comply with licence agreements, only usernames linked with a real person on our personal system could use our e-resources (no exceptions), which meant supplying a test account to Eduserv when there was a problem was impossible.

Why do I say all this? Shibboleth does make things a little simpler (ignoring the WAYF) the actors are the user, provider and us. The OpenAthens approach to access to the UK Fed seemed to imply to would still use the Athens servers and in a sense be an extra layer of technology.

I should add that this wasn't really the reason why we went the route we did, just my own thoughts.

We, like many Universities, are planning to be a Service provider too. Your site doesn't make it super clear if those going down the OpenAthens road can be a UK federation service provider without implementing Shib themselves (as surely not doing it yourself is one of the major points of OpenAthens). It would be somewhat odd to outsource your IdP implementation only to do your SP implementation yourself.

Incidentally I went to the Eduserv site just to make sure I wasn't talking 100% rubbish, I navigated through a link about open athens news, and once and click on the FAQ will lead to this question

Which seems quite positive on SAML/Shib.

Back to the point, I think there was confusion about the whole Shib->Athens gateway. I was expecting Eduserv to announce subscription to the gateway as a standalone (cheap) service, instead it seems to be bundled with OpenAthens (which from my ignorant and ill informed position seems odd as people using OpenAthens seem like the very people who will not need a gateway from Shib to Athens!). I was also half hoping to see Eduserv announce using some of the Foundation money to provide the gateway for free for the first year once the JISC were unable to pay for it. It would have been a good gesture, seems to fit in with the Foundation's aims, and would have got Eduserv seriously good brownie-points! (it's not too late to announce it!)

Finally, in my opinion, the letter to VCs in Jan 2007 didn't help OpenAthens' case. I was at a conference a couple of weeks later, mainly IT people and some Librarians. It seems there was a similar pattern across many (not all) universities. VC receives it and is asked for response. Passes it down until it reaches Library and/or Director of IT. They then pass it down to staff in IT/Library who had to drop everything to provide a response and pass it upwards. And it seems the message that went upwards is "this is basically a bit of marketing they want to know if you are likely to be a customer or not (and are subtly suggesting that we should be)". Net result was IT/Librarians unhappy at having to suddenly research/write up responses to senior management, Directors of IT/Library unhappy at their staff having to do this and Senior Uni Management unhappy at having to process what essentially was an advert for something they had no interest in. Some Universities were quite unhappy!

Having said ALLLLLLL this, I have to say, I wouldn't call Shib perfect by any means :) And not sure it is an improvement for the user experience.


thanks for the long and thoughtful response. Very interesting and you raise some good points, none of which I'm going to respond to directly, though I will try to ensure that people here see the comments.

I was going to add something along the following lines to the original post but decided it was too close to the bone (at this end):

--- cut ---

One of the frustrating aspects of other people mis-representing our offering to the community is that we are quite capable of doing so ourselves :-).

--- cut ---

Oh well, I've said it now (and I can probably cross both JISC and Eduserv off my future employers list!? :-) ) It's not intended to be quite as negative as it sounds. The problem is that several of the terms we need to use in our conversations in this area have multiple meanings... I'm thinking particularly of 'gateway' (athens->shib vs. shib->athens) and 'shibboleth' (technological approach vs. software package). We (Eduserv) compound this further by not having a clearly articulated set of names for the product components that we offer.

For example, what you would probably refer to as the 'Athens to Shibboleth gateway' I would now tend to call the 'OpenAthens Managed IdP' but that terminology isn't yet shared, even within the company. That particular gateway (athens->shib) doesn't really feature in our thinking, at least not as a separate entity on the network, post-July this year. Of course, the other gateway (shib->athens) certainly does feature and your suggestion that we should have used Foundation money to fund it is an interesting one.

We're doing our best... but it takes time to get things straight and I, for one, accept that we could do much better.
