« Education panel at Virtual Policy '08 | Main | SEO and digital libraries »

August 01, 2008

Bye, bye Athens... hello UK Federation

Posted by AndyP at 11:24 01 August 2008 in Access and Identity Management | Permalink

It's a big day today for federated access management in UK academia with "nearly 500 institutions and organisations [completing] the transition to a new open standard SAML compliant access management system and the UK Access Management Federation", many of them using our own OpenAthens offering.

Out with the old (Athens), in with the new (UK Access Management Federation) and all that (at least within education).

The JISC press release on the subject is somewhat disingenuous in not acknowledging the significant role that Athens has played in the UK's academic information landscape over the last 10 years or so.  I don't have the figures to hand but in a way the figures don't matter - the reality is that a very significant proportion of the UK academic community have found Athens to be a fundamental, usable, reliable and robust part of their online experience for a very long time.  I can't take any credit for that because I haven't worked at Eduserv for long enough... but there are people here, a lot of people actually, who deserve significant kudos for what they have achieved in servicability terms since Athens was first funded way back when.

It seems incredible to me that the end of such a fundamental and successful service is not being more overtly and publicly celebrated in some way.  Perhaps it is and I just haven't been invited! :-)

Similarirly, the press release makes no mention of the role that individual members of staff at Eduserv have had in helping with the transition.  Yes, there have been corporate differences of opinion along the way but my impression is that people here have been working hard to make the transition as painless as possible for institutions within the constraints of what is being funded.  It seems to me that you can't transition a service as fundamental as access manangement from A to B without at least some help from those who helped to kept A running smoothly.

In the past three months, membership of the Access Management Federation has risen dramatically as educational institutions and service providers move to take advantage of the numerous benefits of joining.

Well, yes... erm... that's "numerous benefits" as in "shotgun wedding" I presume? :-)

These include improved services to users, easier compliance with regulatory requirements, reduced support requirements and improved data security.

Grand claims... for which I'd like to see the evidence.  I'm certainly not holding my breath!  As I've argued before, I see usability getting significantly worse within the Federation than it has been using Athens, so I'm not sure that I see short-term "improved services to users" - but in the longer term, yes hopefully.  I'm not anti the Federation but I think we have to be honest about where the benefits come from - for me, it's purely about the adoption of open standards, which ultimately will bring benefits for the community - but possibly (probably?) with some short term pain on the way.

Anyway, I'm being churlish again... tonight I will raise a glass (probably on my own!) to the successes of the past and the even bigger successes of the future.  Here's to both Athens and the Federation.

Tags: accessManagement, Athens, identityManagement, OpenAthens, UKAccessManagementFederation

TrackBack

TrackBack URL for this entry:
https://www.typepad.com/services/trackback/6a00d8345203ba69e200e553e42c0a8834

Listed below are links to weblogs that reference Bye, bye Athens... hello UK Federation:

Comments

Thanks for saying this Andy. And for drawing my attention to your post via the JISC-INNOVATION list. Suzanne at www.medev.ac.uk

Posted by: glittrgirl | August 01, 2008 at 01:50 PM

Andy, you are right that the hard work and professionalism of running a service like ATHENS deserves acknowledgement! I've just spent half an hour or so reviewing some of my earlier email conversations with Ed Zedlewski and others, starting in 1995 with general discussions, then in 1996 with the NISS ATHENA service, and then in 1997 its transformation into ATHENS (we thought ATHENA might be confusing because of the very difficult technologies deployed in MIT's Project Athena).

I was then Programme Director for the eLib Programme, and in parallel with those discussions with NISS (EDUSERV's predecessor), we were struggling to choose and specify a standards-based service. ATHENS was proprietary, but it worked, and it gradually won acceptance, particularly for the quality and robustness of its service. Personally I hated the way it was implemented at the user site end, and the horrible separate usernames and passwords, until I moved to Edinburgh where AthensDA is implemented. Since then it works fine; in fact from my point of view it works exactly as I would expect the new service to work.

It has taken the intervening 10 years to get the standard-based service going, and throughout that time ATHENS has grown and developed while maintaining its quality.

So yes: ATHENS, your architects, engineers and implementers, thank you for a great job. Ave et vale!

Posted by: Chris Rusbridge | August 01, 2008 at 03:17 PM

** big disclaimer - I talk only for myself ad not any universities that i have worked for!! **


I'd be interested in knowing more of the history of Athens. Was eduserv or Athens a spinoff from Bath (which you sort of imply from your post)?

Athens needs much praise, especially if it avoided the need of remembering lots of usernames and passwords.

I can't comment much on its history, I can comment on my personal experience.

I did my degree in Computer Science between 96-99. Being a true computer scientist I didn't touch a journal or online resource through-out my degree. I then worked as 'the computer guy' in the University library on finishing my degree. Two of my first jobs were sorting out cd-roms (the pain, the pain) and providing a web searching/browsable interface to online journals (which was quite cool, if you ignore my terrible asp and php skills).

This is when I came across Athens (1999). At the University, Athens accounts were created by hand, not automated (I don't know if it was possilble at the time or if this university just had not gone down the road of automating it), and only for law students. This was for the lexis-nexis software (wasn't web based then) and perhaps westlaw as well. Managing these accounts was a pain, involved support from both the library and the Computer Service.

We also used it for Web of Science (referred to as BIDS then, god bath got its name about!), we used group accounts for this. This worked well, users could access a restricted webpage which told them which group account and password to use for their department. Wasn't as good as other resources as it required telling users about the page they needed to access so that they could access the resource (not so easy when lots of people across campus were linking to the resource).

In late 2002 I moved to Sussex. They used Athens in a much bigger way, and automated username and password allocation as people joined. Annoyingly students would often start using e-resources in their 3rd year by which time they would have long forgotten and lost the email, though I had nothing to do with it.

In 2003 we had a project to implement an 'Electronic Library' with single sign on, using ezproxy and the very new Athens *DA*. I was involved (one of five working on it) but not in a very technical way, more setting up the ezproxy config and library webpages.

see
http://www.athensams.net/libraries/casestudies/casestudy_sussex.aspx

The idea was there would be one place of entry to electronic resources:

(http://www.sussex.ac.uk/library/electronic/)

Which users would authenicate to access (which, behind the scences would do Athens and ezproxy). They could also sign in to the University's home-broewed portal "Sussex Direct" which would also do the required authentication.

This all didn't just rely on LDAP authentication but also looking up the user's credentials in the central database, to ensure they were a full memember of staff or student or FORMAL visitor. This was a bit of a nightmare, the system used fields to determine who was what and doing what role. After the event it became clear that what admin and the schools considered was meant by each field was quite different, and the library wasn't really best placed to sort out the mess. But it certainly lead to a few upset customers.

Unfortunatley 'Home site discovery' did not seem mature enough at the time to be implemented (this was the advice from Eduserv if i recall though i wasn't directly in corrospondance). This was a shame. And for boring reasons never got to the stage where it was implemented here. (so if you go to an Athens protected resource and select Sussex you will just see some contact details).

Over time, we moved away from the original idea, the Electronic Library no longer requires authentication when you enter, but instead when you try to access a resource (only the first one you access), which for me makes more sense and allows others, including Mr Google, to access our pages.

Perhaps the other issue with Athens DA is the element of a 3rd party. Our problem throughout was that we would get a fair number of people having problems accessing resources, the resources were working and there was no pattern to those who could not access them, it just seemed to be a random problem happening to many people.

This lead to troubleshooting issues. Quite understandably Eduserv couldn't help without a login they could use, but the only way to do this would have been to create a dummy person on the personnel system (payroll and all), or someover hack, which others were not keen on. ITS services couldn't really help as they needed specific users/times/dates to trobleshoot, and getting these details from users was never easy. This meant the random trickle of people having problems (often with athens da based resources) were hard to reslolve and often was left to us (me) alone!

So here's the controversal bit, we prefered IP authentication and ezproxy. As a techy, I should prefer the more sophisticated solution, but IP access was easy to understand and troubleshoot, and often very flexible. Are users having problems? Are all users offsite? if so it's an ezproxy issue (use our laptop with modem to trobleshoot) if not it is a general issue with the resource. Troubleshooting could include asking for them to send the URL (to check if it had ezproxy on the front) and fixing was often the case of ensure we had the same cfg as other ezproxy users. For Athens DA the troubleshooting was never as easy (sorry), and involved getting users to send cookie information (not easy) and passing things on to other people (computing, eduserv). There were also issues with deep-linking (though in hindsight this perception may have been due to me being told bad info from others here and not looking/asking around enough)

One year at the beginning of the Autumn term we had massive problems with certain resources such as LexisNexis. lead to embarrassement and stress. We moved to IP authentication and the problems went away.
A year or so later we discovered a problem with our time keeping on the server which ran the Athens DA xap script (with thanks to eduserv for suggesting we check this). Of course, only our own fault, but shows how things can be more complicated with sophistication.

With SFX, which we implemented a couple of years a go, it was easy to add a proxy setup (tick a box and enter a URL), which lead to anyone using our (SFX based) online journals pages using ezproxy and not Athens DA.

So overtime Athens DA became less used here, we still saw its sophistication, but for basic pratical reasons moved towards exproxy.

Moving to Athens DA was interesting. Academics would remember the 'Athens thing' and would request an athens login, especially as they would end up at a resources homepage and see 'enter athens username' (remember we didn't do homesite discovery). trying to explain that they did have a athens login when using our electronic library was a confusing concept for some. Especially as many presumed an Athens login as a 'golden ticket' which would give them access to anything which mentioned athens on its website. In this sense they saw athens as something bigger than an authentication system, more a massive subscription which would give them what they need. And in this sense academics often had a very postive feel to the Athens brand! it gave them access to their precious things.

In summary, Athens was a UK success story, it was a shame it didn't go (fully) global. Global means better support (such as Z39.50 suppport for athens, especially within Endnote). But different Universities had different experiences.

I do agree with Andy that it many ways it is a step back in terms of user expeirence. Thoguh we can often create URLs which have our idp hardcoded in, there are often times that users will need to follow a set link on the resource's homepage to become authenticate via shib. This is confusing and non-obvious. The UK Fed default WAYF is ugly as well!

So well done Athens. I may have had issues, but appreciate its value. Here's hoping that Shibboleth will iron out its issues.

Regards
Chris Keene

University of Sussex
(all this from top of head, may be very very wrong, take with bucket of salt)
PS sorry for length and bad spelling throughout.

Posted by: Chris Keene | August 01, 2008 at 03:22 PM

Have a pint from me Andy - for all the support the eduserve devs gave us when switching to the shibboleth gateway. I'd send it but their site is broken! Perhaps I should offer to shibb it - then again, I don't fancy being attacked by a large, extinct bird screeching that I don't have permission to access my pint ;)

http://www.e-pint.com/sample.php

Posted by: Alistair Young | August 01, 2008 at 03:23 PM

The comments to this entry are closed.

About

Search

Loading

Archives

Categories

Recent Posts

Recent Comments

eFoundations is powered by TypePad