Posted 3 months, 2 weeks ago at 1:06 pm.
Nate Klingenstein from Internet2 is going to bring us to a close with a ‘cynical’ keynote.
Today…
Concept has been proven
Many successful federations covering a variety of sectors and applications
Note the rise of consumer federated identity e.g. Google, Facebook
Scaling internationally and across sectors is a big challenge.
Getting the Discovery, Trust and User Experience problems right is only going to get harder as these federations scale.
Ongoing protocol wars: these will end someday, but not anytime soon. The goal of the Shibboleth project has been to insulate users from these protocols.
Levels of Assurance and Attribute support are another long running problem. Need to reconcile tension between enterprise and consumer identities.
The anecdote of the Cardiff Giant: fakes can be popular and travel faster than the truth. Fake identities and identity theft are a growing problem.
The Consumer Factor
Why have consumer organisations jumped into federated identity? Because it is lucrative. DoubleClick and personalised advertising are still most of Google’s income. The second generation was email companies like Gmail and Hotmail; now Facebook and Twitter are becoming the largest repositories of personal information and have been very successful at monetising this. They have also done a great job of raising user expectations that everything should be free and easy and powered by ads.
Universities and Identities
Universities house both applications and identities and are the natural home for much user data. We may outsource the systems that run these but we are not going to outsource the business capability – it is too core. We also host a number of applications but increasingly not all of them will be locally hosted.
The Important Players in Academic Identity
- Government
- Faculty
- Applications
- Users
“These groups will collectively shape identity in learning over the next 10 years”.
Nate is now unpicking the different perspectives and goals these groups might have.
Governments want strong data protection, assertion and protection of digital identity.
Faculty want good learning resources by the easiest possible route, but they also want undivided attention: do they want social networking in the classroom? There is a tension between stronger IPR and freely circulated intellectual property. Functional IPR is essential to the creation of knowledge, probably not in its current form though. The incentives for creating knowledge are less than previously.
Commercial applications want a user base to make money from; licensing fees and advertising are a nice plus. Other applications aren’t really sure what they want but would be happy to be helped with the username/password problem. They talk vaguely about security and usability. However Identity Services are critical, indeed foundational, for “cloud computing”. Whatever the cloud is, one thing your organisation needs to do is have good identity management and federate that identity.
Users want CONSISTENCY. There is agreement that users want consistency, but huge disagreement as to what that consistency should be. The more screaming there is, hopefully the faster this will get resolved. Users get confused. They like buttons. They do get the concept of work and personal personas and are able to switch between them; they may not want these to be converged. Privacy and security are very important to users, particularly in countries where privacy laws are weaker.
Consumer Identity Today… Facebook Connect and Twitter. Facebook Connect is the most successful consumer identity and is built on a proprietary protocol via a single identity provider. Their inducements for applications are sweet. The key component of both is the news stream. TypePad have been collecting stats on the consumer identities used to log in to their service (and they offer a lot!). 73% are still using their legacy TypePad ID. However in the last month over 62% of new signups have used one of the consumer federated identities on offer. Many consumer applications seem to be promoting three: 1. their own profile, 2. Facebook Connect, 3. Twitter, with other offerings shoved under “more…”.
Convergence between Academic Identity and Consumer Identity?
Google Apps is an example of this. Every Google Apps domain is an OpenID provider. Shibboleth access into Google Apps is possible. Users are being ‘trained’ in their consumer habits … to click on Facebook. Others will be pushing for their buttons to be more prominent. We don’t have a BUTTON we can put on this landscape (seems like this comes back to Rhys Smith’s work on the Publisher Interface Study and the need for an academic identity ‘brand’).
Assurance is gravitating to the lowest common denominator. Non-bouncing email address is the lowest consumer identity provider level of trust. We need to have modernisation of these systems and their Level of Assurances (LoA). We aren’t sure what peer validation of identity like in Facebook provides in terms of assurance.
Consumer world is rapidly realising that attributes are the key. We are going to have to solve the attribute aggregation problem.
There are multiple convergence options
- separate identities, applications, personas
- side by side with extended discovery
- attribute plumbing from campus to consumer providers (Google keen here)
- outsource entirely
Nate is whizzing through this now as he runs out of time. There are a lot of big ideas and key concerns in here, so this presentation is definitely worth revisiting and reflecting on.
How to prepare for the future?
- Be protocol agnostic.
- Expectations and functionality are driven by commercial and consumer identities.
- Users and Governments are unlikely to influence change
- Faculty will use best tools available
- Applications like money
If we want something more benign we have to consider the motivations of these key players and push them towards an outcome we think will be better. Nate is not sure what this better outcome is yet but does say that whatever happens DISCOVERY is the key control point. We need some sort of eduID although opinion divided here, but we must proactively consider partnerships with other identity sources.
Our current course is excellent. Our infrastructure will be key to most possible convergence routes and will be useful. Hence this is a paranoid/cynical presentation but not a downbeat one.
Phew interesting/exciting stuff but that was rapid and brain is definitely full now. Need a lie down/sleep on the train.
So, question: how does all this relate to Microsoft’s Forefront/Geneva? Basically, not sure what lies behind the huge Forefront marketing wall that Microsoft have built up. Internet2 is doing some interoperability testing with Microsoft’s stack. Microsoft wants to get into doing this attribute plumbing.
This was a really interesting event with some good keynotes and mix of parallel sessions, opportunities for discussion and a lot of fun. Thanks JISC … now to go back and wonder what to think and do about it all.
Posted 3 months, 2 weeks ago at 10:48 am.
Federation enhancements and policy development first thing this morning for the survivors of games night last night.
Federation Membership
Federation has been in operation 3 years, is funded by JISC and Becta, has 765 members, 971 entities (596 IDPs, 378 SPs and 3 both) and serves schools, FE, HE and research. 100% of HE are members, 74% in FE, 57% of English schools, 0% of schools in Wales but 100% of schools in NI and Scotland. 20% of total federation members have signed up to the rules but haven’t registered an entity so are classed as inactive.
Service Enhancements
Roadmap is reviewed twice per year to give the community a heads up on what’s going on.
1. WAYF Review
- Independent review of the WAYF login process
- Conducting usability tests to assess usability in the context of the user journey
- Aim is to improve usability and accessibility for all users.
- Prioritised recommendations for next steps by July 2010
- Passed onto Rhys Smith to link into the JISC Publisher Interface Study and to Shib developers working on SP discovery.
2. Portal Best Practice
- WAYF is a backstop, but we are encouraging IDPs to deploy a portal so that users have a consistent method to log in and access resources.
- Expert team will consider technologies and definitions of portal to provide a best practice guide for the deployment of discovery services.
- Possibly also publish brandable codebase.
- Recommendations published by April 2010
(Do users even like the portal discovery route?? Am not convinced telling users to always start from a certain point is how they actually work).
3. Metadata Scaling
- Centralised metadata does not scale. The size of the UK Federation makes this a growing issue.
4. Statistics Gathering
- Federation needs to justify its existence! So…
- Allow IdPs to visualise how the service is used.
- Anonymous central database of usage statistics.
5. Satisfaction Survey
- Canvass opinion
- Create a benchmark of customer satisfaction
- Has the federation met its objectives?
- Highlight areas for improvements.
Inter-Federation
Draft clauses have been agreed for this. Looking for use cases to road-test these policies. Paper going to the UK Policy Board.
Eligibility
Interest from NHS, Government, Libraries, Museums etc. in joining the Federation. Trial memberships are approved by JISC and Becta on a case by case basis on the understanding that future charges will apply. Need to agree and establish policy and come up with a fair pricing model for these other sectors.
Owen is questioning the portal over WAYF approach. The answer is there is no answer to the discovery problem. OK, that rather pessimistic sweeping statement has been qualified to say there is no single answer to the discovery problem; it is being tackled on four fronts and ideally discovery will be solved closer to the SP end than the IDP end. Mark also points out that the portal study came from schools, and for younger learners the portal approach is a good way to direct them to resources. The scope of federation users is incredibly broad, from school children to professional researchers.
Changing my mind now and going to the Access and Identity Management Programme session. Thought this would be entirely the same as the Birmingham briefing day but Chris gave me a heads up last night that there is a bit of new information on what they got for the 08/09 call and some information on a second call coming out in January 2010 which might be of interest. I gave Chris some feedback last night mainly about the timing of the last call. The second call might be better timing for us than the previous call.
The first part of this session covers the ground from the briefing event so isn’t much new. Interesting discussion on user-centric identity as a key theme of the previous call. Lack of evidence that users are bringing their own identity like OpenID and demanding to use it. Nate pointed out that in his keynote later he will point to evidence of use of Facebook and Twitter IDs, but he questioned whether this was user-centric as per the original vision. It is an identity source that exists beyond the user’s relationship with the institution, but is it genuinely user-centric? Nate asked if there was anything happening on consent; Chris said there were no bids for that.
So the themes of the original call were:
- user centricity
- granularity – fine grained access control
- delegation of authority
- n-tier – transferring attributes across systems
- accounting/auditing
The cross-themes were:
- Technology and Tools
- Interoperability
- Use Cases
- Policy
- Licencing
They got 20 bids for the Innovation strand and 1 bid in the Level of Assurance (LoA) strand. Looks like quite a lot on user centric tools and use cases. Most bids for tech and tools and then use cases. Policy surprisingly low given how many people said it was their big issue at the Briefing Day in Birmingham, and it came out as a theme yesterday in the Identity Management Toolkit session. Nicole has suggested that maybe the big call doesn’t help and it needs to be more focused. Maybe, but the big call allows flexibility and creativity; maybe we aren’t creative. I have to say we had ideas in this space and chatted to some at the briefing day about a collaborative bid, but the timing of the call and the overhead a JISC project adds to work in progress were the main off-putting factors.
Is LoA an area that JISC should be funding? Response to this was very low. HE has relatively few use cases that require a very high level of assurance. Grants and student loan information are examples from the US given by Nate. Nate points out that Facebook’s peer approval gives quite a high level of assurance for Facebook identities, but validation by peers isn’t a traditional metric of LoA. Nate suggests that he’d like to see some work on how to define LoA differently; the more chaos, the less useful this gets. It sounds like this is a massively intractable problem.
Posted 3 months, 2 weeks ago at 4:46 pm.
Into parallel sessions now. Firstly I’m with the self-described ‘Uncle Fester’ of the UK Federation (actually Ian Young) and looking at metadata aggregation. Specifically in a multi-federation, or post-federation world and technical approaches featuring various dramatis personae and NOT THAT SAML diagram.
“It is about two entities and a conversation”
Or more to the point two trusting entities … so we’re going to talk about Trust. Specifically Alice, Bob and trust … so couple counselling then.
Trust could mean: “this is Bob” (technical – mediated by metadata)
Trust could mean: “I like Bob” (behavioural – mediated by policy)
“You can only apply policy based on behavioural trust once you have established technical trust”.
Metadata: Publish, Exchange and Consume so there is a protocol for knowing how to send requests and responses. We’ve wrapped this up into a federation but this is only one possible implementation: “The software doesn’t know about federations” – Scott Cantor.
Rethinking federations… they are primarily social structures with technical artefacts, not technical structures. They do not have entities, they are made up of their member organisations and enable communications between entities within their member organisations.
Now our idea of a federation allows the metadata to come from elsewhere, a subset of metadata via another federation for example. If this exchange is direct it works, but it doesn’t scale to keep adding bilateral relationships. So instead within our federation we add a Registrar function and a Publisher function. Alice registers her metadata via the Registrar function; it is aggregated and then Published by the federation. The Registrar function may export the data it receives; the Publisher function may receive metadata registered elsewhere and include it in the metadata it aggregates and publishes. Again this doesn’t really help us scale unless you add in something like a regional aggregator that is not a federation in itself but acts as a kind of hub passing data between federations.
This is important not just internationally but for collaborations like SWan or even subject based aggregators.
Aggregation Engines:
“A configurable building block for metadata networks or metadata layer”
- Subscribe
- Publish
- Aggregate
- Transform
- Consume
Sounds exactly like what we needed for SWan. Transformation makes this quite powerful.
A metadata layer similar to the DNS naming layer.
Scaling
The UK Federation is likely to hit 1000 entities by the end of the year. The metadata file has risen to about 8 MB at the moment. As things get bigger … won’t everything become “too big”?
You don’t need every entity at runtime to know everything about every other possible entity it might want to interact with. Again comparing to DNS and the function of the hosts file: it no longer contains host metadata, which has been pushed out to the decentralised DNS system. Long term, that is the way to go for the metadata layer too.
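As an added example (not code from Ian Young’s talk or the UK Federation), here is a toy Python aggregation engine covering the subscribe/aggregate/transform/publish/consume steps listed above, plus the per-entity lookup idea from the scaling discussion. The two feeds, entityIDs and registrar names are constructed; tagging each kept entity with the registrar it came from uses the MDRPI RegistrationInfo extension element, which is an assumption of this example rather than something the talk described.

```python
"""Toy SAML metadata aggregation engine (added example, not UK Federation code).

Two registrars publish overlapping feeds. The engine subscribes to both,
deduplicates by entityID (first registrar wins, later conflicting
registrations are reported rather than silently merged), transforms each
kept entity by recording which registrar it came from, optionally filters by
role, publishes one aggregate plus a per-entity index, and a consumer looks
up just the one entity it needs at runtime.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MDRPI = "urn:oasis:names:tc:SAML:metadata:rpi"  # assumption: MDRPI RegistrationInfo
NS = {"md": MD, "mdrpi": MDRPI}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def entity(entity_id, role, location):
    """Build one minimal EntityDescriptor for the constructed sample feeds."""
    endpoint = "SingleSignOnService" if role == "IDPSSODescriptor" else "AssertionConsumerService"
    index = "" if role == "IDPSSODescriptor" else ' index="0"'
    return (f'<md:EntityDescriptor entityID="{entity_id}">'
            f'<md:{role} protocolSupportEnumeration="{SAML2}">'
            f'<md:{endpoint} Binding="{POST}" Location="{location}"{index}/>'
            f'</md:{role}></md:EntityDescriptor>')


def feed(name, *entities):
    """Wrap entities in an EntitiesDescriptor, as a registrar would publish it."""
    return f'<md:EntitiesDescriptor xmlns:md="{MD}" Name="{name}">' + "".join(entities) + "</md:EntitiesDescriptor>"


# Constructed sample data: fed-b re-registers Alice's entityID with a different endpoint.
FEEDS = {
    "urn:example:fed-a": feed(
        "urn:example:fed-a",
        entity("https://idp.alice.example/shibboleth", "IDPSSODescriptor", "https://idp.alice.example/sso"),
        entity("https://sp.bob.example/shibboleth", "SPSSODescriptor", "https://sp.bob.example/acs"),
    ),
    "urn:example:fed-b": feed(
        "urn:example:fed-b",
        entity("https://idp.alice.example/shibboleth", "IDPSSODescriptor", "https://idp.alice.example/other-sso"),
        entity("https://idp.carol.example/shibboleth", "IDPSSODescriptor", "https://idp.carol.example/sso"),
    ),
}


def aggregate(feeds, roles=None):
    """Subscribe to several registrar feeds and aggregate them into one document.

    roles: optional set of role element names (e.g. {"IDPSSODescriptor"}) to keep;
    None keeps everything. Returns (EntitiesDescriptor element, conflicts) where
    each conflict is (entityID, winning registrar, rejected registrar).
    """
    out = ET.Element(f"{{{MD}}}EntitiesDescriptor", Name="urn:example:aggregate")
    seen, conflicts = {}, []
    for registrar, xml_text in feeds.items():
        for ed in ET.fromstring(xml_text).findall("md:EntityDescriptor", NS):
            eid = ed.get("entityID")
            if eid in seen:  # same entityID from a second registrar: policy decision, not a merge
                conflicts.append((eid, seen[eid], registrar))
                continue
            seen[eid] = registrar
            if roles and not any(ed.find(f"md:{r}", NS) is not None for r in roles):
                continue  # transform: drop roles this aggregate does not publish
            ext = ET.Element(f"{{{MD}}}Extensions")
            ET.SubElement(ext, f"{{{MDRPI}}}RegistrationInfo", registrationAuthority=registrar)
            ed.insert(0, ext)  # Extensions precede the role descriptors (no Signature in samples)
            out.append(ed)
    return out, conflicts


def publish(aggregate_el):
    """Publish the whole aggregate and a per-entity index keyed by entityID."""
    whole = ET.tostring(aggregate_el, encoding="unicode")
    per_entity = {ed.get("entityID"): ET.tostring(ed, encoding="unicode")
                  for ed in aggregate_el.findall("md:EntityDescriptor", NS)}
    return whole, per_entity


def lookup(per_entity, entity_id):
    """Consumer side: fetch only the one entity needed, not the 8 MB aggregate."""
    xml_text = per_entity.get(entity_id)
    return None if xml_text is None else ET.fromstring(xml_text)


def registrar_of(ed):
    """Which registrar vouched for this entity (the 'this is Bob' trust anchor)."""
    ri = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
    return None if ri is None else ri.get("registrationAuthority")


def sso_location(ed):
    """The IdP endpoint an SP would redirect to after discovery."""
    sso = ed.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    return None if sso is None else sso.get("Location")


if __name__ == "__main__":
    agg, conflicts = aggregate(FEEDS)
    whole, index = publish(agg)
    print(f"published {len(index)} entities, {len(conflicts)} conflict(s): {conflicts}")
    alice = lookup(index, "https://idp.alice.example/shibboleth")
    print(registrar_of(alice), sso_location(alice))
```

The conflict list is the interesting output: when two registrars claim the same entityID the engine has to pick one on policy grounds, which is exactly the behavioural-trust-between-aggregators question Ian lists below as not yet discussed.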
Haven’t talked about:
- Behavioural trust in large systems
- Trust relationships between aggregators
- The discovery problem
Interesting stuff… but will it work?? Or will it just make those problems above that Ian hasn’t discussed even more problematic to the point that the technical architecture is great but the system is unworkable and the experience unusable.
Now John Paschoud on the Identity Management Toolkit project…
“You can’t really do federated access properly unless you do identity management first”. You have to assert user accountability as part of the federation’s rules.
The Identity Management Toolkit is for people like us – and the people we have to sell it to … who may go to jail or face embarrassing questions if we get it wrong.
Is IdM (still) a Key Issue??
Not sure what the answer is going to be … but still both. One of the things is: it’s unglamorous, and it’s both ‘done’ and emerging, because stable use cases may be well known and solved but then new unstable use cases emerge and these too then need solving (of course this comes back to the need to first sort out your Identity Management Architecture: the business, data, technical and governance architecture that surrounds your IdM).
The agreement in the room was that yes, it’s both solved and unsolved … or always half solved.
The Identity Management Toolkit helps you focus on the business case – the drivers for IdM. These have to focus on costs, savings, efficiencies, student experience etc. I’m not convinced that national and international drivers are really a key driver for the business stakeholders.
It is hard to make the business case: the language of identity can get too abstract and philosophical (nooo, surely not??). The solutions are mostly middleware and therefore so are the costs, so no-one notices when it’s working. (And you can’t really get business users to love it like you can with web sites and CRM systems.)
The policy vacuum – policy about IdM is incomplete (or worse). Yes. Although people think it isn’t: people think the policy is known, through process or practice or ad hoc things that people just know, but can you find a written policy? Hmmmm? Well, can you?
The Toolkit project came out of the Identity Project. It started in January 2009 and will launch in March 2010 at the JISC and UCISA annual conferences. It is being produced by Bristol, Cardiff, Kidderminster and LSE, with oversight from UCISA, RUGIT, ISAF, JISC, the RSCs and an independent evaluator.
The tools in the Toolkit are:
- Definitions of IdM terminology and concepts (good. Does it cover different approaches to access e.g. discretionary, role based, claims based?)
- Service Usage Models and how they relate to the rest of the other e-Framework model (interesting and may be useful in providing examples of scenarios and business drivers – but not many of us in the room familiar with the e-Framework model).
- Governance and Policy guidance (good. This is a key area. Does it cover just writing formal policies or organising and tracing business rules and governance structures).
- Guidance and Templates for an IdM Audit of current practice (useful)
- IdM Requirement Specification Guide (ok)
- Gap Analysis guide (ok)
- Preparing an IdM Business Case (good)
- IdM Roadmap for universities and colleges (ok)
- IdM Procurement guide to systems solutions (ok)
Anything on data inventory?? Any workflow or business process models?? No – but they could go in.
Also from the bottom of the drawer:
- example policies
- network/wi-fi access for ‘walk-in’ users (third stream visitors etc).
- IdM related job descriptions
- How to run the ‘Passwords for Chocolate’ test. This was the test they did to see if you could get people to tell you their passwords in exchange for chocolate.
There was a first stab of the toolkit, then road tested on IdM improvement projects at Kidderminster and Bristol. It will be produced in traditional ‘glossy’ documents and interactive online version.
We’re having a vote on what are the most and least important aspects of the Toolkit.
Governance and Policy guide voted the most important (which fits with the outcomes of the AIM funding call that this is the BIG BIG issue institutions are dealing with. It is NOT an IT problem but is a problem of the departments responsible for the source data and for the policy). I voted for concepts and terminology however, because I don’t think you can start talking well about governance and policy and make it a business not an IT thing until you can agree on the semantics and have a common business vocabulary to work with, and business users understand these concepts and how they relate to business events and processes. If these terms and concepts were defined more unambiguously across institutions too then this might help identity and access management become more joined up. The least important was voted as the Service Usage Models for the e-Framework. Not a very JISC-friendly answer. I can see why though. As a business analyst I think these will be useful and will really come into their own as IdM and e-Framework approaches become more mature and embedded, but given the practical problems facing institutions you can understand why these seem too abstract compared to the more pragmatic artefacts (and only 2 of us were familiar with the e-Framework).
Still a good session. Now some open discussions, lightning talks about projects and hopefully the promised beer, as I’m very thirsty!