This website aims to provide initial points and facilities to stimulate discussion, not to carry out a complete survey of all related issues. It contains the following sections:
• A broad statement of the issues being addressed.
• An overview of the current approach to Federated Access Management (FAM) in the UK HE environment.
• A set of brief scenarios describing different aspects of FAM in digital repository environments. The list does not aim at completeness; it is an initial list to provoke discussion.
The scope of the consultation assumes that federated access management is a requirement for repositories; it does not infer this as a solution to previously-identified requirements. This assumption was made by JISC as a pragmatic approach to developing a tentative programme of work, which will be subject to further iterative development. The aim of the consultation is to identify scenarios related to teaching, research and administration, in which repositories are involved and where access management is an issue; and then to gain feedback from people experienced in FAM and repositories about the issues raised. Some of the scenarios relate to identity management rather than to access management per se; however, these scenarios arose naturally out of FAM considerations, and of repositories as service providers within the federation. A key question is how to prioritise the scenarios with a view to future funding programmes by JISC, taking into account criteria such as: importance and urgency, feasibility of implementation, and whether solutions are better implemented within or beyond the scope of the federation.
In addition, there are various projects looking at issues of federated access management, some developing software, others looking at procedures and policies. These projects do not all address repositories in the narrow sense; they do, however, address in various contexts issues that are also of relevance to repositories, and it is useful to consider how we can make best use of the results of this work, and determine which outputs are usable, sustainable, open, standards-conformant, of high quality, generalisable, and so forth. In particular, some projects produce a solution by getting round a restriction imposed by the federation, which leads to consider not only what can be achieved within the federation as it currently stands, but also how requirements arising from the demands of repositories may influence the direction of the federation of the future.
The results of this consultation will be collated into a fuller report on the issues surrounding FAM in digital repositories, which will inform JISC funding decisions.
2. Problem statement
Digital repositories are changing, both in the type of content that they hold and in the ways in which they are used. Earlier exemplars managed relatively simple objects, such as pre-prints and publications, but increasingly institutions are starting to use repositories to manage complex research data in a variety of disciplines, in part as a result of various programmes funded by the JISC . Whereas a major motivation in setting up and populating repositories has been (and is still) to make the results of research available to a wider audience, where possible following open access principles, this broadening of content raises important issues of access management.
In addition, repositories are moving beyond the stand-alone model, towards more sophisticated scenarios in which repositories are integrated components of wider research and teaching infrastructures that incorporate a variety of services, tools and workflows . Digital repositories, although often managed on an institutional basis, are no longer separate silos of data, but form part of a wider ecosystem of dispersed data, services and actors supporting collaborative research and education. New hybrid networks are emerging, where formal documents in institutional repositories stand alongside more informal documents such as blogs and wikis.
As repositories become integrated into such wider networks, we are faced with new access management challenges. Repository architectures have to control access not only to single, isolated systems, but to cross-institutional federations of data and services. Repositories have to be ‘sure’ of the users who access the services they provide, and also of the authenticity of the digital objects they contain. Authentication, authorisation and identity management require policies and mechanisms that work across institutions and jurisdictions. There is a need to examine these requirements, and uses made of repositories and repository services, in the context of the UK Access Management Federation.
3. FAM in the UK: the current situation
Federated access management in the UK higher education community is provided by the UK Access Management Federation for Education and Research , which is supported by JISC and Becta, and operated by JANET (UK), and is based on Shibboleth, a solution that has also been adopted by other national federations, e.g. in the USA, Australia, Germany and Switzerland. Developed by Internet2/MACE, Shibboleth is based to a great extent on the OASIS Security Assertion Markup Language (SAML). SAML 1.0 became an OASIS standard in November 2002, and a major revision (SAML 2.0) was released in March 2005. In essence, SAML is an XML-based language for defining the exchange of authentication and authorisation data, and it also defines functions to create and manage federated networks that combine and appropriately share pre-existing identity information.
Shibboleth supports cross-domain attribute-based authorisation while preserving user privacy. The UK federation allows a participant organisation to join as an Identity Provider (IdP), allowing its users to access resources throughout the federation while managing their identity locally, and/or as a Service Provider (SP), allowing resource managers to control access to restricted resources to users from both within and outside their home institutions.
At a technical level, the Shibboleth mechanism and information flow is essentially linked to the http protocol and to browser-based access. An IdP issues SAML assertions to SPs upon request, and an SP consumes SAML assertions obtained from IdPs for the purpose of making access control. A third component, a WAYF (“Where Are You From?”) service, is set up to broker trust between participating organisations with common needs . At a technical level, the WAYF defines the federation: the SPs that the WAYF will redirect, and the IdPs that the WAYF provides as options.
On a policy level, the federation is wedded to the concept of authorized but anonymous access to resources. The only attribute that an IdP in the UK Federation is obliged to release is eduPersonScopedAffiliation, which, for example, may indicate that a person is a staff member at King’s College London, although already some services require more information to be released from an IdP . There is some requirement on traceability from the SP to the IdP: it is possible for an SP manager to identify, from the Session Identifier associated with an access, the IdP with which the user is associated. The federation rules require the IdP to take action if the user misuses privileges, but still the user’s anonymity is maintained. Optionally, if the institution subscribes to Section 6 of the Federation rules , institutions can offer stronger identity assurance.
As well as being subject to release restrictions, with a view to preserving anonymity, personal identifiers used within the federation are also not persistent. There are two commonly used attributes that can identify an individual: eduPersonPrincipalName and eduPersonTargetedID. The former is commonly regarded as the federation equivalent of a username, and typically resembles an e-mail address, combining a locally unique identifier with a domain to indicate the scope of the identifier. For the privacy reasons mentioned above, this attribute is not in general released to SPs. The latter is an opaque identifier that provides an SP with a unique identifier for an individual while maintaining that individual’s privacy. The eduPersonTargetedID attribute is unique for each combination of person and SP, and will be the same each time that person returns to the same SP.
However, in neither case is the attribute persistent in the long term; the values can be re-assigned to other users after 24 months, or even earlier if the user’s organisation does not subscribe to Section 6 of the Federation rules. Moreover, they are local to the individual’s institution – if a user moves institutions their identifiers will change, and there is no way of linking them – and moreover there is no guarantee that a value will not be reassigned at some point in the future – thus at different times the same attribute value will correspond to different people. While this is not an issue when managing access to library-style resources, it is important in other scenarios. The federation is aware of the need for a rule preventing such attribute re-use, but currently many institutions would be unable to meet such a requirement.
The Federation encourages publication only of the four standard attributes that it defines as core: eduPersonTargetedID, eduPersonPrincipalName, eduPersonEntitlement, and eduPersonAffiliation . Note also that the values assigned to eduPersonAffiliation can have different levels of granularity, e.g. an institution can publish “staff” and “student” or just “member”. The values of eduPersonPrincipalName are to some extent standardised but require common interpretation within the Federation. The values of eduPersonEntitlement are more open-ended (but see (ii) in next section).
Initially, much of the use made of the UK federation was based around the model of managing web browser (read) access to online, library-type resources (often from publishers), as a federated successor to the Athens system. Shibboleth was, however, developed (in the US) with a view to using it in a variety of institutional applications, and there are now a number of other sorts of application using Shibboleth, for example blogs, wikis, video-conferencing and e-mail systems; although, at least in the UK, such applications are not made available via SPs within the federation, but are used purely within the institution . There is also increasing support for Shibboleth-managed access to other, non-publisher, resources, for example JISCmail, JORUM, Google Apps , iTunes U (supplying access to online course content), DreamSpark (supplying Microsoft development tools to students) .
However, digital repositories were possibly not high priority when the federation was set up, and people are increasingly struggling against the set-up of the federation to make it do what they want to do. In these circumstances, it seems to be an appropriate time to identify and spell out these use cases and requirements.