I've never been a banned author before!  I feel all rebellious :-)  I've copied the text of the blog below. 

Last week, I chaired the consultation meeting for the EC AAA Study that is being led by TERENA with a consortium of partner organisations across Europe. The focus of that report is access and identity management for researchers specifically, but a lot of the comments at the meeting are very applicable to federation as a whole. The report from TERENA is not too long and is currently open for consultation, please do feedback to the team if you can.

One of the things that struck me at the meeting was a comment from David Kelsey on the oxymoron of ‘Identity Provider’ as a name. David pointed out that one of the last things that Identity Providers in our community do is provide identity information, and I think this is a very fair point – we are currently sticking to the modern day equivalent of name, rank and number. I don’t have any detailed information on the attribute release policies of members of the UK federation, but I am fairly certain that most do not release much more than ScopedAffiliation (i.e. staff@…, student@…) and TargetedID (an opaque identifier). I think there are several reasons for this:

  • The UK federation rules only specifically mention 4 attributes. These are intended to be a minimum set of attributes to support, but have become by default a maximum.
  • Major concerns about the data protection act make most institutions very reluctant to release any data at all. It is better to do nothing than fall foul of the law.
  • Although there was a real buzz around getting federated access implemented in 2007 – 09, there has not been enough follow up to really exploit the uses that attribute management can be put to. IdM is not being prioritised in the current funding climate within institutions.
  • There are not sufficient tools in place to delegate attribute management and population well across the institution, which is desperately needed for the process to work effectively.
  • The UK has focused on the publisher use case, and publishers are not asking for more complex attributes. There is a catch-22 for other scenarios where researchers, for example, are not using federations because they don’t supply attributes and institutions aren’t providing attributes because they do not see the demand.

There are a couple of efforts under way to try and address this problem and encourage institutions to a) more effectively manage their attribute release policies and b) feel confident releasing attributes to certain groups. One is being led by the edugain team and is called the ‘Code of Conduct’. The idea is that Service Providers will be able to self declare that they will abide by a conduct statement when it comes to handling attributes. Compliance with the code will be registered in metadata and the intention is that the presence of this flag will give IdPs more confidence in passing information to the SP. There is a consultation open on this at the moment and edugain would really like to hear from Identity Provider organisations in particular.

Another approach is more local to the federation. The idea of ‘SP categories’ is that when joining the federation, an SP can ask to be added to a certain type of category described by the federation. This might be, for example, ‘student services’ or ‘scholarly publishing’ or ‘research and scholarship’. The federation would provide some minimal vetting, and on completion would assign the SP to that group. IdPs would be asked to automatically release attributes of a certain type to all members of that group. InCommon are currently piloting this approach.

So will either of these processes work and help us to build a richer attribute economy? The Code of Conduct is a clean approach that has the backing of lawyers involved in the project, and is easily described and actioned in current metadata. However it still requires IdPs to have a separate interaction about the attribute requirements of each and every SP, and I am not sure if there is much incentive for SPs to volunteer to sign up to such an agreement.

Member categories are nice as they would allow a simple way for IdPs to manage attribute release for large groups of SPs, but it will have its limitations in attempts to make the groups manageable. It also introduces a new overhead for the federation and its member SPs at point of registration, and it could be difficult to retrospectively get existing members to sign-up to categories.

I’d be really interested to hear from Identity Providers in the UK as to whether either of these approaches would convince them to provide richer attribute release, what we could do to help facilitate this and any other ideas you might have in this space. I’d also encourage you to reply to both of the consultations I mention in the post as they would love your feedback.
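
The two proposals above both come down to an IdP keying its release policy off a tag in federation metadata. The following is an added example (my own sketch, not code from the blog post, the UK federation, eduGAIN or InCommon) of how such a policy could be evaluated: an SP carrying a category tag gets that category's bundle, an SP carrying the Code of Conduct tag gets only what it lists as RequestedAttribute in its metadata, filtered by a local allow-list, and everyone else gets the ScopedAffiliation/TargetedID baseline. The category URIs, the bundle contents, the allow-list and the metadata aggregate are all assumptions constructed for the example; the post names none of them.

```python
"""Category-driven attribute release for SAML SPs, evaluated from federation metadata.

Added example: not code from the post or from any federation. Category URIs,
bundles, the allow-list and the metadata below are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENTITY_CATEGORY = "http://macedir.org/entity-category"
# Assumed category URIs (REFEDS R&S and GEANT CoC v1 as published; verify against current specs).
RESEARCH_AND_SCHOLARSHIP = "http://refeds.org/category/research-and-scholarship"
CODE_OF_CONDUCT = "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"

# The 'name, rank and number' baseline released to every SP.
BASELINE = frozenset({"eduPersonScopedAffiliation", "eduPersonTargetedID"})
# Assumed bundle for the research-and-scholarship category.
RS_BUNDLE = frozenset({"eduPersonPrincipalName", "mail", "displayName", "givenName", "sn"})
# Assumed local allow-list: what this IdP will give a CoC SP that explicitly asks for it.
COC_ALLOWED = frozenset({"mail", "displayName", "givenName", "sn"})

# Constructed metadata aggregate: a plain publisher, an R&S-tagged SP, a CoC-tagged SP.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://publisher.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://wiki.research.example.org/sp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://portal.example.net/sp">
    <md:Extensions><mdattr:EntityAttributes>
      <saml:Attribute Name="http://macedir.org/entity-category" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>http://www.geant.net/uri/dataprotection-code-of-conduct/v1</saml:AttributeValue>
      </saml:Attribute>
    </mdattr:EntityAttributes></md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AttributeConsumingService index="1">
        <md:ServiceName xml:lang="en">Example portal</md:ServiceName>
        <md:RequestedAttribute FriendlyName="mail" Name="urn:oid:0.9.2342.19200300.100.1.3" isRequired="true"/>
        <md:RequestedAttribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241"/>
        <md:RequestedAttribute FriendlyName="eduPersonEntitlement" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"/>
      </md:AttributeConsumingService>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def entity_categories(ed):
    """Set of entity-category URIs asserted for one EntityDescriptor."""
    cats = set()
    for attr in ed.findall("md:Extensions/mdattr:EntityAttributes/saml:Attribute", NS):
        if attr.get("Name") == ENTITY_CATEGORY:
            cats.update(v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text)
    return cats


def requested_attributes(ed):
    """FriendlyNames the SP lists as RequestedAttribute (a real policy would key on the OID in Name)."""
    path = "md:SPSSODescriptor/md:AttributeConsumingService/md:RequestedAttribute"
    return {ra.get("FriendlyName") for ra in ed.findall(path, NS) if ra.get("FriendlyName")}


def release_policy(categories, requested):
    """Attributes the IdP releases: baseline, plus a bundle or a filtered request depending on the tag."""
    released = set(BASELINE)
    if RESEARCH_AND_SCHOLARSHIP in categories:
        released |= RS_BUNDLE
    if CODE_OF_CONDUCT in categories:
        # Release nothing the SP did not ask for and nothing outside the local allow-list.
        released |= requested & COC_ALLOWED
    return released


def decide(metadata_xml):
    """Map every entityID in an aggregate (or a single EntityDescriptor) to its release set."""
    root = ET.fromstring(metadata_xml)
    single = "{%s}EntityDescriptor" % NS["md"]
    descriptors = [root] if root.tag == single else root.findall("md:EntityDescriptor", NS)
    return {ed.get("entityID"): release_policy(entity_categories(ed), requested_attributes(ed))
            for ed in descriptors}


if __name__ == "__main__":
    for entity_id, attrs in decide(SAMPLE_METADATA).items():
        print(entity_id, "->", ", ".join(sorted(attrs)))
```

Run as a script it prints one line per SP: the publisher gets only the baseline pair, the research SP gets the baseline plus the bundle, and the CoC SP gets mail and displayName but not the eduPersonEntitlement it asked for, because that is outside the IdP's allow-list. The point of keeping the baseline, bundle and allow-list as plain sets is that the policy becomes reviewable data rather than a per-SP negotiation, which is the manageability argument made for categories above.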


On 17/07/2012 11:32, David Perry wrote:
Hi Nicole

I would read this but work have banned the blog as 'social networking'. Websense has some strange ideas about what is 'acceptable'...

Dave

David Perry
eContent Developer, eLearning Team (L34 - Library)
Hull College
Wilberforce Drive
Queen's Gardens, Hull
HU1 3DG
Extension 2230 / Direct Dial: 01482 381930


* * * Think about the environment - Do you really need to print this email?

>>> Nicole Harris <[log in to unmask]> 17/07/2012 11:30 >>>
Hi All

I don't normally push my blog pieces on to this list as I'm sure you all 
have better things to read, but I've just written a piece where we are 
specifically looking for feedback on ways to encourage richer attribute 
release: http://access.jiscinvolve.org/wp/name-rank-and-number/.

I think it is fair to say that we are not currently exploiting the full 
potential of federated access by mostly sticking to a very limited 
release of attributes to all Service Providers.  The blog post above 
talks about 2 ideas to improve this:

1.  Asking Service Providers to sign-up to a 'Code of Conduct' to give 
IdPs more assurance of the behaviour towards personal data, and;
2.  'SP Categories' to which a federation would assign SPs, with IdPs 
being given the option to release a standard set of attributes to the 
group.

We'd be very interested in feedback on these proposals and any other 
ideas you have on attribute release and management within the UK more 
generally.

With many thanks

Nicole



-- 
-------------
JISC Advance
Brettenham House
5 Lancaster Place
London WC2E 7EN

phone: 02030066040
skype: harrisnv
twitter: @nicoleharris