Guidance on access management
Managing access to resources is a complex issue and institutions have a number of factors to consider when deciding their short and long term strategies. The following is intended to provide independent advice to assist institutions to come to their own conclusions and develop their own plans. It is hoped that, in due course, the advice will be supplemented by case studies as the community gains more experience in access management. The following has been produced by UCISA with input from both Eduserv and JISC and is available for download as a PDF here.
Date of issue: 27 March 2008
Updated: 17 April 2008 to include an additional reference to the JISC briefing paper on available solutions.
Updated: 23 May 2008 to include links to the two JISC/SCONUL briefing days. The briefings include a number of case studies.
Updated: 21 July 2008. Those institutions that are currently subscribed to Athens but have not committed to OpenAthens from 1 August should review the information on the Eduserv website.
Updated: 5 August 2008. Results of the landscape survey carried out on access management solutions published.
Updated: 11 August 2008. Latest statement from JISC on the future support arrangements.
Updated: 7 January 2009. JISC issue a press release on the support arrangements.
Guidance on Athens and Federated Access
UCISA notes, with regret, that JISC and Eduserv failed to reach agreement on the funding of the Athens gateways from 1 August this year. Since news of this first broke, UCISA has received a number of requests for independent advice to assist institutions to come to their own conclusions. The following is intended to lay out the options available; it has been compiled from UCISA’s initial draft and input from both Eduserv and JISC.
Although the variety in the sector means that it is not possible to offer generic advice applicable to all institutions, it is worth making the following general points:
- Responsibility for access management has in many institutions migrated from the Library to the IT or MIS function. A successful solution will require close collaboration between these departments.
- A full audit of the eResources an institution uses, the methods of access both available and currently used, and the scale of access by different classes of user (e.g. walk-in users, “in house” access, distance users etc.) is a prerequisite to establishing the best method or combination of methods for your institution in the long term.
- Institutions may implement short term solutions whilst they assess the options available to them.
- Both Eduserv and JISC are committed to open standards.
- OpenAthens is one of a number of SAML-compliant solutions that will allow operation with federated resources. A JISC briefing paper providing a summary of third party solutions is available.
- It will be necessary for all institutions to join the UK Access Management Federation (UKAMF) even if the long term solution is to outsource the technical component of identity management to a third party provider. The reason for this is that the Federation is based on trust; institutions will be the root providers of identity for their users and as such will need to provide guarantees that they will provide accurate data, and observe best practice in relation to the exchange and processing of data. Although it is necessary to join the Federation as a legal organisation, it is not necessary to join as an entity (i.e. an identity or service provider) if you are intending to subscribe to an outsourced identity provider. You will however need to nominate your provider (see http://www.ukfederation.org.uk/content/Documents/JoinFederation).
- The adoption of SAML-compliant technology such as Shibboleth can provide significant internal as well as external benefits including opening up the possibility for institutions to use the same technology to control access to internal resources (e.g. a VLE or student portal) or to make internal resources available to others (e.g. a subject portal).
- Access management is not just a technical problem; there are significant organisational, information management and governance issues that will need to be addressed in order for institutions to be able to accurately assert who their members are.
- There are many factors that will affect your institution’s long term decision. These may include the cost of implementation and maintenance and the cost and take up of resources.
As Athens is not going to be funded by JISC beyond 31 July 2008, institutions will need to take some action in order to guarantee access to eResources beyond that date. However, it is not essential to carry out a significant amount of work in the coming months. The simplest solution currently available is to sign up to OpenAthens for the year. This should allow you to continue to access the resources you currently use. Note that other solutions may emerge over the next few months. One alternative is to use a web-proxy referral service such as EZproxy. If you have already made a significant investment in such a service, you may find that your best option is to seek to ensure that all your resources can be accessed via such a service.
However, over the course of time (immediately if you are looking to make changes in the summer), the first step that must be taken is to carry out a rigorous and in-depth analysis of the eResources that you use and record the method of access available to them and which you currently use. Note that the JISC Access Management Team have offered to assess the eResources you use and give you a clear picture of access management solutions available for your particular institution. However, it should be noted that some resources may be accessed in different ways for valid business reasons (such as provision for walk-in access) which the JISC Access Management Team may not be aware of and which may influence your business decision.
If all your eResources are federated and you are not a member of the Federation, then your best route is probably to join the Federation and implement a SAML-compliant technology (Shibboleth is one such technology and probably the most widely known) to access your eResources as soon as possible. [This is not as difficult as some might tell you and help is at hand within the community from institutions and the JISC.]
If you have a large number of eResources (mixed methods of access) and you have NOT implemented a SAML-compliant technology and joined the Federation, you are probably best advised to choose OpenAthens as your immediate solution. You should also start to implement a SAML-compliant technology to gain experience of that method of access and to help inform your long term decision.
Alternatively, if you have a large number of eResources (mixed methods of access) and you are already using a SAML compliant technology your choices are more open, but should be guided by the result of your audit:
i) If you have also implemented a web-proxy referral service (WPRS, e.g. EZproxy, for off-campus access) then the decision will depend upon the balance of federated to IP-authenticated resources. If the balance is heavily towards the latter then implementing OpenAthens would seem the best short- to medium-term option. If it is towards the former then configuring the WPRS to handle a small number of eResources would be best. [NB: a significant amount of staff time in testing, and some additional resourcing, is needed to carry out this transfer and make the infrastructure robust, resilient and dependable.] It is also worth noting that some resources for which access is restricted (e.g. “for use by medical students only”) may require the institution to provide authenticated accounts and to log usage.
ii) If you have NOT implemented a WPRS, you could rely on a national WPRS service (other than the Athens Gateways) but you should consider whether any other service provider (i.e. JISC) is able to provide an infrastructure as robust and resilient as that provided by Eduserv. If you have any doubts, it might be better to opt for OpenAthens.
If you have a small number of eResources and you have already implemented a SAML-compliant technology, your choices are as follows. If they are all federated then joining the Federation offers the best route forward. If not, and the number of eResources that are IP-authenticated is small, you might be best advised to implement a local WPRS; if the number is large then using a national WPRS (if provided) might be worth considering. If in doubt, OpenAthens should be considered as a stop-gap until clarity is apparent or you have had time to consider your options.
If you have a small number of eResources and you have not yet implemented a SAML compliant technology, and are not using a WPRS, then the best option might be to plan a measured move to the Federation using OpenAthens as your “liferaft”, but start this move now. JISC will provide support for small institutions; such institutions may also want to consider the use of a third party identity provider.
Some resources are ONLY provided using Athens authentication. Each site will therefore need to negotiate directly with the publisher to change this – the existence of such eResources on site may force you to use OpenAthens. Clearly some resources will be used by multiple institutions and in these instances collective bargaining offers some advantage. JISC are lobbying on the community’s behalf and are providing a webpage which details those publishers that have committed to moving to federated access. This is available at http://access.jiscinvolve.org/federated-access-and-publishers.
Similarly, some resources (notably JISC-provided resources) will only be available through a SAML-compliant technology from 1 August 2008.
Both the above points may influence your decision.
Eduserv Athens: Access and Identity management: http://www.athensams.net/
JISC briefing paper providing a summary of third party solutions available and more information about the organisations that provide them. http://www.jisc.ac.uk/publications/publications/identityprovidersbpv1.aspx
JISC Federated access management: institutional business case http://www.jisc.ac.uk/media/documents/themes/accessmanagement/cc297d001-1.0%20business%20case%20toolkit.pdf
JISC Federated access management: international aspects http://www.jisc.ac.uk/media/documents/themes/accessmanagement/cc253d018-1.0%20international%20aspects.pdf
List of publishers publicly committed to federated access: http://access.jiscinvolve.org/federated-access-and-publishers
UK Access Management Federation – applying for membership
Presentations from the JISC SCONUL briefing held on 13 May 2008
Presentations from the JISC SCONUL briefing held on 7 March 2008