Federated Access Management in the UK
Harris described how federated access management is a key part of the JISC overall strategy and is currently a high priority. The session therefore served to raise awareness of the project, outlining some of the benefits, the current state of play, and some of the options available to both institutions and service providers.
In a federated system, authentication is devolved to the institution, which is responsible for identifying all users entitled to access their resources. Access control is then negotiated by sharing metadata about the user between the authenticating institution and the service provider.
The architecture (Shibboleth) that the JISC has adopted was described as "technology neutral", though it must be SAML compliant. Harris explained that there was "international convergence" on Shibboleth and SAML for federated authentication and that this wide support would not only secure the future development of the system, but would also create a wider market for suppliers.
At present, institutions can choose to deploy open source software to implement federated authentication, or instead license commercial software. Institutions may also outsource the authentication to an "identity provider", much as most institutions already do with the Athens service.
Athens itself is not going away. Institutions will be able to continue to use Athens but will ultimately be charged a fee in order to do so; JISC funding for the Athens service will shortly cease. "Gateways" that bridge between the older Athens service and the newer federated authentication options provide an upgrade path for institutions as well as interoperability between the different services.
Harris stressed that there will be considerable institutional investment (in both time and resources) in order to implement federated authentication and suggested that institutions begin including this in their IT strategy.
The return on this investment will be reaped in several ways. Users will be able to benefit from "single sign-on" across multiple services, not only from external providers but also internal to the institutions. This should address repeated problems with users gaining access to resources as well as the need to manage many different accounts. Ultimately a federated system may also allow institutions to provide collaborative resource sharing, licensing users from other institutions to access internal systems.
The expectation is that by November 2008 around one third of UK institutions will have implemented federated access management, with the majority completed by November 2009. It seems likely that the Athens service will continue to run, as a paid-for service, until at least 2011.
Readers interested in learning more about federated access management should visit ukfederation.org.uk.