EDINA newsline
March 2008: Volume 13 Issue 1


Access to EDINA services: from Athens to the UK federation

by Peter Burnhill, Director of EDINA

The world of identity management affects us all. At EDINA we are busy making sure that all of our JISC services are accessible via the UK federation as we approach 1 August 2008. It is important that all parties take steps to ensure that there is continuity of access for users – researchers, students, teachers and support staff in UK universities, colleges and the like.

To risk over-simplifying: users from institutions that have a Shibboleth identity provider or that use the Athens-to-Shibboleth gateway should be able to access EDINA services, but those from institutions which cannot (or choose not to) assert user accountability will not be able to access services such as Digimap. The situation is fluid – please check both the EDINA and UK federation websites for updates.

JISC policy

As many of you will know, there is now a new national infrastructure, sponsored by JISC and Becta, known as the 'UK Access Management Federation for Education and Research' (the UK federation). The JISC middleware team and those engaged in making the UK federation a reality have been hard at work recruiting educational institutions to federation membership, as well as providers of online services to UK education and research.

JISC has determined that the UK federation is to be the principal means of authentication and authorisation for the services that it supports. As a JISC national data centre, EDINA is following this policy. The JISC contract with Eduserv for the provision of the Athens service to all JISC organisations ceases on 31 July. At that point the arrangements by which Eduserv makes the Athens Service Provider software available to JISC services will lapse. JISC has written to say that 'JISC service providers should not have any reason to continue to operate Athens interfaces beyond that time'.

Plans and progress

Accordingly, EDINA is planning that its services will accept user credentials only from institutions ('identity providers' in this context) within the UK federation.

The majority of services are already available via the UK federation: Digimap is now also included. (See back page for details.) We expect Jorum, agcensus, and the Depot to be accessible via the federation by 1 August. There are separate arrangements for UKBORDERS as determined by the Census Registration Service, run by the UK Data Archive.

User Accountability

A key point for institutions to note is that some services need an additional level of assurance, as required by the licences granted by data rights holders. Known as 'user accountability', this is where the identity of a given end-user could, in extreme circumstances (usually following suspected wrong-doing), be ascertained by an identity provider and disclosed to a service provider.

The UK federation supports this additional level of assurance through declaration by identity providers. It will be necessary for an identity provider, typically an institution (or their out-sourced identity provider on their behalf), to assert 'user accountability' before their users can gain access to a number of existing services, such as Digimap.

At present this may also apply to Jorum, run jointly by EDINA and Mimas.

A fuller description of user accountability is given in Section 6 of the 'Rules of membership for the federation'.

Athens Gateways

The termination of the contract between JISC and Eduserv to maintain the gateway services has implications. The development of two gateways had been funded:

  1. Shibboleth-to-Athens, to enable an institution using SAML-based identity management (such as Shibboleth) to gain access to Athens-protected resources.
  2. Athens-to-Shibboleth, to enable an institution using Athens identity management to gain access to Shibboleth-protected resources.

The loss of general access to the gateways from 1 August means that Shibboleth-protected services will only be available to institutions who join the UK federation, using SAML-based identity management, or who adopt an outsourced identity provider (such as Eduserv, who have made a commitment to provide the Athens-to-Shibboleth gateway as part of their Open Athens product).