Members of the research and education community within the United Kingdom regularly make use of various types of online services, including web-based e-resources, wireless network access, and cloud-based applications. Many of these services require authentication of a user's identity, and many additionally require the release of attributes relating to that identity for authorisation purposes. Access and Identity management technologies and services aim to fulfil this need for robust authentication and authorisation technologies. Jisc either runs or is heavily involved with many major services offered to the UK R&E community in this space such as eduroam, the UK federation, Moonshot, and the Janet Certificate Service. This group exists for those interested in AIM and trust and identity services to discuss the latest developments, keep track of goings-on, and participate in discussions about what the community needs in this area and what Jisc should be offering. (Note that for eduroam, Moonshot, and the Janet Certificate Service specific discussions, these technologies have their own groups on this site). To learn more about Jisc's AIM services, you can see the slides and video of an overview given at Networkshop42.

Happy CAMPers

21 November 2013 at 5:07pm

The third and final of the identity week meetings (Campus Architecture & Middleware Planning - CAMP) started with an amusing keynote from Patrick Perry, Vice Chancellor of Technology, Research and Information Systems, California Community Colleges. The 112 California Community Colleges are highly independent. In pursuit of academic goals, and over the course of their lives, California Community College students may attend several colleges (sometimes attending 2-3 colleges at the same time to get enough classes). This “swirling” and “come-and-go” behavior creates significant student identity challenges.

Apparently the CCC comprises the US' biggest HE system. Patrick’s tale started off with the familiar story of funding cuts, increasing data demands, fluid student numbers etc. He then progressed through how better use of data can help make funding decisions including an analysis of graduate average salaries depending on courses taken. Eventually we got to the stage where the Governor of California accepted the need to better fund HE and rather bizarrely started using his pet dog to promote a Bill – ‘Prop 30’ – to raise taxes to increase the higher education budget. So HE in California was saved by a dog!

We then step forward to CCC Chancellor Jack getting a call from Governor Jerry to talk MOOCs. This developed into him doubling the tech budget just for Distance Education (CC Online Education Initiative) with www.cvc.edu developed as a catalogue, supply/demand aggregator and portal for courses. They also centrally selected and operate an enterprise CMS for all education in California.

So the good news is there is lots of new money for central systems, but individual sites have lots of legacy and siloed apps and systems and non-standardised campus infrastructure. With 3 new massive funded systems this could be a problem, but with federation "it is a wonderful life".

The funding paid centrally for a new Open CCCApply system, built by Unicon and taken in-house, allowing everyone to federate, and creating a single account for each student. Each student now has a single, unique CCCID identifier, now being adopted as a campus identifier.

Unicon’s system uses uPortal for high scalability. Some colleges are doing their own IdP, some are going with Aegis and Unicon to do it for them. IdPs need to be in place for the roll out of the new application for admissions.

We then heard about how “I” and “T” are both separated and working together at Penn State, with a description of their IT (or should that be I and T) governance and systems. It is important to reflect on the role of the CIO in governance and how you talk about the importance of identity and access management when understanding policies, practices and funding.

The session on Outsourcing IAM in North Carolina was interesting in that it focussed on K-12 (i.e. school sector) identity management and looked at the touch-points between schools and HE.

North Carolina has 250,000 staff and 1.5m students in 115 LEAs, 2,500 schools and 111+ charter schools. In the future they also want to include c.3m parents in their system, which has the core components of a person registry and central directory. It is cloud hosted on AWS and they are targeting Google Apps for education.

Future opportunities will see the North Carolina IdP federating with the NCDEdCloud (K-12) regional federation and InCommon membership to allow pupils to access local HE resources.

Whereas North Carolina’s IdM system was built on mainly open source code (by www.identityautomation.com), Capella University’s Identity Management in the Cloud solution is an IBM stack, the choice of which was probably influenced by the fact that their other systems are very ‘enterprise-y’ - PeopleSoft HR and CS and Salesforce. You can find out more at http://www.discoverlighthousegateway.com/

Groups was the next subject covered by speakers from the University of Tulsa, followed later by Newcastle University:

  • Box supports federated Id and provisioning of groups automatically from the IdP via attributes.
  • The user interface isn't really there for groups, and there may be problems with large groups.
  • Newcastle has 10,000 groups on Grouper.
  • One example of Grouper’s benefits is in accessing Dreamspark:
    • Any student can access Dreamspark, but STEM students have premium access.
    • The Institutional Data Feeds Service extracts STEM data, and Grouper maps users to STEM and non-STEM and pushes the memberships into AD.
    • Shibboleth queries AD and sets an attribute based on group membership - urn:mace:dir@attribute-def:ou
    • Dreamspark then allows access.
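
The Dreamspark flow in the list above, sketched as an added example (not code from the post, Newcastle, Grouper or Shibboleth): the IdP derives one `ou` value from directory group membership, and the service decides the access tier from that value alone. Group names, user IDs, the `STEM`/`non-STEM` values and the tier names are assumptions, and the directory is constructed sample data.

```python
# Constructed sample data: group names, user IDs and ou values are assumptions.
STEM_GROUP = "app:dreamspark:stem"   # hypothetical Grouper group name
STUDENT_GROUP = "ref:students"       # hypothetical reference group

# Stands in for AD after Grouper has provisioned the memberships.
DIRECTORY = {
    "alice": {STUDENT_GROUP, STEM_GROUP},
    "bob": {STUDENT_GROUP},
    "carol": {"ref:staff"},
}


def resolve_ou(user):
    """IdP side: derive the single 'ou' value to release from group membership.

    Returns None (attribute not released) for anyone outside the student group,
    including users the directory does not know.
    """
    groups = DIRECTORY.get(user, set())
    if STUDENT_GROUP not in groups:
        return None
    return "STEM" if STEM_GROUP in groups else "non-STEM"


def build_assertion(user):
    """Release only the derived attribute, never the raw group list."""
    ou = resolve_ou(user)
    return {"ou": [ou]} if ou else {}


def sp_access_tier(attributes):
    """SP side: decide access from the released attribute alone, failing closed."""
    values = attributes.get("ou", [])
    if values == ["STEM"]:
        return "premium"
    if values == ["non-STEM"]:
        return "standard"
    return "denied"  # missing, multi-valued or unknown values get no access


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "mallory"):
        print(name, sp_access_tier(build_assertion(name)))
```

The service never sees group names, so renaming or restructuring groups in Grouper does not change what is released to it.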

Collaboration was also a popular topic. Niels van Dijk from SURFnet explained how distributed and cloud services were used to facilitate collaborations between institutions. Scenarios Niels discussed included private cloud document sharing between University Medical Centres. The main driver for this was that Medical Centres were using DropBox and WhatsApp to share data as it was “easy and convenient”, so doctors were sending medical images via WhatsApp! Another scenario was Virtual campus hub (www.virtualcampushub.eu) – a collaboration between 4 institutions in Italy, Sweden, Netherlands and Denmark, using eduGAIN.

A different approach to enabling collaboration was presented by Scott Koranda from LIGO (Laser Interferometer Gravitational-wave Observatory). LIGO uses COmanage to manage the collaboration between itself and its sister project KAGRA in Japan. Scott did a live demo of how a member of the KAGRA-LIGO working group enrolls, is approved, and then gains access to LIGO web services using their federated identity. It was a really slick demo showing an easy to follow workflow. Scott’s slides can be found here – it’s a 5MB PDF as it contains screenshots of the demo.

The Closing Keynote was from Tom Black, Associate Vice Provost for Student Affairs and University Registrar, Stanford University. Unfortunately this wasn’t as entertaining as the Opening Keynote, however he obviously likes federated identity management and called for a global education id!