Members of the research and education community within the United Kingdom regularly make use of various types of online services, including web-based e-resources, wireless network access, and cloud-based applications. Many of these services require authentication of a user's identity, and many additionally require the release of attributes relating to that identity for authorisation purposes. Access and identity management (AIM) technologies and services aim to fulfil this need for robust authentication and authorisation. Jisc either runs or is heavily involved with many major services offered to the UK R&E community in this space, such as eduroam, the UK federation, Moonshot, and the Janet Certificate Service. This group exists for those interested in AIM and trust and identity services to discuss the latest developments, keep track of goings-on, and participate in discussions about what the community needs in this area and what Jisc should be offering. (Note that eduroam, Moonshot, and the Janet Certificate Service each have their own group on this site for service-specific discussions.) To learn more about Jisc's AIM services, you can see the slides and video of an overview given at Networkshop42.

Social identities vs. Michael's fantastic IdP - who do you trust more?

21 November 2013 at 2:54pm

A recurrent theme of Identity Week (#I2identity13) was the use of social identities: their use as an 'IdP of last resort'; their trustworthiness ("A Google ID is no better or worse than a Guest account at an institution" vs. "researchers have a problem with social identities as a cultural statement - they don't 'trust' [insert name of Social Network Provider]"); and the view that "Social logins should be thought of as external account management".

Social2SAML - https://portal.nordu.net/display/SWAMID/Social2SAML - was mentioned as a solution, but it was also argued that this could discourage institutions from running a 'proper' IdP. However, research groups are calling out for this sort of thing to help with industry liaison: industry organisations are not typically allowed to have their own IdP in an R&E federation, so they need an IdP of Last Resort.

As part of the 'trust' discussion it was also noted that among students brand familiarity is a key driver in the adoption of social identities, as new students would be more willing to trust 'Google' than 'Michael's fantastic IdP'. The point was also made that "You are doomed if you go down the road of authorising based on IdP - you need to authorise based on attributes."
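To make the "authorise on attributes, not on IdP" point concrete, here is an added illustration in Python (not code from this post or from any Jisc service). The policy never looks at which IdP issued the assertion; it only checks released attributes, so an institutional IdP, a Social2SAML-style gateway and a guest IdP of last resort are all handled by the same rule. The entityIDs, the scope table standing in for federation metadata, and the entitlement URN are constructed sample values; the scope check mirrors the Shibboleth practice of trusting a scoped attribute value only where metadata authorises that scope for the asserting IdP.

```python
"""Attribute-based authorisation over SAML-style assertions (added example)."""
from dataclasses import dataclass, field

# Constructed stand-in for federation metadata: entityID -> scopes the IdP
# is authorised to assert. Gateways and guest IdPs own no institutional scope.
AUTHORISED_SCOPES = {
    "https://idp.example.ac.uk/idp": {"example.ac.uk"},
    "https://social2saml.example.org/idp": set(),
    "https://guest-idp.example.org/idp": set(),
}

# Hypothetical entitlement value a service might accept as an alternative
# to institutional affiliation (e.g. granted to an industry collaborator).
ACCESS_ENTITLEMENT = "urn:mace:example:resource:access"


@dataclass
class Assertion:
    issuer: str                                   # entityID of the IdP
    attributes: dict = field(default_factory=dict)  # attribute name -> values


def trusted_scoped_values(assertion, attr):
    """Keep only values of a scoped attribute whose scope the issuer may assert.

    Without this check a gateway or guest IdP could claim member@example.ac.uk
    and be indistinguishable from the institution's own IdP."""
    allowed = AUTHORISED_SCOPES.get(assertion.issuer, set())
    kept = []
    for value in assertion.attributes.get(attr, []):
        _, sep, scope = value.rpartition("@")
        if sep and scope in allowed:
            kept.append(value)
    return kept


def authorise(assertion, resource_scopes):
    """Grant if the user holds a trusted member@<scope> affiliation for a
    scope the resource serves, or the explicit entitlement. The issuer's
    identity is deliberately never a criterion."""
    for value in trusted_scoped_values(assertion, "eduPersonScopedAffiliation"):
        affiliation, scope = value.split("@", 1)
        if affiliation == "member" and scope in resource_scopes:
            return True
    entitlements = assertion.attributes.get("eduPersonEntitlement", [])
    return ACCESS_ENTITLEMENT in entitlements
```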

If not using social identities, should there be a global IdP of Last Resort, or should each federation have one? Whoever builds one should make it available via interfederation so that federations can decide. But how do we find out about IdPs of Last Resort? Norway has one (Feide OpenIdP); Sweden will have eduID, which could be made available; RENATER has a guest IdP; CANARIE has a guest IdP; and so on. Does the UK Access Management Federation need one? [answers below, please...]

The University of Texas has been using social identities for SharePoint access for over a year. They are now looking to use social logins for staff and alumni access to PeopleSoft, with trust elevation on a transactional basis - playing the 20 questions game (knowledge-based authentication).

Someone made the point that although Google hasn't refreshed their FICAM status (apparently no-one has), the fact that they were FICAM certified means you could say Google has better certification than most university systems. Also, Google can determine where a user is, whether a device needs a PIN, etc. Delegates were asked what extra features they would want Google to support, but it seems that Google want to deprecate SAML.

Echoing comments from the recent #IGidentity event, it was also noted that a clearing house is needed to help deal with account compromises, and that you can't rely on trusting another account for account recovery. Andrew Nash, an ex-Googler, is working on this, so it is one to watch out for.