JA-SIG UK meeting 30 June 2003

On 30 June, representatives of 13 organisations gathered at the University of North London for JA-SIG UK’s second meeting.

The main foci for the meeting were a report on the recent JA-SIG Summer conference in Denver; discussion around authentication, authorisation and network identity; and an exploration of current progress in the UK, and possibilities for inter-institutional collaboration.

Denver JA-SIG meeting

Ian Dolphin reported on the Summer JA-SIG Conference, held just outside Denver in June 2003. Around 200 people attended, mainly from North America, but with a reasonable European presence from Sweden and the UK.

Participants fell into one of three main groupings: those implementing uPortal on live sites; those (like Hull) well into a pilot implementation; and quite a number who were evaluating uPortal alongside other portal products. Unlike previous years, where the participants were almost exclusively from Higher Education, both community colleges and service providers to the K-12 sector were represented.

Presentations are now available on the JA-SIG website [ http://web.princeton.edu/sites/isapps/jasig/2003summerWestminster/ ], two of which were from the UK.

It appears from the conference that the uPortal development model is becoming increasingly well established and of interest across the sector. A round-table meeting prior to the conference, for example, attracted representation from Internet2, OKI, Educause and others. Of these, OKI is apparently now considering depositing software in the uPortal repository, and the OKI-related CHEF project at Michigan is looking at the feasibility of using uPortal as the presentation layer to their learning services.

As well as uPortal itself, the community continues to work on a number of related products, including:

• Yale’s CAS Authentication system

• Columbia’s Content Management System, CuCMS

• Memorial University Newfoundland’s system for embedding legacy applications, CWebProxy

• Nagoya University’s ongoing work to internationalise uPortal

Columbia has submitted an application to the Mellon Foundation to extend CuCMS.

Much of the current work on the uPortal framework has been undertaken using a grant from the Mellon Foundation, which has enabled the involvement of various commercial companies and has resulted in significant progress from earlier versions of the portal. This Mellon grant, though, is due to end over the summer of 2003, and the subsequent lack of funding will inevitably require a shift in the manner that uPortal continues to develop. It appears likely that commercial companies such as IBS, IM&M, and SCT will remain involved to a degree.

The JA-SIG Board is keen to recognise and build upon the growing international dimension to uPortal, as well as to capitalise upon increasing interest from beyond JA-SIG’s traditional administrative computing roots. As part of this trend, Ian Dolphin from the University of Hull has been invited to join the JA-SIG Board.

Robert Sherratt from the University of Hull reported on current developments with uPortal, basing his comments upon a presentation [ http://web.princeton.edu/sites/isapps/jasig/2003summerWestminster/presentations/uPortal Roadmap.ppt] in Denver from Ken Weiner and Dan Ellentuck.

Version 2.1 of uPortal was released at the end of last year. Amongst a number of changes, three major enhancements were the introduction of the remote channel proxy, a combined groups and permissions manager, and a capability to gather usage statistics.

According to Ken and Dan, version 2.2 is due in October of 2003.

A key feature of this release will be support for Aggregated Layouts, a mechanism that allows ‘fragments’ of content (a channel, a group of channels, a tab and contents, etc) to be published to the portal.

Additionally, the mechanism by which user preferences for channel layout are currently specified will change quite radically, moving towards a WYSIWYG view of the portal layout which the user can modify.

The Groups and Permissions area is also due for an overhaul, with improved support for LDAP and the ability to specify multiple sources of permissions data rather than assuming that all portal users have all of their permissions data held in a single source.

Support for the Web Services for Remote Portals (WSRP) specification is also promised, building upon UNICON’s existing remote channel.

Work is ongoing, utilising the XLIFF specification, to improve uPortal’s internationalisation options. It is possible that these enhancements may not be completed in time for the 2.2 release.

Importantly, the database structure for version 2.2 will differ from that used in 2.1, requiring work by existing 2.1 sites who wish to upgrade. It is hoped that such drastic database changes will not be a regular occurrence!

Network Identity

Malcolm Murphy from Sun Microsystems gave a presentation on Network Identity, and the role of the Liberty Alliance. The presentation is available from http://www.ja-sig.org.uk/.


In essence, Malcolm demonstrated, Network Identity can be seen as a set of attributes that describe profiles or roles of an individual:

• Who you are (authentication)

• What you can do (authorisation)

• Other attributes

These identities can be managed in one of two ways: either centrally as a single ‘big list’, or in a federated manner with different stakeholders taking responsibility for maintaining accurate and current information needed for their purposes. Malcolm suggested that each approach has its place, and pointed to the work that the Liberty Alliance is doing to ensure that the federated model is able to work, with various stakeholders able to exchange the pieces of information that they need to.

The presentation provoked wide-ranging discussion around such issues as the need for campus systems like the portal to reach and be accessible to support staff of various kinds, who are not traditionally registered with campus usernames. Universities with associated teaching hospitals also identified problems with registering and tracking NHS staff who might teach for short periods of time. It was suggested that a federated approach to their identification would go some way towards solving this problem, with the university simply accessing and trusting relevant personal information stored in NHS systems.

Currency and accuracy of central information emerged as a key issue if universities were to build effective federated (rather than merely duplicated) information flows. A number of attendees were able to point to a current situation where, because of excessive delays in obtaining comprehensive information on new users at the centre, individual departments felt it necessary to construct their own local databases, and to keep these current, often in addition to any information they were required to provide to the centre.

Paul Browning, from the University of Bristol, gave a presentation [ http://www.ja-sig.org.uk/] on their approach to authorisation. Bristol have issues about how to deal with “grey users”, particularly amongst staff, people who may only work for the University for a short length of time and are often not recognised as “official” staff. Another important issue is the mapping of local group membership, such as tutor group and supervisor groups, the devolution of the management of these groups, and the combining of the local group data with centralised University group membership details. As Paul points out, it is only when all of these memberships are successfully controlled that a truly personalised portal can be presented to users.


UK round-up

London Metropolitan University

London Met has been working for some years with various elements of portalisation, beginning with a Cold Fusion-based prototype around 2000.

There has been work done to integrate with the Talis library management system, including the use of SOAP-based calls into the library database.

At present, the institution is in the process of resolving differences between the systems of the two institutions that merged to form London Metropolitan. It is currently unclear in a number of cases as to which of the legacy systems will be deployed across the new institution.

A significant drive is towards the use of J2EE applications across the institution, integrated with Cold Fusion.

University of Hull

Hull developed a staff intranet in the late 90’s, using a series of Perl scripts to access data held in institutional corporate systems.

During 2000, work was done to scope a student intranet to accompany this, but it was quickly decided that the level of duplication would be high, and that a better approach would be to develop a single institutional portal to meet the needs of staff and students, integrated closely with a content management system to address the needs of the institutional web presence.

Since September 2002, around 800 students in two departments have been trialling an installation of uPortal. This portal is due to go live to all staff and students across the university from September 2003.

The current focus of work is in migrating the existing Perl scripts of the staff intranet into Java, XML and XSL for deployment through the portal.

Key interests are in content management (including discussion with Columbia over CuCMS) and in ensuring that the portal is accessible to all users.

University of Bristol

Further to Paul’s presentation, he reported that Bristol is working on integration of their uPortal development with the Enterprise edition of Blackboard. They have achieved single sign-on, but are exploring the most meaningful way in which to deliver real integration of content and services between portal and VLE.

Within the library, there is interest in exploring some of the ‘portal’ features of their Aleph product, and there will be a need to examine the best way for this to move forward in relation to the institutional portal.


University of Birmingham

At Birmingham, developments are moving forward in two broad areas; extending the reach of the institutional Web strategy, and exploring deployment of a portal.

In evaluating portals, the two front runners were uPortal and Oracle’s portal product.

The concept of a portal has been sold to the institution, and funding has been allocated to a new task force, which now has the job of deciding between the open source uPortal or one of its commercial instantiations from either SCT or UNICON.

The institution has decided not to deploy a content management system, but is instead relying upon its established institutional Web strategy, with use of a central filestore for all institutional web content, alongside standardised templates, and provision of training to designated web authors. The latest stage is the distribution of new copies of Macromedia’s Contribute product to 500 identified web authors across campus.

University of Oxford

The University Computing Service is undertaking a consultation process on the need for and best way to implement a portal for use by the institution. This has included a number of presentations from members of other institutions, and at the moment OUCS are proposing to build a pilot portal that will link with a number of institutional systems.

University of Edinburgh

Three years ago, Edinburgh and a number of other institutions were involved in a SHEFC-funded project to develop a student portal in Cold Fusion. Edinburgh subsequently took the product, rebadged it, and launched it to their students in 2002.

They are now looking at the need for an Enterprise Portal to serve current, past, and future members of the institution. As with several other institutions, the choice for them came down to layering Oracle’s portal on top of their existing Oracle databases or deploying uPortal.

uPortal was chosen, and a demonstrator is due to launch in September 2003, with a pilot staff portal ready by July 2004.

For now, the Cold Fusion-based student portal will continue to be developed, and CWebProxy is being examined as one way in which the existing investment might easily be redeployed within uPortal.

University of Nottingham

The University of Nottingham, which has had its uPortal-based COMPASS system for some time, has recently decided to switch to the commercial offering from SCT. This will allow them to build upon their existing investment, but additionally offers a Content Management Solution (Documentum) that they have a need for, as well as integrated search capability (from Verity) and a means of single sign on to Nottingham’s VLEs.

Training

Stan Smith from the University of Nottingham reported on current provision of uPortal training. At present, this comes from UNICON-IBS, who work with a host institution and send trainers across from the US.

Nottingham has worked with the trainers on a number of these events, with the last one in their current arrangement due to be held in July. Additionally, Edinburgh will be hosting an advanced course later in the year.

IBS are apparently interested in exploring means of establishing a body of knowledge in the UK, in order that training could be delivered by people from within the country, rather than them having to fly trainers across from the US for every event.

Future Activities and Collaboration

PEPC 2004

Following on from PEPC 2003 in Geneva, there is interest in the 2004 conference being hosted in the UK. Attendees were asked to consider whether or not they might be interested in hosting this conference, probably for around 200 participants.

Funding Opportunities

There are a number of areas in which implementers both here and in North America are tackling similar problems; for example the work that both Hull and Columbia are doing on content management. It was suggested that we remain alert to possible mechanisms for funding such trans-Atlantic collaboration, in order to feed UK developments back into the JA-SIG process more effectively.

Acknowledgements

JA-SIG UK wishes to thank the University of North London for their hospitality on the day. Refreshments were provided by the JISC-funded PORTAL project and by Access Computing.

Notes compiled by Paul Miller of UKOLN

4 July 2003


JA-SIG UK June 2003 Meeting Attendees

Name Institution

Laura Allison Dynix

Chris Awre JISC

Paul Browning University of Bristol

Ian Dolphin The University of Hull

Digby Entwisle Royal Holloway College, University of London

Mike Jones Cardiff University

Paul Miller UKOLN

Mike O'Reilly London Metropolitan University

Art Pasquinelli Sun Microsystems

Francisco Pinto Oxford University

Sebastian Rahtz Oxford University

Chris Richards University of Southampton

Anne-Marie Scott University of Edinburgh

Robert Sherratt University of Hull

Stan Smith University of Nottingham

David Supple The University of Birmingham

Paul Walk London Metropolitan University

Authorisation Issues

Paul Browning, University of Bristol

PORTAL - (n). Lat. porta, (door, gate)portalis, (like a gate). A doorway, gate or other entrance, especially a large or elaborate one.


Right People, Right Stuff, Right Pain?

John Byrne (York), James Currall, Colin Farrow (Glasgow)

Institutional Web Management Workshop June 2002: The Pervasive Web
http://www.ukoln.ac.uk/web-focus/events/workshops/webmaster-2002/materials/currall/

Authentication

• Pretty much sorted ….
  – Yale’s Central Authentication Service (CAS)
  – Single sign on
  – Sneak preview

• …. except
  – “Grey Users”
  – “Trusting the Trust?” (NHS)
  – Need multiple authentication services – cascade through them

Personalisation

• So if you’ve got authentication sorted then personalisation (= “portal”) will be a doddle – right?

• Wrong!

• It goes like this …

“The Digital Library”

The challenge – Central vs. Local data

[Figure: The Data Model – Staff (PIMS); Students (Dolphin); Curriculum (Dolphin & Unit Cat); Resources]

Is there a common local data model?

Why do departments maintain local systems?

Central vs. Local Data

Why do departments maintain local systems?

Programme registration progress

  Teaching Week 0    6000
  Teaching Week 2    5000
  Teaching Week 3    3000
  Teaching Week 4    1000
  Teaching Week 5     100

Unit registration progress (= 120 credit points)

  Teaching Week 6    50%
  Teaching Week 7    58%
  Teaching Week 11   83%
  Teaching Week 13   86%
  Teaching Week 14   92%
  Teaching Week 15   93%
  Teaching Week 16   94%
  Teaching Week 17   95%

Driven by assessment & external compliance, not learning & teaching!

The challenge – central vs. local data

The risks

1. The portal may be partly empty
2. The portal may be wrong in parts
3. The portal will not contain local added value (like tutor groups …)
4. The portal will not be personalised

What problems are we trying to solve?

• Authorisation
  – Membership of some group determines role
  – Role determines level of access
  – Group information is often maintained at local end of Central-Local join (e.g. tutor groups, research groups)

• Preferences (= personalisation)

• Multiple authentication services

Authorisation & Central-Local data join

• We need a “Groups Manager” which allows:
  – Use of groups in an authorisation framework (i.e. permissions database)
  – Definition of numerous ad hoc groups (where group size >= 1)
  – Definition of groups of groups
  – Devolution of creation of some groups
  – Devolution of maintenance of some groups

Bodington does this …..
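The slide lists what a “Groups Manager” has to support; the following is an added sketch (not Bodington or uPortal code) of those five requirements in one place: ad hoc groups of any size, groups of groups, devolved creation via a name prefix, devolved maintenance via a group owner, and a permissions database keyed on group. All names (registry, chem-office, dr.jones, the chem: groups) are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    owner: str                                   # user allowed to maintain the group
    members: set = field(default_factory=set)    # usernames; a group of size 1 is fine
    subgroups: set = field(default_factory=set)  # names of nested groups


class GroupsManager:
    def __init__(self, central_admins):
        self.central_admins = set(central_admins)
        self.groups = {}        # name -> Group
        self.devolved = {}      # name prefix -> local admin who may create groups with it
        self.permissions = {}   # group name -> set of permissions (the permissions database)

    def devolve_prefix(self, prefix, to_user, actor):
        """A central admin hands creation of 'prefix...' groups to a local admin."""
        if actor not in self.central_admins:
            raise PermissionError(f"{actor} may not devolve group creation")
        self.devolved[prefix] = to_user

    def _may_create(self, name, actor):
        return actor in self.central_admins or any(
            name.startswith(p) and u == actor for p, u in self.devolved.items())

    def _may_maintain(self, name, actor):
        return actor in self.central_admins or self.groups[name].owner == actor

    def create_group(self, name, owner, actor):
        if name in self.groups:
            raise ValueError(f"group {name} already exists")
        if not self._may_create(name, actor):
            raise PermissionError(f"{actor} may not create {name}")
        self.groups[name] = Group(name, owner)

    def add_member(self, name, user, actor):
        if not self._may_maintain(name, actor):
            raise PermissionError(f"{actor} may not maintain {name}")
        self.groups[name].members.add(user)

    def add_subgroup(self, parent, child, actor):
        """Groups of groups; a link that would close a cycle is refused."""
        if not self._may_maintain(parent, actor):
            raise PermissionError(f"{actor} may not maintain {parent}")
        if parent == child or parent in self._descendants(child):
            raise ValueError(f"adding {child} to {parent} would create a cycle")
        self.groups[parent].subgroups.add(child)

    def _descendants(self, name):
        seen, stack = set(), [name]
        while stack:
            for child in self.groups[stack.pop()].subgroups:
                if child not in seen:
                    seen.add(child)
                    stack.append(child)
        return seen

    def members_of(self, name):
        """Transitive membership through nested groups."""
        users = set(self.groups[name].members)
        for g in self._descendants(name):
            users |= self.groups[g].members
        return users

    def grant(self, name, permission, actor):
        """Only the centre writes the permissions database; groups may be local."""
        if actor not in self.central_admins:
            raise PermissionError(f"{actor} may not grant permissions")
        self.permissions.setdefault(name, set()).add(permission)

    def permissions_for(self, user):
        return {perm for g, perms in self.permissions.items()
                if user in self.members_of(g) for perm in perms}


def demo():
    """Constructed scenario: registry keeps chem:students central, tutor groups are local."""
    gm = GroupsManager(central_admins={"registry"})
    gm.create_group("chem:students", owner="registry", actor="registry")
    for s in ("alice", "bob", "carol"):
        gm.add_member("chem:students", s, actor="registry")
    # creation of chem:tg* groups is devolved to the department office
    gm.devolve_prefix("chem:tg", to_user="chem-office", actor="registry")
    gm.create_group("chem:tg-3", owner="dr.jones", actor="chem-office")
    gm.create_group("chem:tg-all", owner="chem-office", actor="chem-office")
    gm.add_member("chem:tg-3", "alice", actor="dr.jones")   # maintenance devolved to the tutor
    gm.add_subgroup("chem:tg-all", "chem:tg-3", actor="chem-office")
    gm.grant("chem:students", "read:chem-noticeboard", actor="registry")
    gm.grant("chem:tg-3", "read:tg-3-timetable", actor="registry")
    return gm
```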

Preferences

• We also want to be able to store personal attributes such as
  – Bookmarks
  – Portal layout
  – Calendars
  – Address books

Is LDAP the answer?

[Figure: two directory trees, Level 1 up to Level 6, contrasting Central – database driven, with Local – rampant ad hocery?]

Practical realities

• Capturing local added value

• Incentivising maintenance of local added value

What else is bubbling under?

• Angel?

• Akenti?

• Permis?

Six MLEs - more similar than different

Network Identity Management

Malcolm Murphy, Technology Manager, Sun Microsystems

Agenda

● What is Network Identity?
● The problem we have today
● Centralised vs. Federated models
  – Which is better?
● The Liberty alliance
● Demo
● Conclusions

What is Network Identity?

● Network Identity is a set of attributes that describe profile(s) of an individual
  – Who you are (authentication)
  – What you can do (authorisation)
  – Other attributes

● Basic element of an enduring or high value relationship

Network Identity components

AUTHENTICATION
  Definition: A level of security guaranteeing the validity of an identity representation
  Examples: NUS card; Staff/student ID; Username/password; PIN

AUTHORIZATION
  Definition: The provisioning of services or activities based upon an authenticated identity
  Examples: Services based on attributes; Transaction consummation; Gradient levels of service

ATTRIBUTES
  Definition: Traits, profiles, preferences of an identity, device, or business partner
  Examples: Personal consumer preferences; Identity specific histories; Device capabilities information

Foundation for Web services

[Figure: Web Services built on a Network Identity Infrastructure Platform (Authentication, Attributes, and Authorization), serving Staff, Students, Partners, Devices and Technology]

Phases of internet evolution

● Communication – email
● Marketing – Web site
● Commerce – Website.com
● Personalized Commerce – myCustomer.com, mySupplier.com
● Federated Commerce – Identity-based Trusted Services

The “Identity Crisis”

[Figure: Joe’s Fish Market.Com – Tropical, Fresh Water, Shell Fish, Lobster, Frogs, Whales, Seals, Clams]

The “Identity Crisis”

For End Users (students/staff/etc.)
  – Privacy/Security concerns
  – Hassle of Multiple logins and passwords
  – Multiple disparate views of identity

For Institutions
  – Cost to manage Users
  – Security and administration of disparate systems
  – No single view of the End User
  – How to interoperate with other institutions?

For Suppliers/Content providers
  – “User” profile control and ownership
  – “User” affiliation and sharing
  – Security and auditability

The “Identity Crisis”

● Poor Identity management is impeding the development of online services
  – Difficult for users to manage
  – Expensive for institutions
  – Issues for service providers

● Who is authorised to do what and how do we charge?

● Entry costs (e.g. Athens)

Models for Network Identity

[Figure: Providers (JISC, University Dept, PORTAL, NUS, Univ A, Univ B, LEA) and Students]

● No single entity controls the Network
● Requires interoperability standards
● Creates “broker” between providers and users

“Passport is widely seen as Microsoft’s way to collect a % of every online sale” – WSJ 7/29/02

Centralised Management

● User and providers enroll with global identity operator
● Operator issues unique global identifier
● User can access all operator sites

Centralised Management

Pros
● Single source of control/audit
● Enables common service model
● Can be delivered now (e.g. Athens)

Cons
● Security/Privacy
  – tracking possible without permission
  – operator controls some profile data
● Does not mirror real world trust relationships
● Operator has control over access device

Federated Management

[Figure: JISC, University Dept, PORTAL, NUS, Univ A, Univ B, LEA linked account to account]

● Based on account “chaining”
● No unique global identifier
● User and services need to be explicitly linked

Federated Management

Pros
● User has complete control over who/what to share
● Nodes have complete control over profile data
● Incremental profile sharing possible
● Opportunity for Identity service providers

Cons
● Profile data may be inconsistent
● Requires standards to interoperate
● Lack of centralised control, if required

Federated Management

● Digital relationships can mirror the way we behave in the real world

● Allows users and service providers to better manage their data on their own terms, not those of a third party

● Allows separation of authentication from authorisation


A bit like ATM networks...

[Figure, banking row: Separate Cards with Each Bank (Bank A, B, C ATM Cards) → Linked Cards within Bank Networks (Bank ATM Networks A, B, C) → Seamless Access Across all Networks]

[Figure, web row: Individual Accounts with Many Web Sites (separate .com accounts) → Federated Accounts within Trust Domain → Linkage of Trust Domains]

Evolution of Federated Identity

[Figure: Identity Silos (John Smith #555-534-3321, JSmith #ADF-7-RF-3, JPSmith #3295) → Federated Linked Accounts → Circle of Trust (Bank, Airline sharing John Smith #555-534-3321 / JSmith #ADF-7-RF-3) → Linkage of Multiple Circles of Trust]

The Liberty Alliance: a Business Alliance to establish an open standard for federated network identity.

• Enable a broad range of platform neutral identity-based products and services. Deliverable is a set of specifications.

• Enable commercial and non-commercial organizations to realize new revenue and cost saving opportunities

• Enable businesses and consumers to better manage their data on their own business terms not somebody else’s

Over 100 members (8/02)

So what does it define?

Version 1.0
• Federated network identity
• B2B, B2C, B2E application support
• Opt-in account linking
• Simplified sign-on
• Security built across all the features and specifications
• Interoperability between existing legacy ID systems
• Authentication context
• Global log out
• Fixed and Wireless device support
• Pseudonyms

Future Versions
• Permissions-based attribute sharing
• Schema/protocols for core identity profile service
• Trust Circle Interoperability
• Delegation of authority to federate identities/accounts
• Interoperability for Network Identity enabled services (e.g. calendar, presence, geo-location, alerts…)
• Federated Network Identity enabled Commerce Transactions
• Payment Services


Liberty 1.0 protocols

● Three participants
– Principal, Service Provider, Identity Provider
● Four main functionalities:
– Authentication, Pseudonym, Identity Federation, Single Logout
● Four protocols:
– Single sign-on, Name registration, Federation Termination notification, Single Logout


Functionalities

Identity federation
● Principal is informed about Federation and Defederation
● SP and IP inform each other about defederation
● IP tells SP about account termination

Authentication
● support all methods of navigation
● IP and SP mutually authenticate each other
● support various types of auth mechanism
● IP and SP exchange minimal information about Principal


Functionalities

Pseudonym
● IP/SP support unique pseudonyms on a per Federation basis
● E.g. a Principal might be FredF to an IP and Flint001 to an SP

Single logout
● When a Principal logs out of an IP, all appropriate SPs will be notified
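The federation, pseudonym and single-logout behaviour described on the protocol and functionality slides above, as an added Python sketch; this is not Liberty Alliance or Sun code and uses no real Liberty message formats. The IdP issues a separate random pseudonym for each Principal/SP federation (so a Bank and an Airline each see a different, non-correlatable name), single logout notifies every SP with a live session, and federation termination is pushed to the SP so it forgets the link.

```python
import secrets

class ServiceProvider:
    """Relying party: knows the Principal only by an IdP-issued pseudonym."""
    def __init__(self, name):
        self.name = name
        self.federations = {}   # pseudonym -> SP-local account name
        self.sessions = set()   # pseudonyms with a live SP session

    def on_federate(self, pseudonym, local_account):
        self.federations[pseudonym] = local_account

    def on_defederate(self, pseudonym):
        # Federation termination notification: forget the link entirely
        self.federations.pop(pseudonym, None)
        self.sessions.discard(pseudonym)

class IdentityProvider:
    def __init__(self, sps):
        self.sps = {sp.name: sp for sp in sps}
        self.pseudonyms = {}   # (principal, sp name) -> opaque pseudonym

    def federate(self, principal, sp_name, local_account, consent):
        """Opt-in account linking: a fresh pseudonym per (Principal, SP) pair."""
        if not consent:
            raise PermissionError("Principal did not consent to federation")
        pseudonym = secrets.token_urlsafe(12)   # random, so SPs cannot correlate
        self.pseudonyms[(principal, sp_name)] = pseudonym
        self.sps[sp_name].on_federate(pseudonym, local_account)
        return pseudonym

    def single_sign_on(self, principal, sp_name):
        # Assert only this SP's pseudonym, never the IdP-side identity
        pseudonym = self.pseudonyms[(principal, sp_name)]
        self.sps[sp_name].sessions.add(pseudonym)
        return pseudonym

    def single_logout(self, principal):
        """Notify every SP holding a live session for this Principal."""
        notified = []
        for (p, sp_name), pseudonym in self.pseudonyms.items():
            if p == principal and pseudonym in self.sps[sp_name].sessions:
                self.sps[sp_name].sessions.discard(pseudonym)
                notified.append(sp_name)
        return sorted(notified)

    def terminate_federation(self, principal, sp_name):
        pseudonym = self.pseudonyms.pop((principal, sp_name))
        self.sps[sp_name].on_defederate(pseudonym)
```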


Protocols

● Each protocol may be implemented in more than one way – called a profile
● Four profiles defined
– Liberty Browser Artifact
– Liberty Browser POST
– Liberty WML POST
– Liberty Enabled Client/Proxy


Implementing Liberty

● Interoperability Prototype: open source Java implementation of Liberty 1.0 available now
● Sun ONE Identity Server 6.0
– 1st commercial Liberty enabled product
– Builds on Sun ONE stack (directory, policy management, delegated admin)
– Open standards support for Liberty, SAML, XML


Implementing Liberty

● Build basic infrastructure:
– start with an LDAP directory
● Consolidate Identity initiatives
– Interoperability is key
● Define Identity mgmt strategy
– Technologies and standards
– Auto provision / Principal self service
– Policy based entitlement; group definition and management


Agenda

● What is Network Identity?
● The problem we have today
● Centralised vs. Federated models
– Which is better?
● The Liberty alliance
● Demo
● Conclusions


Conclusions

● Federated identity solves the problems of identity in a way that empowers the Principal and the Service Provider
● Different circles of trust need to interoperate; THIS IS WHAT PROJECT LIBERTY ENABLES
● A good first step is to deploy LDAP


Possible applications of Federated Identity
● Lifelong learning
● Ubiquitous access to content/services
– Student: Halls, parents, nearest vacation uni
– Staff: home, office, sabbatical
– From whatever access device you have
● More power/flexibility to ACL
● Swifter take up of e-learning


Malcolm [email protected]