Interview: Online publishers embrace federated access management
Users ‘enthusiastic’ about the new technologies, says Elsevier’s Ale de
Vries
Federated access management can bring a wide range of benefits. As well as
reducing the numbers of IDs which users have to remember when accessing
resources, it can support more complex e-learning and e-research
collaborations, and allow institutions to take greater control of access
management procedures.
But the benefits are not confined to educational institutions. Publishers
are also discovering the advantages of the new technologies.
‘It’s about people, not computers’
Elsevier is one of the largest online publishers in the world, publishing
some 2,000 online journals, 160 books series and 50 reference works on its
main full-text platform, ScienceDirect. Ale de Vries is one of
the Product Managers for ScienceDirect, and one who has been closely
involved in some far-reaching developments which are changing the ways in
which users access vital online resources. He says that traditional
authentication technologies can bring a wide range of benefits, but in the
end cannot meet all the needs of users and institutions.
‘I think the main needs for organisations and individuals are to be able
to provide organization-wide and non-discriminatory access to resources
and to be able to access resources you are allowed to access, from
wherever you are,’ he says.
He suggests that while the great benefit of the ‘blanket access’ granted by
IP-based authentication – systems based on the unique number of each
networked PC – is the delivery of anonymous access to a large group of
people, the disadvantage is that ‘organisations will have to have a stable
IP address or IP range for that.
‘Not all organisations have that luxury,’ he says. ‘IP addresses are tied
to computers, and not to users. So whether users get access or not
depends on what computers they’re using. That's a downside. Why
should access be dependent on the computer you're using? It's
about people, not computers.’
On the other hand, systems which use names and passwords can personalise
access since these are tied to users, and can also enable remote access.
‘However,’ says de Vries, ‘this takes away the benefit of blanket,
non-discriminatory access, and also leaves the end user personally
identifiable. So,’ he suggests, ‘neither system can meet all user or
organisational needs.’
Federated access management, says Ale de Vries, can answer these needs.
‘It offers far greater flexibility than traditional authentication
methods,’ he suggests. It can also be supported by a range of
technologies, including Athens IM, Guanxi, WS-Federation, Shibboleth and
others. Institutions, as well as publishers, can choose which
technologies to adopt, depending on their particular needs. ‘When
you try to get into a website with protected access, the
website has to know who you are in order to grant access. With
technologies such as Shibboleth, instead of you telling a website who you
are, you ask your institution – known as an identity provider – to tell
the website who you are. So if you log in to a website, you're
actually logging in to your college or university, who in turn will log
you in to the web site you're trying to access.’
A ‘richer’ user experience
‘The new technologies allow institutions to decide what information about
users is sent to websites,’ he continues, ‘so if the website only needs
to know that you're a researcher with university X to grant you
access, then that's the only thing your university will tell the
website about you. If the website also needs to know if you're in the
Chemistry or in the Physics department to personalise your experience,
then your university can also disclose that. All these
little pieces of information that can be disclosed about end users are
called “attributes”. There is a lot of flexibility in deciding what
attributes are sent to websites, and with that, there is a lot of
flexibility to decide how to personalise services based on that user
information. This doesn't exist in traditional authentication
methods. So these technologies allow personalized
user experiences in a richer, better controlled and more secure
manner.’
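
The attribute release described above can be sketched in a few lines. This is an added illustration, not code from Elsevier, Shibboleth or the interview; the user record, site URLs, release policy and role names are constructed, and signing and transport of the statement are left out. It also goes one step beyond the interview by having the website check that the affiliation's scope belongs to the institution that issued it.

```python
# Constructed sample data throughout; names and URLs are hypothetical.
DIRECTORY = {  # what the university (identity provider) knows about a user
    "jdoe": {"name": "Jane Doe", "mail": "jdoe@university-x.example",
             "affiliation": "researcher@university-x.example",
             "department": "Chemistry"},
}
RELEASE_POLICY = {  # the institution decides what each website receives
    "https://journals.example": ["affiliation"],
    "https://portal.example": ["affiliation", "department"],
}
IDP = "https://idp.university-x.example"


def release(user, website):
    """Identity-provider side: build the statement sent to one website."""
    allowed = RELEASE_POLICY.get(website, [])  # unknown website: release nothing
    record = DIRECTORY[user]
    attrs = {k: record[k] for k in allowed if k in record}
    return {"issuer": IDP, "audience": website, "attributes": attrs}


# Website side: licensed institutions and the scope each one may assert.
TRUSTED = {"https://idp.university-x.example": "university-x.example"}
ROLES = {"researcher", "student", "staff"}


def decide(statement, me):
    """Website side: grant access from attributes alone, then personalise."""
    scope = TRUSTED.get(statement["issuer"])
    if scope is None or statement["audience"] != me:
        return {"access": False, "reason": "untrusted issuer or wrong audience"}
    role, _, claimed = statement["attributes"].get("affiliation", "").partition("@")
    if role not in ROLES or claimed != scope:
        return {"access": False, "reason": "affiliation missing or out of scope"}
    dept = statement["attributes"].get("department")  # optional attribute
    return {"access": True, "role": role, "homepage": dept or "general"}


if __name__ == "__main__":
    for site in RELEASE_POLICY:
        print(site, decide(release("jdoe", site), site))
```

Neither site ever receives the user's name or e-mail address: the journal site grants access on the affiliation alone, and only the portal, which is also sent the department, can personalise.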
Workshops held with customers four years ago led to an early decision by
Elsevier to implement Shibboleth technologies, an open source system
developed by Internet2, on ScienceDirect. A successful pilot in 2004
involving five US universities explored some of the challenges involved,
and subsequent implementation has seen some of the early difficulties
ironed out, and users of ScienceDirect are enthusiastic.
‘Customers are responding quite well,’ says Ale de Vries, ‘to
the extent that they are actually becoming familiar with
these initiatives. Few customers are aware of the emergence and
benefits of these new technologies, and even fewer are actually actively
involved in their development. However, more and more national initiatives
are starting up, with organisations like Jisc and SURF in the Netherlands
representing their national academic communities - and without exception
they are acknowledging the potential and are very enthusiastic about it.
Because of this, there is definitely a strong preference for these
types of authentication technologies over older technologies. But the
adoption is largely up to the end user, not to the facilitating parties.’
Institutional challenges
Although federated access management is becoming the international
standard, there are considerable challenges faced not only by publishers
but by colleges and universities as they transition from the ‘older
technologies’. How can both communities be supported in making these
far-reaching changes? And what are the particular challenges?
‘I see a large role for Jisc here,’ says Ale de Vries. ‘They are doing
great work, but I think that the complexity of the technology in general,
and the scale of things in the UK, in particular, pose challenges. First
of all, universities need to be supported in their transition, and I
think the roadmap and the three generic implementations outlined by
Jisc provide a good framework for tackling the technological and
operational challenge. The high uptake of Athens provides a good starting
point for large-scale adoption of Shibboleth and other systems.’
Jisc’s work in setting up the Middleware Assisted Take-Up
service (MATU), based at Eduserv, to support institutions in
making the transition, its establishing of the UK Access Management
Federation to be run by UKERNA, its setting out of the three
strategic options open to institutions and its funding of early adopter
projects all draw praise from Ale de Vries. So does its targeted advice and
guidance to publishers, issued in February.
‘Jisc has been very helpful in clearing up the UK situation for us,’ he
says. ‘Initially, charting the landscape was difficult because we
weren't sure what role Eduserv was going to play, and there were some
relatively isolated initiatives going on. I think this is the fate of the
early adopter - you are, often quite literally, moving into uncharted
territory in which things haven't really settled yet. I think that
Jisc started to play a more central role at a good point in time for
those early adopters, and from what I am seeing they are now providing a
good platform for late adopters to explore the landscape and move
forward.’
‘However, there is the risk,’ he continues, ‘that partly because of
Jisc's involvement, universities in the UK will adopt federated
access management at a higher pace than the services they have access to.
There might be some room for improvement in how resource providers are
guided towards adoption, perhaps by providing them with starting points
for adopting the technology, sharing best practice, and getting them in
touch with, for example, the SDSS federation – the pilot UK Federation –
if they want to pilot their implementations.’
‘Get on board!’
While large publishers like Elsevier might have the resources to make the
significant changes needed to make the transition to federated access
management, what of the smaller publishers? Is there a danger that some
might be left behind?
‘The further the technology is developed and implementation is
standardised,’ de Vries replies, ‘the lower the cost will be. Obviously,
for a really small online publisher any cost is significant - but I think
the main challenge for a small publisher is securing the skills needed
for implementation. Shibboleth and related technologies are quite new and
complex, and you really need good IT professionals with some time on
their hands to master the technology, if you want to do everything
in-house. I think there is definitely room for technology vendors and
consultants in this area, and especially third-party hosting platforms
can provide added value to small publishers here.’
But federated access management has many significant advantages for online
publishers, says Ale de Vries, adding a particular and very direct message
to those who have not yet become involved: ‘Get on board,’ he says
enthusiastically. ‘Shibboleth and other federated authentication schemes
are not widely deployed yet, and the vast majority of our users are still
relying on IP-based or username and password access. But there's more
than publishing that drives adoption.
‘Federated authentication is increasingly used for institutional resources,
e-learning environments, and even in the public services sector - and is
actually also moving into the consumer market area. For example, Microsoft
will be releasing a new Windows version next year that deploys a federated
authentication scheme called Cardspace. This could cause the adoption of
federated authentication to pick up speed fast. Also, I have personally
found out that active participation in developments is a great way to reach
out to, and be involved in, the academic community - which is
something each publisher can benefit from.’
For further information
UK Access Management Federation