Users ‘enthusiastic’ about the new technologies, says Elsevier’s Ale de Vries

Interview: Online publishers embrace federated access management

Federated access management can bring a wide range of benefits. As well as reducing the numbers of IDs which users have to remember when accessing resources, it can support more complex e-learning and e-research collaborations, and allow institutions to take greater control of access management procedures.

But the benefits are not confined to educational institutions. Publishers are also discovering the advantages of the new technologies.

‘It’s about people, not computers’

Elsevier is one of the largest online publishers in the world, publishing some 2,000 online journals, 160 book series and 50 reference works on its main full-text platform, ScienceDirect. Ale de Vries is one of the Product Managers for ScienceDirect, and one who has been closely involved in some far-reaching developments which are changing the ways in which users access vital online resources. He says that traditional authentication technologies can bring a wide range of benefits, but in the end cannot meet all the needs of users and institutions.

‘I think the main needs for organisations and individuals are to be able to provide organization-wide and non-discriminatory access to resources and to be able to access resources you are allowed to access, from wherever you are,’ he says.

He suggests that while the great benefit of the ‘blanket access’ granted by IP-based authentication – systems based on the unique number of each networked PC – is the delivery of anonymous access to a large group of people, the disadvantage is that ‘organisations will have to have a stable IP address or IP range for that.

‘Not all organisations have that luxury,’ he says. ‘IP addresses are tied to computers, and not to users. So whether users get access or not depends on what computers they’re using. That's a downside. Why should access be dependent on the computer you're using? It's about people, not computers.’

On the other hand, systems which use names and passwords can personalise access since these are tied to users, and can also enable remote access.

‘However,’ says de Vries, ‘this takes away the benefit of blanket, non-discriminatory access, and also leaves the end user personally identifiable. So,’ he suggests, ‘neither system can meet all user or organisational needs.’

Federated access management, says Ale de Vries, can answer these needs.

‘It offers far greater flexibility than traditional authentication methods,’ he suggests. It can also be supported by a range of technologies, including Athens IM, Guanxi, WS-Federation, Shibboleth and others. Institutions, as well as publishers, can choose which technologies to adopt, depending on their particular needs. ‘When you try to get into a website with protected access, the website has to know who you are in order to grant access. With technologies such as Shibboleth, instead of you telling a website who you are, you ask your institution – known as an identity provider – to tell the website who you are. So if you log in to a website, you're actually logging in to your college or university, who in turn will log you in to the web site you're trying to access.’

A ‘richer’ user experience 

‘The new technologies allow institutions to decide what information about users is sent to websites,’ he continues, ‘so if the website only needs to know that you're a researcher with university X to grant you access, then that's the only thing your university will tell the website about you. If the website also needs to know if you're in the Chemistry or in the Physics department to personalise your experience, then your university can also disclose that. All these little pieces of information that can be disclosed about end users are called “attributes”. There is a lot of flexibility in deciding what attributes are sent to websites, and with that, there is a lot of flexibility to decide how to personalise services based on that user information. This doesn't exist in traditional authentication methods. So these technologies allow personalized user experiences in a richer, better controlled and more secure manner.’
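The attribute release described above can be sketched as a per-website policy held by the identity provider. This is an added example, not code from Elsevier, Shibboleth or the interview; the entity IDs, user record, secret and the per-website pseudonym are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample data: all names, entity IDs and the secret are hypothetical.
IDP_SECRET = b"constructed-demo-secret"

USER = {
    "uid": "jsmith",
    "mail": "jsmith@university-x.example",
    "affiliation": "researcher",
    "organisation": "University X",
    "department": "Chemistry",
}

# Per-website release policy held by the institution (identity provider).
RELEASE_POLICY = {
    "https://journals.example/sp": {"affiliation", "organisation"},
    "https://elearning.example/sp": {"affiliation", "organisation", "department"},
}


def pseudonym(uid, sp_entity_id):
    """Opaque per-website identifier: stable for one site, unlinkable across sites."""
    msg = f"{uid}!{sp_entity_id}".encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def release_attributes(user, sp_entity_id):
    """Return only what the policy allows for this website; unknown sites get nothing."""
    allowed = RELEASE_POLICY.get(sp_entity_id)
    if allowed is None:
        return {}  # default deny: no policy entry means no attributes are sent
    released = {name: user[name] for name in sorted(allowed) if name in user}
    released["pseudonym"] = pseudonym(user["uid"], sp_entity_id)
    return released


if __name__ == "__main__":
    for sp in list(RELEASE_POLICY) + ["https://unknown.example/sp"]:
        print(sp, release_attributes(USER, sp))
```

The journal site learns only the affiliation and organisation, the e-learning site additionally learns the department, and neither receives the login name or e-mail address.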

Workshops held with customers four years ago led to an early decision by Elsevier to implement Shibboleth technologies, an open source system developed by Internet2, on ScienceDirect. A successful pilot in 2004 involving five US universities explored some of the challenges involved, and subsequent implementation has seen some of the early difficulties ironed out and users of ScienceDirect enthusiastic.

‘Customers are responding quite well,’ says Ale de Vries, ‘to the extent that they are actually becoming familiar with these initiatives. Few customers are aware of the emergence and benefits of these new technologies, and even fewer are actually actively involved in their development. However, more and more national initiatives are starting up, with organisations like JISC and SURF in the Netherlands representing their national academic communities - and without exception they are acknowledging the potential and are very enthusiastic about it. Because of this, there is definitely a strong preference for these types of authentication technologies over older technologies. But the adoption is largely up to the end user, not to the facilitating parties.’

Institutional challenges

Although federated access management is becoming the international standard, there are considerable challenges faced not only by publishers but by colleges and universities as they transition from the ‘older technologies’. How can both communities be supported in making these far-reaching changes? And what are the particular challenges?

‘I see a large role for JISC here,’ says Ale de Vries. ‘They are doing great work, but I think that the complexity of the technology in general, and the scale of things in the UK, in particular, pose challenges. First of all, universities need to be supported in their transition, and I think the roadmap and the three generic implementations outlined by JISC provide a good framework for tackling the technological and operational challenge. The high uptake of Athens provides a good starting point for large-scale adoption of Shibboleth and other systems.’

JISC’s work in setting up the Middleware Assisted Take-Up service (MATU), based at Eduserv, to support institutions in making the transition, its establishing of the UK Access Management Federation to be run by UKERNA, its setting out of the three strategic options open to institutions and its funding of early adopter projects draw praise from Ale de Vries. So does its targeted advice and guidance to publishers, issued in February.

‘JISC has been very helpful in clearing up the UK situation for us,’ he says. ‘Initially, charting the landscape was difficult because we weren't sure what role Eduserv was going to play, and there were some relatively isolated initiatives going on. I think this is the fate of the early adopter - you are, often quite literally, moving into uncharted territory in which things haven't really settled yet. I think that JISC started to play a more central role at a good point in time for those early adopters, and from what I am seeing they are now providing a good platform for late adopters to explore the landscape and move forward.’

‘However, there is the risk,’ he continues, ‘that partly because of JISC's involvement, universities in the UK will adopt federated access management at a higher pace than the services they have access to. There might be some room for improvement in how resource providers are guided towards adoption, perhaps by providing them with starting points for adopting the technology, sharing best practice, and getting them in touch with, for example, the SDSS federation – the pilot UK Federation - if they want to pilot their implementations.’

‘Get on board!’

While large publishers like Elsevier might have the resources to make the significant changes needed to make the transition to federated access management, what of the smaller publishers? Is there a danger that some might be left behind? 

‘The further the technology is developed and implementation is standardised,’ de Vries replies, ‘the lower the cost will be. Obviously, for a really small online publisher any cost is significant - but I think the main challenge for a small publisher is securing the skills needed for implementation. Shibboleth and related technologies are quite new and complex, and you really need good IT professionals with some time on their hands to master the technology, if you want to do everything in-house. I think there is definitely room for technology vendors and consultants in this area, and especially third-party hosting platforms can provide added value to small publishers here.’

But federated access management has many significant advantages for online publishers, says Ale de Vries, adding a particular and very direct message to those who have not yet become involved: ‘Get on board,’ he says enthusiastically. ‘Shibboleth and other federated authentication schemes are not widely deployed yet, and the vast majority of our users are still relying on IP-based or username and password access. But there's more than publishing that drives adoption.

‘Federated authentication is increasingly used for institutional resources, e-learning environments, and even in the public services sector - and is actually also moving into the consumer market area. For example, Microsoft will be releasing a new Windows version next year that deploys a federated authentication scheme called Cardspace. This could cause the adoption of federated authentication to pick up speed fast. Also, I have personally found out that active participation in developments is a great way to reach out to, and be involved in, the academic community - which is something each publisher can benefit from.’

For further information

UK Access Management Federation 

Access Management - JISC’s advice to publishers 

Middleware Assisted Take-Up service 
