JISC has been supporting access management services for the UK Further and Higher Education communities for many years. For the last ten years JISC has provided Athens, an access management service run by Eduserv. However, the Athens service is proprietary in nature, requires a lot of maintenance and is not standard-based. For the last two years, JISC has been investing significant funds and effort into developing a new generation access management service based on the new Shibboleth technology. JISC has announced that it will stop funding the Athens service by July 2008.
The JISC-funded Core Middleware: Technology Development and Core Middleware: Infrastructure Programmes have facilitated the development and testing of a range of Shibboleth-based technologies and have given HE institutions an opportunity to explore the new technologies by becoming Early Adopters. In order to provide support for the Early Adopters, JISC awarded Eduserv the contract to operate the Middleware Assisted Take-up Service (MATU). The purpose of the MATU was to provide a helpdesk, advice, training and support for the institutions taking part in the Shibboleth Early Adopter Programme.
After several years of research, Becta, JISC’s equivalent for the School sector, has also come to the conclusion that a federated access management service based on Shibboleth would be the most suitable solution for providing secure access to online educational resources. JISC and Becta are working together on the development of the UK Access Management Federation for Education and Research, due to go live at the end of November 2006. JANET has been awarded the contract to run the Federation on behalf of JISC and Becta.
JISC has established the Access Management Transition Programme to assist institutions across the Higher Education and Further Education sectors in the adoption of the new access management service. With six hundred and forty one institutions to be taken care of, it is vital that there is an effective support mechanism in place to help institutions manage the transition. It is, therefore, necessary to move away from the project support MATU service, designed to provide support to the Early Adopters, towards a whole-sector support service. This is a challenging task, due to the complex nature of the technical area, the diversity and size of the sectors in question, and the different levels of institutional readiness to adopt the new technology.
For those reasons, it would not be appropriate for this support function to be absorbed by any other JISC service. A comprehensive review of the MATU service was undertaken in order to determine the most appropriate way forward. The review report suggested several possible courses of action and was presented to the Core Middleware Advisory Board (CMAB). CMAB recommended disaggregating the MATU support functions to be managed by JISC, the Federation and the service partners (e.g. JANET, SDSS). This was later agreed by the JISC Integrated Information Environments Committee (JIIE).
This project is responsible for delivering against PKG06 in the JISC Access Management Transition Programme Plan. The project will commence in January 2007 (the current MATU contract ends in December 2006) and will finish in December 2008.
Aims, Objectives and Scope
The main aim of this project is to bring UK Higher and Further Education institutions to IdP (Identity Provider) readiness by providing appropriate training and support.
The specific objectives of this project are to:
- Support institutions in choosing the most appropriate route for implementing the new access management system (as detailed in the ‘Roadmap for institutions’ document, see Annex 1)
- Provide practical training in all the steps required by institutions to implement federated management (see Annex 1)
- Provide onsite support for institutions
- Provide helpdesk and mailing list support
- Develop, organise, store and promote public documentation generated by the Access Management Transition Programme (e.g. training materials, case studies, presentations)
- Ensure easy public access to all related information, documentation etc by creating and maintaining the Assisted Take-up website
Scope and Methodology
The Assisted Take-up service will be provided by JISC in close collaboration with JANET and SDSS (responsible for PKG01-02 - Federation), BECTA (School sector support) and Eduserv (PKG05 – Gateway support). The service will be managed by Nicole Harris, the Access Management Transition Programme Manager, and led by the JISC Executive. The Assisted Take-up service will work closely with the new Outreach team (PKG07-09, 14-15 – Service Provider support, Outreach Programme, inter(national) liaison). The PERSEUS Project at the London School of Economics will provide direct support to the service in the form of 0.1 fte of Project Manager and 1.0 fte of Project Officer (as detailed in PID-006; PKG16 – Scoping new assisted take-up and outreach programmes). PERSEUS has been granted a one-year extension to support the work of the Transition Programme by helping the JISC Programme Management to scope and embed the assisted take-up and outreach plans. The Transition Plan high-level work package descriptions are attached for reference (Annex 2).
As mentioned earlier, the Access Management Transition Programme has produced a roadmap document detailing the six necessary steps that institutions have to follow in order to implement the new federated access management system (Annex 1):
- Institutional audit
- Directory development
- Authentication development
- IdP software implementation
- Joining the Federation
- Institutional roll-out
The document also describes the three choices available to institutions and the associated benefits and costs:
- ‘Become a full member of the Federation, using community-supported tools
- Become a full member of the Federation, using tools with paid-for support
- Subscribe to an ‘outsourced Identity Provider’ to work through the Federation on the institution’s behalf, such as continued use of Athens with the Athens-to-Shibboleth and Shibboleth-to-Athens Gateways’.
The first choice will require institutions to join the Federation by following the six Steps described in the Roadmap document. The Transition Programme team is currently in the process of investigating companies that could support the second option, such as Salford Software. Continued use of Athens will be a logical choice for some institutions. The JISC-sponsored Gateways, provided by Eduserv, allow Shibboleth-enabled organisations to access Athens-protected resources, and Athens users to access Shibboleth-enabled resources.
The Assisted Take-up support service will use the institutional roadmap document as a framework for planning and delivery of all its support functions, particularly the training.
The new ATU service will have a dedicated website (a sub-site of the Federation website) that will provide a public gateway to all related information and resources, such as training documents, presentations, useful links etc. The Federation website is hosted and maintained by JANET (in consultation with JISC) and is currently under development. The ATU website will be clearly branded as part of the Federation website to provide consistency of service but will, in effect, be a separate website. The current proposal is to host the ATU website within the new JISC content management system. In addition to new information and resources, the new ATU website will make use of the documents and materials collected and/or produced by the MATU service. The Federation website (with its ATU part) will provide the first port of call for the education community, so it is very important that careful thought is put into its overall structure (e.g. clearly labelled sections for institutions and Service Providers, links to relevant documents), appearance and maintenance. It should also provide links to the project’s partners, such as Becta.
Helpdesk and Mailing List Support
The ATU service will provide helpdesk and mailing list support to institutions. The first line of support will be provided by the JANET helpdesk with additional support from JANET and SDSS. There are plans to recruit a dedicated member of staff that could respond to mailing list queries promptly and efficiently.
Training and onsite support
Carefully planned, flexible and comprehensive training opportunities are crucial to the national take up of the new federated management service. Therefore, the ATU service will deliver training in a variety of formats, including events, workshops, bootcamps, case studies and presentations. There are also plans to create podcasts of some of the presentations.
It is important that the training programme planned and delivered by the service reflects the varied institutional requirements and is very practical in nature. Other training requirements include:
- Flexible (SAML-based technologies are still in a state of active development, so the training programme needs to be flexible to reflect that)
- Hands-on (although some general awareness training will be needed, most of the training needs to be very practical in nature, e.g. ‘what do I need to do to get my institutional directory to work and how do I go about it’)
- Portable (self-contained training units that can be delivered by different trainers or even as self-taught online modules)
- Available in a range of formats, depending on needs (2-3 day boot camps as core training plus supporting events, workshops, surgeries, installfests, case studies etc)
- Aimed at different audiences and levels of technical expertise.
Although it is recognised that it will not be possible to cover all institutional scenarios and individual requirements, training is likely to be the most difficult support area to scope and deliver. In order to get a better idea of training requirements and the state of institutional preparedness for federated access management, the Transition Programme has recently undertaken an ‘Institutional Preparedness Study’. The results of the study are currently being analysed.
It may be possible to deliver training in three phases:
- Phase 1 Develop and deliver training for Step 4 of the Roadmap to ‘fast track’ Early Adopters (most will have completed Steps 1-3 of the Roadmap, some even Steps 1-4) with Steps 5-6 to follow shortly
- Phase 2 Prioritise/‘fast track’ other organisations that are at early stages but are committed and recognise the need to act quickly (the ‘Preparedness Study’ will be very useful for identifying those institutions). Some of those institutions may also be ready for Step 4.
- Phase 3 Develop training for Steps 1-3 for institutions that are approaching at a slower pace.
Training for Step 5 (Joining the Federation) will be developed and delivered by JANET. JISC is currently looking at choosing outside training providers, such as Netskills, to develop and deliver the rest of the training programme. Due to the volume of training required, it is envisaged that some training will be free to institutions and some will be provided on a cost recovery basis.
Another important aspect of support is onsite support. There are many models for providing onsite support. For example, one of the Early Adopter projects, KC-ROLO at Kidderminster College, has been doing an effective job in this area. It is possible that initial onsite support can be delivered by the Outreach team.
There is already a wealth of useful documentation that can be made available to the community (e.g. roadmaps, case studies, presentations etc.), thanks to the Core Middleware Programmes. All documentation and materials collected and/or produced by the MATU service will be transferred to the new service and made available on the ATU website.
With the volume of relevant information growing rapidly, it has been decided to set up a searchable repository of project outputs. This work is currently in progress. A document review will be undertaken prior to populating the repository with content. The review will also help organise content on the new ATU website (e.g. links to documents relevant for each step in the ‘roadmap’ document).
Project planning and implementation
A detailed operational plan for the ATU service will be produced by the Access Management Transition Programme Manager and PERSEUS, in close collaboration with the newly appointed Transition Programme Outreach team, JANET and SDSS. The project will be rolled out in two phases. The first phase will be to scope all the options for each support function and write an operational plan, and the second phase will be to implement the operational plan.
The project is primarily responsible for Workpackage 6 in the High-level Transition Programme Plan. The project will be managed by the Transition Programme Manager with support from the PERSEUS project (PKG16 – Scoping new assisted take-up and outreach programmes).