Review of OpenID

Overview

This project proposes to review the potential uses of OpenID in the UK academic community. It will do this by:

  • Determining potential use cases through structured interviews with a representative sample of stakeholders throughout the academic community;
  • Evaluating the potential use cases by performing a risk assessment of them using the known security and trust properties of OpenID, in order to determine a set of valid use cases;
  • Building working demonstrators to ensure our understanding of the technology is robust, to allow the community to experiment with OpenID within the context of the UK Access Management Federation, and, if possible, to address a sample of the valid use cases, using federation-compliant Identity Providers;
  • Producing a final report describing our conclusions and recommendations for the future use of OpenID in the UK academic community.

Aims and objectives

The primary aim of the project is to produce a report which will allow busy decision-makers to understand OpenID’s security properties well enough, and quickly enough, to apply it safely and avoid its potential security pitfalls. The report will be based on first establishing, by means of a survey, a sound understanding of how such decision-makers are likely to proceed in the absence of such guidance. The secondary aims are to develop bridging software that will allow OpenIDs from any source to be used as identities within the production UK (SAML) federation, creating opportunities for early adopters to experiment. We will also demonstrate a library-type service modified to make use of such identities.

Project methodology

The work will be structured as follows. First, a survey of potential deployers of OpenID technology will help establish how deployment is likely to proceed in the absence of further guidance and identify any common use cases, issues or misconceptions. This will include extended face-to-face interviews with example decision-makers to ensure two-way understanding. In parallel, the technical work will take place: creating a bridge node within the UK federation, which will allow experimental use of OpenIDs with (willing) UK federation service providers, and creating a demonstrator target service. Following the survey, the proposed applications of OpenID within the community will be subjected to detailed security analysis. Finally, a report based on these analyses should convey, as simply and clearly as possible, which potential applications are most likely to lead to the benefits of OpenID being realised without putting institutions or their users at undue risk, and which applications should be avoided in the current state of the technology.

Anticipated outputs and outcomes

Tangible deliverables:

  • a report giving guidance on useful and safe applications of OpenID technology in education
  • a UK federation identity provider that uses OpenID to authenticate its users
  • a UK federation service provider that can accept the identities issued by the identity provider in item 2, governed by a simple Access Control List maintained by the SP.

The most desirable outcome is that the project assists in the deployment of OpenID beyond the obvious minimal applications of blogs and wikis, contributing to simplified, unified access to resources across sectors, but safely. An outcome where the friction of moving between disparate resources is minimised should lead to the middleware becoming desirably invisible, thus avoiding distractions from real learning.

Technology / Standards used

| Name of standard or specification | Version | Notes |
| OpenID | 1.0 | May also support 2.0 but want interop with existing deployments |
| Shibboleth | 1.3 | 1.3 is both better understood and easier to integrate with new auth mechanisms than 2.0 |
| UK Fed. Tech. Recommend. For Participants | 1.1 | June 2007 |

Lead Institution

Project partners

NOTE: Due to recent increased demand for support from SDSS for the UK federation, this project is experiencing delays in completion. Please come back for updates.

Project Staff

Project Manager
  • Sandy Shaw, Senior Technical Officer, EDINA, University of Edinburgh, Causewayside House, Edinburgh, EH9 1PR s.shaw@ed.ac.uk

Summary
Start date: 3 December 2007
End date: 29 August 2008
Funding programme: e-Infrastructure Programme
Committees:
  • JISC Support of Research committee
Topic