JISC is devoting significant funds to the development and implementation of the next generation access-management service, based on Shibboleth technology. This will have significant implications for FE and HE institutions. Here are some of the most common questions about the new service.

Frequently Asked Questions on Access Management

  1. What is access management?
  2. What is federated access management?
  3. What are the reasons for moving from Athens to federated access management?
  4. What is Shibboleth?
  5. What technologies does Shibboleth use?
  6. What are the benefits of using Shibboleth?
  7. What does Shibboleth mean and where does the name come from?
  8. What is the latest version of Shibboleth software?
  9. What is SAML?
  10. What is a federation?
  11. How can I join the UK federation as an Identity Provider?
  12. How can I join as a Service Provider?
  13. What if my institution decides not to adopt Shibboleth technology?
  14. Can I use commercial products?
  15. What will be the costs of joining the UK federation?
  16. How will JISC support my institution to meet any of these costs?
  17. What do I need to do now?
  18. What is the last point at which my institution can make a decision about joining the UK federation?
  19. What will happen to Athens?
  20. What will happen to Athens after July 2008?
  21. What is the difference between Shibboleth and AthensDA? 
  22. What is OpenAthens and what is its relationship with the UK federation?
  23. How can my institution get support and guidance about the transition?
  24. Is this the same for FE as it is for HE?
  25. What next?
  26. Where can I find out more on the terminology?

1. What is Access Management?

Access Management is the term used to describe the process of permitting access to protected online information, usually in the context of web pages or web based applications. It describes both the means by which an online information resource decides whether to allow access to a protected area, and also the administrative process of allowing access for approved individuals.

For more information on access management, please go to the Introduction page.

2. What is Federated Access Management?

Federated Access Management builds a trust relationship between Identity Providers (IdP) and Service Providers (SP). It devolves the responsibility for authentication to a user's home institution, and establishes authorisation through the secure exchange of information (known as attributes) between the two parties.

JISC has moved away from the Athens service in favour of a new generation access management service. This new service is based on Shibboleth, a federated access management technology developed by the Internet2 group.

For more information on federated access management, please go to the Introduction page.

3. What are the reasons for moving from Athens to federated access management?

The Athens service has not ceased, so you are welcome to continue using it (see below). However, adopting a federated access management system based on Shibboleth technology offers a number of advantages for institutions and users. In particular, it meets the evolving needs of e-learning and e-research communities for a single access management system that supports a range of authentication scenarios, including access to internal resources, external resources and collaborative requirements. Continued use of Athens will only allow access to external, third-party resources.

In addition, while the UK has been using Athens, other countries have developed their own solutions to the problem of accessing multiple resources with a single identity. Shibboleth, which is a product of the US's Internet2 initiative, has emerged as the frontrunner for the most widely-adopted standards-based approach.

Shibboleth also separates authentication from authorisation. Authentication is controlled by the user's home institution and authorisation is based on user attributes and controlled by the service provider. Users don't have to acquire and remember a separate identity for accessing protected services - they simply use their local institutional username and password. This should increase the use of subscribed services.

JISC's contract with Athens was renewed in July 2006, and ran for two years, until July 2008. Athens will continue to be available to institutions beyond July 2008 on a subscription basis.

4. What is Shibboleth?

Shibboleth is an open source technology that enables federated access management, developed by the Internet2 Group. It both triggers the authentication process within an institution, and supports the secure exchange of information to establish authorisation.

Shibboleth is an implementation of an open standard known as SAML (Security Assertion Markup Language). There are several alternative Shibboleth implementations, such as the Guanxi implementation.

Find out more about Shibboleth and how it works.

5. What technologies does Shibboleth use?

The Identity Provider software is written in Java and can run on both Windows and Unix. The target (Service Provider) software is written in C++ and can also run on Windows and Unix. Shibboleth itself is a profile of SAML, an XML language for exchanging security information. The protocol uses HTTP over SSL to transport information between entities.

6. What are the benefits of using Shibboleth?

Users will have a single sign-on using an institutional ID and password for a wide range of resources, as well as the assurance that their personal data will not be disclosed to third parties.

Librarians will be free of the burden of user name and password administration, and will have new tools for managing licenses and service subscriptions.

IT managers will have more control of the access management process through enhancements to enterprise directories, although this will require additional institutional effort in the short term.

Institutions will have a single service to meet the requirements of e-learning, e-research and library-managed resources. Simplification of the authentication process has also proven to lead to increased use of subscribed services.

7. What does Shibboleth mean and where does the name come from?

Shibboleth is a Hebrew word that means an ear of corn, stream or flood. The word comes from the Old Testament (Judges 12:1-6). The Ephraimites who lived to the west of the river Jordan invaded Gilead on the other side of the river and were defeated. Retreating, their way was blocked by the Gileadites who controlled the fords. They had different accents and the Ephraimites pronounced the "sh" sound as "si". To differentiate friend from foe, those crossing the river were asked to pronounce the word "shibboleth". According to the bible, the 42,000 who pronounced it "sibboleth" were killed.

Therefore it has come to mean a word or sound which a person is unable to pronounce correctly; a word used as a test for detecting foreigners, or persons from another district, by their pronunciation. In this context, it is used in the wider sense of a catchword or formula adopted by a party or sect, by which their adherents or followers may be discerned, or those not their followers may be excluded.

8. What is the latest version of Shibboleth software?

The latest version of the Shibboleth software is 2.0. To find out more, please go to the Shibboleth Downloads page on the Internet2 website.

9. What is SAML?

Shibboleth is an implementation of an open standard known as SAML (Security Assertion Markup Language). SAML is an XML-based architecture, framework and protocol for the secure exchange of security credentials between separate security domains. SAML is a standard, ratified by OASIS (Organisation for the Advancement of Structured Information Standards). The goal of SAML is to provide a standard mechanism and language for the exchange of security-related information between organisations (or across distinct units of a single organisation). SAML works on a federated trust model, where mutual trust between participating organisations is established to allow secure interactions between them.
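
As an added illustration of the trust model described in questions 2, 3 and 9 (this is not code from Shibboleth, JISC or the UK federation), the Python below shows the checks a Service Provider applies to a SAML assertion before granting access: the issuer is a federation member, the assertion is current and addressed to this service, and the affiliation attribute carries a scope that Identity Provider may assert. The entity IDs, scope, licence set and sample assertion are constructed, the function name `authorise` is hypothetical, and XML signature verification is assumed to have happened before the function is called.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation
# Constructed federation metadata: IdP entity ID -> scopes it may assert.
FEDERATION_IDPS = {"https://idp.example.ac.uk/shibboleth": {"example.ac.uk"}}
SP_ENTITY_ID = "https://journals.example.org/shibboleth"  # constructed
LICENSED = {"member", "staff", "student"}  # hypothetical licence terms

# Constructed SAML 2.0 assertion; a real one carries an XML signature.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2008-07-01T09:00:00Z">
  <saml:Issuer>https://idp.example.ac.uk/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2008-07-01T09:00:00Z"
                   NotOnOrAfter="2008-07-01T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://journals.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9">
      <saml:AttributeValue>student@example.ac.uk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def authorise(assertion_xml, now):
    """Return (allowed, reason); signature assumed verified by the caller."""
    # Production code should use a hardened XML parser for untrusted input.
    a = ET.fromstring(assertion_xml)
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in FEDERATION_IDPS:  # trust comes from federation membership
        return False, "issuer is not a federation member"
    cond = a.find("saml:Conditions", NS)
    try:
        valid = _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        valid = False  # missing or malformed conditions fail closed
    if not valid:
        return False, "assertion outside its validity window"
    audiences = {e.text.strip() for e in cond.iterfind(".//saml:Audience", NS) if e.text}
    if SP_ENTITY_ID not in audiences:
        return False, "assertion was issued for another service"
    # The SP authorises on attributes only; it never sees the user's password.
    path = ".//saml:Attribute[@Name='%s']/saml:AttributeValue" % AFFILIATION
    for value in a.iterfind(path, NS):
        role, _, scope = (value.text or "").strip().partition("@")
        if role in LICENSED and scope in FEDERATION_IDPS[issuer]:
            return True, "licensed affiliation %s@%s" % (role, scope)
    return False, "no licensed affiliation asserted by this IdP"
```

The scope check matters because an Identity Provider that is a legitimate federation member could otherwise assert an affiliation with another institution's domain.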

10. What is a federation?

A federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access and use of resources and services. The federation combined with identity management software within institutions and organisations can be referred to as federated access management.

How authentication is carried out by the institution and how rights management is carried out by the service provider is left up to the respective parties. In doing so, Shibboleth depends on a certain level of trust. These trust agreements are managed by Federations. Federations are typically being established at a national level.

The UK federation is called the UK Access Management for Education & Research. It is run by JANET(UK), building on the experiences of a successful pilot federation at EDINA (a JISC data centre), on behalf of JISC and Becta.

Examples of other federations include:

Other federations include:

11. How can I join the UK federation as an Identity Provider?

JISC recommends that all institutions carry out an institutional audit, and include these developments within the Information Strategy. A potential Identity Provider will need to carry out the following activities:

  • Review the information structure within its institutional directory and ensure that it meets the required standards for exchanging information.
  • Adopt a Single Sign-On or Common ID Solution for authentication.
  • Implement Identity Provider software.
  • Join the Federation (see the Federation website).
  • Roll out the service within the institution.

The Federation roadmap document produced by JISC gives a simple visual explanation of these processes and choices available to institutions.

For more information, go to the Identity Provider page.

12. How can I join the UK Federation as a Service Provider?

A potential Service Provider will need to carry out the following activities:

  • Review the information structure within its organisational directories and databases and ensure that it meets the required standards for exchanging information.
  • Implement service provider software.
  • Join the Federation (see the Federation website).
  • Roll out the service to user groups.

For more information, go to the Service Provider page.

13. What if my institution decides not to adopt Shibboleth technology?

A third option is available: subscribing to an 'outsourced Identity Provider' that works through the federation on your institution's behalf. The costs of this option include the subscription costs to the external supplier (from July 2008) and internal administration.

14. Can I use commercial products?

Institutions are free to choose either open-source or commercial products. The products chosen must be SAML-compliant, and meet the requirements of the federation. Recommendations can be found in the UK Federation Policy Documents.

15. What will be the costs of joining the UK federation?

Membership of the UK federation is free at the point of use for both Identity Providers and Service Providers within or serving the UK HE and FE community.

Costs of implementing the federated access management solutions will depend on the model chosen by institutions or service providers. There are two options:

  • Adopt technologies using community supported (or open-source) tools. This will mainly involve internal costs in terms of the effort required to implement the solutions.
  • Adopt technologies using tools with paid-for support.

It is estimated that the up-front costs of adopting federated access management range from £5,000 for a simple implementation to £150,000 for a full directory replacement project. Pragmatic costs are recommended at £40,000 for large institutions and £10,000 for small institutions.

16. How will JISC support my institution to meet any of these costs?

JISC is providing extensive support mechanisms for institutions wishing to adopt federated access management solutions.

17. What do I need to do now?

It is important to emphasise that institutions will have choices, and that these choices should be supported by informed decisions. The potential models for adoption are outlined above and in the briefing papers recently sent out to institutions. Institutions should now consider how well each of these models fits with their IT strategy. Case studies, reports and advice are all available from JISC. Please see the Identity Provider and Service Provider pages for more information.

18. What is the last point at which my institution can make a decision about joining the UK federation?

If you are currently using Athens, you can join the UK Access Management Federation at any time from November 2006 onwards. There is no end date for the Athens service.

19. What will happen to Athens?

Athens is still fully supported and available from Eduserv on a subscription basis. Athens products are compatible with the UK federation.

20. What will happen to Athens after July 2008?

Athens will continue to be available to institutions beyond July 2008 on a subscription basis. The new OpenAthens product is compatible with the SAML standard and can be used by members of the UK federation for both Identity Provider and Service Provider software. For more information about OpenAthens please visit the Athens website.

21. What is OpenAthens and what is its relationship with the UK federation?

Q: Does an institution planning to use Athens post July 2008 need to join the UK federation?

A: YES. There are some resources that will only be offering access via the UK federation (e.g. BBC Motion Gallery) and the only way that Athens institutions will be able to access these resources is if they are a member of the UK federation.

Q: How does an institution planning to use Athens post July 2008 join the UK federation?

A: This is a simple process of sending in a letter of application and declaring Eduserv as the institution's 'outsourced Identity Provider'. A template letter is available from the UK federation website.

Membership of the federation is free and if you would like a hand joining then you are welcome to contact jisc-access-management@jiscmail.ac.uk and we will go through the process with you.

Q: What is OpenAthens?

A: OpenAthens is a container term for a variety of products including Classic Athens and AthensDA. Most institutions that purchase OpenAthens will simply carry on using the same Athens service they are currently using (Classic or DA). These have now been renamed 'LA', meaning Local Authentication (was AthensDA), and 'MD', meaning Managed Directory (was Classic Athens).

Q: Are Classic Athens and AthensDA federation compliant?

A: All products are now available via the OpenAthens package, which is fully compliant with the UK federation. 

Q: Will JISC Collections and JISC Services resources continue to support Athens?

A: We will no longer be asking for Athens in any agreements with publishers, and will not be financially supporting Athens usage within JISC Services. Since late 2006 JISC Collections and JISC Services have been including federation compliance in all of their agreements with publishers and have been working to make sure that all resource providers that currently use Athens will be federation compliant as soon as possible. Many Service Providers may also choose to continue supporting Athens for Athens customers. For those resources that don't, subscribers to OpenAthens will still be able to access resources via the UK federation.

Q: Can institutions that no longer use Athens access resources that only use Athens post July 2008?

A: Not directly, unless the institution purchases an OpenAthens subscription. For institutions that do not wish to purchase OpenAthens we are recommending that they use the federation compliant EZProxy solution as an alternative and JISC is offering advice and support on how to move forward with this. More information is available from Nicole Harris (n.harris@jisc.ac.uk).

Q: How does this affect IP access?

A: Institutions should see no change to their current IP access arrangements with publishers. 

22. How can my institution get support and guidance about the transition?

JISC is committed to support institutions in this changing environment. As well as funding the UK federation, JISC is:

  • funding the provision of the Athens service until July 2008
  • funding assisted take-up activities to support the community
  • providing case studies, reports, toolkits and advice from the work carried out in its 'early adopter' programmes
  • making the services hosted by MIMAS, EDINA and other JISC services Shibboleth-compliant
  • providing roadmaps for educational institutions and publishers to clearly outline the choices that they have to make.

23. Is this the same for FE as it is for HE?

All of the services described are available to all Higher and Further Education Institutions.

24. What next?

The key milestones in the transition to Shibboleth are:

July 2006
Renewal of the Athens contract and launch of the Athens Gateways

August 2006
The first early adopters joined the UK Federation

November 2006
Launch of the UK Access Management Federation

New Nesli2 and JISC contracts with suppliers will specify UK Access Management Federation compliant technologies

July 2008
End of current contract for Athens
End of funding for the gateways

25. Where can I find out more on the terminology?

The 'Glossary' section of this website contains definitions of terms commonly used when discussing SAML, Shibboleth and middleware.
