Information for Librarians who are involved in implementing federated access management to online resources in UK further (FE) and higher (HE) education institutions.

Federated Access Management: A Guide for Academic Libraries' briefing paper (PDF)

• JISC transition arrangements announcement
• Federated IP proxy service
• Where to start
• Planning for change
• User experience
• Understanding attributes
• Service Provider liaison
• JISC Model Licences
• Other things your library might be concerned about
• Further information and support

Access Management for Libraries: Joint SCONUL/JISC Briefing Day, 7 March 08, London
Presentation slides and audio recordings available

JISC transition arrangements announcement

On 22 Jan 2008 JISC announced its decision to stop funding the Federation Gateway Services past July 2008, as it has been unable to reach an acceptable agreement with Eduserv. 

More information and JISC advice to institutions

Also see the section below for more information.

Federated IP-proxy service

JISC has explored ways in which institutions can streamline access to all of their resources using federation-enabled IP proxy software. This software is of particular interest to institutions that currently access resources by IP address, IP-proxy or legacy access management systems.

JISC considered providing a national IP-proxy service to UK institutions, however following expert advice from Shibboleth Development and Support Services (SDSS) decided not to proceed with the development of this service due to the substantial risks that were involved. The report provided by SDSS documents the benefits and dis-benefits of a national IP-proxy service and is now available on the JISC website: Word, PDF.

The report suggests an alternative solution for could be for institutions to implement their own IP-proxy service. JISC investigated two IP proxy software products (proprietary and open source) and further information about this is now available from the JISC website:

Proxy servers FAQs

Where to start

The first step was to ensure that your institution has signed the UK federation membership agreement (even if you plan to continue subscribing to the Athens service).

When an institution has joined the UK federation and any technical work has been completed, it is time to roll out the new service to end-users.

With federated access management, IT services staff are likely to take the overall responsibility for access management, while library staff concentrate on ensuring positive user experience by providing a good user interface for their library resources, user education etc. It is, therefore, important that IT services and library staff work closely together to ensure a smooth and successful transition.

Planning for change

As with any change, careful planning was key to successful institutional roll-out of federated access management. We recommended that you follow the three steps set out below to enable you to manage the change effectively.

1. Library review

Libraries should start by reviewing their existing access management practices. A library review should look at:

• Resource access status All institutions should hold a spreadsheet or database of the resources they currently access, the license period for that resource and the current method of access management (Athens, UK federation, IP address, IP proxy server etc). This can be appropriately updated as Service Providers join the UK federation, and will help you manage the information you pass to end-users.
  
  List of live services available via the UK federation
  Other service providers JISC is in dialogue with and their federation status
  Federation status of the most popular library applications and e-book platforms

• Defining user groups Create a master list of all of the user group types within your institution, such as ‘member’, ‘staff’, ‘student’, ‘alumni’ etc.
• Existing user documentation It is likely that the wording of information provided to end-users in print and on the web will need to be changed.
• Current e-resource management practices Where and how is licensing information stored? Is there an e-resources management system that can store information about end-users and their access rights?

2. Planning

A library review should help plan what needs to be done next. Likely action points for the library are to:

• Consider best access route for each resource.
• Plan a strategy for resources that are not members of the UK federation.
• Liaise with Service Providers to ensure that you are gaining access via the UK federation where appropriate.
• Appoint a dedicated contact for user queries.
• Review end-user information.
• Plan for library staff or other ‘friendly’ users to test information and links prepared for end-users.
• Plan staff awareness raising/ training, if required.

3. Managing the change

It is also important to decide in advance how the plan is going to be implemented, in liaison with the IT department who is implementing the federated access management solution.

• Decide on timescales and resources.
• Identify a project leader and key stakeholders.
• Devise a project plan.
• Keep stakeholders informed via a website, newsletter or wiki.

User experience

Institutional login

It is important the end-users understand what information they are required to enter when asked for a username and password. We recommended that all institutions and service providers ask users to enter their ‘institutional log-in’ when asked for a username and password.

Imbedded resource links

When federated users want to access a protected resource, they are normally directed to the WAYF (Where Are You From) server first – a web page that displays a list of all the institutions whose users are entitled to access the resource. Users select their home institution from the list and are prompted to log in using their institutional credentials.

If your library presents pages of resource links that are only intended for users from your own institution (such as course reading lists), then it is possible to use URLs that include this information, and make access quicker by cutting out the WAYF step. 

• List of known WAYFless URLs - UK federation website
• Simon McLeish of the London School of Economics has written some instructions on how to do this
• ScienceDirect have developed a way for institutions to initiate a Shibboleth session directly from a library page or portal, thus simplifying the login process for users. More information

Understanding attributes

The UK federation does not pass information about individuals to Service Providers in order to protect the privacy of end-users. Instead, it passes information about groups of users (such as member, staff, student, alumni etc) or information to allow services to be personalised.

You can find more information on the UK federation web pages, including information about which attributes Service Providers require.

You need to be aware of the four core attributes that the UK federation recommends, and how these relate to your resources. These are:

• eduPersonScopedAffiliation which defines the user’s relationship with the organisation and maps directly to definitions used in the JISC Model License (staff, student etc).
• eduPersonTargetedID which is used to recognise a returning user as the same individual as last time to enable personalisation.
• eduPersonPrincipalName which is a persistent user identifier that is the same across all resources. This is used for accountability and traceability.
• eduPersonEntitlement to allow for special and unique access rights.

Commonly, licences will cover ‘members’ of your institutions and possibly ‘walk-in users’. If your institution is implementing its own federated access management services, these will use a directory that distinguishes ‘members’ (staff and students) from others, such as external library users. If your library registers all ‘walk-in’ users (rather than allowing public access), these can be distinguished in the directory too.

Service Provider liaison

JISC is actively working with publishers and Service Providers to encourage them to join the UK federation and adopt federated access management. Many major Service Providers have already joined the UK federation and many others are either planning or are in the process of adopting the new technology.

JISC also has a programme of support for smaller publishers. More information

Some useful links

List of live services available via the UK federation 
Other federated services in the UK and beyond
Other service providers JISC is in dialogue with and their federation status
Federation status of the most popular library applications and e-book platforms

Contacting the publisher directly

To ensure that as many services become available through the UK Access Management Federation, JISC encouraged institutions to contact publishers directly and refer them to the JISC website and the the JISC Access Management Team for further information.

We recommended that institutions draft their own letters or emails but may want to include some of the following:

• Ask them to confirm which access methods they will be providing from 1st August.
• Stress that as a customer you would like them to join the UK Access Management Federation and implement a federated access management solution based on open-standards.
• If they currently provide access through legacy Athens software, ask them to move to a federated access management solution by the end of July this year. If they are using older versions of Athens which rely on the Federation gateways, stress the cost implications and impact this will have on your institution and ask them to move to a SAML-compliant technology based on open standards.
• Please ask them to contact the JISC Access Management Team (jisc-access-management@jiscmail.ac.uk) for further information about joining or implementing a federated access management technology.

JISC Model Licences

The JISC Model Licence and NESLi2 Model Licence now ask Service Providers to adopt federated access management technologies and join the UK federation. All user groups defined in the JISC Model Licences map directly to attributes used within the UK federation to ensure consistency of definitions across the UK educational community.  

Other things your library may be concerned about

Personalisation features

Increasingly, publishers and Service Providers provide personalisation services for their federated access management users. The use of federated access management allows Service Providers to personalise their service without being able to identify the actual user, and thereby helps your institution to meet its responsibilities under the Data Protection legislation.

If some of your users are already using personalisation features (such as saved searches or email alerts) that are based on their old Athens login, it may be necessary for them to re-register these preferences after they first access a resource with a federated login.

User statistics

Federated access management is based on internationally agreed standards, so it offers greater potential for consistent and comparable usage statistics across more online resources than older technologies.

There is work in progress on using combined institutional and service provider logs to provide facilities for gathering usage statistics, notably the AAIEye Monitoring & Reporting Tool being developed in Finland.

Further information and resources

JISCmail lists (join at www.jiscmail.ac.uk)

Announcements JISC-shibboleth-announce@jiscmail.ac.uk

Practical information for library staff JISC- shibboleth- libraries@jiscmail.ac.uk

For further information please contact the JISC Access Management Team:
JISC-access-management@ jiscmail.ac.uk