The advertised aim of my talk is ‘to help you recognise the wolves – that make running an IdP difficult – and recruit the helpers – who can enable you to reach your goal’. This comes out of the experience of my role as Athens Domain Administrator for many years and particularly the transition from OpenAthens MD to something easier for our students to use.
I want to recruit Red Riding Hood as a Helper for this talk. It is not just that the release of a film by that name this month makes my talk seem topical. Really I wanted to start with something that most people here would think they know about. A lot of the talk today uses terms like ‘eduPersonScopedAffiliation’ that give people headaches just thinking about them. I hope to avoid some of that by looking at all this from a slightly different point of view.
RRH is a folktale, and folktales have their own literature exploring how they work. In RRH the Mother sends some food to the Grandmother; she asks RRH to take it for her. RRH is aided only by her natural cuteness and is opposed by the Wolf.
This is a general pattern that can be observed in many different narratives. The Sender – Object – Receiver row works for RRH, but also for Lord of the Rings: Gandalf wants to send the Ring to oblivion. He asks Frodo as the Agent to take it, helped by Sam and opposed by Sauron and his allies.
So what happens if you take this narrative structure and apply it to the way university students login to access electronic resources? Well, the characters in the different roles change, but the structure remains the same. The University wants to send login credentials to the protected electronic resources. The Library has been given this task and is helped in this, at the moment, by Eduserv’s OpenAthens MD. The Adversary, or Wolf in this slide, is the personification of everything frustrating about this task. But I learnt from Alfred Hitchcock not to reveal your monsters too soon. So next I want to look at:
How much is at stake in this story? Lots of staff use their Athens accounts everyday. I was going to divide the spend on resources by the number of hours in a year to get a figure for the cost of this system breaking down. But that would not cover half the cost of helpdesk calls, disrupted research, frustrated students, etc.
What about OpenAthens MD as a helper? At DMU we have a long experience of using this tool. We have developed routines for administering the service. Staff are familiar with how it works and can explain it to new students. It works for lots of resources. We get useful statistics back that help build a picture of electronic resource usage.
What is wrong with the current set-up? Students forget passwords: 178 requests for help through me and justask in November 2010. Some account details are never delivered. Students leave, interrupt or extend their studies. Use of resources may be lowered by password problems. How can we identify current staff members? Some of these issues are familiar to everyone, some are specific to DMU.
There is more in Grandma’s basket of food than a username and password. The system we move to has to be easy for the students to use; tied into University membership so that new students are recognised and departing users removed; it has to abide by the commitments we agreed to in joining the UK Federation, access a wide variety of services and not leak data about people.
What happens if we put Shibboleth in the Helper role? By ‘Shibboleth’ I mean an implementation of an open source piece of software by the University’s Central IT Dept, known (last year) as ISAS. Login details are now SAML credentials (‘eduPersonTargetedID’). The Agent is the Library and ISAS working together. The Helper brings potential advantages like: a familiar username and password; being tied to the membership database; no third party involved in data sharing; discreet information transmitted.
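As an added illustration (not code from the talk, DMU or Shibboleth) of what ‘discreet information transmitted’ means in practice: the identity provider releases an opaque eduPersonTargetedID that is stable for one user at one service provider but different at every other service provider, plus a scoped affiliation, and nothing else. The salt, scope, service provider entity IDs and directory entries below are constructed sample values, and the HMAC-SHA256 construction is my own model of a pairwise identifier, not the exact recipe Shibboleth uses.

```python
import base64
import hashlib
import hmac
from datetime import date
from typing import Optional

# Constructed values for illustration only. A real IdP keeps a long random
# secret salt and uses the scope it registered with the federation.
IDP_SALT = b"constructed-example-salt-do-not-reuse"
IDP_SCOPE = "example.ac.uk"
TODAY = date(2011, 3, 1)  # constructed reference date for account expiry checks


def targeted_id(local_uid: str, sp_entity_id: str, salt: bytes = IDP_SALT) -> str:
    """Opaque identifier for one (user, service provider) pair.

    The same user always gets the same value at the same SP (so the SP can keep
    per-user settings), but a different value at every other SP, so two
    services cannot join their records to track one person. Modelled here with
    HMAC-SHA256 over "SP!uid"; the keyed hash is what stops an SP working
    backwards from the value to the local username.
    """
    message = f"{sp_entity_id}!{local_uid}".encode()
    digest = hmac.new(salt, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def affiliation_from_ldap(entry: dict) -> Optional[str]:
    """Map a constructed LDAP-style entry to an eduPerson affiliation.

    Returns None for accounts that are no longer current, which is how
    departed users stop being recognised by the IdP without any manual
    account deletion at each resource.
    """
    expiry = entry.get("accountExpires")
    if expiry is not None and expiry < TODAY:
        return None
    groups = entry.get("memberOf", [])
    if "staff" in groups:
        return "staff"
    if "students" in groups:
        return "student"
    return None


def attributes_for_sp(entry: dict, sp_entity_id: str) -> Optional[dict]:
    """The attribute set released to one SP: no username, no name, no email."""
    affiliation = affiliation_from_ldap(entry)
    if affiliation is None:
        return None
    return {
        "eduPersonTargetedID": targeted_id(entry["uid"], sp_entity_id),
        "eduPersonScopedAffiliation": f"{affiliation}@{IDP_SCOPE}",
    }


# Constructed sample directory entries (not real DMU data).
CURRENT_STUDENT = {
    "uid": "p12345678",
    "mail": "p12345678@example.ac.uk",
    "memberOf": ["students"],
    "accountExpires": date(2013, 9, 30),
}
DEPARTED_STUDENT = {
    "uid": "p00000001",
    "mail": "p00000001@example.ac.uk",
    "memberOf": ["students"],
    "accountExpires": date(2010, 7, 31),
}
SP_A = "https://sp-a.example.org/shibboleth"
SP_B = "https://sp-b.example.org/shibboleth"

if __name__ == "__main__":
    for sp in (SP_A, SP_B):
        print(sp, attributes_for_sp(CURRENT_STUDENT, sp))
    print("departed user:", attributes_for_sp(DEPARTED_STUDENT, SP_A))
```

Running it shows the same student receiving two unrelated identifiers at SP_A and SP_B, neither containing the directory uid or email address, while the expired account is released nothing at all.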
Shibboleth and the wolves: locally slow development of Shibboleth; not all subscribed resources are members of the UK federation.
OpenAthens LA would bring some advantages to the library: students would not forget their passwords so often and would go somewhere else to get them reset. Library teaching sessions would be a bit simpler as they would not have to raise awareness of ‘Athens passwords’ when explaining how to login to resources. Administering the system would mean building our own LDAP tree, based on the main University LDAP. We could still use OpenAthens MD for such ‘special cases’ as Emeritus Professors, if they turn out not to be in the original source of data.
My version of the RRH story is about taming wolves and making them friends, rather than chopping them up with hatchets. We have been waiting for version 2.1 to come out of beta and for more documentation to be published. Setting up the application ourselves has meant getting to grips with how the software itself works, and particularly how it interacts with the University LDAP service. Building it this way has meant we have been suggesting ways in which the main service could be improved. It may still be that we need to set up more formal understandings with the services that we are going to be relying upon: maybe Service Level Agreements are a way of achieving this.
Progress at De Montfort University: start mid-2010; UK Access Management Federation registration in December 2010 in hidden mode; testing authentication and authorisation Jan 2011; investigating enhancing LDAP data; re-organisation of IT staff out of Library and into University Central Services department: Feb. 2011.
In one sense we are ‘in the middle’ of setting up OpenAthens LA. We have all the testing, marketing and explaining still to do. In another we are ‘at the beginning’ as there is much more that we could do, once these wolves have been tamed or scared away. Most of the things on this list are to do with relationships. That is what the story has been about all along.
Little Red Riding Hood and the Federated IdP
Little Red Riding Hood and the Federated Identity Provider<br />
Narrative Analysis of Red Riding Hood – Opening Section<br />Scanned by NobbiP, via Wikimedia Commons<br />
Narrative Analysis of a folktale via Vladimir Propp<br />Photo used under Creative Commons from Stevecadman via Flickr<br />
Narrative Analysis of current authentication arrangements<br />Photo used under Creative Commons from Stevecadman via Flickr<br />
How much is at stake here?<br />27000 Athens users<br />£875000 annual spend on electronic resources<br />A lot of annoyed people, with good reason, if the authentication service breaks down<br />
OpenAthens MD as a helper<br />We have been using this for years<br />We have routines for administering and supporting the service<br />It works for Athens and UK federation authenticated resources<br />We get usage statistics for logins<br />Scanned by NobbiP, via Wikimedia Commons<br />
What is wrong with current set-up?<br />Students forget passwords<br />Password reset does not match email aliases<br />Some account details never delivered<br />Students leave, interrupt or extend their studies<br />Use of resources may be lowered by password problems<br />How can we identify current staff members?<br />Photo used under Creative Commons from Fremlin via Flickr<br />
What are we trying to deliver?<br />Easy for students to use;<br />Tied in with University membership;<br />Abiding by access regulations;<br />Access wide range of electronic services;<br />No more information revealed than necessary.<br />Photo used under Creative Commons from Ewlas via Flickr<br />
Will Shibboleth help?<br />Photo used under Creative Commons from Stevecadman via Flickr<br />
Shibboleth and the wolves<br />Locally slow development of Shibboleth<br />Not all subscribed resources are members of UK federation<br />Photo used under Creative Commons from Dennis from Atlanta via Flickr<br />
OpenAthens LA as a helper<br />Familiar login details;<br />Existing password reset page;<br />Usable interface for categories and attributes;<br />Integrates with University database for staff and students;<br />Can still use OpenAthens MD for ‘special cases’;<br />Usage statistics for logins to different resources.<br />Scanned by NobbiP, via Wikimedia Commons<br />
How about OpenAthens LA?<br />OpenAthens LA and the wolves<br />Wait for version upgrade close to meeting our needs<br />Need to set up application ourselves<br />Need to understand authentication terminology<br />Need a Service Level Agreement with local LDAP provider<br />Photo used under Creative Commons from Dennis from Atlanta via Flickr<br />
Progress at De Montfort University<br />Start mid-2010<br />UK Access Management Federation registration in December 2010 in hidden mode<br />Testing authentication and authorisation Jan 2011<br />Investigating enhancing LDAP data<br />Re-organisation of IT staff out of Library and into University Central Services department: Feb. 2011<br />Photo used under Creative Commons from Stevecadman via Flickr<br />
On the ‘to do’ list<br />More testing<br />Develop launch strategy<br />Integrate with teaching and support in Library<br />Explain changes to Faculties<br />Investigate OpenID, OpenAthens SP<br />Tame Wolves, make into Helpers<br />Scanned by NobbiP, via Wikimedia Commons<br />