When I started with RSC Wales back in June 2007 one of the first things I did was attend a JISC Access Management (AM) event. And here I am again a few years on, having just got back from the 2009 event which I attended hoping to find out what the current access management landscape looks like. What has changed and what have we learned in the interim?

I’ll blog about some of the sessions and some of my thoughts, with  inevitable emphasis on the areas most relevant to libraries and LRCs. I haven’t been Tweeting with the rest of the Twittoratti, but there was plenty to digest on the #fam09 tag.

If you want to find out more about the event you can view the programme, download many of the presentations or visit the FAM09 social site.

First, a recap of the access management options for e-resources

Shibboleth (by which I mean Federated Access Management) was the main option under discussion. It requires either in-house support, or you can pay a third party to set to it and provide support until you have enough in-house experience.

A related option, offering the same functionality, is to pay for a subscription to the OpenAthens Service, to gain Shibboleth-like features. I think of the Shibboleth/OpenAthens options as being like looking for somewhere to live.

OpenAthens is like renting a nice appartment. It is nice to live in, but you can’t do what you like with the apartment (e.g. replacing the windows if you don’t like them), and you will never own the apartment – if ever you stop paying the rent you get kicked out and have nothing to show for the years you paid for. Though while you do pay rent, someone else will (hopefully) be responsible for repairs to the property.

Shibboleth is like buying a house. There is a cost at the start, and you the one reponsible for maintaining the property. You can do that yourself if you have the skill; or pay someone else to do so, and maybe when you understand more go on a DIY course yourself and start to do your own maintenance.

There are two other common access management options, though I can’t think of a way of extending the house analogy to them without it being contrived, so I’ll just describe them straight. One option (often used in conjunction with Shibboleth) is to use the more traditional IP plus proxy solution to on-and-off campus access to resources and services.

There is also sometimes the option to have a single, fixed username and password for off-campus access, which can be workable for small e-resource portfolios. This option is gradually disappearing for many resource providers though.

Some of the sessions I attended

Identity and Access as UK Priority, Sara Marsh and Peter Tinson

This session was a summary of where we came from (beginning in 2004), where we are, where we’re going, and potential barriers to getting there, so was an appropriate conference opener. Sara likened herself to the jam of the talk, sandwiched between Peter’s opening and closing bread. I was glad to see that the bread was wholemeal.

The early landscape was one where there were few Shibbolised resources and a lack of in-house skills. Organisations lacked institutional access management strategies, and IT departments felt that access management was just about access to e-resources, and was therefore only a library issue.

And now? All but a few of the big publishers offer Federated Access Management as an option, and those that don’t offer it are under increasing pressure. UCISA and SCONUL surveys found that access and identity management is now in the top ten strategic issues listed by their members, so the importance has risen (though the issue is not at the top of the list).

What is needed for the future? Two main things stood out. Firstly access and identity management/Federated Access Management needs to get into top-level strategies. Secondly we need more examples of the benefits early adopters have gained from Federated Access Management in order to make the strongest possible management case.

Federated Access, the Library Experience, Sarah Pearson, Richard Cross and Francis Lowry

The experiences of two institutions (the University of Birmingham and Nottingham Trent University) in implementing Shibboleth. Many of the things said rang true to my experiences of being involved with a university implementation.

Sarah Pearson spoke about the Birmingham experience. In Birmingham they have used Shibboleth to implement single sign-on (SSO) to Metalib (their federated search tool) and EZproxy, but not to the VLE yet. They try to push users through Metalib as the primary means of accessing e-resources, since then the library can make access more seamless to users.

Sarah showed a diagram of the various ways in which a user at the University of Birmingham accesses e-resources (see below – click to enlarge). It illustrates the complexity of managing the various access options – a diagram like that can be a valuable thing for any library to create in attempting to identify areas which need work.

Collaboration for the University of Birmingham Shibboleth implementation was between:

• Serials Team (Library Services)
  They activated e-resources, customised links, implemented authentication, and did troubleshooting.
• Digital Library Team (IT Services)
  Managed Metalib and SFX installation including interaction with the IdP (Identity Provider)
• Networks Team (IT Services)
  Setup and maintenance of IdP and interaction with BIIS registry

See Sarah’s presentation for the implementation timescale and process – it shows the complexity of the move from the librarian’s perspective, all the processes involved before you even reach the user education element! Issues such as contacting service providers, finding out what information to provide, obtaining WAYFLess URL information, testing etc is all time-consuming, and if you need to manage resources in a federated search tool like Metalib there are extra steps.

One issue Sarah raised was the fact that some users will navigate directly to a resource rather than going through the library portal, so they will have to deal with WAYFs. Her team has now incorporated that route into their user education (guidance on Metalib and in induction).

Then Richard and Francis gave the Nottingham Trent University perspective. Nottingham Trent University were early Shibboleth adopters, and the central message I took away from their part of the presentation was the positive one that they had experienced no problems, Shibboleth has been stable with no downtime, and it all just worked from day one – on which day it was heavily used by students to take advantage of Microsoft’s free DreamSpark offer (it requires an institution to be using Federated Access Management for their students to benefit – another reason to switch!)

A valuable piece of advice from the presentation was that they never refer to Shibboleth when communicating with users, they only talk about the ‘University username and password’. Obviously they refer to it among library and IT staff though.

In terms of transition, they had a roadmap and a blog to inform staff. They also created a wiki that includes every e-resource they subscribe to and how users access it (since terminology varies from provider to provider), so that staff know how to help off-campus users for each resource. Bear in mind that the help staff on campus won’t see login screens, they will be automatically validated via IP, so this kind of information is invaluable for user suppport. Richard and Francis lamented that there is no consistency of terminology in how Service Providers refer to the login options, necessitating this approach.

The main lessons Richard and Francis wished to share:

• Plan early
• IT and library staff must work together (a partnership emphasised in other talks too)
• Communicate with Service Providers – don’t assume anything
• Don’t expect glowing praise from users – access management should be invisible to them if it works (but expect complaints when it doesn’t!)

They concluded that it is an ongoing process of development, it is not all over on the day that Shibboleth is installed. Also Shibboleth is not a solution to everything, but it is an important and flexible building block in the organisation’s infrastructure.

There were some similarities between the setup at the two universities. For example, both institutions currently use a combination of Shibboleth, IP/EZProxy and other methods (for a minority of resources). Both are currently using Shibboleth 1.3 but are planning to move to version 2.

Both also agreed on some of the challenges:

• There are personalisation issues when using dual authentication (e.g. Shibboleth plus IP). However they can be dealt with e.g. Nottingham Trent University migrated accounts wholesale where possible (e.g. for Refworks) and when that wasn’t an option they supported users individually in migrating settings. In a few instances users had to rebuild their personalisation from scratch.
• Not all Service Providers use a standard WAYFless URL structure, and many don’t include the ability to deep-link it e.g. to a particular e-book or database. Those that do have WAYFless structures may not tell you. There is a lack of standards here.

Tech 101 for Librarians, Andy Swiffin

Andy tackled the issue of terminology, trying to unravel the acronyms, as well as placing the emphasis on why and how you deploy an IdP (Identity Provider). He emphasised the relative simplicity of the process – if you have a web server with Tomcat, and have an identity source e.g. LDAP or Microsoft Active Directory, then you can do it easily. Andy has done a Shibboleth install and configured and tested it in just 12 minutes!

Why adopt FAM?

The same answers came up in a number of sessions, so it makes sense to just summarise the common answers here.

• Increased user privacy.
• KISS – Keep things simple for the user by enabling single-sign-on (SSO) for internal and external resources.
• Granularity – Federated Access Management enables fine-grained authorisation, so it should be possible to save money by only buying a specialist resource for the group that needs it, rather than paying for a subscription for the whole institution that will only be used by a few people. Obviously the ideal from a librarian’s perspective is to offer access to everyone, but as Sara Marsh pointed out – if it is a choice between paying for access for a group that needs something, or not getting the resource at all because access for the entire organisation is too expensive, the former is better than no access at all.

Social gaming

After the evening meal on Monday there was a games room for socialising to take place in. Four Nintendo Wiis were set up so that people could compete in Mario Kart, boxing, baseball, ten-pin bowling, Wii Fit and winter sports; along with giant Jenga and Connect 4, table football and air hockey. I put in some sterling defence work on the table football, but my gaming ability was a major letdown at ten-pin bowling, and for some reason my bowling ball always ended up in the gutter or – even worse – rolling away from me in the wrong direction. I’m almost certain that it was a faulty controller :-p but it made it look like I couldn’t hold my own in a Wii-ing contest.

Today I was in Newtown at the ILT Champions Meeting, to give a brief talk about Federated Access Management. It sparked a bit of discussion about the need for different solutions for different colleges, depending on their needs and starting point.

In the UK as a whole 33% of FE (and 80% of HE) institutions have joined the UK Access Management Federation, ready for the academic year 2008-9. Those figures are roughly comparable to the figures for Wales, and it is expected that they will be higher for 2009-10 once the systems are fully established and colleges have had the extra year to make a final decision on implementation.

OpenAthens pricing from Aug 2008

For colleges that want to continue to use Athens as their authentication system after August 2008, here is a link to the new OpenAthens pricing by JISC band. There is further information in the flyer here.

RSC Wales Athens / Shibboleth survey results

I will take this opportunity to circulate the results of the Athens / Shibboleth survey conducted by Samantha Edwards (between January and March 2007). The free text comments have been anonymised as far as possible). It seems a number of people are planning to move to Shibboleth, though lots of people were happy with Athens – the only problem being the need to pay for it after August next year.

What is your college institution? / Response Count

Barry / 0
Bridgend / 1
Coleg Ceredigion / 0
Coleg Glan Hafren / 1
Coleg Gwent / 1
Coleg Harlech / 1
Coleg Llandrillo / 0
Coleg Llysfasi / 0
Coleg Meirion Dwyfor / 0
Coleg Menai / 0
Coleg Morgannwg / 2
Coleg Powys / 1
Coleg Sir Gar / 1
Deeside / 0
Gorseinon / 1
Merthyr Tydfil / 0
Neath PT / 1
Pembrokeshire / 1
St Davids / 0
Swansea College / 1
WEA South Wales / 0
Welsh College of Horticulture / 0
Yale / 0
Ystrad Mynach / 0
North East Wales Institute (NEWI) / 0
Royal Welsh College of Music and Drama / 0
Swansea Institute / 0
Trinity College / 1
University of Wales Lampeter / 0
[answered question 13 / skipped question 0]

What is the current usage of Athens at your institution? (Select any that apply) / Response Percent / Response Count

None / 0.0% / 0
Registered for service but not used / 15.4% / 2
Accounts issued on request / 69.2% / 9
Self-Registration / 15.4% / 2
Bulk Upload / 7.7% / 1
Athens DA / 7.7% / 1
[answered question 13 / skipped question 0]

Are there any issues that deter your usage of Athens?

No, it is now being very well used (85 students have registered this academic year) as a result of publicising the service more strongly. We have 42 journals that are accessible online via an Athens account. The students who use this service are mostly, but not exclusively, HE students who find that we have the journals they need. The FE students are mostly on Access to HE courses.Yes, for example, not long ago I tried to access EMERALD with Athens, but it did not work.

Yes, students have to self-register in this institution. Last year, we merely handed out Athens passwords – ready to use. Many students don’t have e-mail addresses, so we first have to set up an e-mail address for them. The whole procedure takes about 15 mins per student.

Lack of funding to purchase subscriptions, and a dearth of relevant free resources. There may also be an issue with the perception of Athens as a ‘place’ on the web, rather than a gateway to resources.

No

It can be time consuming to issue accounts on request for larger courses, however although we’ve considered moving to Athens DA we have not been able to justify the cost and time involved at present.

Keen to move to Shibboleth, so haven’t put work into Bulk Upload or alternative system.

The Learning Centres are keen to use Athens (or equivalent). Athens was previously administered by our ILT Manager who has now left the college -usage was very low. We now have a new ILT Manager and have started discussions re Shibboleth as a future solution.

Students don’t know about it or the resources available to them.

No

Has Shibboleth been trialled or implemented at your institution? / Response Percent / Response Count

Yes / 7.7% / 1
No / 84.6% / 11
Not Sure / 7.7% / 1
[answered question 13 / skipped question 0]

Have you any future plans within your institution to trial or implement Shibboleth technology?

I need to know more about the implications of using Shibboleth.No, I would prefer to carry on using Athens for the time being, at least until 2008, but would wish to keep up to date with developments.

We had some meeting about it, or some member of the staff, I think, reported about it when he returned from some seminar; I also have some papers on it, but never, actually tried it.

The Athens administrator at this college has not mentioned any such plans, if they are in place.

Yes. We are currently taking advice from the RSC on the timing of swtiching to Shibboleth.

In initial stages of discussion with Senior Management, and Technical Support.

Possibly, depending on documentation and support issues.

No, not yet.

We would like to implement Shibboleth at some point, but are unlikely to do so in the near future.

Yes – ILT / Computer services working towards this.

Only at early discussion stage at present.

Yes, we hope to implement it by July 2008.

We are looking to move towards Shibboleth, but it doesn’t look as though it is a priority yet.

Would you like more information or training on any of the following? (Select any that apply) / Response Percent / Response Count

Athens DA / 38.5% / 5
Athens Administration / 23.1% / 3
Bulk Upload / 23.1% / 3
Self-Registration / 15.4% / 2
Shibboleth & the UK Access Federation / 84.6% / 11
Other (please specify) / 38.5% / 5

I want to access different electronic articles with a single password, not complecated staged process!I have a meeting with Richard Dunning from Eduserv on Friday 16th to discuss

Dependent on the timing of the switch to Shibboleth, we may need further training on Athens, for our library assistant.

Examples, step by step configuration guides etc would be useful. Implementation workshops, or even an advertised list of consultants, experience, timescales and prices.

We need to be clear when AthensDA is coming to an end, the cost impact of continuing, the cost of implementing Shibboleth, and what Shibboleth will do for us. Once we have this information we can then put together a solid business case and take it forward.

[answered question 13 / skipped question 0]

I have been very busy since I started with RSC Wales, and have decided to create a blog to record my travels. My travels may prove to be a challenge, since I intend to make them all by public transport. My blog can record the experience of doing this!

Other reasons for this blog include the need to be familiar with the whole range of Web 2.0 tools and services that may be useful to education and libraries; also to give a flavour of some of the work that RSC Wales does. As my profile shows, I am an e-Learning Advisor with RSC Wales, and perhaps this blog will help me to understand what the job involves.

My first month has been exciting and informative, and involved more travelling around Wales than I had probably done in the last ten years! There was lots of settling in to begin with, and a few days spent in Swansea getting to know the RSC Wales team. The RSC Wales annual conference was held at Gregynog, Newtown, in my first week (Wed 16 – Thu 17 May), which was a trial by fire I suppose, since there were so many people to meet. Gregynog is a lovely place to visit – the image below shows the main house.

[Gregynog Hall]

On Tuesday 22nd May I went to a demo of some voting systems. The Promethean system also included a demonstration of their interactive whiteboard, and looked like it could have many uses for presentations, teaching, voting, groupworking and so on. The other system was Interwrite PRS, which is mostly aimed at the HE market, and includes offline modes and a display screen (on some handsets), and has its own possible uses.

Tue 29-Wed 30 May – more travelling, this time to Birmingham for the JISC Federated Access Management Event. Federated Access (whether through Shibboleth or some other system) could open up a lot of doors in the near future – not just in terms of access to e-resources, but also in terms of interoperability between institutions, and within institutions. It is an area I will discuss in more detail in later posts, no doubt – and I will be happy to discuss the options and ‘federated access roadmap’ with FE LRC staff (just give me a few more weeks to understand how it all works!). Three things that I got out of the event:

1: One session I found particularly useful was the one exploring the impact of the move towards federated access management on libraries, including a discussion of the Athens administrator role, changes to library processes and the impact on the end-user. The slideshow from the presentation is available online.
2: For those wanting to set up a system themselves, but lacking the internal skills, Netskills are piloting a 3 day Federated Access Management (FAM) workshop for technical staff, aimed at teaching how to set up Shibboleth at their institution – from nothing up to a fully working server in three days. Taking part in the pilot could be a good way of getting the training for free (as long as the attendees agree to provide feedback on the course). As far as I know the intended dates for the pilot of this event are 18th – 20th July (Newcastle University). Further information will become available via the Netskills website.
3: For those who would rather just pay someone else to do the dirty work (!) it was announced that Salford Software have come up with a charged service whereby they come into an FE college and set up a federated management system. Apparently costs vary, but for a college with a good technical infrastructure it would be a fixed fee of £5,000, with support costs on top of that if required. It would cost more for a college that needs a full audit and some changes to systems. However it is another alternative if short on IT expertise.

June arrived, and I needed a break! So I had a night away with my family near Harlech. On the way there I realised I was passing Coleg Harlech – one of the colleges I am meant to liaise with.

“Stop the car!” I yelled.

“Why?” asked my Mother, in a panic that something had gone wrong.

“I need to visit a library!”

I got out and visited the college library (which is apparently modelled on the National Library of Wales – and I could see a resemblance in the way the balcony overlooks the central area). I chatted to Delyth Heath about college library services for a while before continuing with my holiday.

Which seems a good point to finish my first blog. Here are a few holiday photos.

[Me and my nephew on top of Harlech Castle]

[Resting in the garden at Tremeifion]

[View from the Tremeifion conservatory]