Channel: Eduserv Blog » Tom Edmonds

F is for federation


Over the past six months or so the F-word has been in every sentence around here as the OpenAthens service extends to incorporate federated access.

So what does this mean and are there any differences between the OpenAthens Federation and access management federations such as the UK AMF, InCommon or GakuNin?

The simple answer is no; but…

The OpenAthens service has been delivering on- and off-site access to online content for more than twenty years, primarily to the academic and healthcare markets around the world. The extension of the OpenAthens service to include federated access simply means that organisations can connect to each other using a wider variety of technologies. OpenAthens was built using proprietary technology that has so far been adopted by more than 2,000 organisations worldwide. However, in the past five years or so access management technologies have converged towards a number of standards, from SAML (Security Assertion Markup Language) to OAuth or even OpenID Connect. By far the most established (at the time of writing) is SAML, often implemented by organisations themselves using an open source product called ‘Shibboleth’. It was with the advent and increasing adoption of Shibboleth (that is, SAML) that the decision was made to embed Shibboleth connectivity into the OpenAthens service and provide a fully supported federated service.

So, what does the F-word give us? Well, by federating the OpenAthens service, organisations can connect to other OpenAthens customers using either our own OpenAthens products and services (MD, LA or SP) or third-party SAML products such as Shibboleth. For publishers this might be their native Shibboleth implementation (built, maintained and supported by themselves), and for consuming organisations (identity providers) this might be an off-the-shelf product such as Ping Federate, Novell Access Manager or Microsoft FIM.

Increasing the variety of products or solutions that can connect to the OpenAthens service increases the number of organisations that can potentially federate (share) services with each other. This in turn increases the value of the service to publishers and other service providers in terms of market size. With a greater number of identity providers connecting to the service, the potential for sharing information between them also expands. For example, if hospital x specialises in gynaecology and university y wants to re-use information available from hospital x, then the two could share data over a web service using the OpenAthens federation. The opportunities for exchanging information (for a fee, or not) across markets expand exponentially.

This pan-sector example is where the OpenAthens Federation differs significantly from most other access management federations. Most, if not all, access management federations are confined to one sector – primarily education.

Most access management federations are funded centrally or organised by a collection of [academic] organisations, which results in their membership being confined to political or geographic borders. The OpenAthens Federation is not constrained in this way, which makes it attractive to organisations in the academic, healthcare and publishing industries as well as professional firms and banks that have traditionally stayed out of federations.

There is a movement, coordinated by Terena, to enable inter-federation working. This requires each federation to align its terms and conditions, obtain the agreement of all its members and ensure the technical compatibility of the respective SAML implementations. Clearly, this is a long hill to climb and there is some momentum to deliver some of the benefits, but obviously these will be confined to the academic sector alone.

Providing a pan-sector federated service that is easy to connect to, regardless of which product is used (OpenAthens, Shibboleth, or other SAML product) can be a challenge – multiple protocols need to be supported and different mechanisms need to work in unison to provide a consistent service. In the OpenAthens ‘world’ organisations are known by an Organisation ID, but in the federated world SAML/Shibboleth uses Entity IDs and Scopes to identify organisations.  Of course organisations that choose to use our own OpenAthens products have this functionality built-in and ‘under-the-hood’.

So where does this leave us? F is for federation fantastic! The OpenAthens service is all-encompassing and provides a unique opportunity for organisations in any sector to access and share information online anywhere, any place, anytime.

