Major single sign-on work starts in the UK and Australia
It should be so simple: just log in once, then get access to all networks, electronic journals, learning objects, applications and sundry other stuff that you have the right to access. But experience teaches that isn't so easy, yet. Two programmes are addressing this problem of authentication, authorisation and access in truly networked environments. Many more are waiting to see how they could benefit from the outcomes.
In order for anyone to get access to anything electronically, three things need to happen: the identity of the person needs to be established (authentication), the right of a person to access a resource needs to be determined (authorisation) and the access to the resource given (access). Thing is, there are a multitude of ways of doing each of these things, and in a networked environment, you wouldn't want to go through the process manually for each resource.
Yet that's what can typically happen in any educational establishment: in order to get access to the Virtual Learning Environment (VLE), the library system, the portal and the intranet you have to get access by logging in and hoping that the system knows that you can still use it. This gets worse for systems that span across institutional networks or for people who work in groups that span more than one institution.
Little wonder, then, that when people talk about a Managed Learning Environment (MLE), single sign-on is among the first features that are requested.
Fortunately as well as unfortunately, many people in and outside of the direct MLE field have already tried to address the issues. Most urgently in the fields of national resource collections such as the venerable Athens system in the UK, and the more recent distributed computing infrastuctures such as Internet2 and the Grid.
Though neither of these areas are directly linked with learning and teaching, they do have a long established need to manage identity and access in a federated manner. That is, they have learned that neither some sort of single über-gatekeeper or a bunch of isolated systems is not going to work. Rather, institutions or other groups have to establish webs of trust in which the partners recognise the credentials of each others members. And, crucially, are able to establish and exchange these credentials automatically.
That is some way off in the typical MLE, as the Australian COLIS project amply demonstrated. In this e-learning interoperability project, both the potential for single sign-on and the dire need to make it technically much easier was made quite clear.
The same team, led by the Macquarie E-Learning Centre of Excellence (MELCOE), have now started to address the issue with the Meta-Access Management System (MAMS). Like most solutions for identity and access management, it focusses on middleware- dedicated systems that broker between the other parts of a network, and do the heavy lifting on a specific function such as access management on those other systems' behalf.
Notable aspects of the programme include the recognition that most institutions' networks will have many systems that can't be made to comply with the latest and greatest in access management technology, so one focus will be on an approach that accommodates a multitude of single-sign-on techniques: hence the 'meta' bit. Another aspect will be the goal of not just exchanging the necessary attributes of someone (i.e. whether x is a student) across a federation, but also implement a component that can read an access policy, and make decisions accordingly (x is a student so she can see this learning object).
Over in the UK, projects are now being chosen to participate in the JISC's Core Middleware strand, which addresses very much the same area, but from a slightly different angle. Compared to MAMS, the focus is slightly less pragmatic, and more oriented on entirely new systems. Though both are research and cross-institution based, the MELCOE people are traditionally more teaching and learning oriented.
The major focus areas for the Core Middleware programme include virtual organisations and shared resources. Respectively, organisations that are spread across multiple institutions, and resources such as e-learning courses that are shared between different colleges.
One crucial aspect that both initiatives have in common, though, is the reliance on the Internet2 Shibboleth technology to federate authorisation. Shibboleth is essentially a means of realising webs of trust in networks. It is not concerned at all with authorisation or with access control, but focusses solely on passing credentials around. Anonymously.
Given those similarities, and the firm commitment on either side to link up to international best practice, here's hoping that the two initiatives will be mutually reinforcing. More directly teaching and learning facing projects such as the equally fresh JISC Frameworks programme or any MLE one cares to mention need a single (sign-on) solution.
ResourcesThe MAMS project page at MELCOE.