Nicole in the UK (JISC Access Management Team) writes her three new access and identity management mantras:

1. Content is Not King.
Access management is not about getting x user to y resource but about the management infrastructure of your website.
2. Thou shalt not make users generate accounts.
This does not just focus on the need to use organisation-centric federated access management on websites, but recognises and builds in to the larger question that institutions may in the long term choose to broker user-centric identities rather than provisioning identities. Service Provider managed user accounts are generally to be seen as bad though!
3. We are all Service Providers now.
It is important for institutions to think of themselves as Service Providers to their users, and think of the controls they need around those services to provide a good service to the end user. If you expect users to have federated accounts to access content at Wiley or OUP, why not have it on your website / VLE / Library Portal?

The third point goes directly into the debate on Web 2.0, where we are truly all contributors (and thus we are all Service Providers in the SAML lingo). However, the access management infrastructure for lightweight contributors is lagging behind. The current federation infrastructure is organization-centric, which makes it hard to reuse the same infrastructure for such contributors.

I would restate the mantras as:

  1. Infrastructure matters
    Federations regulate authentication (SSO/SLO), the information-sharing model (attribute definitions and semantic interoperability) and security models. Security must be good enough, and the access management federations should be put to use. Align user management with the organizational procedures/infrastructure.
  2. Thou shalt not harass thy users
    Do not force users to have more passwords than they can possibly remember, do not force users to have more user accounts than they are able to manage, do not force users to register new accounts.  Provide Single Sign On and Single Log Out to your users.  Give your users the information needed, including consent and security.  Users are smart, and will do what benefits them, if given tools to help themselves.
  3. You need to participate: we are all Service Providers
    Web sites that have access control do benefit from a shared access management infrastructure.  One size does not fit all, but all that need to use Medium and Large access management should federate to provide their users with a non-harassing Single Sign On and Single Log Out environment.