August 2009

Sharing, withholding and delegating sounds like advice from Management 101, a first introduction to getting things done.  In the case of identity management, there are some hard cases to crack:

  1. Sharing metadata: getting information about the right identity provider to the right service provider, as needed
  2. Withholding information about technical detail from the end user, while giving enough information to make informed choices.  One aspect of this is a seamless discovery service, where the aforementioned identity provider information is available when needed, without prompting the end user to input something
  3. Delegation of rights.  I may wish to delegate rights to my husband or to a process running on my behalf (webmail should be able to check my mail account via IMAP, even if IMAP is a non-web protocol)
  4. Aggregation of information about me from multiple Identity Providers, while keeping my privacy and giving a user-friendly interface for managing my own information

The discussions on these issues have tended to get into complicated corner cases and some heavy protocol elephantiasis.  The simple and elegant design of OAuth gives some hope, as people start experimenting and throwing connected ideas around.  An example is Andreas’ draft work on attribute aggregation.

Simple is good.  Testing various ideas helps us sort out how the issues above prevent us from solving some of the use cases:

  • Grandfather wants access to e-learning platform, needs to check on school work and see if grandson handed in assignments.  Depends on delegation of rights from parent.  Depends on discovery service to sort this role from the primary role as professor at university.
  • Parent wants to delegate limited rights to supervise schoolwork to grandfather.  Depends on attribute aggregation from multiple sources, as parent-child relation is independent of authentication method.  Depends on seamless discovery service, since this must be possible for all parents.
  • Integration of Web2.0 applications without total mesh coupling.  Depends on withholding information to preserve privacy, and delegation of rights to several processes keeping track of social network updates.
  • Universal access to web sites, while preserving privacy.  Getting information about disabilities (sensitive information) to adjust web sites to end user needs.  Depends on aggregation of attributes from multiple sources and delegation of rights.

The issues need to be solved for user centric identities, organization centric identities and federations.  We are not there yet – but the space needs watching.


Some of my smarter coworkers added several interesting features in the SimpleSAMLphp statistics module.  And the numbers show that if the users are presented with a log out option, half of the users prefer to use this option to closing their browsers.  This trend has stayed stable during summer, when the number of logins has fluctuated wildly.

The graph shows an initial fluttering as the functionality was tested, then support was gradually added in more services.  The large jump from .2 to .5 and above comes as several large scale services migrated to the new interface.

Logout to login ratio


In my earlier posting Single Logout grows I pointed to this trend and wrote about the implementation.  A good user interface has proven to be alpha and omega, as shown in Andreas Solberg’s implementation.

I wish Shibboleth would add support for logging out, as the feature is wanted by half the users.  Not to mention all the vendors and software houses that have told us that logout is neither requested nor possible to do in a useful way.  Our users are voting with their clicks on this issue!

Logout interface

For the first time there has been a major study of ICT usage in Norwegian higher education, to complement the biannual ITU monitor that has been conducted since 2003 for primary and secondary education.

The main finding is that there is great variation in use of ICT in higher education.  Some factoids:

  • 92% of lecturers publish their lecture notes (slides) for the students in their class.  Lecturers make a real effort to share information?
  • 97% of students find lecture notes useful.  The lecturers’ effort to share information is appreciated?
  • 85% use a learning management system for their teaching/learning, most students use LMS for handing in assignments.  LMS works for managing learning, facilitates the learning administration?
  • Students depend on SMS as their primary mode of communication.  Cell phones really are body parts for students?
  • Staff depend on email for communication with other staff, but the majority use LMS-messages to communicate with students.  Does this indicate that communication patterns mould themselves to work needs, or just an age differential?
  • There is no age difference in the staff use of ICT or attitude towards ICT.  Contradicts earlier studies, but aligns with the need to use ICT to get the job done?
  • 4% of lecturers regularly publish sound/video of the lectures online, 9% publish some lectures.  High profile, but still early stages?
  • Student use of presentation tools (powerpoint etc) disappears as students go from secondary to higher education. Learning patterns change?
  • Institutes with ICT in their strategies have higher usage and more varied use of ICT than other institutes.  Think about what you do, and what you do changes?

The different communication modes are interesting to note; I wonder how that will continue to play out as cell phones get integrated into the rest of the Internet.

Students spend on average

  • 10.4 hours/week on personal ICT
  • 1.7 hours/week on ICT use during teaching activities
  • 9.4 hours/week on ICT-supported studying

Students spend over 20 hours/week using ICT.  Given that they also on average spend 9 hours/week earning wages, the high use of ICT forms a large part of the student’s life.

There are more facts on the split in services used by staff and students, and this will impact federation services.  That information will have to wait for another day.

Pair in facts beats house of guesswork, to quote one of my colleagues.