[Advisory] Sending pupil-level data outside of the school

Crispin Weston crispin.weston@alphalearning.co.uk
Fri, 4 Dec 2009 08:24:16 -0000


Hi Frances,

Thanks for this background on current work regarding WAYFless urls. As
argued in my previous post, it seems to me that this work will inevitably
lead to solutions involving content packaging.

Regarding trust, any system which requires people to tell the truth is
inherently insecure, as well as involving the overhead of having to
establish trusted status. Most medium secure systems rely on secrets, not
truth-telling.

Take, for example, the simple system using basic web authentication
illustrated at http://www.saltis.org/transparent_bwa.gif. In my view, this
has two significant advantages over Shibboleth: it requires no-one to be
trusted; and it does not require the publisher to do anything other for
authentication than what the publisher is already doing (handing out
username/password combinations). The only extra step required is for the
encoding of authorisation methods within a content package.

A third benefit is that this system uses cheap, automatic systems which can
be provided commercially either to schools or in the local authority. It
does not matter where the technician sits and all he/she has to do is to
enter a username/password at install time, just like any home user would. I
am sure that you are aware that there are many schools that are unhappy with
a model which forces them into adopting a Local Authority model of what
software they should be buying. All the services you mention, such as email,
role-based access, real-time reporting to parents, can all be provided by
commercial systems sold to schools. I do not understand the argument for
forcing a one-size-fits-all provision on schools at LA level. Economies of
scale can be achieved more efficiently by successful commercial companies,
operating in a competitive market, than by regional consortia.

Basic Web Authentication is not necessarily suitable for everyone, so there
might be a range of authentication and authorisation systems, including a
SAML/Shibboleth-based system, which could be encoded in the content package.

@ Mike - this does not depend on the ubiquity of VLEs any more than it
depends on the ubiquity of Shibboleth identity providers - in fact, much
less so. SSO is a very useful thing but it is not a critical function, not
something that does not work at all unless everyone is doing it, and it
might even be wasted on a school which is not using remote content services
in the classroom yet. Why not let schools buy a cheap SSO solution when it
is perceived to be needed in that school? And my proposed first-step
solution, using basic web authentication, requires publishers to do nothing
extra for authentication than what they are doing already, so there is no
sense that they need to be reassured that the basic infrastructure is
already in place.

And whether or not Shibboleth is easy for publishers to implement (I have
heard both favourable and unfavourable reports of this), the fact remains
that it needs to be implemented and, after 5 years, it is not much
implemented except where companies are specifically paid to implement it. My
solution requires no extra implementation at all, other than a robust
content packaging spec, on which work is now being done and which the
publishing industry is very keen to implement.

Crispin.


> -----Original Message-----
> From: advisory-admin@talk.naace.org [mailto:advisory-admin@talk.naace.org] On Behalf Of Frances Burton
> Sent: 03 December 2009 16:59
> To: advisory@talk.naace.org
> Subject: RE: [Advisory] Sending pupil-level data outside of the school
> 
> Hi Crispin
> 
> You are right that the WAYF is clunky but is designed as a backstop
> solution to the discovery issue in FAM. It is, at present, undergoing a
> review of its design by a working group from across all the education
> sectors but this aside, the best way to achieve discovery in federated
> access management is to avoid it altogether.
> 
> WAYFless URLS do look complicated and they are also subject to a review
> at present by a working group looking at their format and
> standardisation. However, authentication for services will always have a
> requirement to work with individual service providers, whether through
> FAM or not.
> 
> The UK federation provides the trust fabric that underpins the
> technology. Those that sign up to the rules of membership basically
> agree to tell the truth so Service Providers can have confidence that
> the impersonal data they are getting is related to an authentic
> individual.
> 
> There are local solutions to authentication but the strength of regional
> deployments is in the opportunity for wider benefits. They have the
> potential to relieve the school of the burden of credential
> administration and the burden for, particularly smaller service
> providers, generating and administering login details. SPs are happy to
> be able to sell their services on a regional level and not have to
> administer logins for figures like 750,000 users per region.
> 
> The 14-19 agenda has students working in both school and college and a
> regional deployment at LA/RBC level gives the flexibility for those
> users to authenticate with one set of credentials rather than having
> separate accounts created in College and School. It also allows access
> to resources for pupils who are not always in a school setting, even if
> they are associated with one region but physically working from another.
> 
> It is my understanding that Local Authorities have a responsibility for
> identity management and have operational requirements for accessing the
> data held in school MIS, therefore, school controlled MIS data is
> already being re-used at LA level.
> 
> Given that this information has a place at LA/RBC level then there is an
> opportunity to provide authentication to access not just online
> services, but for parents to access children's assessment data, staff to
> access email services, and simplified sign-on, based on roles, being
> finely granulated to authenticate a user to access services in one
> school as a teacher, another as a parent or governor and, perhaps, the
> LA as a student. Identity management in this context cannot be achieved
> inside a VLE but can be applied equally to a VLE. Therefore the benefits
> of a UK wide Access management system are not just in school, and not
> just within the needs of educational content in VLEs, there are other
> regional systems and services that can benefit from a robust and privacy
> preserving authentication system.
> 
> Details of case studies for regional deployments in the schools sector
> can be found at
> http://www.ukfederation.org.uk/content/Documents/CaseStudies.
> 
> Kind regards
> 
> Frances
> 
> 
> 
> -----Original Message-----
> From: advisory-admin@talk.naace.org [mailto:advisory-admin@talk.naace.org] On Behalf Of Crispin Weston
> Sent: 03 December 2009 08:23
> To: 'Paul Browning'; advisory@talk.naace.org
> Subject: RE: [Advisory] Sending pupil-level data outside of the school
> 
> > Is this not where the UKAMF comes in?
> >
> > http://www.ukfederation.org.uk/
> Hi Paul,
>
> Yes and no! And apologies in advance for the essay.
>
> You have to face the fact that, five years after its initial roll-out
> for the schools sector, take-up of Shibboleth, particularly by
> commercial publishers, remains poor.
>
> Personally, I have always had my reservations about Shibboleth,
> believing that, at least as originally conceived, it implemented an
> inappropriate, HE model. It assumed that students would land on whatever
> resource they wanted and this resource would call back, via a "Where are
> you from" service, to fetch whatever personal data the service required
> from the identity provider.
>
> Back in I think 2004, my principal objections were
> (1) the clunky "Where are you from" service pretty much defeated the
> whole object of single sign-on, which was to make sign-on transparent.
> (2) at schools level, students will access resources *through* the VLE
> gateway. Given this model and given proper attention to VLE
> interoperability, the VLE can handle authorisation transparently without
> the unnecessary complexity of Shibboleth (diagram at
> http://www.saltis.org/shib.gif).
> (3) Shibboleth requires commercial content providers to implement
> special authorisation services. This may not be a great burden to larger
> publishers (though I understand that the technology has not always been
> easy to work with). But it is often prohibitive for small cottage
> industries which, if there is to be a healthy supply of innovative
> learning services, must not be excluded from the market.
> (4) the amount of personal data that gets thrown across the net just to
> support an authorisation process which does not actually need any
> personal data at all (a product key or school-level username/password
> might suffice).
> 
> My understanding is that Shibboleth has moved in two significant
> directions since 2004:
> (1) to remove the WAYF by the use of "wayfless urls", the WAYF being
> found to be unnecessary where students, as predicted, tend to access
> content through the VLE (this addresses problems 1 & 2, though, if you
> had started with this assumption, you would not have adopted Shibboleth
> in the first place); and
> (2) to remove any personal data from the profile, ending up with an
> anonymous ID and an affiliation to a school (addressing point 4). As
> Frances I think suggests, Shibboleth is not really suited for use as a
> provisioning system, which would be better managed by a SIF-like system.
>
> My own view is that both these developments are moves in the right
> direction and open up opportunities for convergence between existing
> SAML/Shibboleth implementations and new content packaging technologies.
>
> Let me try and explain why I think the convergence is required.
>
> 1. Everything is moving, as stated above, in the direction of wayfless
> urls.
>
> Here is an example of a wayfless url:
>
> https://idp.protectnetwork.org/protectnetwork-idp/SSO?target=https%3A%2F%2Fgabriel.lse.ac.uk%2Fsimon%2Fcgi-bin%2Fprintenv.pl&shire=https%3A%2F%2Fgabriel.lse.ac.uk%2FShibboleth.sso%2FSAML%2FPOST&providerId=urn%3Amace%3Aac.uk%3Asdss.ac.uk%3Aprovider%3Aservice%3Agabriel.lse.ac.uk
>
> This essentially combines the URL of the site being visited with all the
> information required to manage authentication via a particular identity
> provider. These wayfless URLs need therefore to be created separately
> for every institution and for every specific link which the institution
> wants to provide for its learners. The creation of wayfless URLs may be
> a trivial task for university computer departments, but for a small
> primary school, I suspect that it is a bit of a show-stopper.
>
> There is a need for content to be disaggregated, so that teachers can
> send their students straight to the particular piece of content that is
> required for a lesson or homework - this means that there need to be a
> lot of very teacher-specific links to be created.
>
> What is needed is for content to be distributed (in content packages)
> without any school-specific authentication and authorisation data, but
> with whatever data is required to enable the VLE to add automatically
> the learner-specific authentication and authorisation data required to
> access the remote site transparently.
>
> Transparent authorisation of disaggregated content is an essential
> prerequisite for the effective integration of content with VLEs - and
> Shibboleth, even after 5 years of development, does not yet provide a
> viable solution.
>
> 2. The publishing industry perceives that a key pedagogical requirement
> is to achieve data integration with the school VLE, e.g. for the storing
> of marks in a common markbook, the saving of state and the returning of
> student product for marking and sharing. This requires that third-party
> content calls back to an API provided by the school VLE. If content
> providers need, for pedagogical reasons, to implement this callback
> anyway, and all the student identity information is held by the school
> VLE anyway, why should the content providers implement two callbacks
> where one will do?
>
> I would ask two further questions (and they are genuine questions -
> there may well be good answers):
>
> 1. If it is now recognised that data being passed via Shibboleth should
> be restricted to anonymous data, why is the bureaucratic overhead of a
> trust federation required at all? There is a pressing need to encourage
> innovation in the market and any unnecessary barrier to entering the
> market should be removed. Why should I have to establish that I trust
> someone before I send them anonymous data?
>
> 2. If the industry can implement this functionality without all the
> bodging involved with the creation of wayfless urls, and all the student
> identity information is held in any case in school MIS/VLEs, then why do
> we need duplicate systems to be run at local authority level?
>
> What I expect is a convergence of SAML/Shibboleth technology and
> SCORM-type technologies being used for content-VLE integration. I am
> hoping that SALTIS will be able to set up a working group in the early
> summer to look at this, on the back of the outcomes of the BECTA/ISB
> content packaging project, and we would welcome the participation of the
> UKAMF and anyone else working in this space.
>
> Details of the content packaging project are at
> http://www.saltis.org/papers.htm.
>
> Crispin.
> 
> 
> _______________________________________________
> Advisory mailing list Advisory@talk.naace.org
> http://talk.naace.org/mm/listinfo/advisory
> To unsubscribe send a message to Advisory-admin@talk.naace.org with
> the
> body text:
> 
> unsubscribe Advisory YourEmailAddress
> 
> or: send a message to Advisory-request@talk.naace.org
> with the body text:
> 
> unsubscribe YourPassword YourEmailAddress
> 
> JANET(UK) is a trading name of The JNT Association, a company
> limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG
> 
> 
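An added example, not part of the original thread: the wayfless URL quoted above, split into the identity provider's SSO endpoint and the `target`, `shire` and `providerId` parameters it carries, then rebuilt to show why one link is needed per institution and per resource. The function names are hypothetical, and any identity provider address other than the one in the thread is constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# The example URL from the thread, rejoined from its wrapped lines.
THREAD_URL = (
    "https://idp.protectnetwork.org/protectnetwork-idp/SSO"
    "?target=https%3A%2F%2Fgabriel.lse.ac.uk%2Fsimon%2Fcgi-bin%2Fprintenv.pl"
    "&shire=https%3A%2F%2Fgabriel.lse.ac.uk%2FShibboleth.sso%2FSAML%2FPOST"
    "&providerId=urn%3Amace%3Aac.uk%3Asdss.ac.uk%3Aprovider%3Aservice"
    "%3Agabriel.lse.ac.uk"
)
REQUIRED = ("target", "shire", "providerId")  # parameter names as seen in the URL


def parse_wayfless(url):
    """Split a wayfless URL into the IdP endpoint and the SP-side fields."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("wayfless URL should point at an https IdP endpoint")
    query = parse_qs(parts.query, strict_parsing=True)
    for name in REQUIRED:
        if len(query.get(name, [])) != 1:
            raise ValueError(f"expected exactly one {name!r} parameter")
    fields = {name: query[name][0] for name in REQUIRED}
    fields["idp_sso"] = f"{parts.scheme}://{parts.netloc}{parts.path}"
    return fields


def build_wayfless(idp_sso, target, shire, provider_id):
    """Combine one institution's IdP endpoint with one resource link."""
    params = {"target": target, "shire": shire, "providerId": provider_id}
    return idp_sso + "?" + urlencode(params)


def links_for(idp_endpoints, targets, shire, provider_id):
    """One URL per (institution, resource) pair: the N x M cost described."""
    return {
        (idp, target): build_wayfless(idp, target, shire, provider_id)
        for idp in idp_endpoints
        for target in targets
    }


if __name__ == "__main__":
    for key, value in parse_wayfless(THREAD_URL).items():
        print(f"{key:10} {value}")
```
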