Pilot of Athens Account Linking facility launched

Athens users will soon have the ability the link two or more separate Athens accounts into a single but independent identity; and access the combined set of resources. This facility has been developed and is currently being piloted by a number of Athens resource providers. Eduserv is working with the NHS Connecting for Health Design Authority to finalise the functionality and deliver the best possible user interfaces. For full details of this facility see the Account Linking White Paper.

Project timetable:

• 31 March 2006
  End of service provider consultation period
• 3 - 21 April 2006
  Service provider evaluation and testing
• 24 April - 5 May
  Review of service provider testing results
• 8 - 19 May 2006
  NHS and UK HE organisations pilot
• 22 May - 2 June 2006
  Review of user pilot

When the testing cycles listed above have been completed and fully reviewed, we expect to consult with the steering group on deciding an appropriate release schedule and any further actions.

Account linking FAQ:

• Why are we doing this?

  Account linking was developed to meet the needs of Athens administrators working in the UK education and healthcare communities. There are extensive and well-established links between the two sectors, e.g. university medical schools, teaching hospitals, etc, and this project is seen as part of the move towards greater collaboration across the two sectors, e.g. http://www.nhs-he.org.uk/.

  The NHS Design Authority Group are also interested in this project, and recognise that it will help simplify access for their users.

• Why is this a good thing?

  Athens users with multiple affiliations will be able to link their accounts in a single one-off action that will allow them to subsequently login with a single set of credentials to an aggregated set of services. Athens administrators will retain overall control of user accounts: expiry dates, access rights, etc for their organisation's Athens accounts can't be superseded by other accounts they have been linked to. If an Athens account that has been linked is deleted, then the links to the other account(s) will also be deleted.

• How will our service benefit from this?

  Any simplification in user access to electronic resources usually results in increased usage of those services, and it is anticipated that this will be the case for linked accounts.

  It also formalises a process which has happened in ad-hoc manner, whereby a user may use multiple account to access a single service. The advantage of formalising this process is that when a user links an account, Athens will be presenting a single unique identifier to the service provider. The consequence of this is that personal information, saved searches etc, stored by the service provider will be shared between all their accounts, making the experience more consistent for the user. This has the further advantage that when users move between organisations, their persistent identity remains constant, removing the necessity to migrate saved information between accounts (or users losing it).

• Will a 'super' account with access to the entire service be created?

  No. When an Athens user who has linked two or more accounts logs into a service, they will pass a list of Athens organisation IDs (org_IDs) to service providers. This should only enable Athens users to see the sum of the products or services that the user's various affiliations entitle them to.

• How many Athens accounts can be linked together?

  There is no limit at present, but this will be reviewed in-line with the views of the communities we serve.

• Can a single account be linked more than once?

  No. When Athens accounts are linked, an Athens 'identity' is created. An Athens account can only belong to one Athens identity.

• How will usage statistics be logged?

  Statistics will be logged against the account nominated as the primary account for a particular service provider. However, service providers will be able to view which organisations a user is affiliated with, so this information may be used to log additional information, based on the access policy employed by the service provider.

• Is it possible to link AthensDA-enabled accounts?

  Yes, but only one AthensDA-enabled account can belong to an Athens identity.

• Is it possible to link SAML/Shibboleth-enabled accounts?

  Yes, but only one SAML/Shibboleth-enabled account can belong to an Athens identity.

• Will my service be able to tell when an account has been linked?

  Yes, multiple organisations will be available via attributes, in the same way that organisations are identified at present. The advantage of this is that more accurate information is being provided to a service provider, so that they may apply more accurate access-control policies, based on this information. At present users may access with multiple accounts in an ad-hoc fashion, but logging on with different accounts at different times. Linking of accounts means that the information which may be passed to a service provider will more accurately reflect the user's affiliation(s).

• How will this affect personalisation?

  Personalisation will be stored against the user's persistent identifier. When a user links accounts, they establish an 'identity' which has its own persistent identifier. The advantage of this approach is that the user's identity remains with them even if they move between organisations. However, as far as service providers are concerned, they should continue using the persistent UID attribute, available via the Agent - there are no requirements to change the use of this attribute to support account linking.

• Do I need to make technical changes?

  In order to support users with multiple affiliations, we recommend that service providers make greater use of the organisation identifier attribute, which may possess multiple values in the case where a user has affiliations with multiple organisations. The recommended approach is for service providers to use an access policy which aggregates the permissions from the organisations to which the user has affiliations.

  However, in order to maintain compatibility with resources which do not take this approach, the user will be able to nominate 'preferred' accounts, from which their primary organisation affiliation will be obtained, in preference to their other affiliations. In this case a service provider will use the first organisation identifier which they receive for a user.

  We do strongly encourage Service Providers to make use of this additional information at the earliest possible opportunity.

• Do I need to upgrade the Athens agent?

  The only explicit requirement for the Agent is support for multi-valued attributes. This has been supported in the Java Agent since version 3.6.4(released on 17 May 2004) and the C Agent since version 3.6.2 (release on17 June 2004). DSPs using other versions should consult with the DSP service desk.

April 2006