Trust, Identity and Access Blogs UK Access Management Federation

Federated SSO: Monopolies for good?

A blank monopoly board showing all of the property colours without any of the names or branding

Bear with me while we have a little history lesson. As anyone who has ever used an Inertial Navigation System knows, you can only get to where you want to be, by knowing where you are coming from…

Coming of age in the 80’s, I had a few certainties. Liverpool FC always won, C15 blank cassette tapes were ONLY ever used for computer game piracy and Monopolies and Cartels were bad. I knew this because I watched Dallas and JR liked them, so they must be bad.

Working in education in the decades that followed did little to dissuade me. In fact it just reinforced the feeling. Especially following the 2010 Bonfire of The Quangos when BECTA (a kind of Jisc for schools) was abolished.

One could argue the abolition left room for the free market to compete and lower prices. Conversely, one could say that the schools sector was left without a trusted guardian and advisor. Fresh meat for the full avarice of the private sector.

You can take your choice.

Monopoly for good?

Unlike BECTA, The Joint Information Systems Committee, later JISC and later still, Jisc, did survive. In the area of access management, Jisc did what any good custodian of a public sector should do. Keep standards, while providing the breeding ground for competition – be it price or capability.

Back in 2007, when the UK federation was launched, Jisc was the custodian of the keys on behalf of the UK academic community. Yet, as Peter Parker will tell you “with great power comes great responsibility”.

There could have been a monopoly. Especially as Jisc made it a mandatory part of the Jisc Collections model license, that publishers join the UK federation. Jisc also had access to a fair chunk of the SAML expertise in the country at that time, through our friends at EDINA, MIMAS and JANET.

Thankfully we didn’t go down that approach.

Creating a level playing field

We hear a lot now of “levelling up” but back then we focused on creating a level playing field.  If you could meet international agreed SAML standards you could come and play on our field – the UK federation.

We wanted it to be open. Hence Jisc was one of the three initial (and back then, main) funders of the Shibboleth consortium. The consortium provided a non-proprietary open-source solution for federated SSO use within the UK federation. If you had the technical expertise – it made it easy. Simply download and deploy the Shibboleth code, register an entity in the UK federation and there you have it:  21st century access management at zero cost.

Now, we also knew that zero cost doesn’t always mean zero cost. A pre-requisite was a tech team with SAML compatible experience – or at least time. This meant we needed to help grow the community with organic talent.

To support this, JISC programmes at the time used funding to develop centres of expertise at various institutions. As a result of some of what might now be considered “seed” funding – we later saw SAML support companies such as Overt emerge. And then we had OpenAthens – a not for profit organisation, providing a UK federation compatible technology. OpenAthens’ competitive advantage was to launch a managed service focused around librarians. Comparatively Shibboleth has a slight bias towards the IT side of institutions.

So, plenty of choice, and plenty of competition. All carefully regulated by a common set of standards where participation in the UK federation was concerned. And it wasn’t just competition in a domestic context. When the UK federation joined eduGAIN in 2013, it meant that service providers could be registered in any eduGAIN federation. What’s more – they could use 3rd party support suppliers in any country. It was a nicely balanced, Open, triangle.

Keeping things competitive

Like I said – Jisc is only a custodian of a federation, not a ruler of.

We’ve worked hard to create a level playing field, a triangle of competition. And then fate dealt a surprise…

Eduserv (responsible for the OpenAthens IdP/SP technology) and Jisc (responsible for the UK federation and Shibboleth technology), merged in 2019.

At first glance that triangle of competition started to look a lot smaller (or larger depending on your point of view – inside or outside).  And I suspect that if Jisc had been a commercial company who now owned both of the top selling caffeine and soda-based beverages, we would have been looking at only one cola on our shelves at this point.

But Jisc isn’t an evil Lexcorp, so we’ve ensured that the healthy balance of a level playing field continued.

Institutions still have a variety of technological solutions to choose from when it comes to the UK federation. This includes Shibboleth, which is still free to download/DIY, and supported by third parties like Overtsoftware, as well as our own consultancy team. Alternatively there are solutions like PingFederate or the managed service from OpenAthens. Interestingly, Overtsoftware originally emerged out of Kidderminster college, which had received some of that early federation test bed funding back in the noughties.

Similarly, the UK federation has also avoided acting as a restrictive gatekeeper for service providers. UK registered entities are exported to eduGAIN for use by all participating federations. On the flip side of that – we import thousands of entities from eduGAIN for use by our members.

Ensuring an open community  

So back to where we started  –  Jisc has a pretty major worldwide stake in federated SSO and its associated provision. However we’ve done as much as we can to ensure no one is exploiting their position, and we have kept choice and competition going.

I don’t think you’d find a similar ed tech in the private sector make such choices…..and this hasn’t been an advert but a reminder that the public sector has responsibilities that the private sector would have nightmares about…

To read more from Mark, check out ‘I’m not a number, I’m a pseudonymous identifier’. You can also learn more about Jisc’s Trust and Identity Portfolio via the website, or by contacting  

Leave a Reply

Your email address will not be published. Required fields are marked *