Since the Open Academic Environment's main cloud deployment, *Unity, rolled out to 20,000 universities and research institutions last month, one of the most common questions has been how so many people are able to use their campus credentials to sign in. I’m going to explain, but be warned: after that I’m going to say why I think this is the wrong question. The right question, I think, is, "Why did no one do this before?"
The Open Academic Environment software at the heart of *Unity integrates with most of the commonly used authentication strategies, including open standards such as Shibboleth. Using these different strategies we’ve been able to establish single sign on with almost half our 20,000 tenancies.
The benefits are real. You don’t have to remember another username and password; instead, you can sign into *Unity with your campus credentials. And so can the majority of your colleagues around the world. It’s one of the features that makes *Unity a uniquely suitable venue for all your research projects.
We’ve managed to hook up with so many universities partly by making bilateral arrangements, campus by campus. But we’ve also worked through the many access management federations to which we belong. These national federations act as brokers; on one side are the universities, on the other are service providers such as *Unity. The federations allow us to hook up with many institutions in one go, reducing the effort involved.
So, given that the username / password thing is one of the biggest barriers both to adoption and usage, why is it that none of our competitors have gone to the effort of integrating with institutions’ single sign on strategies? How is it that none of Facebook, Google, LinkedIn, Academia.edu or ResearchGate let you use your campus credentials to sign in?
To see why, compare our old friend email with one of the newer services offered by these companies, such as file sharing.
Email is a federated service based on open standards. Each university controls its own servers, data and users. Even if these days they may buy the service in from a cloud provider, the university retains control.
If you draw a diagram of the connections, it looks like this. Each individual dot connects to a university server, which connects to other servers, which connect to other individual dots. The connections between the users are mediated by their universities.
File sharing via, say, ResearchGate, is different. There’s no open standard. The service is not federated but owned by one company. It controls the servers, data and users. The university is, literally, nowhere.
In this diagram, each individual dot simply connects to the ResearchGate servers in the middle.
What these Silicon Valley companies have done is to disintermediate the universities themselves.
Now, from the point of view of these companies, what happens if they integrate with an institution’s own single sign on system is that they reintroduce the university into the diagram. Now the university itself has re-acquired control. It will examine your terms and conditions and veto things it doesn’t like. It will demand that the privacy of its users is protected. It will demand ownership of the content they create. And if it doesn’t get it, it may switch off the single sign on and take its users elsewhere. Even worse, maybe 100 institutions might get together and move elsewhere all at the same time!
So that explains why I think the Silicon Valley companies don’t work with campus credentials. And it explains why universities should prefer services that do. It’s the difference between control that is centralised and control that is federated. Or, to put it another way, between colonisation and independence.
But, you may say, file sharing is different to email. File sharing can’t be provided in a federated way; it needs a centralised infrastructure. Indeed it does. But a centralised infrastructure does not have to mean centralised control. You can have centralised infrastructure in which each university owns and controls its own tenancy, its own users, its own data. This is *Unity, and the logo of the Open Academic Environment project shows you the kind of connections we have in mind.
In the centre is the central OAE infrastructure (known to you as *Unity). This is connected to the institutions (the small dots), which in turn are connected to the individual users (the big dots).
This is exactly the arrangement that is effected when we integrate with your university’s single sign on system, and it reflects our vision. Not the disintermediation of the universities but rather their re-intermediation, a step which means empowerment for the university and respect for the user.
You can find out more about *Unity and the issues raised here by downloading our briefing for university Chief Information Officers.