Athens access and identity management

From Wikipedia, the free encyclopedia

Athens is an Access and Identity Management service that is supplied by Eduserv to provide single sign-on to protected resources combined with full user management capability. Organisations adopting the Athens service can choose between the Classic Athens service, where usernames are held by Eduserv, or Local Authentication where usernames are held locally and security tokens are exchanged via a range of protocols: SAML, Shibboleth or Athens Devolved Authentication (AthensDA) [1]. Over 4.5 million users worldwide can gain access to over 300 protected online resources via the Athens service.

Athens replaces the multiple usernames and passwords necessary to access subscription based content with a single username and password that can be entered once per session. It operates independently of a user’s location or IP address.

Contents

[edit] Infrastructure

There are two main elements to Athens. Firstly, the ability to manage large numbers of users, their credentials, and associated access rights, in a devolved manner where administration can be delegated to organisations, or within an organisation. Secondly, Athens provides a managed infrastructure which facilitates the exchange of security tokens across domains in a secure and trusted way.

[edit] Trust

The Athens service is a trust federation where Identity Providers, Service Providers and Athens operate under common rules and licenses. Trust is enforced by the use of public-key cryptography and other security mechanisms.

Trust is enforced at the Identity Provider through an appointed administrator who uses browser-based tools provided as part of the Athens service to manage their user accounts in a truly federated manner. Accounts can be grouped into categories with different attributes, and given access to different sets of resources.

The Athens service is neutral; it is not involved in the selling process between a Service Provider (SP) and an Identity Provider (IdP). The SP informs Athens when access to its resource is to be enabled to an IdP, and Athens then allows the IdP to allocate the resource to appropriate user accounts.

[edit] Adoption

Athens is used extensively within UK Higher and Further Education institutions, the UK National Health Service, and in more than 90 countries worldwide. It has been adopted by over 2,000 organisations, and over 300 online resources since it was first launched in 1996. Over 4.5 million accounts are now registered with Athens. The majority of IdPs use Classic Athens; however more than 60 organisations, representing around one million users have moved to the fully federated Local Authentication model. In 2006 Athens was represented at the Medical Library Association Annual Meeting. Since then hospital libraries in the United States have begun using Athens as method for providing off campus access to library resources.

[edit] Standards

Once SAML became a ratified standard, Athens adopted SAML and Shibboleth interfaces to the Athens system to facilitate inter-working with a larger number of systems. The Athens service now offers SAML and Shibboleth connectivity for both IdPs and SPs through Gateways, whilst the native SAML protocols are being implemented.

[edit] Attributes

Athens makes a number of attributes relating to its organisations and its user accounts available to its Service Providers through its agent technology. These are generally organisation-related as in the case of the ‘issuing organisation identity number’ or ‘issuing organisation country’, or pseudonymous like the persistent unique identifier for a user account.

[edit] Attribute-based authorisation

Athens user management facilities, whether for Classic or Locally Authenticated users, allow the administrator to allocate a different set of resources to each user account. This provides fine-grained authorisation for resources. However, the ability to deliver attributes through the agent technology will offer a long term ability to authorise based on attributes, when attributes and their meaning are commonly understood by IdPs and SPs.

[edit] Trivia

The service was originally named Athena after the Greek goddess of knowledge and learning. It is rumoured that the name change was partially caused by a common typo, but it was actually due to the name Athena being already trademarked. Consequently, Athens is not an acronym and doesn't need capital letters.

[edit] External links