Updated 25 March, 2000

The aim of the proposal is to provide a common means of authentication and authorisation to provide researchers with single signon access to a range of networked information resources, independent of the researcher’s location and means of access to the network.

The objectives of the proposal are:

• to develop and evaluate models for a national system of authentication and authorisation of access to major licensed information resources
• to evaluate existing solutions and identify the one most appropriate for the Australian situation
• to implement the preferred solution

CAUL (Council of Australian University Libraries) (lead institution), on behalf of all Australian University libraries
CAUDIT (Committee of Australian University Directors of Information Technology)
CSIRO (Commonwealth Scientific and Industrial Research Organisation)
IAC (Information Access Company)

Ovid Technologies is already collaborating with the UK National Information Systems & Services (NISS) to provide ATHENS-authenticated access to their databases to the whole higher education community. The Australia/NZ General Manager, Ms Diane Koen, is keen to collaborate in a similar fashion with the Australian universities, and is currently consulting with her Head Office about actual requirements.

2. Background

Australian university libraries provide their users with access to a range of information resources from a wide variety of sources. Some of these such as the library catalogues are available to all users including the general public but the majority are licensed from publishers or information aggregators and access to them is restricted to institutional members. These latter products may be mounted locally within the library or the institution or be available from remote hosts, either in Australia or overseas. Use of these products needs to be protected such that only the members of licensing institutions have access within the conditions of the license. Authentication is required to provide security and ensure the user is authorised for access under the license. The recent Telecommunications Act has also emphasised the need for appropriate authentication and authorisation of users of services provided via the Internet.

The provision of access to electronic information is highly complex. It involves

• a multiplicity of information resources including citation databases, full text databases, electronic journals and increasingly linkages between different datasets
• distributed provision of resources. Relevant information resources can be located on servers within an institution, within the region, within Australia or anywhere overseas. Typically libraries provide access to a mix of these.
• arrangements with a diverse group of information providers. These may be individual publishers such as Academic Press who provide access to all their journals in electronic form or information aggregators such as Ovid who provide access to a range of databases and major electronic journals from different publishers.
• consortium arrangements whereby members of CAUL or subsets of the membership under the aegis of CAUL take out a group license for a particular product
• individual arrangements by libraries for particular products or parts of products
• a distributed user base. Researchers are located all around Australia and may work from a number of different locations such as their institution, their home, an affiliated institution, a research partner organisation including industrial partners. An individual researcher may need access from two or three different locations in the course of carrying out their research.
• a dynamic user base. Researchers, particularly graduate students and researchers supported by grants, may work at a particular institution for a relatively short period of time and then move onto another institution.

Authentication and authorisation need to be considered together in management of access in the distributed networked information context. Authentication basically confirms the identity of a user or validates the existence of the user within the system, i.e. the user is who they say they are, whilst authorisation is the process of permitting a user to carry out some actions i.e. allows the authenticated user access to resources according to whether their institution has a license for that resource or not.

Current situation

The mechanisms currently being used in Australia to provide user authentication and authorisation are:

• Institution specific user IDs and passwords

• IP filtering
• IP (Internet Protocol) source address filtering is the most common authorisation mechanism employed by vendors. Each computer attached to a network has a unique IP address assigned to it. These addresses contain a component which relates to the institution in which it is located. By providing a list of relevant IP addresses to a vendor, a filtering mechanism can be set up which allows access only from machines with one of these IP addresses. IP filtering has the disadvantages of permitting access to anyone using the device whether that person is a member of the licensing institution or not as it is the machine which is authenticated not the user.

• Use of passwords

An additional factor in the issue of authentication and authorisation is the increasing use of consortial arrangements for access to networked information resources. The Council of Australian University Librarians (CAUL) has negotiated a number of such arrangements on behalf of its members, for example access to Current Contents online and Academic Press’ electronic journals. Information providers need to be able to distinguish easily the members of the consortium given that the composition of the consortia changes according to the product being licensed i.e. different subsets of libraries may be involved in the joint licensing of access to different products.

Possible solutions

• Proxies

• Credential based approach

• Hybrid proxy/credential approach

International approaches to the issues

This issues of authentication and authorisation have been recognised worldwide.

In the UK, the ATHENS/ISOS system has been adopted by the higher education sector for management of access to a number of databases(http://athens.ac.uk). This system has now been implemented at over 200 sites. The ATHENS/ISOS system represents an enterprise wide solution that provides a single signon facility, integrates heterogeneous sources and provides a high level of local control. As a currently operating system designed specifically for the purpose of provision of access to protected information resources, ATHENS/ISOS will serve as a benchmark for this project.

A detailed outline of the issues is contained in A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources edited by Clifford Lynch, Coalition for Networked Information, Washington, D.C., April 14 1998 (http://www.cni.org/projects/authentication/authentication-wp.html). Further discussion of the application of user authentication and authorisation for a group of diverse libraries can be found in User authentication and authorization in a networked library environment: alliance issues by George Machovec, Technical Director, Colorado Alliance of Research Libraries, Denver, Colorado, November 1997 (http://www.coalliance.org/reports/security.htm).

The European PRIDE Project has the goal of providing a directory service to support authorisation, registration, cost recovery and integration with other interfaces to library services. PRIDE is designed to enable users to gain unified access to a global range of information resources and services in a manner which builds on value added, standards based services. Australia has representation on the PRIDE project through Macquarie University Library. The directory service envisaged by PRIDE would be a basic element in a credential-based system.

Authentication and authorisation is critical to a number of other University functions besides access to externally produced research information resources. It is therefore essential that any system implemented for access to networked information resources can be integrated with local authentication systems which are designed to provide authentication and authorisation of access to internal institutional resources. A number of institutions are already investigating options, including Smartcards, for some of their internal University processes and it is important that any solution for access management to distributed resources is standards based and therefore interoperable with a range of local authentication systems. An important factor is the likely development of public authentication systems and a criterion to be considered is the ability of any system to be implemented now to be able to operate with public key based technologies.

CAUDIT (Committee of Australian University Directors of Information Technology) is currently carrying out a preliminary project addressing authentication system requirements in the university environment. Griffith University has been commissioned to do this project which using funding provided by CAUDIT and to a smaller extent, CAUL. The aim of this Authentication System Project is to develop a functional requirements specification which addresses solutions for Consolidated Security Administration, Single Username and Single SignOn on a university-wide basis. This work is an essential component of the access management project. The current proposal is designed to build on the CAUDIT initiative by addressing the specific models for a common national user authentication and authorisation system in a distributed networked user and product environment , particularly where these are made available as part of a consortium, and ensuring that such a system can be readily utilised and be integrated with local institutional general solutions, with the ultimate aim of implementing an appropriate solution to address the urgent need that has been identified.

Other initiatives include Project Gatekeeper through which the Office of Government Information Technology (OGIT) aims to establish a rationalised voluntary mechanism for the implementation of Public Key Technology by government agencies (http://www.ogit.gov.au/gatekeeper/index.html).

3. Significance of proposal

This proposal is designed to ensure that every researcher has access to the networked information resources licensed or subscribed to by the library of their institution independent of their location of their means of access to the network.

The proposal is also designed to ensure that researchers need to use only one signon process to gain access to the whole range of information resources that they are eligible to use.

These measures will ensure that whilst researchers have a simple single access mechanism, the security of the systems are maintained and the license conditions for access to the individual resources and other regulatory requirements are observed.

From the vendors point of view, a single user authentication and authorisation system would greatly simplify the provision of access to the resources, particularly when the authorised user base can be quite dynamic, and there would be greater assurance that security issues are being handled appropriately.

4. Project plan

The project plan is divided into three part;

• development of models for a national common user authentication and authorisation system suitable for the Australian research environment,
• evaluation of potentially suitable products and identification of the most appropriate model and product, and
• acquisition and implementation of a preferred solution.

As outlined in 2, there are a number of possible solutions for providing a national approach to user authentication and authorisation required for management of access to networked information systems. In this part of the project, a number of models will be developed and evaluated according to their ability to meet requirements of

• feasibility and deployability i.e. practicality from the point of view of the user, the library and the resource provider
• level of security provided
• level of access control
• ability to support a range of protocols, especially http Web access
• privacy
• accountability in terms of the license conditions and the regulatory environment
• ability to collect management data on institutional use of resources as a basis for library collection and resource allocation decisions
• ability to integrate with local institutional authentication and authorisation systems
• cost effectiveness
• inter-operability between research institutions
• scalability in terms of resources accessible and numbers of users
• developmental strategies

4.2 Identification and evaluation of systems

Major currently available products will be evaluated against the preferred model. This phase of the project will draw substantially on the work currently being carried out by CAUDIT and will also take into account the experience of the ATHENS product currently operating very successfully in the UK. The outcome of this phase will be the identification of a product which best meets the requirements of the preferred model.

It is anticipated that these two phases will be completed by June 1999.

4.3 Implementation of a national system

The final phase of the project will be the implementation of the preferred product. This will involve close collaboration between higher education institutions, CSIRO and the information resource providers. Implementation will involve

• negotiating contracts with suppliers on behalf of the participating institutions,
• setting up servers at each institution and central servers as appropriate,
• testing the software,
• testing the data loading and updating facilities at each site,
• testing the ability to transfer data from local systems
• testing the effectiveness of the authentication process
• testing the effectiveness of the authorisation process
• running a trial with a selected group of users from a number of different institutions

It is planned that the system would be in place from the beginning of 2000.

The project will be led by a Project Officer located at the University of New South Wales.

4.4 Management of the project

The project will be managed by a steering committee consisting of representatives of CAUL, CAUDIT, CSIRO, IAC and the University of New South Wales and will be chaired by the CAUL representative.

5. Evaluation

The project will be evaluated on the basis of

• the number of information resources accessible via the system

• the ease of access for all users especially remote users via a single signon

• the ease of maintaining the system

6. Dissemination of results

Results of the project will be disseminated to Australian, UK, US and European interest groups through presentations at conferences, Web and print publications in relevant journals and through demonstration to information resource providers. Active involvement by new information resource providers will be sought through these mechanisms to enhance the range of services utilising this system for authentication and authorisation. This in turn will enhance the effectiveness of the system from the researcher’s point of view.

7. Budget

The final system to be implemented will not be known until the outcomes of the earlier phase of the project. The budget estimates are based on implementation of the ATHENS system since it is already fully operational in the UK and costings have been developed for all aspects of the system.

7.1 Requested from RIEF program

Project Officer HEW 9 (12 months) $73,500 (inc o/c)
Software consultant (3 months) implementation phase $26,000
2 x security servers @ 50,000 ea $100,000
Software for central servers 2 x $25,000 (one-off cost) $50,000
License for 165,500 researchers @ £1 (@0.38) each $434,000
Sub Total $683,500

7.2 Funding provided by participating institutions

Software consultant (3 months) evaluation phase $32,000
Server per institution $30,000 each
(38 x universities, 1 x CSIRO, 1 x IAC) $1,200,000
User administration @$1400/inst. $53,200
Training $10,000
Information Provider Software Development $20,000
Documentation/Promotion/Publicity $5,000
Steering Committee $15,000
Sub Total $1,335,200

7.3 Total cost of project

The total cost of the project is estimated to be $2,018,700

8. Budget justification

8.1 Staffing

A project officer is required to develop the model(s) in consultation with the participants, collaborate with CAUDIT in the evaluation of possible solutions, carry out contract negotiations and be responsible for the testing and coordinating the rollout of the implementation. A person with IT experience and a sound knowledge of the provision of information resources will be required.

A consultant is required to evaluate the existing software products and match these to the identified requirements. A consultant with experience in the software and system selected will be required for the initial stages of the implementation.

8.2 Hardware

Using the ATHENS/ISOS system as a reference model, each participant research institution will be required to set up and maintain a local authentication server with up-to-date details of its users. In addition, the information providers will need to establish servers which maintain the authorisation data. On the ATHENS/ISOS model two central replicating servers would be required. These could be located at AARNet regional hubs. These servers would handle a very high level of transactions. As they would maintain the national data, high capacity machines would be required.

8.3 Software

On the basis of the ATHENS/ISOS model, software will be required for the central servers. There is a one-off cost for the license of $25,000 per server with an annual maintenance cost of $5,000. In addition, a licence is required for each individual authorised user.

8.4 Sustainability

Once the system has been set up, the recurrent costs of the system which would be

• maintenance of the local data
• annual hardware and software maintenance
• additional user licences (including undergraduate students)

The ongoing costs of maintaining central servers would be managed by a levy on each participant institution.

9. Assessment criteria

9.1 Excellence of researchers and research activity to be supported by the proposal

CAUL has a record of successful collaborative activity in providing research infrastructure. Over the past few years it has taken on a very significant role as the leader of Australian consortia brokering deals for the acquisition of major information resources. This proposal is an extension of that role as it is designed to make these information resources more readily accessible to researchers. CAUDIT was responsible for the original establishment of AARNet, prior to its management being passed to the AVCC.

9.2 The need and level of demand for the proposed equipment or facilities in Australia

An authentication and authorisation system as outlined in this proposal is urgently needed as already the restrictions imposed by IP filtering and/or multiple password access are posing a significant barrier to researchers operating off campus. At the same time as the information resources are being provided in a way that facilitates search effectiveness, flexibility and convenience in information retrieval to support research activity, the administrative and technical systems in place to ensure security of access to protected resources are hindering the use of these resources. The national investment in these products is not being as fully exploited and as a consequence research time and effort is not being optimised. All Australian researchers in the higher education sector and CSIRO would benefit from the implementation of a national access management system for distributed information resources.

9.3 Effectiveness of cooperative arrangements between institutions, including access and resource sharing

The universities have a significant record of cooperation and collaboration through CAUL and CAUDIT over a range of areas. Details of CAUL’s activities in this area are appended. CAUDIT has made numerous arrangements with commercial suppliers such as Netscape for the benefit of the whole university community.

9.4 The financial commitment to the proposal by each institution

Each institution will be committing a total of $35,000 to the project; consisting of $30,000 in hardware and $5,000 for training, documentation and support. Each institution will be making an input in terms of provision of user data for authentication and authorisation purposes.

10. Relevance to Australian Research Council objectives

10.1 Contribution to quality of our culture

A common authentication and authorisation system for managing access to essential networked information resources will provide researchers with the ability to utilise resources, licensed on their behalf by their libraries, from a variety of locations including researchers using information services providers.

10.2 Graduates of high quality

The facility to provide access to information resources in a way which supports flexibility in the carrying out of research and supports postgraduate students who may be located at a distance from their institution, even overseas, will greatly enhance their ability to retrieve relevant information. This in turn will provide a more comprehensive and informed basis for their research.

10.3 Direct application of research results

The removal of the barriers to obtaining information imposed by localised authorisation systems and the need to use a different system for the products from different vendors will facilitate access to information and hence the transfer and application of knowledge.

10.4 Increased institutional capacity for contracting, consulting and other service activities

The ability to access information resources independent of physical location has the potential to increase researchers’ capacity to provide contracting, consulting and other services away from the campus.

10.5 International links

The issue of user authentication and authorisation is being actively explored by JISC in the UK, who have developed the ATHENS system, and the Coalition for Networked Information in the USA which is in the process of developing a white paper on the topic. CAULand CAUDIT have well developed links with these bodies and this project would be carried out in consultation with JISC, CAUSE and CNI and relevant international information product suppliers to ensure the most appropriate system is identified and implemented.

11. Library infrastructure criteria

Implementation of an access management scheme which will provide single signon access to a range of diverse protected resources independent of the user’s location will significantly enhance the ability of Australian scholars to access and use information resources. One of the features specified for the model and the software to be selected for implementation is the ability for the system to expand to include a larger number of users, for example, researchers in industry and students. Some existing systems such as ATHENS have already demonstrated this capacity.

11.1 Development of improvements in access to information resources which can be made available nationally

The lack of a common, national authentication and authorisation system has become a significant barrier to effective utilisation of the range of electronic information resources being made available to researchers by their libraries. Libraries are investing significant funding into licensing resources which provide information essential for effective research. Electronic resources have significant advantages in searching and retrieval effectiveness, convenience of use and periods of availability, all of which have a significant impact on the researcher’s ability to obtain the information required to support high quality and efficient research. However, researchers’ productivity can be compromised when access to these resources is restricted through lack of flexibility because access is tied to a specific location rather than based on the authorisation level of the individual and through cumbersome administrative systems which see the researcher obliged to use different signons to a number of information products and resource providers.

The need for more effective authentication and authorisation procedures is recognised as being an urgent requirement for both researchers, libraries and information providers. Until such a system is implemented the national investment in protected electronic information resources will not be exploited to its full potential and research quality and productivity will be compromised.

11.2 Development of innovative models which will lead to improved access to distributed research resources

A feature of this proposal is the development of a model for authentication and authorisation for access to a multiplicity of information resources. This model will serve as a basis for ensuring that access to distributed information resources:

• is managed as cost-efficiently and effectively as possible in the Australian context
• is simple to use from the researchers point of view
• provides the required level of protection of the resource
• can be integrated with internal institutional authentication and authorisation systems
• takes advantage of existing national coordinating structures and consortia such as CAUL and CAUDIT
• can be scaled up in terms of resources available and numbers of users

Send comments/suggestions/requests about this site ....

This site is written, compiled and maintained by Diane Costello, Executive Officer, CAUL.