Athens (access and identity management service)
|This article relies on references to primary sources. (January 2012)|
|This article needs additional citations for verification. (January 2012)|
Athens is an Identity management service based in the United Kingdom that is supplied by Eduserv to provide single sign-on to protected resources together with full user management capability. Organisations adopting the service can choose between the Classic Athens service, where individual usernames are held by Eduserv, or Local Authentication where individual usernames are held locally and security tokens are exchanged via any of several communications protocols: SAML, Shibboleth or Athens Devolved Authentication (AthensDA) . Over 4.5 million users worldwide can gain access to over 300 protected online resources via the service.
Athens replaces the multiple usernames and passwords otherwise necessary to access subscription based content with a single username and password that can be entered once per session. It operates independently of the user’s location or IP address.
The project was conceived in 1996 at the University of Bath, the service was originally named Athena after the Greek goddess of knowledge and learning. It is rumoured that the name change was partially caused by a common typo, but it was actually due to the name Athena being already trademarked.
Starting in 1996, the service has had two periods of significant expansion. The first in 2000 due to a central contract that made the service freely available to almost all UK Higher and Further education institutions, and the second in 2003 when adopted by the UK National Health Service.
Athens provides the ability to manage large numbers of users, their credentials, and associated access rights, in a devolved manner where administration can be delegated to organisations, or within an organisation. It provides a managed infrastructure which facilitates the exchange of security tokens across domains in a secure and trusted way.
The Athens service is a trust federation where identity providers (typically, individual educational institutions or other user organisations or even entire countries), service providers (typically, publishers, distributors, or other resource providers) and Athens operate under common rules and licenses. Trust is enforced by the use of public-key cryptography and other security mechanisms. The identity provider provides an appointed administrator who uses browser-based tools provided as part of the Athens service to manage the user accounts of their group of users. Accounts can be grouped into categories with different attributes, and given access to different sets of resources.
The service is neutral; it is not involved in the selling process between a service provider and an identity provider. The service provider informs the service when access to its resource is to be enabled to a particular identity provider, and the service then allows the identity provider to allocate the resource to appropriate user accounts.
Athens is used extensively within UK Higher and Further Education institutions, the UK National Health Service, and in more than 90 countries worldwide. It has been adopted by over 2,000 organisations, and over 300 online resources since it was first launched in 1996. Over 4.5 million individual user accounts are now registered with the system. The majority of Identity providers use Classic Athens; however more than 60 organisations, representing around one million users, have moved to the fully federated Local Authentication model.
In 2006 Athens was represented at the Medical Library Association Annual Meeting. Since then hospital libraries in the United States have begun using Athens as method for providing off campus access to library resources.
Once SAML became a ratified standard, Athens adopted SAML and Shibboleth interfaces to the Athens system to facilitate inter-working with a larger number of systems. The Athens service offers these connectivity protocols through gateways where native connectivity is not practical.
Athens makes a number of attributes relating to its organisations and its user accounts available to its service providers through its agent technology. These are generally organisation-related as in the case of the ‘issuing organisation identity number’ or ‘issuing organisation country’, or pseudonymous like the persistent unique identifier for a user account.
Athens user management facilities, whether for Classic or Locally Authenticated users, allow the administrator to allocate a different set of resources to each user account. This provides fine-grained authorisation for resources. However, the ability to deliver attributes through the agent technology is expected to offer a long term ability to authorise based on attributes, when attributes and their meaning are commonly understood by identity and service providers.