I'm delighted to be able to report back that in the first week of full operation, over 1,000 people have used the alumni service!
This is great news, and I'd like to thank all those involved in the project for their hard work and perseverance - in particular Taz Siddeeque, Henry Chambers and Chris Peel from the Loughborough Students Union Executive and Richard Barber from our Development and Alumni Relations Office. From IT Services, Graeme Fowler, Nikki Doyle, Kathryn Latham, Chris Beggs and Lee Preston have provided invaluable assistance and support. Most of all, though, Tim and Dan from Google, for their work on the Google Apps multidomain support, and simpleSAMLphp developers Andreas Solberg and Olav Morken from UNINETT - we couldn't have done it without you!
Let's just recap on why this is a big deal - in previous years, leaving students would have had their University IT presence completely destroyed when their IT account lapsed. This is common practice in the education sector, and was a necessity due to the limited resources available to us. However, student feedback indicated that the IT deregistration came at perhaps the worst possible moment - and caused severe stress at a time when people were least prepared for it. From our own point of view in IT Services, summer and winter graduations would invariably be accompanied by a flood of requests for expired accounts' data to be restored and accounts reactivated for a period. By an unhappy coincidence these have also been our busiest times for development work. So, bad all round.
The situation has changed completely now, because we are in a position to convert an expired student Google Apps account into an alumni account without loss of data. It may sound like hard work, but the heavy lifting is done by Google. All we have to do is post an XML fragment like this via Google's Provisioning API:
This API call moves the user's Google Apps account from our student domain to our alumni domain, preserving the associated data - including email, calendar, contacts and documents.
The missing link in all of this is the simpleSAMLphp software developed under the auspices of the Feide federated identity management project in Norway and subsequently widely taken up as a lightweight implementation of the Security Assertion Markup Language (SAML). Google Apps uses SAML 2.0 for single sign-on, which for our students translates behind the scenes to LDAP authentication against our Active Directory.
For alumni users we have hacked simpleSAMLphp to query the Google accounts database if the LDAP authentication fails. I had initially thought that we might achieve this through Shibboleth, but then I looked at the Shibboleth source code! I'd contend that simpleSAMLphp is much more tractable/hackable, and indeed the simpleSAMLphp experience has been so encouraging that we are currently looking at what we need to do to make it play nicely with the UK Access Management Federation.
The initial feedback that we have been receiving on the alumni service has been extremely positive, and I think it's particularly telling that people seem to be starting to take the new service for granted already :-) I saw something similar a few years ago when I led the project to implement the campus-wide wireless network at Loughborough, but this took a little longer (two to three months) to reach the same stage of acceptance and expectancy. For me the message here is that this is how things should always have worked!
[To find out more about the Google Apps for Alumni service at Loughborough, please see our Alumni FAQ]