Building a UK Infrastructure for Access Management using Shibboleth

1
Building a UK Infrastructure for Access
Managementusing Shibboleth

• John Paschoud, LSE Library(British Library of
  Political Economic Science)

2
Britain just like America, but squashed into a
very small space
3
Current top academic publishers for UK HE

• ACM
• ALPSP
• Blackwell Publishing
• Cambridge University Press
• Elsevier
• Kluwer Academic Publishers

• Oxford University Press
• Springer Verlag
• Wiley
• ProQuest
• CSA
• Gale
• Thomson ISI for Web of Knowledge

Source National Electronic Site Licensing
Initiative 2, July 2004
4
JISC Common Information Environment
Powell, A, July 2003 (from UKOLN website)
5
Athens AM service
a big database table with 3million rows and 300
columns
6
Athens an advantage or a millstone?

• Over 5 years to develop federation policies
  practices
• An established body (JISC) with (some) authority
  over an unruly community

• Commercial interests in proprietary Athens
  technology
• Resistance to change
• Its been good enough until now!

7
Shibboleth Implications for UK national
infrastructure

• No more dependency on a VERY LARGE centralised
  database
• Need for implementation of a national WAYF
  service
• better than current end-user interface model
• (new WAYF options being developed)
• Lower shared costs?
• (but greater costs devolved to institutions)

8
The JISC Core Middleware programmes

• Approx 7m (12m) investment
• 3 year timetable
• Technology Development Programme
• Infrastructure-building Programme

9
Core Middleware Timescale
Timescales of Athens contract, development and
Core Middleware Development Infrastructure
10
Technology development

• Filling gaps in the range of AM technologies, in
  collaboration with Internet2 other national
  programmes
• April 2004 March 2007
• 15 projects in UK HE/FE (post-16 ed)
• Some covering specific work, e.g
• Shib-PERMIS integration, other Shib extensions,
  DRM
• Others more speculative / open-ended, e.g
• management of virtual organisations,
• life-cycle management of user credentials /
  attributes,
• trust delegation models
• PERSEUS at LSE
• investigating fine-grain authority management
  using Shibboleth, Signet Grouper in portal
  environments

11
Infrastructure-building

• Establishing a UK Shibboleth infrastructure
• April 2004 to March 2006
• Main work areas
• Making national data services Shib compliant
• Creating a service to assist early adopters
• Establishing a national UK federation
• Liaising with suppliers
• publishers, subscription agents, library systems
  vendors etc
• Funding for organisations willing to be early
  Shibboleth adopters
• 10 institutional projects underway, plus
  ShibboLEAP consortium of 7 institutions in London

12
Early adopters ShibboLEAP

• Consortium of LSE 6 other University of London
  colleges
• Royal Holloway, SOAS, Kings, UCL, Birkbeck,
  Imperial
• An existing partnership developing Open Archives,
  using Eprints.org repositories
• Aims
• Establish general-purpose Shib IdPs at each
  college
• Shibbolize the Eprints.org server s/w (and
  release for anyone to use)
• Critical to success Involves key Library and IT
  infrastructure staff at each college

13
Middleware Assisted Take-Up Service

• Providing support to the JISC-funded early
  adopters
• Scoping future requirements for institutions
  adopting Shibboleth
• Support services include
• Comprehensive website
• Documentation
• Help desk
• Onsite support
• Training events
• Links to and information about software
• www.matu.ac.uk

14
Shibboleth-Athens Gateway

• Aims for full 2-way interoperability
• Users at a (registered) Shib IdP enabled
  institution can access any Athens-protected
  resource
• Users with Athens credentials can access any
  Shib-protected resource
• Lists of fully-compliant ( problematic)
  resources maintained on Athens website
• One active user (Leeds) by 15-Jun, others in
  course of registration

15
Shib??Athens Gateway
16
Federations

• Organisations with a common purpose (e.g.
  education and research) who trust each other
• Federation members
• sign up to a set of rules, incl. minimum
  standards for management of passwords etc
• may have legal status
• need the trust of suppliers
• Production federations
• USA - InCommon
• Switzerland - SWITCHaai
• Finland - HAKA
• UK test federations
• SDSS (Edina), Touchstone (Athens)
• Suppliers will need to join the federation to
  which their customers belong

17
Federations One Big Happy Family?
18
Federations (current LSE participation)
19
Implications for Federation models

• How do we manage many (conflicting?) Federation
  policies?
• Bi-lateral
• National
• Trans-national
• How do we present users with a (single?)
  manageable Attribute Release Policy user
  interface?
• How do we map across different namespaces /
  vocabularies? for
• Roles?
• Entitlements?
• but if we can cope with TWO, why not LOTS?

20
DART
Columbia University (New York) in the USA, funded
by NSF LSE (London) in the UK, funded by
JISC Which Federation?
21
Nereus
12 member universities in 7 different European
countries AustriaBelgiumBritainFranceGermany
IrelandNetherlands (4 different working
languages so far) Which Federation?
22
ShibboLEAP
7 separate colleges of the University of London,
already collaborating together to run Open
Archive services Which Federation?
23
Federations?
24
What is shibboleth? (Biblical)
Judges, ch12, v5-6 (New American Standard) The
Gileadites captured the fords of the Jordan
opposite Ephraim. And it happened when any of
the fugitives of Ephraim said, "Let me cross
over," the men of Gilead would say to him, "Are
you an Ephraimite?" If he said, "No," then they
would say to him, "Say now, 'Shibboleth.' " But
he said, "Sibboleth," for he could not pronounce
it correctly. Then they seized him and slew him
at the fords of the Jordan. Thus there fell at
that time 42,000 of Ephraim.

• A word which was made the criterion by which to
  distinguish the Ephraimites from the Gileadites.
  The Ephraimites, not being able to pronounce
  sh, called the word sibboleth. See --Judges
  xii.
• Hence, the criterion, test, or watchword of a
  party a party cry or pet phrase.
• Webster's Revised Unabridged Dictionary (1913)

25
What are shibboleths? (Political)
The greatest needs of the Collectivist movement
in England appear to me The diffusion of
economic and political knowledge of a real kind -
as opposed to Collectivist shibboleths, and the
cant and claptrap of political campaigning. Sidne
y Webb memorandum to LSE Trustees meeting on
8th Feb 1894
26
Who are Shibboleth?
http//goshibbolethgo.com
27
Further information

• LSE access management projects www.angel.ac.uk
• JISC Middleware and Shared Services
  Studieswww.jisc.ac.uk/index.cfm?nameprog_middss
  _studies
• LSE www.lse.ac.uk
• JISC Common Information Environment
  www.ukoln.ac.uk/distributed-systems/jisc-ie/arch/
  
• JISC Core Middleware Programmeswww.jisc.ac.uk/in
  dex.cfm?nameprogramme_middleware
• j.paschoud_at_lse.ac.uk