Title: Building a National Access Federation with Shibboleth: the UK experience


1
Building a National Access Federation with
Shibboleth: the UK experience
  • John Paschoud, LSE Library
  • London School of Economics and Political
    Science, UK

2
summary
  • Some UK context
  • The History of Athens
  • The Plan
  • Working with Universities
  • Working with Publishers
  • Working with Schools
  • Being part of the World

3
UK context
  • A significant nationalised support
    infrastructure (for a country professing a
    market driven economy)
  • JISC and Common Information Environment
    architectures / aspirations
  • The Legacy of Athens

4
Britain: just like India, but squashed into a
very small space
641 institutions
and perhaps just as friendly to large,
national-level, public-sector infrastructures?
5
LSE involvement (interference?), wide-ranging,
in Identity Management issues
http://www.lse.ac.uk/collections/pressAndInformationOffice/newsAndEvents/archives/2006/FIDIS_e-IDCardSurvey.htm
6
The JISC and Common Information Environments
  • http://www.jisc.ac.uk/index.cfm?name=about_info_env
  • http://www.ukoln.ac.uk/distributed-systems/jisc-ie/arch/
  • http://www.common-info.org.uk/
  • Partners:
  • e-Science initiative of the (Govt) Dept of Trade
    & Industry
  • JISC
  • British Library
  • Museums, Libraries & Archives Council
  • National Electronic Library for Health (NHS)

7
JISC Information Environment
Powell, A, July 2003 (from UKOLN website)
8
Athens Access Management service
a big database table with 3 million rows and 300
columns
9
Athens: an advantage or a millstone?
  • Over 10 years to develop federation policies &
    practices
  • Backed by an established body (JISC) with (some)
    authority over an unruly community
  • Commercial interests in proprietary Athens
    technology
  • Resistance to change
  • It's been good enough until now!

10
Shibboleth: Promises for a future national
infrastructure
  • No more dependency on a VERY LARGE centralised
    database
  • Need for implementation of national federation
    services
  • better than current end-user interface model
  • (new WAYF options being developed)
  • Lower shared costs?
  • (but greater costs devolved to institutions)

11
Why has JISC chosen this route?
  • Extensive research proved this to be the most
    appropriate technology. Meets the defined
    criteria for an access management system within
    the UK
  • Internal (intra-institutional) applications
    (mostly through SSO system)
  • Management of access to third-party digital
    library-type resources (as now)
  • Inter-institutional use: stable, long-term
    resource sharing between defined groups (e.g.
    shared e-learning scenarios)
  • Inter-institutional use: ad hoc collaborations,
    potentially dynamic in nature (virtual
    organisations)
  • International take-up secures future of
    development and support.
  • International take-up provides economies of scale
    through work in partnership.

12
The JISC Core Middleware programmes
  • Approx 7m (12m) investment
  • 3 year timetable
  • Technology Development Programme
  • Infrastructure-building Programme

13
Technology Development
  • Filling gaps in the toolset of AM technologies,
    in collaboration with Internet2 & other national
    programmes
  • April 2004 to March 2007
  • 15 projects in UK HE/FE (post-16 ed)
  • Some covering specific work, e.g
  • Shib-PERMIS integration, other Shib extensions,
    DRM
  • Others more speculative / open-ended, e.g
  • management of virtual organisations,
  • life-cycle management of user credentials /
    attributes,
  • trust delegation models
  • PERSEUS at LSE
  • investigating fine-grain authority management
    using Shibboleth, Signet & Grouper in portal
    environments

14
Infrastructure Programme
  • Govt Spending Review grant (3.4 million
    across two years) to achieve specific aim of
    working federated access management
    infrastructure
  • Focused activities
  • Shibbolising of JISC resources held at MIMAS and
    EDINA (national data centres)
  • Funding for a support service MATU at Eduserv
  • Early Adopter funding to help institutions
    implement required technologies (two calls, 26
    institutions)
  • Regional Early Adopters to explore e-Learning
    collaborations with federated access

15
Early adopters: ShibboLEAP
  • Consortium of LSE & 6 other University of London
    colleges
  • Royal Holloway, SOAS, Kings, UCL, Birkbeck,
    Imperial
  • An existing partnership developing Open Archives,
    using Eprints.org repositories
  • Aims
  • Establish general-purpose Shib IdPs at each
    college
  • Shibbolize the Eprints.org server s/w (and
    release for anyone to use)
  • Use LSE Shib-enabled population (10K) to help
    enable a consortium population of 150K (Swiss HE
    140K)
  • Critical to success: involves key Library and IT
    infrastructure staff at each college

16
Transition Plan
  • Moving from a working infrastructure to a full
    production federation (i.e. with critical mass of
    users) for HE and FE
  • (641 institutions in the UK)
  • Integration of current work plans within JISC
    Development and JISC Services
  • Main workpackages
  • Continued support for current Athens contract
    (until July 2008)
  • Funding for the Athens/Shibboleth gateways
  • Funding for JISC federation @ UKERNA
  • Communications and outreach plan
  • National and International liaison plan

17
JISC Core Middleware Timescale (Jan 2005 vn)
Timescales of Athens contract, development and
Core Middleware Development & Infrastructure
18
JISC Core Middleware timeline (Mar 2006 vn)
19
Assisted Take-Up Service
  • Providing support to the JISC-funded early
    adopters
  • Scoping future requirements for institutions
    adopting Shibboleth
  • Support services include
  • Comprehensive website
  • Documentation
  • Help desk
  • Onsite support
  • Training events
  • Links to and information about software
  • www.matu.ac.uk

20
Shibboleth-Athens Gateway
  • Aims for full 2-way interoperability
  • Users at a (registered) Shib IdP enabled
    institution can access any Athens-protected
    resource (Athens as super Service Provider)
  • Users with Athens credentials can access any
    Shib-protected resource (Athens as super
    Identity Provider)
  • Lists of fully-compliant (& problematic)
    resources maintained on Athens website
  • LSE now has many Gateway accesses in live use
    but general uptake has been slow

21
Shib ↔ Athens Gateway
22
Roadmap for Institutions
23
Shib@LSE SysAdmins resources page
24
Communication with Users
  • Renewing documentation probably needs to be done
    anyway
  • ...so take the opportunity to think about how
    electronic resources / security issues /
    authentication issues are presented
  • Do you want to mention AM technologies by name?
  • (most users should never really see it in
    action...unless it goes wrong)
  • At LSE, lengthy description of Athens system was
    replaced by simple paragraph about use of network
    credentials to access most resources with
    information on how to find documentation for
    other resources

25
LSEforYou Library passwords result page
26
LSE e-Library listing
http://www.angel.ac.uk/ShibbolethAtLSE/shibprogress.html
27
Working with Schools (pre-16)
  • Trials completed successfully in London &
    Birmingham
  • National readiness audit just completed
  • Identity Management (Shibboleth IdP services) to
    be implemented by each delivery organisation
  • Most managed access to online resources is via
    web portals
  • (operated by these same organisations)
  • Delivered via Regional Broadband Consortia
  • of Local Education Authorities, which support
    state-sector schools
  • (or by some LEAs individually)
  • (or by national organisations for N.Ireland,
    Scotland & Wales)

28
example(s) of Schools portal: DigitalBrain
There are clearly some scaling issues, with such
a large population of Schools (or even LEAs) as
Identity Providers!
29
Working with Schools (pre-16)
  • Overseen by Becta
  • (http://www.becta.org.uk/)
  • like JISC, effectively an agency of the national
    Dept of Education
  • May operate as a separate Federation from Higher
    (post-16) Education
  • But much cross-talk and liaison
  • and probability of both federations being
    co-hosted

30
Current top academic publishers for UK HE
  • ACM
  • ALPSP
  • Blackwell Publishing
  • Cambridge University Press
  • Elsevier
  • Kluwer Academic Publishers
  • Oxford University Press
  • Springer Verlag
  • Wiley
  • ProQuest
  • CSA
  • Gale
  • Thomson ISI for Web of Knowledge

Source: National Electronic Site Licensing
Initiative 2, July 2004
31
Federations
  • Organisations with a common purpose (e.g.
    education and research) who trust each other
  • Federation members
  • sign up to a set of rules, incl. minimum
    standards for management of passwords etc
  • may have legal status
  • need the trust of suppliers
  • Production federations
  • USA - InCommon
  • Switzerland - SWITCHaai
  • Finland - HAKA
  • Norway - FEIDE
  • UK test federations
  • SDSS (Edina), Touchstone (Athens)
  • Suppliers will need to join the federation(s) to
    which their customers belong

32
Federations One Big Happy Family?
33
Federations (current LSE participation)
34
Implications for Federation models
  • How do we manage many (conflicting?) Federation
    policies?
  • Bi-lateral
  • National
  • Trans-national
  • How do we present users with a (single?)
    manageable Attribute Release Policy user
    interface?
  • How do we map across different namespaces /
    vocabularies? for
  • Roles?
  • Entitlements?
  • but if we can cope with TWO, why not LOTS?

35
DART
Columbia University (New York) in the USA, funded
by NSF
LSE (London) in the UK, funded by JISC
Which Federation?
36
Nereus
12 member universities in 7 different European
countries: Austria, Belgium, Britain, France, Germany,
Ireland, Netherlands
(4 different working languages so far)
Which Federation?
37
ShibboLEAP
7 colleges of the University of London,
collaborating together to run Open Archive
services, needing to share specific role-based
attributes for OA administration
Which Federation?
38
Federations?
39
Being part of the World
  • No more Great British Solutions
  • A single academic market for publishers
  • (at least, no technology barriers to this)
  • A global collection of resources, easily
    accessed, for learners & researchers
  • Simple, reliable & secure online collaboration
    across organisational & national boundaries
  • Agreement on standards (SAML) and
    schemas/vocabularies
  • if we all keep talking

40
What is shibboleth? (Biblical)
Judges, ch12, v5-6 (New American Standard) The
Gileadites captured the fords of the Jordan
opposite Ephraim. And it happened when any of
the fugitives of Ephraim said, "Let me cross
over," the men of Gilead would say to him, "Are
you an Ephraimite?" If he said, "No," then they
would say to him, "Say now, 'Shibboleth.' " But
he said, "Sibboleth," for he could not pronounce
it correctly. Then they seized him and slew him
at the fords of the Jordan. Thus there fell at
that time 42,000 of Ephraim.
  • A word which was made the criterion by which to
    distinguish the Ephraimites from the Gileadites.
    The Ephraimites, not being able to pronounce
    sh, called the word sibboleth. See --Judges
    xii.
  • Hence, the criterion, test, or watchword of a
    party; a party cry or pet phrase.
  • Webster's Revised Unabridged Dictionary (1913)

41
What are shibboleths? (Political)
The greatest needs of the Collectivist movement
in England appear to me: The diffusion of
economic and political knowledge of a real kind -
as opposed to Collectivist shibboleths, and the
cant and claptrap of political campaigning.
Sidney Webb, memorandum to LSE Trustees meeting on
8th Feb 1894
42
acknowledgements
  • Nicole Harris, JISC
  • John Chapman, Becta
  • Andy Powell, Eduserv
  • The Coca-Cola Company
  • EDS
  • Pink Floyd
  • and the usual small-print about these being
    personal views, not the legal responsibility of
    The LSE, JISC or any other organisation, etc

43
further information
  • LSE access management projects www.angel.ac.uk
  • LSE www.lse.ac.uk
  • JISC Common Information Environment
    www.ukoln.ac.uk/distributed-systems/jisc-ie/arch/
  • JISC Core Middleware Programmes
    www.jisc.ac.uk/index.cfm?name=programme_middleware
  • j.paschoud@lse.ac.uk