Shibboleth and CU - PowerPoint PPT Presentation

Provided by: carolk1
Learn more at: http://www.columbia.edu

Transcript and Presenter's Notes


1
Shibboleth and CU
  • Carol Kassel
  • Digital Knowledge Ventures (DKV)
  • James Burger
  • National Science Digital Library (NSDL)

2
Table of contents
  • What is Shibboleth?
  • How is it being used at CU?
  • What's Carol's involvement? Jim's involvement?
  • How could Shibboleth be used?
  • What are the advantages to using it (SP)?
  • What are the advantages to using it (IdP)?

3
What is Shibboleth?
  • Shibboleth, a project of Internet2/MACE, is
    developing architectures, policy structures,
    practical technologies, and an open source
    implementation to support inter-institutional
    sharing of web resources subject to access
    controls. In addition, Shibboleth will develop a
    policy framework that will allow inter-operation
    within the higher education community.
  • In English: Shibboleth allows users from
    different institutions or groups to obtain access
    to protected content anywhere on the Web. Users
    log in locally and their privacy is maintained.
  • Shibboleth is middleware, software that
    facilitates communication between or among
    servers.

4
Shibboleth (Judges 12)
5
How is it being used at CU?
  • National Science Digital Library (NSDL): an
    interinstitutional project being developed in
    part by EPIC
  • DART (Digital Anthropology Resources for
    Teaching): in development jointly by LSE and CU
    (including EPIC)
  • Artstor: some CU involvement
  • CERO: developed by DKV; Shib-enabling by EPIC
  • That's it... for now!

6
Shibboleth pieces
  • Service provider (SP, or target): the site
    that users want to access
  • Identity provider (IdP, or origin): the
    place where users need to log in; the holder of
    user data
  • "Where are you from?" page (WAYF): the place
    where users identify themselves so that they can
    log in appropriately
  • Attributes: info about the user that gets
    released from the IdP to the SP, according to
    policies on both ends

7
columbia.edu/jb701/shib
8
What's Carol's involvement?
  • Columbia Educational Resources Online (CERO)
    needed to serve three audiences:
  • CU affiliates with valid UNI/password
  • Non-CU users with valid username/password
  • Users at subscribing institutions with valid IP
    address
  • CU affiliates included not just on-campus users
    but off-campus users, too, esp. alumni
  • New site to be built for alumni:
    Learning_at_Columbia, with links to CERO

9
Why we used Shibboleth
  • Problem 1: How could we allow access to seminars
    via UNI login and still handle existing
    audiences?
  • Problem 2: How could we maintain security of UNI
    system in all transactions?
  • Problem 3: How could we make login process smooth
    and seamless?
  • Problem 4: How could we require login once and
    keep users logged in for duration of browser
    session?
  • Answer: Shibboleth!

10
Shibboleth setup for CERO
11
Shib-enabled login process
12
Details of general relevance
  • CU IdP existed for NSDL, but needed customization
    for CERO
  • New IdP created for alternate reg system; can be
    used for other purposes (hence DKV/CU Press
    co-branding)
  • CERO now running on alternate web server: no
    load balancing, no systems support
  • IP address auth still supported (outside Shib)

13
Key players on CERO project
  • Walter Hoehn (EPIC, now University of Memphis):
    expertise in Shibboleth
  • Noah Levitt (EPIC): creator of alternate reg
    system, no previous Shibboleth experience
  • Andrew Johnston, Steve McGrath (AcIS): WIND
    developers, managers of Tomcat, no previous
    Shibboleth experience
  • Carol Kassel (DKV): project manager, no previous
    Shibboleth experience

14
Success!
  • Deployed November 2003
  • Very little downtime; very few technical problems
  • Promotion to alumni in Feb 2004: excellent
    response rate, no major issues

15
JB's NSDL Mission
  • Introduce the Middle School Community to the NSDL
    in hopes that they make use of the resources
    currently available at NSDL.org
  • Implement Shibboleth Origin sites in pilot middle
    schools (or at least sell the idea)

16
How could Shibboleth be used?
  • Move away from IP address auth to Shib for
    subscribing institutions who have that capability,
    i.e., set up CIAO, Earthscape, Gutenberg<e>,
    CAHO as Service Providers
  • Involves deploying Shibboleth on main web
    servers, esp. for CIAO
  • Use Shib to provide more resources for CU alumni
    while supporting existing audiences
  • Shib-enable new web resources when they are
    developed

17
Potential Obstacles
  • Lack of Shibbolized Targets: Without a selection
    of targets for the Shibbolized Origins to connect
    with, there is little incentive for middle
    schools to participate (the good ol' Catch-22
    scenario with essence of Chicken & Egg for
    flavor).
  • Variety of existing infrastructure and expertise:
    Assumption - because the middle schools vary so
    greatly in technical capabilities, guiding them
    through the process will be anything but
    formulaic, so there will be a large amount of
    one-on-one consultation.
  • Origins are more difficult to set up than Targets
    (trying to figure out why, but a few people have
    told me this).

18
What are the advantages (SP)?
  • Much more secure than IP address auth
  • Allows off-campus users to access without
    additional user/pw creation
  • CU committed to Shib development; CU usage of
    Shib sets a good example
  • As more institutions set up IdPs, they will begin
    demanding this technology

19
The Shib Advantage (for origins) 1/3
  • Privacy: Users release to the targets only the
    information that they (or a guardian) authorize.
  • Remote Access: Users can log in to resources on
    campus or remotely, via the WAYF.
  • Streamlined Access: Users assign their attributes
    to the ARP rather than submitting them to each
    individual resource (saves time and ensures
    accuracy/consistency). Additionally, users do
    not have to maintain a record of several
    different logins/passwords for several different
    resources.
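
An added example, not part of the original slides or of the Shibboleth code base: a simplified Python model of attribute release "according to policies on both ends" (the "Shibboleth pieces" slide) and of the Privacy point above. The policy layout, function names, SP URLs and directory entry are constructed for illustration and are not Shibboleth's ARP file format.

```python
# Simplified model of Shibboleth-style attribute release (assumed layout,
# not Shibboleth's ARP file format). All names and values are constructed.
DIRECTORY = {  # what the IdP (origin) holds about one user
    "alum42": {"affiliation": "alum", "email": "alum42@example.edu",
               "displayName": "A. Alum",
               "entitlement": "urn:example:cero:seminars"},
}
CERO_SP = "https://sp.example.org/cero"      # hypothetical SP identifiers
OTHER_SP = "https://other.example.net/shib"

# Site ARP: what the institution lets each SP see; "*" is the default rule.
SITE_ARP = {"*": {"affiliation"},
            CERO_SP: {"affiliation", "entitlement", "email"}}
# User ARP: what this user authorizes; here the user withholds email.
USER_ARP = {"alum42": {"*": {"affiliation", "entitlement"}}}


def allowed(policy, sp):
    """Attribute names a policy permits for an SP; no matching rule means none."""
    return set(policy.get(sp, policy.get("*", ())))


def idp_release(user, sp):
    """IdP side: release only what BOTH the site ARP and the user ARP permit."""
    permitted = allowed(SITE_ARP, sp) & allowed(USER_ARP.get(user, {}), sp)
    return {k: v for k, v in DIRECTORY[user].items() if k in permitted}


def sp_authorize(assertion, accepted, required):
    """SP side: ignore attributes it does not accept, then check requirements."""
    kept = {k: v for k, v in assertion.items() if k in accepted}
    granted = all(kept.get(name) in values for name, values in required.items())
    return granted, kept


if __name__ == "__main__":
    released = idp_release("alum42", CERO_SP)
    print("released to CERO:", released)
    print("released elsewhere:", idp_release("alum42", OTHER_SP))
    print(sp_authorize(released, {"affiliation", "entitlement"},
                       {"affiliation": {"alum", "student", "staff"}}))
```

The SP can authorize the alum on affiliation and entitlement alone; no email, name or login identifier leaves the IdP, and an SP or user with no matching rule receives nothing.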

20
The Shib Advantage (for origins) 2/3
  • Simplified administration: Origin sites use
    their existing identity directories.
  • Direct access to the most relevant information:
    because of the ARP, assumptions can be made about
    the relevancy of specific materials and user
    needs.

21
The Shib Advantage (for origins) 3/3
  • Providing market data is not just altruistic:
    Because publishers will receive more detailed
    data from their users, instead of relying on
    generic access attributes, they will be able to
    perform better market research, which, in turn,
    helps the educators by providing better, more
    tailored projects.

22
Onward!