1
Shibboleth
Joint Information Systems Committee
Supporting education and research
2
The JISC's Shibboleth Programme
  • Terry Morrow
  • JISC Consultant

3
Summary
  • Shibboleth
      • what is it?
      • why do we need it?
      • how does it work?
  • Federations
  • Athens
  • The UK's Core Middleware Programme
  • Publishers and other suppliers
  • The Wider Picture
  • The Future

4
Shibboleth - what is it?
  • An architecture developed by the Internet2
    middleware community
  • NOT an authentication scheme (relies on home site
    infrastructure to do this)
  • NOT an authorisation scheme (leaves this to the
    resource owner)
  • BUT an open, standards-based protocol for
    securely transferring attributes between home
    site and resource site
  • Based on SAML (an OASIS standard)
  • Term "Shibboleth" also used to refer to
      • the project that has managed the development of
        the architecture and code
      • the code package, running on a variety of
        systems, that implements the architecture - an
        open source reference implementation is provided
  • Internet2 Shibboleth web pages
      • http://shibboleth.internet2.edu/
  • Excellent introductory material on SWITCHaai
    website
      • http://www.switch.ch/aai/

5
Shibboleth - origin (Judges 12:1-6)
[Illustration: Gileadites challenging Ephraimites]
  • "Say Shibboleth" / "Shibboleth" / "Go on your way, my friend"
  • "Say Shibboleth" / "Sibboleth" / "You're dead!" (42,000 others)
6
Shibboleth - why do we need it?
  • Rationalises an increasingly complex web of
    usernames, passwords, IP addresses, proxy servers
    etc etc
  • A single solution controlling access to
    resources, both internal and remote
  • Eliminates need for separate identifiers/passwords
    for each protected resource
  • Provides greater security by relying on locally
    managed usernames/passwords
  • Allows for secure, flexible, anonymous access to
    resources
  • Institution and individual user can control
    information released to service provider
  • Location independent - works just as well on
    campus and for distance learners
  • Encourages increased take-up of expensively
    licensed materials
  • Allows for greater flexibility in controlling
    access
  • Eg restricting access to departments, courses to
    particular groups
  • Allows for ad-hoc groups to share material in a
    secure manner

7
Shibboleth - how it works (thanks to SWITCH)
10
Federations - trust and responsibility
  • Organisations with a common purpose (eg education
    and research) who trust each other
  • Federations
  • Tend to be country- and sector-based
  • Members (organisations, suppliers) sign contracts
    to agree to a set of rules
  • Have legal status
  • Production higher education federations
      • USA: InCommon - http://www.incommonfederation.org/
      • Switzerland: SWITCHaai - http://www.switch.ch/aai/
      • Finland: HAKA - http://www.csc.fi/suomi/funet/middleware/english/index.phtml
  • UK test federation: SDSS - http://sdss.ac.uk/

11
About Athens
  • Athens developed by CHEST team at University of
    Bath
  • over 10 years old
  • solution to problem of multiple identities
    accessing multiple remote services
  • centralised authentication and authorisation
  • Technology plus service infrastructure
  • Help desk, local administrators etc
  • Very successful - very widely adopted in the UK
  • 500 HE/FE institutions, over 2 million usernames
    registered
  • Ahead of its time
  • Most service providers have provided an Athens
    compliant access mechanism
  • Mandatory for recent supplier contracts with JISC
  • Approximately 200 licensed resources controlled
    via Athens

12
Athens limitations
  • Requires management of separate Athens accounts
  • Users must obtain separate Athens username and
    password (Classic Athens)
  • Have to remember Athens username/password only
    used for remote services
  • Recent development (AthensDA) works more like
    Shibboleth (local ids used)
  • Little take-up of Athens outside UK
  • though used in other sectors in the UK - eg
    Health service
  • Service providers have to licence Athens - cost
  • Not well suited to increasingly complex
    authorisation scenarios
  • Meanwhile, other countries starting to adopt
    SAML/Shibboleth based technologies

13
Middleware
14
Middleware
  • Definition: systems and software that connect
    people with resources
  • Core Middleware - central services essential to
    middleware as a whole.
  • Authentication
  • Authorisation
  • Directory services
  • Identifiers

15
JISC's Core Middleware Programme
  • Programme
  • Commenced April 2004 - two components
  • Technology Development
  • Infrastructure
  • Aims
  • better understanding of middleware potential and
    application within HE and FE
  • build a working Shibboleth infrastructure
  • support take-up and use of Shibboleth within HE
    and FE
  • ensure join-up across JISC development in
    relation to middleware
  • Details at
  • http://www.jisc.ac.uk/programme_middleware.html

16
Technology Development
18
Technology Development
  • Core Middleware Technology Development Programme
  • April 2004 - March 2007
  • Programme has funded 15 different projects (3.5
    million)
  • Supports investigations into several key areas
  • Internal (intra-institutional) applications
  • Access to external, third-party resources
  • Inter-institutional use
  • stable, long-term resource sharing between
    defined groups e.g. shared e-learning scenarios
  • ad hoc collaborations, potentially dynamic in
    nature (virtual organisations or VOs)

19
Technologies
  • Some of the technologies investigated
  • PERMIS (Privilege and Role Management
    Infrastructure Standards)
  • RADIUS (Wireless Networking and Roaming)
  • SHIBBOLETH
  • 15 Projects include eg
  • PERMIS/Shibboleth integration
  • Integrating Shibboleth with a VLE
  • Inter-institutional management of e-Learning
    (Clinical Teaching)
  • Supported By
  • SDSS (Shibboleth Development Support Services)
    - Edinburgh University
  • Studies of Institutional Roles
  • Expert reports (e.g. Single Sign-on)

20
Technology Development - Outputs
  • Projects produce
  • Test bed implementations and demonstrators.
  • Reports on the implementation and deployment
    experiences.
  • Evaluation reports
  • Recommendations

21
Infrastructure
22
Infrastructure Programme
  • Aim - establish a working UK Shibboleth
    infrastructure
  • Government Comprehensive Spending Review funding
  • Additional funding to JISC's main annual budget
  • Approx 3.4m from Apr 2004 to Mar 2006
  • Main work areas
  • Funding for organisations willing to be early
    Shibboleth adopters
  • Creating a service to assist the early adopters
  • Making Data Centre services (MIMAS and EDINA)
    Shibboleth compliant
  • Establishing a national UK federation
  • Creating Athens/Shibboleth gateways
  • Liaising with suppliers - publishers, subscription
    agents etc

23
Early Adopters
  • Early Adopter Programme runs from March 2005 -
    December 2006
  • First round of institutional Adopters
    (introducing Shibboleth at a university etc)
  • 12 projects, 18 institutions
  • Funding up to 50,000 available per institution
  • Second round
  • 8 more projects funded

24
Early Adopters
  • First round - 12 Institutional early adopter
    projects (18 institutions)
  • April 05 - March 06
  • St George's Hospital Med Sch (ADAMS)
  • Cardiff (ASMIMA)
  • Liverpool (Cheshire Project)
  • Nottingham Trent (East Midlands deployment)
  • Leeds (GILEAD)
  • Liverpool (LSIP)
  • Bristol (Metaleth)
  • UK Data Archive (SAFARI)
  • Newcastle (SAPIR)
  • ShibboLEAP (consortium of 7 London University
    colleges)
  • Exeter (Project SWISh)
  • Nottingham (UNISA)

27
Early Adopters - second round
  • Second round - 8 projects
  • November 05 - October 06
  • King's College London (SERAPIS)
  • Glasgow University Early Adoption of Shibboleth
    (GLASS)
  • Northumbria Learning (Sur-Pas)
  • Reid Kerr (FEAR)
  • Thames Valley University (Nabatea)
  • University of Bolton (Shielab)
  • University of Swansea (SHORE)
  • Wakefield College (WALRUS)

29
Middleware Assisted Take-Up Service (MATU)
  • Dedicated support service for early adopters
  • Scoping future requirements for institutions
    adopting Shibboleth
  • Support services include
  • Comprehensive website
  • Documentation
  • Help desk
  • Onsite support
  • Training events
  • Links to, and information about, software
  • See http://www.matu.ac.uk

31
Early adopter experiences
  • Early days for any structured set of lessons to
    have emerged
  • Some early comments
  • wide range of technical skills needed
  • lack of good, simple, documentation
  • lack of tools for analysing error logs
  • good communication and excellent cooperation with
    library staff have greatly eased the project

32
Publishers and other suppliers
  • The following are all believed to be
    Shibboleth-enabling their services
  • OCLC
  • EBSCO
  • Elsevier Science Direct
  • JSTOR
  • Thomson/Gale (currently looking for test sites)
  • Exlibris
  • EZProxy
  • ProQuest
  • Internet2 maintain a status list (not always up
    to date)
  • http://shibboleth.internet2.edu/seas.html
  • Internet2 discussion list (closed) on supplier
    issues - shib-enable
  • Related lists for specific suppliers (eg
    Elsevier, Ovid)

35
The Wider Picture
  • Countries with established Shibboleth federations
  • US (InCommon), Switzerland (SWITCHaai), Finland
    (HAKA)
  • Countries actively investigating Shibboleth (or
    using compatible technologies)
  • Netherlands, Spain, Germany, Norway, Belgium,
    Denmark, Australia
  • US Federal Government also investigating
    Shibboleth
  • Inter-federation working - subject of international
    Cotswolds Meeting, UK
  • Held in Upper Slaughter, Gloucestershire, October
    04
  • Sponsored by JISC - included reps from DEST and
    AARNet
  • Issues now being taken forward by REFEDS group
  • REFEDS - Research and Education Federations
  • JISC an active member
  • UK school sector - BECTA have announced adoption
    of Shibboleth
  • Will liaise with JISC to ensure interoperability

36
Next steps
  • Conclude contract negotiations with UKERNA
  • UKERNA expected to be the operator for the UK's
    new AAI regime
  • UKERNA will establish UK higher/further education
    federation by middle 2006
  • Commence publicity campaign aimed at
  • Identity providers (universities etc)
  • Service providers (publishers, database suppliers
    etc)
  • Encourage institutions to review migration
    options, set timescales
  • Expectation is that migration will take more than
    2 years
  • JISC can't force migration - only encourage and
    support
  • Athens operated by Eduserv (independent of JISC)
  • Athens may offer alternatives (but not subsidised
    by JISC)

37
Challenges
  • Suppliers (eg publishers) need to be persuaded to
    adopt the technology
  • International pressure is building
  • Some (eg Elsevier, Ovid) already taking the
    initiative
  • Cultural, organisational change
  • Removing administrative burdens from libraries
  • Information services and libraries need to work
    together
  • Persuading institutions to move from Athens to
    Shibboleth
  • resistance to change
  • short term cost for long term gain - enterprise
    directories issues
  • early adopter experiences will encourage other
    institutions
  • strong interest in second call for early adopters
    - 18 bids
  • Educating the community on the advantages of a
    Shibboleth regime
  • examples: more flexible subscription models, fine
    control of courseware access

38
Conclusions
  • A very large project
  • will affect most staff and students in the majority
    of UK's universities and colleges
  • though most users should be unaware of it
  • May present significant local challenges
  • System depends on clean, up-to-date, compatible
    local directory services
  • A good solution for today's distributed, mobile,
    collaborating, research and teaching communities
  • An excellent mechanism for controlling remote
    access to course materials

39
Further Information
  • JISC web pages: http://www.jisc.ac.uk/programme_middleware.html
  • Internet2: http://shibboleth.internet2.edu

Terry Morrow JISC Consultant t.morrow_at_jisc.ac.uk