Title: Shibboleth
Shibboleth
Joint Information Systems Committee
Supporting education and research
The JISC's Shibboleth Programme
- Terry Morrow
- JISC Consultant
Summary
- Shibboleth
- what is it?
- why do we need it?
- how does it work?
- Federations
- Athens
- The UK's Core Middleware Programme
- Publishers and other suppliers
- The Wider Picture
- The Future
Shibboleth: what is it?
- An architecture developed by the Internet2 middleware community
  - NOT an authentication scheme (relies on the home site's infrastructure to do this)
  - NOT an authorisation scheme (leaves this to the resource owner)
  - BUT an open, standards-based protocol for securely transferring attributes between home site and resource site
  - Based on SAML (an OASIS standard)
- The term Shibboleth is also used to refer to
  - the project that has managed the development of the architecture and code
  - the code package, running on a variety of systems, that implements the architecture; an open source reference implementation is provided
- Internet2 Shibboleth web pages
  - http://shibboleth.internet2.edu/
- Excellent introductory material on the SWITCHaai website
  - http://www.switch.ch/aai/
Shibboleth: origin (Judges 12:1-6)
Gileadites: Say "Shibboleth"
Ephraimite: Shibboleth
Gileadites: Go on your way, my friend
Gileadites: Say "Shibboleth"
Ephraimite: Sibboleth
Gileadites: You're dead! (+ 42,000 others)
Shibboleth: why do we need it?
- Rationalises an increasingly complex web of usernames, passwords, IP addresses, proxy servers etc etc
- A single solution controlling access to resources, both internal and remote
- Eliminates the need for separate identifiers/passwords for each protected resource
- Provides greater security by relying on locally managed usernames/passwords
- Allows for secure, flexible, anonymous access to resources
  - Institution / individual user can control the information released to the service provider
- Location independent: works just as well on campus and for distance learners
- Encourages increased take-up of expensively licensed materials
- Allows for greater flexibility in controlling access
  - Eg restricting access to departments, courses, to particular groups
- Allows for ad-hoc groups to share material in a secure manner
Shibboleth: how it works (thanks to SWITCH)
(two diagram slides; no text transcript)
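The SWITCH diagrams are not transcribed above, so the following is an added example (not Shibboleth's own code and not SWITCH's material) modelling the two sides the earlier slides describe: the home site (identity provider) authenticates the user locally, applies an attribute-release policy and issues a signed, short-lived assertion whose subject is an opaque handle rather than the username; the resource site (service provider) verifies the assertion against federation metadata, then applies its own authorisation rule to the attributes. Everything named here is constructed (entity IDs, the key, users, attribute values and the release policy); an HMAC over canonical JSON stands in for the XML signature on a SAML assertion, and the FEDERATION dict stands in for the signed federation metadata that tells an SP which IdPs to trust and which attribute scopes each may assert.

```python
import hashlib
import hmac
import json
import secrets

# Constructed federation metadata: the key each SP verifies an IdP's assertions
# with, and the attribute scopes (domains) that IdP may assert. A shared HMAC key
# stands in for the signing certificate a real federation publishes.
FEDERATION = {
    "https://idp.example.ac.uk/shibboleth": {
        "key": b"constructed-idp-signing-key", "scopes": {"example.ac.uk"}},
}
# Constructed home-site directory; only released attributes ever leave the IdP.
DIRECTORY = {
    "jsmith": {"uid": "jsmith", "eduPersonEntitlement": ["urn:mace:example.ac.uk:course:med101"],
               "eduPersonScopedAffiliation": ["staff@example.ac.uk", "member@example.ac.uk"]},
    "alee": {"uid": "alee", "eduPersonEntitlement": [],
             "eduPersonScopedAffiliation": ["student@example.ac.uk", "member@example.ac.uk"]},
}
# Constructed attribute-release policy: what each SP may learn about a user.
# The publisher gets the affiliation only; uid is released to nobody.
RELEASE_POLICY = {
    "https://journals.example.com/shibboleth": {"eduPersonScopedAffiliation"},
    "https://vle.example.ac.uk/shibboleth": {"eduPersonScopedAffiliation", "eduPersonEntitlement"},
}

def _sign(key, body):
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class IdentityProvider:
    """Home site: local authentication is assumed done; it issues assertions."""
    def __init__(self, entity_id, key, directory, policy, clock):
        self.entity_id, self.key, self.clock = entity_id, key, clock
        self.directory, self.policy = directory, policy

    def issue(self, username, sp_entity_id):
        wanted = self.policy.get(sp_entity_id, set())      # attribute-release policy
        now = int(self.clock())
        payload = {"id": secrets.token_hex(16),           # unique, for replay detection
                   "issuer": self.entity_id, "audience": sp_entity_id,
                   "handle": secrets.token_urlsafe(16),   # opaque subject, not the username
                   "not_before": now - 60, "not_on_or_after": now + 300,  # 60 s skew, 5 min life
                   "attributes": {k: v for k, v in self.directory[username].items() if k in wanted}}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return {"body": body, "sig": _sign(self.key, body)}

class ServiceProvider:
    """Resource site: validates the assertion; the resource owner's rules decide access."""
    def __init__(self, entity_id, federation, clock):
        self.entity_id, self.federation, self.clock = entity_id, federation, clock
        self.seen_ids = set()  # replay cache; a real deployment bounds and shares it

    def consume(self, assertion):
        body, payload = assertion["body"], json.loads(assertion["body"])
        idp = self.federation.get(payload.get("issuer"))
        if idp is None:
            raise ValueError("issuer is not in federation metadata")
        if not hmac.compare_digest(_sign(idp["key"], body), assertion["sig"]):
            raise ValueError("signature does not verify")  # checked over the exact signed bytes
        if payload["audience"] != self.entity_id:
            raise ValueError("assertion was issued for a different SP")
        if not (payload["not_before"] <= self.clock() < payload["not_on_or_after"]):
            raise ValueError("assertion outside its validity window")
        if payload["id"] in self.seen_ids:
            raise ValueError("assertion replayed")
        self.seen_ids.add(payload["id"])
        attrs = dict(payload["attributes"])
        # Scope filtering: an IdP may only assert affiliations in its own scopes,
        # otherwise any member IdP could claim "member@<another university>".
        if "eduPersonScopedAffiliation" in attrs:
            attrs["eduPersonScopedAffiliation"] = [a for a in attrs["eduPersonScopedAffiliation"]
                                                   if a.rpartition("@")[2] in idp["scopes"]]
        return attrs

def authorise(attrs, affiliation=None, entitlement=None):
    """Resource owner's own rule: every requirement given must be met."""
    affs = attrs.get("eduPersonScopedAffiliation", [])
    if affiliation and not any(a.startswith(affiliation + "@") for a in affs):
        return False
    if entitlement and entitlement not in attrs.get("eduPersonEntitlement", []):
        return False
    return True

def run_exchange(clock=lambda: 1_700_000_000):
    """Drive both sides with a fixed clock and return the outcomes."""
    idp_id = "https://idp.example.ac.uk/shibboleth"
    idp = IdentityProvider(idp_id, FEDERATION[idp_id]["key"], DIRECTORY, RELEASE_POLICY, clock)
    journals = ServiceProvider("https://journals.example.com/shibboleth", FEDERATION, clock)
    vle = ServiceProvider("https://vle.example.ac.uk/shibboleth", FEDERATION, clock)
    course = "urn:mace:example.ac.uk:course:med101"
    out, a = {}, idp.issue("alee", journals.entity_id)
    attrs = journals.consume(a)
    out["journals_sees"] = sorted(attrs)                 # affiliation only, no identity
    out["alee_journals"] = authorise(attrs, affiliation="member")
    out["alee_med101"] = authorise(vle.consume(idp.issue("alee", vle.entity_id)), entitlement=course)
    out["jsmith_med101"] = authorise(vle.consume(idp.issue("jsmith", vle.entity_id)), entitlement=course)
    tampered = dict(a, body=a["body"].replace(b"student@", b"staff@"))
    for name, sp, asn in [("cross_sp", vle, a), ("replay", journals, a), ("tamper", journals, tampered)]:
        try:
            sp.consume(asn)
            out[name] = "accepted"
        except ValueError as err:
            out[name] = str(err)
    return out
```

Calling `run_exchange()` shows the publisher learning only an affiliation while the VLE gets the course entitlement it needs, and the three cases an SP must refuse: an assertion addressed to another SP, the same assertion presented twice, and a body altered after signing. The order of the checks matters: the signature is verified over the exact bytes received before any other field is trusted, and the issuer's key comes from the federation metadata, not from the assertion itself.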
Federations: trust and responsibility
- Organisations with a common purpose (eg education and research) who trust each other
- Federations
  - Tend to be country- and sector-based
  - Members (organisations, suppliers) sign contracts to agree to a set of rules
  - Have legal status
- Production higher education federations
  - USA: InCommon - http://www.incommonfederation.org/
  - Switzerland: SWITCHaai - http://www.switch.ch/aai/
  - Finland: HAKA - http://www.csc.fi/suomi/funet/middleware/english/index.phtml
- UK test federation: SDSS - http://sdss.ac.uk/
About Athens
- Athens developed by the CHEST team at the University of Bath
  - over 10 years old
  - a solution to the problem of multiple identities accessing multiple remote services
  - centralised authentication and authorisation
- Technology plus service infrastructure
  - Help desk, local administrators etc
- Very successful, very widely adopted in the UK
  - 500 HE/FE institutions; over 2 million usernames registered
  - Ahead of its time
- Most service providers have provided an Athens compliant access mechanism
  - Mandatory for recent supplier contracts with JISC
- Approximately 200 licensed resources controlled via Athens
Athens limitations
- Requires management of separate Athens accounts
  - Users must obtain a separate Athens username and password (Classic Athens)
  - Have to remember an Athens username/password that is only used for remote services
  - Recent development (AthensDA) works more like Shibboleth (local ids used)
- Little take-up of Athens outside the UK
  - though used in other sectors in the UK, eg the Health service
- Service providers have to licence Athens: cost
- Not well suited to increasingly complex authorisation scenarios
- Meanwhile, other countries are starting to adopt SAML/Shibboleth based technologies
Middleware
- Definition: systems and software that connect people with resources
- Core Middleware: central services essential to middleware as a whole
  - Authentication
  - Authorisation
  - Directory services
  - Identifiers
JISC's Core Middleware Programme
- Programme
  - Commenced April 2004; two components
    - Technology Development
    - Infrastructure
- Aims
  - better understanding of middleware potential and application within HE and FE
  - build a working Shibboleth infrastructure
  - support take-up and use of Shibboleth within HE and FE
  - ensure join-up across JISC development in relation to middleware
- Details at
  - http://www.jisc.ac.uk/programme_middleware.html
Technology Development
- Core Middleware Technology Development Programme
  - April 2004 to March 2007
  - Programme has funded 15 different projects (£3.5 million)
- Supports investigations into several key areas
  - Internal (intra-institutional) applications
  - Access to external, third-party resources
  - Inter-institutional use
    - stable, long-term resource sharing between defined groups, e.g. shared e-learning scenarios
    - ad hoc collaborations, potentially dynamic in nature (virtual organisations or VOs)
Technologies
- Some of the technologies investigated
  - PERMIS (Privilege and Role Management Infrastructure Standards)
  - RADIUS (Wireless Networking and Roaming)
  - SHIBBOLETH
- 15 Projects include eg
  - PERMIS/Shibboleth integration
  - Integrating Shibboleth with a VLE
  - Inter-institutional management of e-Learning (Clinical Teaching)
- Supported by
  - SDSS (Shibboleth Development Support Services), Edinburgh University
  - Studies of Institutional Roles
  - Expert reports (e.g. Single Sign-on)
Technology Development - Outputs
- Projects produce
  - Test bed implementations / demonstrators
  - Reports on the implementation and deployment experiences
  - Evaluation reports
  - Recommendations
Infrastructure Programme
- Aim: establish a working UK Shibboleth infrastructure
- Government Comprehensive Spending Review funding
  - Additional funding to JISC's main annual budget
  - Approx £3.4m from Apr 2004 to Mar 2006
- Main work areas
  - Funding for organisations willing to be early Shibboleth adopters
  - Creating a service to assist the early adopters
  - Making Data Centre services (MIMAS and EDINA) Shibboleth compliant
  - Establishing a national UK federation
  - Creating Athens/Shibboleth gateways
  - Liaising with suppliers: publishers, subscription agents etc
Early Adopters
- Early Adopter Programme runs from March 2005 to December 2006
- First round of institutional Adopters (introducing Shibboleth at a university etc)
  - 12 projects, 18 institutions
  - Funding up to £50,000 available per institution
- Second round
  - 8 more projects funded
Early Adopters
- First round: 12 institutional early adopter projects (18 institutions)
  - April 05 to March 06
  - St George's Hospital Med Sch (ADAMS)
  - Cardiff (ASMIMA)
  - Liverpool (Cheshire Project)
  - Nottingham Trent (East Midlands deployment)
  - Leeds (GILEAD)
  - Liverpool (LSIP)
  - Bristol (Metaleth)
  - UK Data Archive (SAFARI)
  - Newcastle (SAPIR)
  - ShibboLEAP (consortium of 7 London University colleges)
  - Exeter (Project SWISh)
  - Nottingham (UNISA)
Early Adopters: second round
- Second round: 8 projects
  - November 05 to October 06
  - King's College London (SERAPIS)
  - Glasgow University Early Adoption of Shibboleth (GLASS)
  - Northumbria Learning (Sur-Pas)
  - Reid Kerr (FEAR)
  - Thames Valley University (Nabatea)
  - University of Bolton (Shielab)
  - University of Swansea (SHORE)
  - Wakefield College (WALRUS)
Middleware Assisted Take-Up Service (MATU)
- Dedicated support service for early adopters
- Scoping future requirements for institutions adopting Shibboleth
- Support services include
  - Comprehensive website
  - Documentation
  - Help desk
  - Onsite support
  - Training events
  - Links to, and information about, software
- See http://www.matu.ac.uk
Early adopter experiences
- Early days for any structured set of lessons to have emerged
- Some early comments
  - wide range of technical skills needed
  - lack of good, simple documentation
  - lack of tools for analysing error logs
  - good communication and excellent cooperation with library staff have greatly eased the project
Publishers and other suppliers
- The following are all believed to be Shibboleth-enabling their services
  - OCLC
  - EBSCO
  - Elsevier Science Direct
  - JSTOR
  - Thomson/Gale (currently looking for test sites)
  - Exlibris
  - EZProxy
  - ProQuest
- Internet2 maintain a status list (not always up to date)
  - http://shibboleth.internet2.edu/seas.html
- Internet2 discussion list (closed) on supplier issues: shib-enable
  - Related lists for specific suppliers (eg Elsevier, Ovid)
The Wider Picture
- Countries with established Shibboleth federations
  - US (InCommon), Switzerland (SWITCHaai), Finland (HAKA)
- Countries actively investigating Shibboleth (or using compatible technologies)
  - Netherlands, Spain, Germany, Norway, Belgium, Denmark, Australia
- US Federal Government also investigating Shibboleth
- Inter-federation working: subject of the international Cotswolds Meeting, UK
  - Held in Upper Slaughter, Gloucestershire, October 04
  - Sponsored by JISC; included reps from DEST and AARNet
  - Issues now being taken forward by the REFEDS group
    - REFEDS: Research and Education Federations
    - JISC an active member
- UK school sector: BECTA have announced adoption of Shibboleth
  - Will liaise with JISC to ensure interoperability
Next steps
- Conclude contract negotiations with UKERNA
  - UKERNA expected to be the operator for the UK's new AAI regime
  - UKERNA will establish the UK higher/further education federation by mid 2006
- Commence publicity campaign aimed at
  - Identity providers (universities etc)
  - Service providers (publishers, database suppliers etc)
- Encourage institutions to review migration options, set timescales
  - Expectation is that migration will take more than 2 years
  - JISC can't force migration, only encourage and support
- Athens operated by Eduserv (independent of JISC)
  - Athens may offer alternatives (but not subsidised by JISC)
Challenges
- Suppliers (eg publishers) need to be persuaded to adopt the technology
  - International pressure is building
  - Some (eg Elsevier, Ovid) already taking the initiative
- Cultural, organisational change
  - Removing administrative burdens from libraries
  - Information services and libraries need to work together
- Persuading institutions to move from Athens to Shibboleth
  - resistance to change
  - short term cost for long term gain; enterprise directories issues
  - early adopter experiences will encourage other institutions
  - strong interest in second call for early adopters: 18 bids
- Educating the community on the advantages of a Shibboleth regime
  - examples: more flexible subscription models, fine control of courseware access
Conclusions
- A very large project
  - will affect most staff and students in the majority of the UK's universities and colleges
  - though most users should be unaware of it
- May present significant local challenges
  - System depends on clean, up-to-date, compatible local directory services
- A good solution for today's distributed, mobile, collaborating research and teaching communities
- An excellent mechanism for controlling remote access to course materials
Further Information
- JISC web pages: http://www.jisc.ac.uk/programme_middleware.html
- Internet2: http://shibboleth.internet2.edu
Terry Morrow, JISC Consultant, t.morrow@jisc.ac.uk