29May2007 Slide 1 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
AMP meeting title slide
Access Management Programme meeting, May 2007
Access Management for Libraries  John Paschoud
and Masha Garibyan London School of Economics
Joint Information Systems Committee
Supporting education and research
2
Why fix what ain't broke?
  • Our Athens authentication system seems to work
    quite well, and has done so for several years.
    Why has JISC decided to change to something
    different?

3
Why Federated Access Management?
  • Moves closer to the single sign-on ideal - users
    need not remember so many passwords
  • Aligns with international convergence on
    Shibboleth/SAML compliant technology - wider
    market for suppliers
  • Avoids the need to maintain a central Athens-type
    database - by JISC/Eduserv and by participating
    libraries
  • Open Source and Open Standards based - so tools
    can be developed by participants and shared
  • Supports internal applications, collaborative
    inter-institutional sharing of resources, and
    virtual organisations

4
Is that all?
  • Is that all?

5
Is that all!?!?
  • Improved security for resources, so publishers
    happy - they also don't have to pay a licence
    fee (as they do for Athens), nor maintain campus
    IP address ranges
  • Because the access is role-based rather than
    identity-based there is improved privacy for
    users
  • Supports the trend towards a devolved /
    distributed model for access management
  • Authentication by the end-user's institution
  • Authorisation by the resource owner
  • Suited to the demands for more mobile access
    from home, travelling, or working at other
    institutions or libraries

6
So what is Shibboleth?
  • OK, sounds convincing, but what is Shibboleth?

7
What is Shibboleth?
  • Actually, Shibboleth is just an enabling
    technology that lets us do Federated Access
    Management
  • but just to satisfy your curiosity
  • An initiative (of Internet2) to develop an
    architecture and policy framework supporting the
    sharing between domains of secured web
    resources and services
  • A project delivering an open source
    implementation of the architecture and framework
  • Deliverables
  • Software for Identity Providers (universities,
    libraries)
  • Software for Service Providers (publishers and
    universities, libraries)
  • Policy models for Federations (scalable trust)
  • and they have a nice logo!

8
What are the costs and benefits?
  • What are the costs and benefits for our library
    of migrating to Federated Access Management?

9
Costs/Benefits of FAM?
  • Costs
  • Institution's directory must be in good shape and
    set up to support an Identity Provider (IdP)
  • Shibboleth (or compatible) middleware needs
    installing and maintaining
  • Benefits
  • Reduced overheads in password support
  • No difference in on-campus and off-campus access
  • More flexible access control e.g. different
    categories of users to different levels of access
    (or none) to a resource

10
Any other capabilities?
  • Are there things Shibboleth can do that Athens
    cannot?
  • sorry! I meant Federated Access
    Management! What extra things can we do with it?

11
The Other Capabilities of FAM?
  • As well as acting as an Identity Provider, your
    institution would be able to set up its
    repository, e-learning or any other service as a
    Service Provider
  • as LSE has done for Exam Papers and other
    members only collections
  • This will facilitate sharing of resources within
    the academic community
  • you can provide controlled access to users from
    other institutions, without needing to administer
    usernames/passwords for them
  • as LSE and Columbia (NY) did for a collaborative
    Anthropology teaching project (DART)
  • The fine-tuning of access control possible (using
    directory attributes) can be used to restrict
    confidential or sensitive data to those whose
    roles allow this

12
(the LSE Exam Papers collection secured with
Shibboleth)
13
So how do we get Shibbolised?
  • What will our library need to have in place and
    do in order to migrate to Shibboleth? What
    infrastructure is required?

14
What infrastructure is required?
  • Within your Library / Institution
  • Identity Provider (IdP) site - Required Enterprise
    Infrastructure
  • Authentication service (e.g. Yale-CAS, Pubcookie,
    or just webserver authentication)
  • Attribute repository (directory)
  • Shibboleth-compliant IdP service (e.g.
    Shibboleth, Guanxi or AthensIM software)
  • At your Publishers / Aggregators / e-Resource
    Providers
  • Service Provider (SP) site - Required Enterprise
    Infrastructure
  • Webserver (Apache or IIS)
  • Shibboleth-compliant SP service (e.g. Shibboleth,
    Guanxi or AthensIM software)
  • Logic to make Authorisation decisions based on
    user attributes collected by SP service (as
    simple or complex as the service / resources
    being provided)

15
Shibboleth IdP architecture
GET YOUR LOCAL TECHIE TO DEAL WITH THIS BIT
16
Is there help out there?
  • What help and support will be available to our
    library as we set about installing and migrating
    to Federated Access Management?

17
What support is there?
  • JISC information resources at
    http://www.jisc.ac.uk/federation
  • Including material produced by the extensive
    programme of Core Middleware and Early Adopters
    projects
  • The UK Federation has guidance for institutions
    and publishers wanting to join at
    http://www.ukfederation.org.uk
  • JISC Regional Support Centres, CILIP, CPD25,
    UCISA, SCONUL and other organisations are running
    information events
  • Netskills is producing practical training courses
    for technical staff
  • Use JISC-ACCESS-MANAGEMENT_at_jiscmail.ac.uk to
    contact the JISC Support Team

18
What resources are Shibbolised?
  • I understand that quite a lot of publishers have
    already joined the UK Federation
  • But not all e-resources are going to be
    accessible via Shibboleth overnight. Will that
    be a problem for us?
  • shouldn't we wait for another year or so, until
    they've all converted from Athens?

19
Ah! There's a Cunning Plan!
The Athens-Federation Gateways
20
And the Athens Administrator?
  • We have an Athens Administrator. What happens to
    that role after migrating to Shibboleth?

21
Athens Administrator role?
  • Initially to manage the changeover from classic
    Athens to either Shibbolised resources, or via
    the Gateways, and continue to maintain other ad
    hoc access methods where neither of these options
    is available
  • As things settle down, there will be the need to
    maintain the links in your library's list of
    e-resources
  • Closer liaison with your own IT people (who
    manage your institutional directories) may be
    needed

22
What's a Federation?
  • and what exactly does one of these Federations
    do?

23
What is a Federation?
  • A group of organisations with a common purpose
    (e.g. education and research) who trust each
    other
  • Not a subscription-purchasing consortium!
  • but could be related to one or more of those
  • Federation members
  • sign up to a set of rules, including minimum
    standards for Identity Management practices
  • May have legal status
  • Needs the trust of suppliers
  • Runs the Where Are You From (WAYF) service

24
What does Shibboleth access look like?
  • So what does access to an e-resource using
    Shibboleth look like to the end user?

25
Demonstration: What does FAM look like to an
end-user?
  • Elsevier Science Direct - an early-adopting
    publisher
  • dealing with a global customer base
  • needs to know only whether user is from a
    licensed institution
  • http://www.sciencedirect.com/ (and use
    Athens/Other Institution Login)
  • LSE Projects wiki - a highly-restricted
    institutional resource
  • with users spread across 10 HE institutions
    (current project partners)
  • needs to know personal identity and other user
    attributes
  • https://gabriel.lse.ac.uk/twiki/bin/view/Projects/AboutJohnPaschoud
  • (and then Edit this page)
  • Shibboleth Wiki - a global discussion space
  • https://spaces.internet2.edu/display/SHIB/WebHome
    (and use Log In)
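
The Service Provider authorisation logic from slide 14 and the two demonstration cases on slide 25, sketched as an added example (not part of the original presentation). The attribute names come from the eduPerson schema, which the slides do not name; the entity IDs, scopes and entitlement value are constructed.

```python
# Added illustration. Assumes the SP software has already verified the
# assertion's signature and issuer against federation metadata.

# Constructed federation metadata: scopes each IdP is registered to assert.
IDP_SCOPES = {
    "https://idp.lse.example/shibboleth": {"lse.example"},
    "https://idp.other.example/shibboleth": {"other.example"},
}
LICENSED_SCOPES = {"lse.example"}   # publisher's subscriber list (constructed)
PROJECT_ENTITLEMENT = "urn:example:projects-wiki:editor"  # hypothetical value
LICENSED_ROLES = {"member", "staff", "student", "faculty"}


def trusted_scoped(issuer, values):
    """Keep only value@scope pairs whose scope the issuing IdP may assert.

    Without this check any IdP in the federation could claim
    'member@<someone else's scope>' and be believed.
    """
    allowed = IDP_SCOPES.get(issuer, set())
    pairs = []
    for value in values:
        local, sep, scope = value.rpartition("@")
        if sep and local and scope in allowed:
            pairs.append((local, scope))
    return pairs


def publisher_allows(issuer, attrs):
    """Role-based decision: licensed institution or not. No identity is read."""
    affiliations = trusted_scoped(
        issuer, attrs.get("eduPersonScopedAffiliation", []))
    return any(role in LICENSED_ROLES and scope in LICENSED_SCOPES
               for role, scope in affiliations)


def wiki_editor(issuer, attrs):
    """Identity-based decision: return the editor's principal name, else None."""
    names = trusted_scoped(issuer, attrs.get("eduPersonPrincipalName", []))
    if len(names) != 1:
        return None   # unknown IdP, missing, ambiguous or wrongly scoped identity
    if PROJECT_ENTITLEMENT not in attrs.get("eduPersonEntitlement", []):
        return None
    return "@".join(names[0])
```

The publisher check succeeds on an affiliation alone, which is why that kind of resource needs no personal data released; the wiki check fails closed when the IdP releases no principal name.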

26
Well Shibboleth can look like this
And where they are from
27
Or, Shibboleth works invisibly behind the library
portal
28
Shibboleth behind the library portal
29
Shibboleth behind the library portal
If users prefer the route through the library
portal, e-resource usage statistics should become
more representative
30
What do we tell our users?
  • What should we tell our staff and student library
    users about the change to Shibboleth?

31
What to tell your users?
  • As little as possible!
  • There is no Athens-type username and password to
    distribute (and remind of when forgotten or lost)
  • One strand of the change management will be to
    remove references to Athens passwords from user
    guides etc
  • there should be no need to substitute Shibboleth
    in Athens' place
  • During changeover, decreasing reliance will be
    made on Athens passwords
  • some users may need reassuring the library has
    not lost access to a super-database called
    Athens!
  • LSE now tells users that your LSE Login is the
    default access for everything
  • and provides help with the diminishing number of
    exceptions

32
From LSE's Electronic Library FAQs
Many LSE electronic resources can also be
accessed off-campus via your LSE login (network
username and password).
33
LSE for You provides diminishing passwords
34
How did the LSE do it?
  • You were the first installation of Shibboleth in
    the UK. How did the LSE Library manage the change
    to Shibboleth?

35
How did the LSE do it?
  • Installing the infrastructure was surprisingly
    easy
  • (once we had the first working version of the
    software!)
  • We chose a cautious changeover from Athens
    access, with careful quality assurance testing of
    each resource link
  • We were at the bleeding edge, with over 150
    resource collections being accessed by classic
    Athens, Shibboleth, the Athens Gateway and
    EZproxy, and about 20 by all sorts of ad hoc
    methods
  • The methods used for these tests, a progress bar
    and a table of the Shibbolised status of those
    resources can be found on the Shibboleth_at_LSE
    website

36
Shibboleth_at_LSE Home
37
Shibboleth_at_LSE Shibbolisation Progress
38
Shibboleth_at_LSE Table of e-Resources
39
JISC Conf title slide
The End
Access Management for Libraries
Joint Information Systems Committee
Supporting education and research
40
Links, Questions and Conclusions
  • JISC FAM Transition www.jisc.ac.uk/federation.html
  • UK Federation www.ukfederation.org.uk
  • Shibboleth shibboleth.internet2.edu
  • Shibboleth_at_LSE www.angel.ac.uk/ShibbolethAtLSE/
  • Other questions?
  • Other issues for libraries?
  • you'll think of them later? J.Paschoud_at_LSE.ac.uk
    or JISC-ACCESS-MANAGEMENT_at_jiscmail.ac.uk