Shibboleth

1
Shibboleth
Joint Information Systems Committee
Supporting education and research
2
The JISCs Shibboleth Programme

• Terry Morrow
• JISC Consultant

3
Summary

• Shibboleth
• what is it?
• why do we need it?
• how does it work?
• Federations
• Athens
• The UKs Core Middleware Programme
• Publishers and other suppliers
• The Wider Picture
• The Future

4
Shibboleth what is it?

• An architecture developed by the Internet2
  middleware community
• NOT an authentication scheme (relies on home site
  infrastructure to do this)
• NOT an authorisation scheme (leaves this to the
  resource owner)
• BUT an open, standards-based, protocol for
  securely transferring attributes between home
  site and resource site
• Based on SAML (an OASIS standard)
• Term Shibboleth also used to refer to
• the project that has managed the development of
  the architecture and code
• the code package, running on a variety of
  systems, that implements the architecture an
  open source reference implementation is provided
• Internet2 Shibboleth web pages
• http//shibboleth.internet2.edu/
• Excellent introductory material on SWITCHaai
  website
• http//www.switch.ch/aai/

5
Shibboleth origin (Judges 121-6)
Gileadites
Ephraimites
Say Shibboleth
Shibboleth
Go on your way, my friend
Sibboleth
Say Shibboleth
Youre dead!( 42,000 others)
6
Shibboleth why do we need it?

• Rationalises an increasingly complex web of
  usernames, passwords, IP addresses, proxy servers
  etc etc
• A single solution controlling access to
  resources, both internal and remote
• Eliminates need for separate identifiers/passwords
  for each protected resource
• Provides greater security by relying on locally
  managed usernames/passwords
• Allows for secure, flexible, anonymous access to
  resources
• Institution individual user can control
  information released to service provider
• Location independent works just as well on
  campus and for distance learners
• Encourages increased take-up of expensively
  licensed materials
• Allows for greater flexibility in controlling
  access
• Eg restricting access to departments, courses to
  particular groups
• Allows for ad-hoc groups to share material in a
  secure manner

7
Shibboleth - how it works (thanks to SWITCH)
8
(No Transcript)
9
(No Transcript)
10
Federations trust and responsibility

• Organisations with a common purpose (eg education
  and research) who trust each other
• Federations
• Tend to be country- and sector-based
• Members (organisations, suppliers) sign contracts
  to agree to a set of rules
• Have legal status
• Production higher education federations
• USA InCommon - http//www.incommonfederation.org
  /
• Switzerland SWITCHaai - http//www.switch.ch/aai
  /
• Finland HAKA - http//www.csc.fi/suomi/funet/mid
  dleware/english/index.phtml
• UK test federation SDSS - http//sdss.ac.uk/

11
About Athens

• Athens developed by CHEST team at University of
  Bath
• over 10 years old
• solution to problem of multiple identities
  accessing multiple remote services
• centralised authentication authorisation
• Technology plus service infrastructure
• Help desk, local administrators etc
• Very successful very widely adopted in the UK
• 500 HE/FE institutions over 2 million usernames
  registered
• Ahead of its time
• Most service providers have provided an Athens
  compliant access mechanism
• Mandatory for recent supplier contracts with JISC
• Approximately 200 licensed resources controlled
  via Athens

12
Athens limitations

• Requires management of separate Athens accounts
• Users must obtain separate Athens username
  password (Classic Athens)
• Have to remember Athens username/password only
  used for remote services
• Recent development (AthensDA) works more like
  Shibboleth (local ids used)
• Little take-up of Athens outside UK
• though used in other sectors in the UK - eg
  Health service
• Service providers have to licence Athens - cost
• Not well suited to increasingly complex
  authorisation scenarios
• Meanwhile, other countries starting to adopt
  SAML/Shibboleth based technologies

13
Middleware
14
Middleware

• Definition systems and software that connect
  people with resources
• Core Middleware - central services essential to
  middleware as a whole.
• Authentication
• Authorisation
• Directory services
• Identifiers

15
JISCs Core Middleware Programme

• Programme
• Commenced April 2004 two components
• Technology Development
• Infrastructure
• Aims
• better understanding of middleware potential and
  application within HE and FE
• build a working Shibboleth infrastructure
• support take-up and use of Shibboleth within HE
  and FE
• ensure join-up across JISC development in
  relation to middleware
• Details at
• http//www.jisc.ac.uk/programme_middleware.html

16
Technology Development
17
(No Transcript)
18
Technology Development

• Core Middleware Technology Development Programme
  
• April 2004 March 2007
• Programme has funded 15 different projects (3.5
  million)
• Supports investigations into several key areas
• Internal (intra-institutional) applications
• Access to external, third-party resources
• Inter-institutional use
• stable, long-term resource sharing between
  defined groups e.g. shared e-learning scenarios
• ad hoc collaborations, potentially dynamic in
  nature (virtual organisations or VOs)

19
Technologies

• Some of the technologies investigated
• PERMIS (Privilege and Role Management
  Infrastructure Standards)
• RADIUS (Wireless Networking and Roaming)
• SHIBBOLETH
• 15 Projects include eg
• PERMIS/Shibboleth integration
• Integrating Shibboleth with a VLE
• Inter-institutional management of e-Learning
  (Clinical Teaching)
• Supported By
• SDSS (Shibboleth Development Support Services)
  - Edinburgh University
• Studies of Institutional Roles
• Expert reports (e.g. Single Sign-on)

20
Technology Development - Outputs

• Projects produce
• Test bed implementations demonstrators.
• Reports on the implementation and deployment
  experiences.
• Evaluation reports
• Recommendations

21
Infrastructure
22
Infrastructure Programme

• Aim - establish a working UK Shibboleth
  infrastructure
• Government Comprehensive Spending Review funding
• Additional funding to JISCs main annual budget
• Approx 3.4m from Apr 2004 to Mar 2006
• Main work areas
• Funding for organisations willing to be early
  Shibboleth adopters
• Creating a service to assist the early adopters
• Making Data Centre services (MIMAS and EDINA)
  Shibboleth compliant
• Establishing a national UK federation
• Creating Athens/Shibboleth gateways
• Liaising with suppliers publishers, subscription
  agents etc

23
Early Adopters

• Early Adopter Programme runs from March 2005
  December 2006
• First round of institutional Adopters
  (introducing Shibboleth at a university etc)
• 12 projects 18 institutions
• Funding up to 50,000 available per institution
• Second round
• 8 more projects funded

24
Early Adopters

• First round - 12 Institutional early adopter
  projects (18 institutions)
• April 05 March 06

• St Georges Hospital Med Sch (ADAMS)
• Cardiff (ASMIMA)
• Liverpool (Cheshire Project)
• Nottingham Trent (East Midlands deployment)
• Leeds (GILEAD)
• Liverpool (LSIP)

• Bristol (Metaleth)
• UK Data Archive (SAFARI)
• Newcastle (SAPIR)
• ShibboLEAP (consortium of 7 London University
  colleges)
• Exeter (Project SWISh)
• Nottingham (UNISA)

25
(No Transcript)
26
(No Transcript)
27
Early Adopters second round

• Second round - 8 projects
• November 05 October 06
• King's College London (SERAPIS)
• Glasgow University Early Adoption of Shibboleth
  (GLASS)
• Northumbria Learning (Sur-Pas)
• Reid Kerr (FEAR)
• Thames Valley University (Nabatea)
• University of Bolton (Shielab)
• University of Swansea (SHORE)
• Wakefield College (WALRUS)

28
(No Transcript)
29
Middleware Assisted Take-Up Service (MATU)

• Dedicated support service for early adopters
• Scoping future requirements for institutions
  adopting Shibboleth
• Support services include
• Comprehensive website
• Documentation
• Help desk
• Onsite support
• Training events
• Links to, and information about, software
• See http//www.matu.ac.uk

30
(No Transcript)
31
Early adopter experiences

• Early days for any structured set of lessons to
  have emerged
• Some early comments
• wide range of technical skills needed
• lack of good, simple, documentation
• lack of tools for analysing error logs
• good communication excellent cooperation with
  library staff have greatly eased the project

32
Publishers and other suppliers

• The following are all believed to be
  Shibboleth-enabling their services
• OCLC
• EBSCO
• Elsevier Science Direct
• JSTOR
• Thomson/Gale (currently looking for test sites)
• Exlibris
• EZProxy
• ProQuest
• Internet2 maintain a status list (not always up
  to date)
• http//shibboleth.internet2.edu/seas.html
• Internet2 discussion list (closed) on supplier
  issues shib-enable
• Related lists for specific suppliers (eg
  Elsevier, Ovid)

33
(No Transcript)
34
(No Transcript)
35
The Wider Picture

• Countries with established Shibboleth federations
• US (InCommon), Switzerland (SWITCHaai), Finland
  (HAKA)
• Countries actively investigating Shibboleth (or
  using compatible technologies)
• Netherlands, Spain, Germany, Norway, Belgium,
  Denmark, Australia
• US Federal Government also investigating
  Shibboleth
• Inter-federation working subject of international
  Cotswolds Meeting, UK
• Held in Upper Slaughter, Gloucestershire October
  04
• Sponsored by JISC - included reps from DEST and
  AARNet
• Issues now being taken forward by REFEDS group
• REFEDS Research Education Federations
• JISC an active member
• UK school sector - BECTA have announced adoption
  of Shibboleth
• Will liaise with JISC to ensure interoperability

36
Next steps

• Conclude contract negotiations with UKERNA
• UKERNA expected to be the operator for the UKs
  new AAI regime
• UKERNA will establish UK higher/further education
  federation by middle 2006
• Commence publicity campaign aimed at
• Identity providers (universities etc)
• Service providers (publishers, database suppliers
  etc)
• Encourage institutions to review migration
  options, set timescales
• Expectation is that migration will take more than
  2 years
• JISC cant force migration only encourage and
  support
• Athens operated by Eduserv (independent of JISC)
• Athens may offer alternatives (but not subsidised
  by JISC)

37
Challenges

• Suppliers (eg publishers) need to be persuaded to
  adopt the technology
• International pressure is building
• Some (eg Elsevier, Ovid) already taking the
  initiative
• Cultural, organisational change
• Removing administrative burdens from libraries
• Information services and libraries need to work
  together
• Persuading institutions to move from Athens to
  Shibboleth
• resistance to change
• short term cost for long term gain enterprise
  directories issues
• early adopter experiences will encourage other
  institutions
• strong interest in second call for early adopters
  18 bids
• Educating the community on the advantages of a
  Shibboleth regime
• examples more flexible subscription models fine
  control of courseware access

38
Conclusions

• A very large project
• will affect most staff students in the majority
  of UKs universities and colleges
• though most users should be unaware of it
• May present significant local challenges
• System depends on clean, up-to-date, compatible
  local directory services
• A good solution for todays distributed, mobile,
  collaborating, research and teaching communities
• An excellent mechanism for controlling remote
  access to course materials

39
Further Information

• JISC web pages http//www.jisc.ac.uk/programme_
  middleware.html
• Internet2 http//shibboleth.internet2.edu

Terry Morrow JISC Consultant t.morrow_at_jisc.ac.uk