Shibboleth

Presented by Alan Robiette from JISC

Presentation as pdf

We’ll get on to exactly what Shibboleth is later, but let’s just start by saying it is a method for authentication/authorisation.

Currently the closest we have to a nationwide authentication/authorisation system is Athens. This has been developed and recently seen Single Sign On and Devolved Authentication. Also done proof of concept on alternative ways of authentication/authorisation – e.g. digital certificates.

However, now facing new challenges. Need to look at not just institutions to publisher authentication, but also cross-institutional working, ‘virtual organisations’ with complex authorisation needs (driven by growth in e-research, GRID etc.)

Also external developments – emergence of new standards e.g. SAML

So – next generation AAA infrastructure must support scenarios such as:

Internal (intra-institutional) applications
Management of access to 3rd party digital library-type resources
Inter-institutional use – e.g. shared e-learning scenarios
Inter-institutional use – ad hoc sharing of resources

We are now seeing Virtual Organisations emerging – where people distributed across the world want to work together and share resources.

There is also a link-up with UKERNA location-independent networking project – authenticated guest access to a network. Being called ‘eduroam’ – implications of running a RADIUS infrastructure on participating campuses.

Finally, there is work going on with Internet2 and the NMI-EDIT programme – this is run by the US National Science Foundation, and is looking at development of middleware, and is taking a joint approach with JISC with some of the work in this area.

Some Principles:
Authentication is the responsibility of the user’s home site
Authorisation is the responsibility of the resource owner

So – what is Shibboleth?
An architecture developed by the Internet2 middleware community.
It is NOT an authentication scheme – expects the home institution to do this
It is NOT an authorisation scheme – expects this to be done by the resource owners
It is an architecture, and open source implementation

How does it work? Need a diagram for this, and still isn’t incredibly clear, but some key points:
WAYF – Where Are You From? This is a key part of the architecture – it is only by this that you can tell where they are going to authenticate (home institution).
ARP – attribute release policy – only gives out the information needed at any point for authorisation – for example, don’t need to give out your name if all the resource needs to know that you come from a specific campus.
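The two principles above (the home site authenticates and applies the attribute release policy, the resource owner authorises from whatever it receives) modelled as an added Python example; this is not Shibboleth’s own code or configuration, and the user records, the three resource names and the attribute names (loosely eduPerson-style) are constructed for illustration.

```python
# Added illustration, not part of the presentation: a home institution (identity
# provider) that has already authenticated the user releases only what the ARP
# allows for the requesting resource; the resource owner (service provider)
# then makes its own authorisation decision from the released attributes.
# All names, users and policies below are constructed for the example.

# --- Home institution side ---------------------------------------------------
USERS = {  # constructed directory: everything the home site knows about each user
    "alice": {"displayName": "Alice Example", "mail": "alice@example.ac.uk",
              "eduPersonScopedAffiliation": "staff@example.ac.uk", "department": "Physics"},
    "bob":   {"displayName": "Bob Example", "mail": "bob@example.ac.uk",
              "eduPersonScopedAffiliation": "student@example.ac.uk", "department": "History"},
}

# Attribute release policy: per resource, the minimum that resource needs.
# A publisher only needs to know the user comes from this campus, so no name
# or e-mail is released; a shared e-learning course legitimately needs more.
ARP = {
    "journal.publisher.example":       {"eduPersonScopedAffiliation"},
    "shared-course.partner.example":   {"displayName", "mail", "eduPersonScopedAffiliation"},
    "dept-share.example":              {"eduPersonScopedAffiliation"},  # deliberately too narrow
}

def release_attributes(user_id, resource_id):
    """After local authentication, release only the attributes the ARP permits.
    An unknown resource gets nothing (default deny)."""
    record = USERS[user_id]
    allowed = ARP.get(resource_id, set())
    return {name: value for name, value in record.items() if name in allowed}

# --- Resource owner side -----------------------------------------------------
def _scope(attrs):
    """Split 'staff@example.ac.uk' into ('staff', 'example.ac.uk')."""
    affiliation = attrs.get("eduPersonScopedAffiliation", "")
    role, _, domain = affiliation.partition("@")
    return role, domain

# Each resource owner states its own rule; the home site never sees these.
RULES = {
    # Publisher: any member of the subscribing campus, nothing else needed.
    "journal.publisher.example":
        lambda a: _scope(a)[1] == "example.ac.uk",
    # Shared course: staff or students, and an e-mail address to enrol them.
    "shared-course.partner.example":
        lambda a: _scope(a)[0] in {"staff", "student"} and "mail" in a,
    # Departmental share: wants a department the ARP above never releases,
    # so every request is refused until the two policies are reconciled.
    "dept-share.example":
        lambda a: a.get("department") == "Physics",
}

def authorise(resource_id, attrs):
    """Resource owner's decision, based solely on what was released to it."""
    rule = RULES.get(resource_id)
    return bool(rule and rule(attrs))

def access(user_id, resource_id):
    """End-to-end check once the WAYF has routed the user to their home site.
    Returns (decision, attributes the home site actually disclosed)."""
    attrs = release_attributes(user_id, resource_id)
    return authorise(resource_id, attrs), attrs
```

The third resource shows the practical caveat: a release policy that is narrower than what the resource owner checks produces a silent denial rather than an error, so the two sides have to agree on the attribute set.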

Shibboleth is getting good international acceptance (US, Australia, Finland, Switzerland, France – and UK of course)
Basic software now well tested – around 30 US universities working with it seriously, plus several content vendors – Swiss national HE system deployment
Satisfies the main requirements ‘out of the box’ – digital library, shared e-learning and internal use scenarios – doesn’t yet do the VO stuff very well.

However – still not very user friendly, lacks management tools, demanding to install and run, might require outsourced or packaged service for smaller institutions. Also still a relatively unsophisticated authorisation model – single attribute authority (who manage the ARP mentioned above), decision engine not very sophisticated – this is currently being addressed in JISC development projects.

So – what needs to be done?
Implement Shibboleth on JISC services – provide critical mass of shibboleth-enabled resources
Gain experience on campuses – in a variety of institutions
Build the national components – which are relatively few
‘Charm offensive’ with publishers

JISC is providing an ‘assisted take-up service’ – contract announcement is imminent, and expected to be available this month (March 2005). This should provide documentation, tools and support.

Some projects are being funded to get institutions to trial Shibboleth on their campuses. JISC are looking for outcomes by Summer 2006 – this coincides with a break in the Eduserve/Athens service contract.

In the short-term, Athens and Shibboleth will coexist – no current plan to remove Athens. In fact Athens is being developed to work in a Shibboleth environment. A two way gateway is being developed so that Athens campuses can reach Shibboleth resources and vice versa.

Campuses will need to review strategy – Shibboleth, Athens DA and EduRoam all pose similar questions. Need to have robust Identity Management solution which sits at the heart of any of these technologies.

In the longer term – currently speculate that:
Some institutions (perhaps especially smaller ones) may want to stay with Athens. As may small publishers.
OR – if Shibboleth becomes pervasive, support or tailoring for particular situations may be the answer
JISC will need to keep national service requirements under review
No question of forcing institutions to migrate on any specific timescale

Reflections on UCISA conference

Just been talking to Matthew about capturing stuff from the conference, and saying that some of the most valuable stuff comes out of discussion after the talks – so I thought we could try and get some of this down as we fly home…

Should also say that the presentations are online

Collaboration and Competition in HE

Are we competing in a collaborative environment or collaborating in a competitive environment?

HE is moving from the former to the latter – Roger McClure from the Scottish funding body made the distinction, and it seems as if Scottish HE has grasped this much more readily than English HE – also think about the success of the IU that David Farquhar talked about.

Also, in England at least, the aim seems unclear from a government level – are they really aiming for an open market, or will they bail out anyone who looks like going under? We had quite a good chat about this, comparing it to other similar commercial environments – e.g. Post Office – they are supposed to compete, but can’t increase the cost of postage. Is HE headed the same way?

How we become competitive as HE providers also came up a few times – should we specialise? Are we clear how we (as organisations) make our money, and where we should concentrate effort? The last talk also touched on this, with examples of how airlines collaborate to survive, but are also in competition – sometimes your closest competitor has the most in common with you.

I was struck by a comment from Howard Newby that at the moment it was theoretically possible for students to easily transfer credit between institutions, and take courses in different places – but the institutional processes get in the way. Look at the Gas and Electricity market where people come to your door to get you to change suppliers, you sign, and they do it all for you – why aren’t we providing this kind of service? Should we be more aggressive in recruiting continuously (i.e. not just a single UG intake in a year, but ‘why not swap to RHUL’ – thousands of customers are returning to BT every month etc.)

Howard Newby also emphasised that universities have to capitalise on their strengths – can they continue to offer a broad range of courses across disciplines at an appropriate standard? Are we going to see more specialist institutions? Should RHUL become more specialist? And what will it mean to be a university in that environment?

Technology is changing faster than you think

Several times I’ve been struck by how quickly things are changing. Why are our students worrying about storage on our network, when they can pick up a 120Gb drive that fits in a rucksack for less than £100? Why aren’t we exploiting this more?

The younger students coming through our doors now are immersed in this – they don’t even think that it might not be there – they’ve never known a world without mobiles, PCs, the Internet.

Reflecting on what has changed in the last 20-30 years, and thinking about the implications if that rate of change continues (or even increases) for the remainder of my working life. But also, as we were reminded this morning, we cope with this incredibly well in general – although I’ve only owned a mobile phone for the last 5 years, I haven’t found it in any way difficult to adapt – when technology works, you don’t even think about it.

Leadership and Vision

This probably relates to the first point of competition, and where we go as an organisation – but we need both leadership and vision. We need to know where we are going, and what we are trying to achieve.

If we can’t continue to do everything, we need to decide what we stop doing, and what the consequences of this will be.

Something that came up several times was that we are ‘risk averse’ both as a profession, but also (I think) as organisations. This coincided nicely with the presentation on Risk Assessment – so perhaps we need to be less risk averse, but at the same time understand the risks we are taking.

OK – that’s it for now, perhaps some more later.

Information Security Toolkit

Something that JISC has been developing – this being presented by Christine Cooper from LSE.

Presentation in pdf

Apparently BS7799 is the key standard in the area of Information Security. There are questions about how appropriate it is to the HE sector. When JISC first looked at this, they felt that the content of the standard was good, but that it may not be worth going for formal certification.

The toolkit https://www.ucisa.ac.uk/acuk/infosecurity is a translation of BS7799 for HE with best practice for the sector.

The toolkit is a structure/framework containing generic information security elements and specimen policies, which you can incorporate into local policies. It can be used as a template which you simply adapt for local use, or as a guide which you use to create your own policy.

Obviously creating the policy is only one part of this – you have to actually apply the policy for it to be worthwhile!

Now just going over the detail of using the toolkit – all looks pretty straightforward – fit the procedures or policies that you already have into the framework outlined in the toolkit and also identify gaps, and start looking at how you fill these.

Need to remember – Information Security doesn’t just mean Information Technology – but all Information in the organisation. Also remember that not all Information Technology is provided by a central service – there will be local things happening in departments etc. Needs to be a pervasive attitude in the organisation.

A glance of the future

Talk by Gary Bridge from Cisco.

Presentation as pdf

Some interesting comparisons here – in 1959, 1Mb of storage cost $10,000 – now 120Gb costs under $100.

If this type of increase in storage continues, in 20 years you will be able to buy terabytes of space on a small disk device. I’m afraid I haven’t got the figure he quotes, but he has said that the kind of size he is talking about could hold 315 copies of every song ever recorded.

The really important thing here is that this is not a ‘by 2100’ prediction – the timescales he is talking mean this is going to happen in my working life.

Moving on to communication – in 1896 the fastest way of communicating across distances was by telegraphy – at 20-75 words per minute. With typing, we go up to around 150 words per minute.

Just as an aside, he has just said that when typewriters were first introduced, only men used them, because it was seen as a technical/mechanical task!

With speech we go to 125-180 words per minute

and – sorry to leave you hanging, but at this point I had to leave the talk to sort a problem back at base, so I’m afraid that we’ll never find out what the future of communication is – a shame, as it was shaping up to be an interesting talk.

Normal service will be resumed for the next talk…

Cooperation vs Competition

Some comments from Howard Newby – chair of HEFCE

Drivers for change – social inclusion, economic competitiveness and regional agenda

Found it quite hard to concentrate on this talk. I think basically he is saying that the HE sector is moving into a competitive environment and this is going to lead to questions about competition and collaboration, how the funding council works in the competitive environment (will it help out HE institutions which are not so successful? How does it best manage the public interest?)

Roger McClure – Chief Exec of the Scottish Higher Education Funding Council now making some comments

Interesting that he was asked to talk about ‘competing in a collaborative environment’, but he feels we should really talk about the reverse – collaborating in a competitive environment. This seems indicative of the change in attitude that is necessary in the HE sector.

In the future learning will be different…

Talk by Peter O’Sullivan from IBM

What will the future learner look like? – apparently:
Very motivated
Driven by interaction and trust
Time sensitive
Global Disposition (Think and Act) – don’t understand this
Information savvy (resistant to overload)
Technophilic – don’t think this is quite right – they don’t ‘love’ the technology – they just accept it
Established brand, individuality
Virtual and physical (Cyber children)
Diverse
Comparison Shoppers

24% of urban tweens globally use the internet as primary communication
21% find the Internet the easiest way to make new friends (this rises to 44% in China)

OK – so this is a picture, but I think it is saying that they will in some way like or love using the technology. This doesn’t quite ring true to me – it is important to realise that they don’t see this as a choice they are making – they just do it. We need to get ourselves into this mindset. Think about things that you use naturally – e.g. telephone – but do you regard yourself as someone who ‘loves’ the telephone? I don’t – it just doesn’t occur to me that there is a different way of doing this, in the way it would have to my grandparents.

I think it also paints a picture of a particular type of student. Although some may be true, I don’t think we are going to see a change in 18 year old undergraduates suddenly becoming a lot more motivated than they are at the moment. However, perhaps the truth is that this section of students will become less important to the HE market?

So – the future shape of e-learning – seeing some common themes coming up here –
Collaborative learning
Learner empowerment
Embedded Learning
Enabled via a blended approach

Learner starts to be at the centre of the process

Shame I can’t reproduce the slide up at the moment – an interesting breakdown of the IBM working environment ‘desktop’ – looks like a kind of portal, bringing together different aspects of a project/job. Interesting to compare this to e-learning delivery.

IBM have developed a 4 tier learning model:
Learn from collocation
Learn from collaboration
Learn from interaction
Learn from information

This seems a very interesting way of breaking down the structure of how we learn. What PO says then is that this means the lesson planners (which could well be these self-motivated students) control the delivery – looking at which of the 4 tiers suits a particular learning objective…

PO is just showing us some little visionary examples of the future of e-learning. Some of it rings true, and some of it not, but the general vision is embedding learning into life – using technology.

PO now talking about something called the ‘IBM Learning Alignment Model’ (some stuff here http://www-1.ibm.com/industries/education/doc/content/bin/LAExecutiveBrief11-24.pdf)

PO now name checking various projects – Merlot, Sakai, University of Phoenix online, eArmyU. Also mentioned Middlesex University as having a vision related to the use of IT.

Emphasising you can’t be successful if you are completely IT driven (e.g. UKeU)

PO now talking about the need of Industrial Strength information and communications technology – this comes back to recent discussions locally about needing a robust network and IT infrastructure as a pre-requisite of e-learning. Also identifying the need for full lifecycle content management.

PO now saying we have to recognise the context for us is global – covering different levels of education, and all other aspects of life.