{"id":410,"date":"2005-03-11T20:55:46","date_gmt":"2005-03-12T03:55:46","guid":{"rendered":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/?p=410"},"modified":"2005-03-11T20:55:46","modified_gmt":"2005-03-12T03:55:46","slug":"shibboleth","status":"publish","type":"post","link":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/2005\/03\/shibboleth\/","title":{"rendered":"Shibboleth"},"content":{"rendered":"<p>Presented by Alan Robiette from JISC<\/p>\n<p><a href=\"http:\/\/www.ucisa.ac.uk\/events\/2005\/conference\/papers\/presentations\/jisc%20alan%20robiette.pdf\">Presentation as pdf<\/a><\/p>\n<p>We&#8217;ll get on to exactly what Shibboleth is later, but let&#8217;s just start by saying it is a method for authentication\/authorisation.<\/p>\n<p>Currently the closest we have to a nationwide authentication\/authorisation system is Athens. This has been developed and recently seen Single Sign On and Devolved Authentication. Also done proof of concept on alternative ways of authentication\/authorisation &#8211; e.g. digital certificates.<\/p>\n<p>However, now facing new challenges. Need to look at not just institution to publisher authentication, but also cross-institutional working, &#8216;virtual organisations&#8217; with complex authorisation needs (driven by growth in e-research, GRID etc.)<\/p>\n<p>Also external developments &#8211; emergence of new standards e.g. SAML<\/p>\n<p>So &#8211; next generation AAA infrastructure must support scenarios such as:<\/p>\n<p>Internal (intra-institutional) applications<br \/>\nManagement of access to 3rd party digital library-type resources<br \/>\nInter-institutional use &#8211; e.g. shared e-learning scenarios<br \/>\nInter-institutional use &#8211; ad hoc sharing of resources<\/p>\n<p>We are now seeing Virtual Organisations emerging &#8211; where people distributed across the world want to work together and share resources.<\/p>\n<p>There is also a link-up with the UKERNA location-independent networking project &#8211; authenticated guest access to a network. Being called &#8216;eduroam&#8217; &#8211; implications of running a RADIUS infrastructure on participating campuses.<\/p>\n<p>Finally, there is work going on with Internet2 and the NMI-EDIT programme &#8211; this is run by the US National Science Foundation, and is looking at development of middleware, and is taking a joint approach with JISC on some of the work in this area.<\/p>\n<p>Some Principles:<br \/>\nAuthentication is the responsibility of the user&#8217;s home site<br \/>\nAuthorisation is the responsibility of the resource owner<\/p>\n<p>So &#8211; what is Shibboleth?<br \/>\nAn architecture developed by the Internet2 middleware community.<br \/>\nIt is NOT an authentication scheme &#8211; expects the home institution to do this<br \/>\nIt is NOT an authorisation scheme &#8211; expects this to be done by the resource owners<br \/>\nIt is an architecture, and an open source implementation<\/p>\n<p>How does it work? Need a diagram for this, and still isn&#8217;t incredibly clear, but some key points:<br \/>\nWAYF &#8211; Where Are You From? This is a key part of the architecture &#8211; it is only by this that you can tell where they are going to authenticate (home institution).<br \/>\nARP &#8211; attribute release policy &#8211; only gives out the information needed at any point for authorisation &#8211; for example, don&#8217;t need to give out your name if all the resource needs to know is that you come from a specific campus.<\/p>\n<p>Shibboleth is getting good international acceptance (US, Australia, Finland, Switzerland, France &#8211; and UK of course)<br \/>\nBasic software now well tested &#8211; around 30 US universities working with it seriously, plus several content vendors &#8211; Swiss national HE system deployment<br \/>\nSatisfies the main requirements &#8216;out of the box&#8217; &#8211; digital library, shared e-learning and internal use scenarios &#8211; doesn&#8217;t yet do the VO stuff very well.<\/p>\n<p>However &#8211; still not very user friendly, lacks management tools, demanding to install and run, might require an outsourced or packaged service for smaller institutions. Also still a relatively unsophisticated authorisation model &#8211; single attribute authority (who manage the ARP mentioned above), decision engine not very sophisticated &#8211; this is currently being addressed in JISC development projects.<\/p>\n<p>So &#8211; what needs to be done?<br \/>\nImplement Shibboleth on JISC services &#8211; provide critical mass of Shibboleth-enabled resources<br \/>\nGain experience on campuses &#8211; in a variety of institutions<br \/>\nBuild the national components &#8211; which are relatively few<br \/>\n&#8216;Charm offensive&#8217; with publishers<\/p>\n<p>JISC is providing an &#8216;assisted take-up service&#8217; &#8211; contract announcement is imminent, and expected to be available this month (March 2005). This should provide documentation, tools and support.<\/p>\n<p>Some projects are being funded to get institutions to trial Shibboleth on their campuses. JISC are looking for outcomes by Summer 2006 &#8211; this coincides with a break in the Eduserv\/Athens service contract.<\/p>\n<p>In the short term, Athens and Shibboleth will coexist &#8211; no current plan to remove Athens. In fact Athens is being developed to work in a Shibboleth environment. A two-way gateway is being developed so that Athens campuses can reach Shibboleth resources and vice versa.<\/p>\n<p>Campuses will need to review strategy &#8211; Shibboleth, Athens DA and eduroam all pose similar questions. Need to have a robust Identity Management solution which sits at the heart of any of these technologies.<\/p>\n<p>In the longer term &#8211; currently speculate that:<br \/>\nSome institutions (perhaps especially smaller ones) may want to stay with Athens. As may small publishers.<br \/>\nOR &#8211; if Shibboleth becomes pervasive, support or tailoring for particular situations may be the answer<br \/>\nJISC will need to keep national service requirements under review<br \/>\nNo question of forcing institutions to migrate on any specific timescale<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Presented by Alan Robiette from JISC Presentation as pdf We&#8217;ll get on to exactly what Shibboleth is later, but let&#8217;s just start by saying it is a method for authentication\/authorisation. Currently the closest we have to a nationwide authentication\/authorisation system is Athens. This has been developed and recently seen Single Sign On and Devolved Authentication. [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-410","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/posts\/410","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/comments?post=410"}],"version-history":[{"count":0,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/posts\/410\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/media?parent=410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/categories?post=410"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.meanboyfriend.com\/overdue_ideas\/wp-json\/wp\/v2\/tags?post=410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}