http://iamsect.ncl.ac.uk/ Shibboleth

Shibboleth - iamsect.ncl.ac.uk/dissemination/york/York 4th May 2005.pdf · Shibboleth: More commonly associated with secure authentication and authorisation systems


Page 1:

Shibboleth

Page 2:

Shibboleth

More commonly associated with secure authentication and authorisation systems.

(also, believed to be the first password)

Page 3:

Who are we?

• IAMSECT project

• http://iamsect.ncl.ac.uk/

• Inter-institutional Authorisation Management to Support eLearning with reference to Clinical Teaching

• Collaboration between Durham, Northumbria and Newcastle

• Using BlackBoard and Zope

• JISC ‘Core Middleware’ (£7 million overall)

Page 4:

What we’re doing

• Shibboleth-enabling Blackboard-based VLE

• Shibboleth-enabling Zope-based VLE

• Creating managerial and technical documentation

• Dissemination and awareness events

Page 5:

Shibboleth

• What is it?

• What can I do with it?

• How does it help me?

• What happens next?

• What do I need to do?...

Page 6:

What is Shibboleth?

• Distributed Authentication and Authorisation

• authentication - identifies who you are

• authorisation - what you are allowed to do

• (in the past, these have usually been combined)

• Standards-based (SAML)

• Should save time and effort

Page 7:

Core Concepts

• A user is authenticated at  “home”

• Home knows who and what a user is

• Service providers make access decision based on what a user is

• Service providers should only know the minimum about a user

What is Shibboleth?

Page 8:

Example: external resource

Page 9:

External resource - ‘bruno’ at Durham

Page 10:

Example: external resource

where are you from?

Page 11:

‘WAYF’ Server

Page 12:

Example: external resource

where are you from?

user selects identity provider

Page 13:

Authenticated at Newcastle

Jon Dowland

(for a service at Durham)

Page 14:

Example: external resource

where are you from?

user selects identity provider

Authentication (LDAP, Active Directory, etc.) happens at Newcastle

Page 15:

Page 16:

Success!

Page 17:

What happened there?

• The Newcastle user wanted to view a resource at an external site (Durham)

• The external site is using Shibboleth, and is in a Federation that Newcastle is also in

• Due to prior arrangements, Durham can trust Newcastle users at their site

• Newcastle knows who their students are

• Durham does not need to know

Page 18:

Whole process simplified

1. User accesses protected resource

2. User directed to their institution for authentication

3. Credentials and agreed information passed back
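The three-step exchange on this slide, as an added example that is not code from the IAMSECT project or from the Shibboleth software: a Python model in which the Service Provider (SP) at Durham sends the user to their home Identity Provider (IdP) at Newcastle, the IdP issues a signed assertion carrying an opaque handle plus the agreed attributes, and the SP checks signature, issuer, audience, validity window and replay before making its access decision. Real Shibboleth carries SAML XML over HTTP redirect/POST bindings and verifies XML signatures against keys published in federation metadata; the JSON assertion, the HMAC over a federation shared key, the entity IDs, the username and the attribute values here are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumption for brevity: one key shared across the federation. Real
# federations publish each IdP's public key in metadata instead.
FEDERATION_KEY = b"constructed-federation-shared-secret"


def idp_issue_assertion(idp_id, sp_id, local_username, attributes, lifetime=300):
    """Step 2/3, IdP side: the user has just authenticated locally (LDAP,
    Active Directory, ...). Build a signed assertion for exactly one SP.
    The subject is an opaque per-session handle, not the local username,
    so the SP only ever learns the attributes the IdP chose to release."""
    now = int(time.time())
    handle = hashlib.sha256(
        f"{local_username}:{now}:{secrets.token_hex(8)}".encode()).hexdigest()
    body = {
        "id": secrets.token_hex(16),   # unique per assertion, for replay detection
        "issuer": idp_id,
        "audience": sp_id,             # bound to the SP that asked
        "subject": handle,
        "issued_at": now,
        "expires_at": now + lifetime,
        "attributes": attributes,      # the "agreed information"
    }
    payload = json.dumps(body, sort_keys=True)
    signature = hmac.new(FEDERATION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


class ServiceProvider:
    """Step 1 and the access decision, SP side."""

    def __init__(self, sp_id, trusted_idps, required_affiliation):
        self.sp_id = sp_id
        self.trusted_idps = set(trusted_idps)   # taken from federation metadata
        self.required_affiliation = required_affiliation
        self.seen_ids = set()                   # assertion IDs already consumed

    def verify(self, assertion, now=None):
        """Return (ok, reason, attributes). Every check is one of the things
        the federation agreement lets the SP rely on."""
        now = int(time.time()) if now is None else now
        expected = hmac.new(FEDERATION_KEY, assertion["payload"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature", None
        body = json.loads(assertion["payload"])
        if body["issuer"] not in self.trusted_idps:
            return False, "issuer not in federation", None
        if body["audience"] != self.sp_id:
            return False, "assertion meant for another SP", None
        if not (body["issued_at"] <= now < body["expires_at"]):
            return False, "expired or not yet valid", None
        if body["id"] in self.seen_ids:
            return False, "replayed assertion", None
        self.seen_ids.add(body["id"])
        return True, "ok", body["attributes"]

    def access_decision(self, assertion, now=None):
        """Authentication is the IdP's job; authorisation stays here and is
        based only on what the user is, never on who they are."""
        ok, reason, attrs = self.verify(assertion, now)
        if not ok:
            return False, reason
        if self.required_affiliation in attrs.get("eduPersonAffiliation", []):
            return True, "granted"
        return False, "authenticated but not authorised"


if __name__ == "__main__":
    # Constructed entity IDs and user; not real deployments.
    sp = ServiceProvider("https://sp.dur.ac.uk/shibboleth",
                         ["https://idp.ncl.ac.uk/shibboleth"], "student")
    assertion = idp_issue_assertion("https://idp.ncl.ac.uk/shibboleth",
                                    "https://sp.dur.ac.uk/shibboleth",
                                    "jdowland", {"eduPersonAffiliation": ["student"]})
    print(sp.access_decision(assertion))   # first use: granted
    print(sp.access_decision(assertion))   # same assertion again: replay rejected
```

The replay set and the audience check are the two checks most often forgotten in home-grown SSO; without them a captured assertion can be resubmitted to the same SP, or an assertion obtained from a low-value SP can be presented to a high-value one.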

Page 19:

Rather a lot of work?

• However, the user is now logged in to the other Shibboleth services in the same federation

• Many of the redirects will be transparent to the user

Page 20:

Some definitions

• Federations group together service providers and institutions that agree to the same rules

• more a social construct than a technical one

• Examples: SDSS, Athens, inQueue, inCommon

Page 21:

Some definitions 2

• Agreed Information = Attributes

• descriptive information about a user

• can technically be anything

• likely to be heavily influenced by privacy policies

Credentials and agreed information passed back

Page 22:

Electronic Journal Access

• Access to MetaLIB portals

• Finer-grained access & personalisation

• e.g. just final year engineers have access

• e.g. EDINA BIOSIS e-journal service

What can I do with it?

Page 23:

Athens (1996)

• Admired Internationally

• Single identifier, multiple sign­on

• UK Education and Health

• Secure

• Centralised

(diagram: User - Athens - Service)

Page 24:

Athens (2005)

• Migrating to Shibboleth

• Shibboleth-Athens gateway

• Middleware Assisted Take Up service (MATU)

• for early adopters of Shibboleth

Page 25:

Athens Services

ADITUS, AMADEUS, AMICO library, APU Library Proxy, Axiom, BANKSCOPE, BIDS CAB Abstracts, BIDS IBSS Service, BIDS Silver Platter INSPEC service, BIDS SilverPlatter PsycINFO Service, BLISS, BMJ Journals, BioMed Central, Blackwell-Synergy.com, British Standards Online, Business Ratio Reports, Butterworths Accountancy Direct, Butterworths All England Direct, Butterworths Banking Law Direct, Butterworths Businesscompliancedirect.co, Butterworths CaseSearch, Butterworths Civil Procedure Online, Butterworths Commercial Property Law, Butterworths Corporate Finance, Butterworths Corporate Law Direct, Butterworths Crime Online, Butterworths EBL Direct Essentials, Butterworths EBL Direct Premium, Butterworths EOR Direct, Butterworths EU Direct, Butterworths Employment Online, Butterworths Family and Child Direct, Butterworths Financial Regulations Servi, Butterworths Forms and Precedents Direct, Butterworths HSE Direct, Butterworths Halsbury's Laws of ..., Butterworths Human Rights Direct, Butterworths IRS Employment Review, Butterworths Immigration and Asylum Law, Butterworths Insolvency Law Direct, Butterworths Intellectual Property ..., Butterworths International Tax, Butterworths Law Direct, Butterworths Law Reports Direct, Butterworths Legal Updater, Butterworths Legislation Direct, Butterworths Licensing Direct, Butterworths Local Government Direct, Butterworths PI Online, Butterworths PensionsPro, Butterworths Property Tax Direct, Butterworths Scotland Direct, Butterworths Scots Law Direct, Butterworths Sergeant Sims Stamp Duty

Butterworths Stair Memorial, Butterworths Stone's Justices Manual, Butterworths Tax Direct, Butterworths Tax Planning Service, Butterworths Trusts and Estates Direct, Butterworths UK & International GAAPplus, Butterworths US Banking Editions Online, CHEST Associated Site Contacts, CHEST Further Education Site Contacts, CHEST Higher Education Site Contacts, CHEST Ireland Site Contacts, CSA Aqualine, CSA Artbibliographies Modern, CSA Internet Database Service, CSA Linguistics & Language Behaviour, CSA e-psyche, Cartalinx, Census Dissemination Unit, Census Geography Data Unit (UKBORDERS), Census Interaction Data Service, Census Learning Resources, Census Microdata Unit at the CCSR, Census Registration Service, Chadwyck-Healey KnowEurope, Chadwyck-Healey KnowUK Database, Chadwyck-Healey LION for colleges, Chadwyck-Healey Literature Online, Chadwyck-Healey PCI Full Text Database, Childlink.co.uk, City University Virtual Library, Cochrane Library, Computer Abstracts, Creative Club, CrossFire Service (PLUSABGM), CrossFire self-teach modules (MIMAS-XFT), Dialog DataStar, Dialog Education@Site, Dialog@Site, EBSCOhost EJS, EBSCOhost databases, EDINA AGDEX, EDINA BIOSIS, EDINA BIOSIS Previews 1969 - 1984, EDINA CAB Abstracts, EDINA Compendex, EDINA Digimap, EDINA EconLit, EDINA INSPEC, EDINA Index to The Times, 1790 - 1980, EDINA MLA, EDINA PAIS, EDINA UPDATE, EEBO, EIU Citydata

EIU Countrydata, EIU Marketindicators & Forecasts, ESDS International, ESDU Data, ESRI NTF Converters, Education Image Gallery, Education Media OnLine, Education Media OnLine medical-restrict, Electronic Surgeons in Training Educatio, Emerald Fulltext, Emerald Management Reviews, Encyclopaedia Britannica, Engineering Village 2, Extenza e-Publishing Service, FAME, Gale Group InfoTrac, ISI JCR Science Edition, ISI JCR Social Sciences Edition, ISI Web of Knowledge, Idrisi, Ingenta Full Text Journals, Ingenta Select, Int. Civil Engineering Abstracts, Irish Reports and Digest, Isle of Man GIS data, JASPER, JUSTIS Celex and OJC, JUSTIS Daily Cases, JUSTIS ECJ Proceedings, JUSTIS Family Law, JUSTIS Hermes, JUSTIS Human Rights, JUSTIS Industrial Cases, JUSTIS Law Reports (eLR), JUSTIS Law Reports Digest, JUSTIS Lloyd's Law Reports, JUSTIS Mental Health Law Reports, JUSTIS Official Journal C, JUSTIS Prison Law Reports, JUSTIS UK Statutes and SIs, JUSTIS Weekly Law, Jobs admin stuff, JustCite, Keynote, KumarandClark.com, LexisNexis, MD Consult, METAPRESS, MIMAS ISI BIOSIS Previews, MIMAS ISI Chemistry Server, MIMAS ISI Current Contents Connect, MIMAS ISI Derwent Innovations Index, MIMAS Infoterra, MIMAS Landmap

MIMAS Landmap Mediterranean, MIMAS LitLink, MIRA Virtual Automotive Info Centre, Martindale & Stockleys Drug Interactions, Mintel Reports, Mulberry, NeLH Evidence-Based on Call, NeLH Journal of Medical Screening, NetLibrary, NewsBank InfoWeb, OCLC FirstSearch Service, OSIRIS, Ovid Online, Oxford English Dictionary Online, Oxford Reference Online, Papyrus software for DOS, Papyrus software for the Mac, Parlianet, Perfect Analysis, Primal Pictures Basic Anatomy (NHS), Primal Pictures anatomy.tv, ProQuest, ProQuest Reference Asia, RCS Affiliates Area, RCS Discussion Fora, RCS Library Electronic Journals, RCS Members Area, RefWorks, Reuters Business Insight Unlimited, SCOTBIS: Members Area, SCRAN Web Site, ScienceDirect, Sentient DISCOVER, SilverPlatter Arc2, Snapshots International: Market Research, Statistical Accounts of Scotland, SwetsWise, Synsoft HYDRA and HYDRA ONLINE, TRILT, Taylor and Francis eBook Subscriptions, Technical Indexes Info4Education, Technical Indexes Info4HealthEstates, The Academic Library, The Times Law Reports, UK JSTOR Mirror Service, WILSONWEB, Westlaw UK, Wiley InterScience, WriteNote, XpertHR, ZETOC - BL Electronic Table of Contents, eSTEP administrators resource, images.MD, xreferplus

Page 26:

Username management

• Should be greatly reduced

• should be done by institutional IT services

• Access to wider variety of resources

• Athens are ‘Shibboleth-enabling’ services, using their gateway

• JISC - doing the same thing with EDINA, MIMAS and other services

How does it help me?

Page 27:

Shibboleth Futures

• Shibboleth is a disruptive technology

• Authentication, privacy barrier removed

• Online “reputation based” systems could kill journals?

• Services bought in from outside e.g. webmail for students

• Niche services flourish

What happens next?

Page 28:

Summary

• Shibboleth will help service providers and service users

• Lots of momentum

• Standards-based, open

• eduserv (Athens) and JISC committed to process

Page 29:

Recap...

• What is it?

• What can I do with it?

• How does it help me?

• What happens next?

• What do I need to do?...

Page 30:

Shopping List

• WebISO service (single sign on)

• preferably institutional

• Identify Attributes

• easy ones: affiliation, course

• where to find these attributes?

• hard ones: eduPersonPrincipalName
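The attribute side of the shopping list, together with the "agreed information" slide (attributes shaped by privacy policy) and the "just final year engineers" example from the electronic journal slide, as an added example that is not code from the IAMSECT project or from the Shibboleth software. The IdP releases, per service provider, only the attributes the federation agreement allows; the SP discards scoped values that the asserting IdP is not entitled to assert, then applies its access rule. Attribute names follow the eduPerson schema; the directory record, the SP entity IDs, the release policy format and the `course`/`yearOfStudy` attributes are assumptions made for this example.

```python
# Constructed sample IdP directory record; not a real person or real data.
DIRECTORY = {
    "jdowland": {
        "eduPersonPrincipalName": "jdowland@ncl.ac.uk",
        "eduPersonScopedAffiliation": ["student@ncl.ac.uk", "member@ncl.ac.uk"],
        "course": "MEng Engineering",      # assumed institutional attribute
        "yearOfStudy": 4,                   # assumed institutional attribute
        "mail": "not.released@ncl.ac.uk",   # never leaves the institution below
        "dateOfBirth": "1980-01-01",        # never leaves the institution below
    }
}

# The scope this IdP is entitled to assert, as registered in federation metadata.
IDP_SCOPE = "ncl.ac.uk"

# Release policy agreed per SP (assumed format). Minimum disclosure: an
# e-journal only needs to know "a student of a member institution"; a course
# VLE also gets a persistent identifier and course data.
RELEASE_POLICY = {
    "https://ejournals.example.org/shibboleth": ["eduPersonScopedAffiliation"],
    "https://vle.dur.ac.uk/shibboleth": [
        "eduPersonPrincipalName", "eduPersonScopedAffiliation", "course", "yearOfStudy",
    ],
}

# Which year counts as "final year" per course (assumed).
FINAL_YEAR = {"MEng Engineering": 4, "BEng Engineering": 3}


def release_attributes(username, sp_entity_id):
    """IdP side: return only the attributes the agreement with this SP
    permits. An SP with no agreement gets an empty set, not everything."""
    record = DIRECTORY[username]
    allowed = RELEASE_POLICY.get(sp_entity_id, [])
    return {name: record[name] for name in allowed if name in record}


def scope_of(value):
    """'student@ncl.ac.uk' -> 'ncl.ac.uk'; unscoped values have no scope."""
    return value.rsplit("@", 1)[1] if "@" in value else None


def filter_scoped(attrs, asserting_scope):
    """SP side: keep scoped values only when their scope matches the scope
    the asserting IdP is registered for. Without this, any IdP in the
    federation could claim its users are staff at another institution."""
    scoped_names = ("eduPersonPrincipalName", "eduPersonScopedAffiliation")
    out = {}
    for name, value in attrs.items():
        if name not in scoped_names:
            out[name] = value
            continue
        values = value if isinstance(value, list) else [value]
        kept = [v for v in values if scope_of(v) == asserting_scope]
        if kept:
            out[name] = kept if isinstance(value, list) else kept[0]
    return out


def final_year_engineer(attrs):
    """SP access rule for the slide's example: current student, on an
    engineering course, in that course's final year."""
    affiliations = attrs.get("eduPersonScopedAffiliation", [])
    course = attrs.get("course", "")
    return (any(a.startswith("student@") for a in affiliations)
            and course in FINAL_YEAR
            and attrs.get("yearOfStudy") == FINAL_YEAR[course])


if __name__ == "__main__":
    for sp in RELEASE_POLICY:
        released = release_attributes("jdowland", sp)
        checked = filter_scoped(released, IDP_SCOPE)
        print(sp, released, final_year_engineer(checked))
```

Note that the e-journal SP cannot satisfy the final-year rule at all, because the course attributes were never released to it: the access rule an SP can enforce is bounded by what the IdP agreed to disclose, which is the trade-off the privacy policy bullet on the definitions slide is pointing at.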