Embed Size (px)
Citation preview
Shibboleth at Penn State
Renee ShueyAcademic Services and Emerging Technologies Information Technology ServicesJune 29, 2005
Some terms
● Authenticate– Determine that someone is who they say they are
● Authorize– Determine that someone has the privileges or attricbutes
necessary to perform some function of gain access to information
● Federate– Take action across institutional realms
● Directory– Middleware service that describes people in your institution
Outline● Problem statement
● Solution space – Shibboleth and Federations
● Description of Shibboleth
● Uses of Shibboleth at Penn State - Today
● Uses of Shibboleth at Penn State - Future
● What's it take to do all of this?
What's the problem?
● We're serving lots of people (120,000)
● Those people want access to web-based information resources
● Rising legal, ethical, and economic development concerns about legal consumption and distribution of digital information
● Continued concerns about privacy, growing concerns about privacy
Communications
Learning Materials
Student LifeResearch Materials
Stuff
Communications
Learning Materials
Student LifeResearch Materials
Stuff
Communications
Learning Materials
Student LifeResearch Materials
Stuff
Communications
Learning Materials
Student LifeResearch Materials
Stuff
Communications
Learning Materials
Student LifeResearch Materials
Stuff
Communications
Learning Materials
Stuff
Research MaterialsStudent Life
What's a possible solution?
● Shibboleth– Let's us use our existing infrastructures,
processes, identities– Preserves anonymity, provides tools for
managing privacy– We can provide pathways for
appropriate/legal consumption and distribution of digital materials
What's a possible solution?● Federations
– Provides an infrastructure of trust (“trust fabric”)
– Associations of enterprises come together to exchange information about their users and resources in order to enable collaborations and transactions
– Built on the premise of “Enroll,authenticate and attribute locally...Act federally.”
– Two well known federations in higher education in the U.S. are InQueue and InCommon
Shibboleth – What is it?
Shibboleth – What is it?
• An Internet2 middleware product designed to provide federated access management between Web-based resources
• Allows you to authenticate locally and access Web resources from other institutions or sites
• Can be used to make complex, directory-based authorization decisions
• Preserves privacy of individual from remote site
Shibboleth Architecture R
eso
urc
e
WAYFI
dentity Provider
Service ProviderWeb Site
1
ACS
32
HS
5
6
7
User DB
Credentials
4
AR
Handle
Handle
8
Handle
9AA Attri
butes
10
Res
ou
rce
Man
ag
er
Attribute
s
© SWITCH
ShibbolethHigh Level Architecture
• Service Provider site (SP) and (Identity Provider) IdP site collaborate to provide a privacy-preserving “context” for Shibboleth users
• Identity Provider authenticates user, asserts Attributes (using the Directory)
• Service Provider requests attributes about user directly from Identity Provider site
• Service Provider makes an Access Control Decision
• Users (and Identity Providers) can control what attributes are released
• Federations provide common Policy and Trust (more later)
Shibboleth at Penn State Today● WebAssign
– Access to course materials at another university
– NC State, WebAssign, Penn State Dept. of Physics
● Napster Experiment– Access to digital repositories
● LionShare – Work in Progress – Authenticated peer-to-peer file sharing
WebAssign
• Summer 2002● ~ 20 students, 2 weeks, 1 course
• Fall 2002● ~200 students● 3 courses
• Spring 2003● ~1800 students● Successful login: 63,026 ● All physics courses at UP location can use
Shibboleth
• Fall 2003 - Production!
WebAssign
WebAssign questions
0
5
10
15
20
25
30
35
Date
Qu
es
tio
ns
● Before Shib:– 1st 2 weeks, 30
questions/day
– Most questions about login
● After Shib– Down to 1-2
questions/day
– Non Shib sections still at 15 questions/day
Napster Experiment
●Technical challenge
● Enable residence hall students access to web based music resource in less than 40 days
● Initial community size ~18,000
● 24 campus locations throughout PA
● Roll-out to all of Penn State following semester● Community size ~100,000
Napster Experiment● Using Shibboleth allowed/allows us to:
● authenticate locally to the near universally-adopted Penn State Access Account
● query attributes of individual and determine eligibility
● present Napster with a role and unique identifier, without exposing the identity of the individual
● hand–off transaction to Napster where individual sets up Napster account
● execute the terms and conditions of the contract AND preserve the individual's ability to maintain the Napster relationship after eligibility changes
LionShare
● A federated peer-to-peer file search application
● Users can identify each other and restrict sharing
● Leverages Internet2's InCommon federation and Shibboleth middleware for trust
● Authorization is attribute-based:
● Ex: “Share syllabus.pdf with any student at Penn State in English 202A section 15.”
Shibboleth at Penn State Tomorrow● Office of Student Aid/AES *
● Worldwide University Network *
● Turnitin
● Thomson Publishing
● CIC Learning Technologies Liaisons
● Merging of Medical Center, Law School, and Campus libraries
● Library vendors
– Elsevier, OCLC, JSTOR, and many more
Shibboleth at Penn State - FutureOffice of Student Aid AES/PHEAA
● AES = American Educational ServicesPHEAA = PA Higher Education Assistance Agency
● Motivation was to create a more seamless, less cumbersome [loan application] process than what now exists – being transported from one database to another and needing to authenticate multiple times
● Decision to use Shibboleth as solution was driven by “compromise”
Shibboleth at Penn State - FutureOffice of Student Aid AES/PHEAA (continued)
● AES/PHEAA will assume the liability of using the PSU login as identity confirmation in order to access and sign a loan promissory note (legal document) (Current dollar value on this process is 350 – 400 million dollars)
● Penn State will need to sign a legal agreement with AES/PHEAA verifying this commitment of “trust” – lawyers have been consulted on both sides
● Future use will allow user to use the PSU logon to be transported to multiple databases (AES/PHEAA, Federal Dept of Ed ) – enhancing simplicity and ease of accessing student data in multiple databases
Shibboleth at Penn State - FutureWorldwide Universities Network
●“An international alliance of leading higher-education institutions”
● Bergen, Bristol, UC - San Diego, U.Illinois (UC), Leeds, Manchester, Nanjing, Oslo, Penn State, Sheffield, Southampton, Utrecht, University of Washington, Wisconsin–Madison, York, Zhejiang
● http://www.wun.ac.uk/
Worldwide Universities NetworkInternational Joint Course Development and Delivery
in GIS
●Challenge: Geographic information science involves multiple disciplines and many professions, including geography, information science, computer science, and various application areas from business to defense to environmental resource management to energy utilities to local government planning offices. 1,000,000 users worldwide, 15% annual growth; urgent need for education and training at all levels.
●No one academic discipline or institution prepared to offer a comprehensive curriculum. Field too diverse and diffuse.
WUN (continued)
Solution: consortia of distance education providers (encouraged by WUN) who are willing (trust) and able (Internet2 MACE) to share students. Sharing students is a more ambitious and powerful vision than sharing content (i.e., learning objects and repositories). Shib makes sharing students viable. NSF/JISC-funded DialogPLUS project fosters cooperation among geographers, educationalists, and computer scientists at Leeds, Southampton, Penn State, and Santa Barbara.
WUN PilotBeginning April 2005, five students in Penn State's Master of GIS program enrolled in GEOG 497k: GIS for Analysis of Health, developed and offer by faculty members at Southampton. Because Shib is not in place, and Southampton was not prepared to create accounts to Penn State students, had to re-create course in Penn State's CMS.
Beginning October 2005 (hopefully!), students in Southampton's and Leeds' joint Master of Science in GIS program will enroll in Penn State course GEOG 485: GIS Programming and Customization. If Shib is implemented successfully, will not need to create redundant course implementation or duplicative student accounts.
Shibboleth Leverages....
● Processes, procedures and policies for distributing and managing digital identities– Signature Stations, AD-20, enforcement tools,
etc. -> identity management● An eduPerson compliant enterprise directory● Authentication method(s)● Acceptance of the identifier● Strategies for protecting the identifier
Shibboleth speeds/feeds at PSU
● 7 Shibboleth servers– 2 for WebAssign– 5 for Napster
● Load balance using SLB● Software
– Shibboleth 1.1● Hardware
– IBM Blade HS20 proc 2.4GHz mem 2.5GB
Useful URLs/pointers
● http://www.nmi-edit.org● http://shibboleth.internet2.edu● Subscribe to shib mailing lists● http://www.incommonfederation.org/● http://lionshare.its.psu.edu● Emerging issues/technologies/recipes
– http://middleware.internet2.edu/signet/– SAML 2.0: http://www.oasis-open.org/
