Using Shibboleth to Connect: Applications for the Clearinghouse and Other Federated Applications Brendan Bellina Identity Services Architect Manager, Enterprise Middleware Identity Management University of Southern California

Using Shibboleth to Connect: Applications for the Clearinghouse and Other Federated Applications · 2015-09-16


Using Shibboleth to Connect: Applications for the Clearinghouse and Other Federated Applications

Brendan Bellina
Identity Services Architect
Manager, Enterprise Middleware Identity Management
University of Southern California

Copyright Brendan Bellina, 2010. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

4/24/2010 AACRAO 2010 Annual Meeting 2

Agenda
• Overview of Shibboleth
• How Shibboleth is used at USC
• Definition of “Federation”
• Overview of the InCommon Federation
• Shibboleth @ USC use cases
  – Apple iTunes U
  – Google Apps for Education
  – National Student Clearinghouse Student Self-Service


What is Shibboleth?
• Web Single-Sign-On software
  – Developed by Higher-Ed (2001 – ongoing)
    • Internet2, NSF Middleware Initiative
  – Non-proprietary – standards based (SAML: Security Assertion Markup Language)
  – Privacy preserving attribute delivery
  – Local authentication
  – Global authorization
  – Widely adopted and free


- User credentials are not distributed

- No user management at service provider

- Identity is protected


- Standards based

- Built for Federation

Webinar with Nate Klingenstein, hosted by Unicon:

http://www.unicon.net/node/1282


About USC
• Private university est. 1880 in Los Angeles
• 19 academic units
• 35,000 students
• 21,100 employees (faculty, staff, student workers)
• 229,000 alumni
• 6,600 regularly enrolled international students

Source: http://www.usc.edu/about/ataglance/


How Shibboleth is used at USC

• Single-Sign-On for
  – centrally managed web applications
  – department hosted web applications
  – sponsored federated web applications

• Encouraged for use with all web applications

• USC is a member of the InCommon Federation


How Shibboleth is Implemented at USC

• Single Shibboleth 2.x Identity Provider (IdP)
• Identity Provider uses USC Global Directory Service as identity and attribute store
• Identity Provider uses MIT Kerberos as credential store (for authentication)
• IdP supported by central IT Enterprise Middleware Identity Management (part of Information Security)

Notable Successes
• University Portal
• Blackboard
• Online Grading System
• iTunes U
• Online Schedule of Classes
• iVIP Guest/Affiliate System
• Orientation Reservations
• Confluence Wiki
• MovableType Blog
• Google Apps
• Microsoft DreamSpark
• Dspace Digital Repository
• Online Whitepages
• National Student Clearinghouse

What is a “Federation”?
• Federations – definition
  – Dictionary.com - a federated body formed by a number of nations, states, societies, unions, etc., each retaining control of its own internal affairs.
  – InCommon.org - a federation is an association of organizations that come together to exchange information, as appropriate, about their users and resources in order to enable collaborations and transactions.


Does Shibboleth require that an institution be in a Federation in order to access federated (ie, externally hosted) services?

Does a service provider have to be a member of a Federation in order for their service to be compatible with a Shibboleth Identity Provider?


No and no. But there are advantages for both the Institution and the Service Provider to being in a Federation.


Federated Model (diagram): User@Institution A and User@Institution B reach services such as Research Projects, Shared Courses, Student Loan Service, Physics Homework Service and Library Provider through the federation, which supplies Governance for operational standards and practices, a Legal Agreement and Protections, Trusted Metadata, and Technical Interoperability. Legend: Credentialing / Authentication; Authorization; User Credential.

What is InCommon?
• A SAML-based Federation that includes:
  – 200+ higher education participants
  – Six government and nonprofit laboratories, research centers, and agencies (including NIH, TeraGrid, and NSF)
  – 51 sponsored partners
  – Two county K-12 school districts (as part of a pilot)
  – More than 4 million higher education users
  – Members agree to rules and practices that allow for interoperability
  – http://www.incommonfederation.org

Value of InCommon
• Governance by a representative Steering Committee
  – Formulates policy, operational standards and practices, establishes a common set of attributes and definitions.
• Legal Agreement
  – Basic responsibilities, official signatory and establishment of trust, conflict and dispute resolution, basic protections
• Trust “Notary”
  – InCommon verifies the identity of organizations and their delegated officers
• Trusted Metadata
  – InCommon verifies and aggregates security information for each participant’s servers, systems, and support contacts
• Technical Interoperability (Technical Advisory Committee)
  – InCommon defines shared attributes (eduPerson), standards (SAML), software (Shibboleth)

USC Shibboleth Use Cases


Apple iTunes U
• Background
  – Started effort in 2006 by USC Technology Enhanced Learning
  – Hosting protected content accessible by USC students based on course enrollment
  – No support by Apple for using Shibboleth at that time
  – Did not want enrollment data to leave the University


Key Characteristics
• The Shibboleth Service Provider was an application installed at USC that:
  – Aggregated data about the user
  – Created a credential compatible with iTunes U
  – Transmitted the credential securely to Apple iTunes U
• Using a “shim” application to be the service provider allows Shibboleth SSO to be extended to non-Shibbolized resources


Use Case Take Away

A Shibboleth Service Provider “shim” may be used to front-end a non-Shibboleth compatible service.


Google Apps for Education
• Background
  – Started investigating in Summer 2007
  – Implemented January 2008 as an opt-in service for students
  – For web apps, Google supports the SAML 2.0 standard
  – For non-web apps (GoogleTalk, IMAP & POP access to Gmail) requires a password accessible to Google


Accessing Google Web Apps
• Shibboleth 2.x supports the SAML 2.0 standard
• Shibboleth is interoperable with other products that support the SAML standard
• Shibboleth 2.x IdP can interoperate with the Google Service Provider because they both support the SAML standard.
• USC IdP interacts with Google directly
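As an added example (not USC's configuration), this is how a Shibboleth 2.x IdP talks directly to a SAML 2.0 SP that is outside the federation, such as Google Apps: a relying-party.xml override for that one SP plus a locally maintained metadata file. The relying party id, IdP entity ID, credential reference and file path are assumed placeholders; Google's SP does not consume encrypted assertions, so encryption is switched off for this relying party only.

```xml
<!-- Shibboleth 2.x IdP relying-party.xml fragment (added example; placeholders throughout) -->
<rp:RelyingPartyGroup
    xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Override for the Google SP only. The DefaultRelyingParty (not shown) keeps
       assertion encryption on for every other SP, so the relaxation is scoped
       to the one entity ID that needs it. -->
  <rp:RelyingParty id="google.com/a/example.edu"
      provider="https://idp.example.edu/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        encryptAssertions="never"
        encryptNameIds="never"/>
  </rp:RelyingParty>

  <!-- The Google SP is not in the federation aggregate, so its metadata comes
       from a local file that the IdP loads in the same chain as the
       federation feed (other providers in the chain omitted here). -->
  <metadata:MetadataProvider id="ShibbolethMetadata"
      xsi:type="metadata:ChainingMetadataProvider">
    <metadata:MetadataProvider id="GoogleAppsMD"
        xsi:type="metadata:FilesystemMetadataProvider"
        metadataFile="/opt/shibboleth-idp/metadata/google-apps-sp.xml"/>
  </metadata:MetadataProvider>
</rp:RelyingPartyGroup>
```

Because the metadata is hand-maintained rather than signed and delivered by the federation, the operator owns the job of checking the SP's certificate and endpoints in that file and keeping them current.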


Use Case Take Aways

A Shibboleth IdP can interoperate with a SAML-compliant service provider.

What is required is that services support the SAML standard.


National Student Clearinghouse
- Allows Student access to enrollment verification activities via the Web:
  - Print enrollment certificates
  - View enrollment history
  - Check enrollment verifications that the Clearinghouse has provided to student service providers on their behalf
  - View student loan deferments
  - Link to real-time information on their student loans

National Student Clearinghouse
• Background
  – NSC phased out their initial SSS service, terminating it July 31, 2009.
  – NSC engaged in a Shibboleth pilot to support SSS with Stanford and the University of Washington.
  – NSC joined the InCommon Federation


Benefits of Using Shibboleth and InCommon with Student Self-Service

• Eliminate necessity of students registering with NSC using SSN

• Make Student Self-Service available to students who do not have an SSN or choose not to provide the SSN

• Ease of use with Integrated Single-Sign On with OASIS (USC Online Student Information System Service), USC Portal, and other services


Work, Time, Resources
• June 2009, following the Stanford pilot, USC agreed to become the first school to use Shibboleth for NSC SSS.
• Service sponsored by University Registrar.
• Added University ID to existing NSC weekly data feed from Student Information System
• Shibboleth Identity Provider configuration to release student University ID and USC OPEID to NSC at student login
• NSC link updated in OASIS
• Under 40 hours of technical work
• Implemented July 30. First school to implement in production using Shibboleth 2.x.
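As an added example (not USC's actual configuration), the attribute release described above written as a Shibboleth 2.x IdP attribute-filter.xml policy. The NSC entity ID and the attribute IDs universityID and opeid are assumed placeholders; the point is that the policy releases only those two attributes, and only when the requesting SP is NSC.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Shibboleth 2.x IdP attribute-filter.xml fragment (added example; placeholders throughout) -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Scope the release to one requester. With an AttributeRequesterString
       rule, no other SP matches this policy, so no other SP receives the
       identifiers below. The entity ID is a placeholder. -->
  <AttributeFilterPolicy id="releaseToNSC">
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.nsc.example/shibboleth"/>

    <!-- Attribute IDs are assumed names that would be defined in
         attribute-resolver.xml; the student's University ID and the
         institution's OPEID are the only attributes NSC SSS needs. -->
    <AttributeRule attributeID="universityID">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
    <AttributeRule attributeID="opeid">
      <PermitValueRule xsi:type="basic:ANY"/>
    </AttributeRule>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

The contrast with a weaker setup is the requirement rule: a policy whose PolicyRequirementRule is basic:ANY would hand these identifiers to every SP in the metadata, which defeats the privacy-preserving attribute delivery the slides describe.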


NSC SSS Documentation
• Internet2 NSC Pilot documentation
  – https://spaces.internet2.edu/display/InCCollaborate/National+Student+Clearinghouse+Pilot
• USC Setup documentation
  – https://spaces.internet2.edu/display/InCCollaborate/USC-NSC+Setup
• National Student Clearinghouse Student Self-Service documentation:
  – SSS Developer’s Implementation Guide
  – SSS Shibboleth Profile Form
• NCES Global Locator (for OPEID lookup)
  – http://nces.ed.gov/globallocator/


Use Case Take Away

Membership in a common Federation by both the home institution and service provider simplifies integration and can shorten time to implement.


Summary
• Shibboleth can be used to provide SSO functionality for:
  – Non Shibbolized web apps using a shim
  – SAML compliant web applications
  – Shibbolized applications
• Membership in a Federation, such as InCommon, is not mandatory, but can offer significant benefits and simplify integration.


Additional Resources
- USC GDS website: http://www.usc.edu/gds
- Additional Presentations by the author: http://its.usc.edu/~bbellina
- Shibboleth Project: http://shibboleth.internet2.edu
- More on iTunes U at USC from the developer: http://www.nasiperetz.net/?p=13
- Google Apps At USC: http://google.usc.edu/
- Google Apps At USC Support: http://www.usc.edu/its/google/
- Brendan Bellina: [email protected]

Thanks!
