
2005 © SWITCH

Case Study: Shibboleth in Swiss Higher Education

Thomas Lenggenhager <lenggenhager@switch.ch>

Ueli Kienholz <kienholz@switch.ch>

2005 © SWITCH 2Case Study, Thomas Lenggenhager & Ueli Kienholz

Project Timeline

Figure: project timeline 2001 to 2006 with the phases Study; Study, Planning; Architecture Evaluation ‡ Shibboleth; Implementation; Pilot; Operation.


Without AAI

Figure: three institutions (University A, Library B, University C), each offering resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals); every resource runs its own Authorization / User Administration and Authentication / Resource Credentials.

• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected due to difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access


With AAI

Figure: the same three institutions and resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals), now linked through the AAI; diagram labels: Authorization / User Administration, Authentication / Resource Credentials.

• No user registration and user data maintenance at resource needed
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for resources
• Authorization independent of location
• Efficient implementation of inter-institutional access


SWITCHaai Building Blocks

• Identity Providers (Home Orgs)
• Service Providers (Resources)
• Organisational Framework
• Interoperation
• Central Services
• Finances


Organisational Framework

• SWITCH acts as SWITCHaai Federation Service Provider
• Federation membership based on signed service agreements


Interoperation

Requires agreement on technical details like

• Standards
  • SAML 1.1
• Software versions used
  • Shibboleth 1.1 for Identity Providers, Shibboleth 1.2.1 for Service Providers
• Accepted Certification Authorities
  • SWITCHpki and Thawte, Trustcenter, VeriSign
• Attributes possible to exchange
  • Attribute specification – swissEduPerson


Interoperation: Attributes

Criteria for attribute specification

• Start small, extend as required
• Common understanding on interpretation
• Already widely used

Attribute usage by applications

• Use minimal set really required
• It is a data protection principle


Identity Provider Integration

Figure: an AAI-enabled Identity Provider consists of the User Directory, the Authentication System and the AAI component.

Currently in use in SWITCHaai:

• Authentication Systems
  • OpenLDAP with CAS or Pubcookie
  • Kerberos AuthN with Active Directory
  • Windows AuthN with IIS
• User Directory
  • OpenLDAP
  • Active Directory


Identity Providers in SWITCHaai

Figure: status map of Identity Providers (categories: Operational AAI Identity Provider; AAI Identity Provider getting ready; Prototype running; Service Agreement). Institutions shown: ETH Zürich, Universität Zürich, Virtual Home Org (SWITCH), Université de Genève, Zürcher Hochschule Winterthur, University Hospital Zürich, Universität Luzern, Université de Fribourg, Universität Bern, Université de Lausanne.

110'000 Swiss Higher Ed users have an AAI account (= 50% of all)


Virtual Home Organization – VHO

Integrate End Users without Identity Provider

• Resource Owner creates @VHO "AAI-enabled" accounts for users without an Identity Provider
• A VHO account is only usable for that resource managed by the Resource Owner

Figure: a Federation Member acting as Resource Owner administers end users who have no Identity Provider; the VHO Service @SWITCH (User Dir, VHO Policy) acts as the Identity Provider for those users.


Types of Service Providers

Figure: Service Providers grouped as e-learning, libraries, other web applications and commercial. Examples shown: DOIT, VITELS, Vista@SVC, AD Learn & Co, Vconf-Reservation, SMS-Gateway, EZproxy, ScienceDirect, WebCT@ETHZ, OLAT, Moodle, BSCW, Blackboard, SwissLex, IS-Academia, Jobs@BWI, ILIAS, TWiki, eShops, …


Service Provider Example: DOIT

Figure: AAI Identity Providers ETHZ, UniZH, SWITCH, UniL, UniGE, UniBE and VHO; DOIT as AAI Service Provider.

DOIT: Dermatology Online with Interactive Technology

500 AAI Users

Access Rule:
IdP = UniZH | UniBE | UniL
affiliation = student
studyBranch = medicine
studyLevel = 15
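As an added example (not SWITCH's or Shibboleth's own code), the DOIT access rule above and the "use the minimal attribute set" principle from the Interoperation: Attributes slide, worked through in Python: an Identity Provider side filter that releases only the attributes a rule needs, and a Service Provider side evaluator that checks the released attributes against the rule. The attribute names, the rule representation and the sample user record are assumptions.

```python
from typing import Dict, List, Set, Tuple

Rule = Dict[str, Set[str]]          # attribute name -> accepted values
Attributes = Dict[str, List[str]]   # SAML attributes are multi-valued

# The DOIT access rule from the slide, written as a dict (assumed representation):
# every attribute must match (AND); any listed value is acceptable ("|" = OR).
DOIT_RULE: Rule = {
    "IdP": {"UniZH", "UniBE", "UniL"},
    "affiliation": {"student"},
    "studyBranch": {"medicine"},
    "studyLevel": {"15"},
}

def required_attributes(rule: Rule) -> List[str]:
    """The minimal attribute set the Service Provider actually needs."""
    return sorted(rule)

def release(directory_record: Attributes, rule: Rule) -> Attributes:
    """Identity Provider side: release only what the resource's rule needs.
    Everything else in the user record (mail, name, ...) stays at the Home Org."""
    return {name: directory_record[name] for name in required_attributes(rule)
            if name in directory_record}

def evaluate(rule: Rule, idp: str, released: Attributes) -> Tuple[bool, List[str]]:
    """Service Provider side: check the rule against the released attributes.
    The asserting IdP is taken from the assertion issuer, not from an attribute.
    Returns (allowed, reasons); reasons lists every constraint that failed."""
    attrs = dict(released, IdP=[idp])
    reasons = []
    for name, accepted in rule.items():
        values = attrs.get(name, [])
        if not values:
            reasons.append(f"{name}: not released")
        elif accepted.isdisjoint(values):
            reasons.append(f"{name}: {values} not in {sorted(accepted)}")
    return (not reasons, reasons)

# Constructed sample record of a medical student (not real data).
SAMPLE_RECORD: Attributes = {
    "affiliation": ["student", "member"],
    "studyBranch": ["medicine"],
    "studyLevel": ["15"],
    "mail": ["student@example.org"],
    "givenName": ["Example"],
}

if __name__ == "__main__":
    released = release(SAMPLE_RECORD, DOIT_RULE)
    print(released)                               # mail and givenName are not released
    print(evaluate(DOIT_RULE, "UniZH", released))  # allowed
    print(evaluate(DOIT_RULE, "ETHZ", released))   # denied: IdP not in the rule
```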


Service Provider Example: OLAT

Figure: AAI Identity Providers ETHZ, UniZH, SWITCH, UniL, UniGE, UniBE and VHO; OLAT as AAI Service Provider.

OLAT: Online Learning and Training (open source e-learning platform of the University of Zurich)

5000 AAI Users, 75 Courses


Integration of „Blackboxes“

• Authentication/Authorization Gateway
• Portal Functionalities (optional)
• User Management (optional)
• Adaptors to Blackbox Applications:
  • WebCT Vista
  • WebCT CE
  • …

Figure: an AAI portal with Shibboleth in front; application sign-on adaptors (A1, A2, ...) connect the blackbox applications through an API.


Central AAI-Services

• Strategy & Marketing
• International Contacts
• Support, Consulting, Training
• Providing Federation-specific Files and Configuration Guides
• Operating WAYF
• Test Counterparts (Identity Provider and Service Provider)
• Jump Start Service


Funding

Figure: funding / costs over 2000 to 2010 in three phases: pilot project (funded by SWITCH & Universities), project (funded by federal grants), operational service (funded by tariffs).


Outlook

• Projects with federal grants
  • Non-web service providers, e.g. Grid
  • ECTS (Study)
  • AAA (Study)
• Federation Partners


Further Information

• SWITCHaai Website: http://www.switch.ch/aai
• Shibboleth: http://shibboleth.internet2.edu/
• Shibboleth Demo: http://www.switch.ch/aai/demo
• Attribute Specification: http://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf


Questions ?

Q & A

http://www.switch.ch/aai

aai@switch.ch
