Shibboleth and CU. Carol Kassel, Digital Knowledge Ventures (DKV); James Burger, National Science Digital Library (NSDL). PowerPoint presentation.

Page 1: Shibboleth and CU

Shibboleth and CU

Carol Kassel, Digital Knowledge Ventures (DKV)

James Burger, National Science Digital Library (NSDL)

Page 2: Shibboleth and CU

Table of contents

What is Shibboleth?
How is it being used at CU?
What’s Carol’s involvement? Jim’s involvement?
How could Shibboleth be used?
What are the advantages to using it (SP)?
What are the advantages to using it (IdP)?

Page 3: Shibboleth and CU

What is Shibboleth?

“Shibboleth, a project of Internet2/MACE, is developing architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. In addition, Shibboleth will develop a policy framework that will allow inter-operation within the higher education community.”

In English: Shibboleth allows users from different institutions or groups to obtain access to protected content anywhere on the Web. Users log in locally, and their privacy is maintained.

Shibboleth is “middleware,” software that facilitates communication between or among servers.

Page 4: Shibboleth and CU

“Shibboleth” (Judges 12)

Page 5: Shibboleth and CU

How is it being used at CU?

National Science Digital Library (NSDL) – an interinstitutional project being developed in part by EPIC
DART (Digital Anthropology Resources for Teaching) – in development jointly by LSE and CU (including EPIC)
Artstor – some CU involvement
CERO – developed by DKV; Shib-enabling by EPIC
That’s it…for now!

Page 6: Shibboleth and CU

Shibboleth pieces

“Service provider” (SP, or “target”) – the site that users want to access
“Identity provider” (IdP, or “origin”) – the place where users log in; the holder of user data
“Where are you from?” page (WAYF) – the page where users pick their home institution so they are sent to the right IdP to log in
Attributes – information about the user that is released from the IdP to the SP, according to policies on both ends (a release policy at the IdP and an acceptance policy at the SP)
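The four pieces above interact as a single round trip: the SP bounces an unauthenticated browser to the WAYF, the WAYF sends it to the chosen IdP, the IdP checks the password locally and hands back an opaque handle, and the SP uses that handle to ask the IdP for attributes, receiving only what the IdP's release policy allows for that particular SP. The following Python model is an added example, not code from this deck and not the Shibboleth software itself (which exchanges SAML messages over HTTP redirects and POSTs; here each hop is a method call). The entity IDs, user names, passwords and attribute names are constructed sample data, and treating the handle as single-use is a choice made for this toy.

```python
# Toy model of the roles on this slide (SP/target, WAYF, IdP/origin, attributes).
# Added example: not the deck's code and not the real Shibboleth implementation,
# which speaks SAML over HTTP. All entity IDs, users and passwords are constructed.
import hashlib
import hmac
import os
import secrets


def hash_password(password, salt=None):
    """PBKDF2 so the IdP's directory never holds clear-text passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    """The 'origin': authenticates locally and releases attributes per its ARP."""
    def __init__(self, entity_id, users, arp):
        self.entity_id = entity_id
        self._users = users      # username -> {"salt", "digest", "attrs"}
        self._arp = arp          # attribute release policy: sp_id -> releasable attrs
        self._handles = {}       # opaque handle -> (username, sp_id)

    def authenticate(self, username, password, sp_id):
        """Check the password here, so the SP never sees it; return an opaque handle."""
        rec = self._users.get(username)
        if rec is None:
            return None
        _, digest = hash_password(password, rec["salt"])
        if not hmac.compare_digest(digest, rec["digest"]):
            return None
        handle = secrets.token_urlsafe(16)   # random; reveals nothing about the user
        self._handles[handle] = (username, sp_id)
        return handle

    def attribute_query(self, handle, sp_id):
        """Release only what the ARP allows for this SP; an unknown SP gets nothing."""
        entry = self._handles.pop(handle, None)   # toy choice: a handle is single-use
        if entry is None or entry[1] != sp_id:    # handle was issued for another SP
            return None
        allowed = self._arp.get(sp_id, set())
        attrs = self._users[entry[0]]["attrs"]
        return {k: v for k, v in attrs.items() if k in allowed}


class WAYF:
    """'Where are you from?': maps the user's home organization to its IdP."""
    def __init__(self, idps):
        self._idps = {idp.entity_id: idp for idp in idps}

    def select(self, home_org):
        return self._idps.get(home_org)


class ServiceProvider:
    """The 'target': holds no passwords, decides access from released attributes."""
    def __init__(self, entity_id, required_attrs, allowed_affiliations):
        self.entity_id = entity_id
        self._required = set(required_attrs)    # acceptance policy: must be present
        self._allowed = set(allowed_affiliations)
        self._sessions = {}                     # session cookie -> attributes

    def request(self, cookie=None):
        """('ok', attrs) for a live session, otherwise a redirect to the WAYF."""
        if cookie in self._sessions:
            return "ok", self._sessions[cookie]
        return "redirect", f"https://wayf.example.org/?target={self.entity_id}"

    def consume_assertion(self, idp, handle):
        """Fetch attributes for the handle, apply the access rule, open a session."""
        attrs = idp.attribute_query(handle, self.entity_id)
        if (attrs is None or not self._required.issubset(attrs)
                or attrs.get("eduPersonAffiliation") not in self._allowed):
            return None
        cookie = secrets.token_urlsafe(32)      # kept for the browser session only
        self._sessions[cookie] = attrs
        return cookie


def login_flow(sp, wayf, home_org, username, password):
    """Full round trip: SP redirect -> WAYF -> IdP login -> SP session, or None."""
    if sp.request()[0] != "redirect":           # no cookie yet, so the SP bounces us
        return None
    idp = wayf.select(home_org)
    handle = idp.authenticate(username, password, sp.entity_id) if idp else None
    return None if handle is None else sp.consume_assertion(idp, handle)


def build_demo():
    """Constructed sample: one staff user, one alumnus, one CERO-like SP."""
    users = {}
    for name, pw, affil in (("jb701", "correct horse", "staff"),
                            ("ck42", "battery staple", "alum")):
        salt, digest = hash_password(pw)
        users[name] = {"salt": salt, "digest": digest,
                       "attrs": {"eduPersonAffiliation": affil,
                                 "mail": f"{name}@columbia.edu"}}
    cero = "https://cero.example/shibboleth"
    idp = IdentityProvider("columbia.edu", users, {cero: {"eduPersonAffiliation"}})
    sp = ServiceProvider(cero, {"eduPersonAffiliation"}, {"staff", "student", "alum"})
    return sp, WAYF([idp])
```

Two points the slide makes are visible in the code: the password is checked only inside `IdentityProvider.authenticate`, so the SP never handles it, and `attribute_query` consults the release policy for the asking SP with an empty default, so the sample user's `mail` attribute stays at the IdP and an SP that is not listed in the policy receives nothing and is refused access.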

Page 7: Shibboleth and CU

columbia.edu/~jb701/shib

Page 8: Shibboleth and CU

What’s Carol’s involvement?

Columbia Educational Resources Online (CERO) needed to serve three audiences:
CU affiliates with valid UNI/password
Non-CU users with valid username/password
Users at subscribing institutions with valid IP address

“CU affiliates” included not just on-campus users but off-campus users too, esp. alumni
New site to be built for alumni: Learning@Columbia, with links to CERO

Page 9: Shibboleth and CU

Why we used Shibboleth

Problem 1: How could we allow access to seminars via UNI login and still handle existing audiences?
Problem 2: How could we maintain the security of the UNI system in all transactions?
Problem 3: How could we make the login process smooth and seamless?
Problem 4: How could we require login once and keep users logged in for the duration of the browser session?
Answer: Shibboleth!

Page 10: Shibboleth and CU

Shibboleth setup for CERO

Page 11: Shibboleth and CU

Shib-enabled login process

Page 12: Shibboleth and CU

Details of general relevance

CU IdP existed for NSDL, but needed customization for CERO
New IdP created for the alternate registration system; can be used for other purposes (hence DKV/CU Press co-branding)
CERO now running on an alternate web server – no load balancing, no systems support
IP address auth still supported (outside Shib)

Page 13: Shibboleth and CU

Key players on CERO project

Walter Hoehn (EPIC, now University of Memphis): expertise in Shibboleth
Noah Levitt (EPIC): creator of the alternate registration system, no previous Shibboleth experience
Andrew Johnston, Steve McGrath (AcIS): WIND developers, managers of Tomcat, no previous Shibboleth experience
Carol Kassel (DKV): project manager, no previous Shibboleth experience

Page 14: Shibboleth and CU

Success!

Deployed November 2003
Very little downtime; very few technical problems
Promotion to alumni in Feb 2004: excellent response rate, no major issues

Page 15: Shibboleth and CU

JB’s NSDL Mission

Introduce the Middle School Community to the NSDL in hopes that they make use of the resources currently available at NSDL.org

Implement Shibboleth Origin sites in pilot middle schools (or at least “sell” the idea)

Page 16: Shibboleth and CU

How could Shibboleth be used?

Move away from IP address auth to Shib for subscribing institutions that have that capability – i.e., set up CIAO, Earthscape, Gutenberg<e>, CAHO as Service Providers
Involves deploying Shibboleth on main web servers, esp. for CIAO
Use Shib to provide more resources for CU alumni while supporting existing audiences
Shib-enable new web resources when they are developed

Page 17: Shibboleth and CU

Potential Obstacles

Lack of Shibbolized Targets: Without a selection of targets for the Shibbolized Origins to connect with, there is little incentive for middle schools to participate (the good ol’ Catch-22 scenario with essence of Chicken & Egg for flavor).

Variety of existing infrastructure and expertise: Assumption – because the middle schools vary so greatly in technical capabilities, guiding them through the process will be anything but formulaic, so there will be a large amount of one-on-one consultation.

Origins are more difficult to set up than Targets (trying to figure out why, but a few people have told me this).

Page 18: Shibboleth and CU

What are the advantages (SP)?

Much more secure than IP address auth
Allows off-campus users to access without additional user/password creation
CU committed to Shib development; CU usage of Shib sets a good example
As more institutions set up IdPs, they will begin demanding this technology

Page 19: Shibboleth and CU

The Shib Advantage (for origins) 1/3

Privacy: Users release to the targets only the information that they (or a guardian) authorizes.

Remote Access: Users can log in to resources on campus or remotely, via the WAYF.

Streamlined Access: Users set their attribute release policy (ARP) once at the origin rather than submitting their details to each individual resource (saves time and ensures accuracy/consistency). Additionally, users do not have to maintain a record of several different logins/passwords for several different resources.

Page 20: Shibboleth and CU

The Shib Advantage (for origins) 2/3

Simplified administration: Origin sites use their existing identity directories.

Direct Access to the most relevant information: because of the ARP, assumptions can be made about the relevance of specific materials to the user’s needs.

Page 21: Shibboleth and CU

The Shib Advantage (for origins) 3/3

Providing market data is not just altruistic: Because publishers will receive more detailed data from their users, instead of relying on generic access attributes, they will be able to perform better market research, which, in turn, helps educators by providing better, more tailored products.

Page 22: Shibboleth and CU

Onward!