Intra-campus Web SSO: Management Topics for Deployed Campuses
Nathan Dors, Technology Manager, University of Washington
CAMP Shibboleth, June 25-27, 2007
Topics
• Background
• Governance
• Business Policies
• Business Practices
• Central SP Strategy
• Departmental SP Strategy
Background
• Legacy intra-campus Web SSO service
  • Pubcookie 3.3.2d; two login flavors
  • Uses UW NetID, Kerberos, SecurID services
  • Over 1,000 registered legacy service providers
• UW Shibboleth Identity Provider system
  • Production deployment in 2005
  • Over 20 Central / Departmental Shibboleth service providers
  • Current InCommon member
  • InCommon SP sponsor (ProtectNetwork, Cdigix, Refworks)
Yesterday’s Scores
• Stage 1 scores from the Self-Assessment Checklist
  • Policy Steps: 1/7 (14%)
  • Business Practices: 5/6 (83%)
Web SSO Governance
• Questions raised by the self-assessment
  • Who governs the Web SSO service?
  • Who governs other authentication services?
  • Who governs application integration?
  • Who governs the UW NetID credential?
  • And what specifically do they govern?
[Diagram: Web SSO Governance. Areas the governing body would decide:]
• Privacy and Security
• Terms of Use
• Obligations
• Liabilities
• Records Retention & Access
• What apps must use the service
• Capabilities (e.g. 2-factor, reauth, logout)
• Policies (e.g. 8hr SSO duration)
• Usability
• Application design
UW Shib IdP Business Policies
• CA trust policy: UW CA, InCommon CA
• Default ARP for *.washington.edu
  • eduPersonAffiliation
  • eduPersonPrincipalName
  • eduPersonScopedAffiliation
• UW DNS name contacts can register new SPs
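As an added illustration (not UW's or Shibboleth's own code, and not the IdP's ARP file syntax), the default release rule above modelled as a small policy evaluator: the requester's providerId host is checked against washington.edu as an anchored DNS-suffix match, and only the three listed attributes are released. The deliberately unanchored variant shows why the match must be anchored: a substring test would also release attributes to a host such as washington.edu.attacker.example. The hostnames, the URN-form entityID and the user attribute values are constructed; the reading of "*.washington.edu" as "washington.edu or any host under it" is an assumption.

```python
"""Default attribute release for *.washington.edu service providers.

Added illustration, not UW's or Shibboleth's own code, and not the IdP's
ARP file syntax. It models the rule on the slide: SPs whose providerId
host is washington.edu or a subdomain of it receive the three eduPerson
attributes by default; every other requester gets nothing without an
explicit rule. Hostnames and attribute values below are constructed.
"""
import re
from urllib.parse import urlparse

# The three attributes the slide lists as released by default.
DEFAULT_RELEASE = frozenset({
    "eduPersonAffiliation",
    "eduPersonPrincipalName",
    "eduPersonScopedAffiliation",
})

# Assumption: "*.washington.edu" means a DNS-suffix match, anchored at both
# ends, so the host must end in ".washington.edu" (or be the apex itself).
_UW_SUFFIX = re.compile(r"^(?:[a-z0-9-]+\.)*washington\.edu$")

# Deliberately wrong pattern, kept only to show the pitfall: an unanchored
# substring test is satisfied by washington.edu.attacker.example.
_UNANCHORED = re.compile(r"washington\.edu")


def requester_host(provider_id: str) -> str:
    """Return the lower-cased host of a URL-form providerId/entityID.

    Shibboleth 1.x SPs identify themselves with a URL such as
    https://sp.cs.washington.edu/shibboleth. A URN-form entityID has no
    host, yields "" here, and so never matches the default rule.
    """
    return (urlparse(provider_id).hostname or "").lower()


def default_release(provider_id: str, *, anchored: bool = True) -> frozenset:
    """Attribute names released to provider_id under the default rule.

    anchored=False selects the unanchored pattern purely for comparison.
    """
    host = requester_host(provider_id)
    pattern = _UW_SUFFIX if anchored else _UNANCHORED
    return DEFAULT_RELEASE if pattern.search(host) else frozenset()


def filter_attributes(user_attrs: dict, provider_id: str) -> dict:
    """Apply the default rule to a resolved attribute set before assertion."""
    allowed = default_release(provider_id)
    return {name: value for name, value in user_attrs.items() if name in allowed}


if __name__ == "__main__":
    # Constructed user attribute set; the last two are not in the default ARP.
    user = {
        "eduPersonPrincipalName": "jdoe@washington.edu",
        "eduPersonAffiliation": ["staff"],
        "eduPersonScopedAffiliation": ["staff@washington.edu"],
        "mail": "jdoe@uw.example",
        "eduPersonEntitlement": ["urn:mace:dir:entitlement:common-lib-terms"],
    }
    for sp in ("https://sp.cs.washington.edu/shibboleth",
               "https://washington.edu.attacker.example/shibboleth",
               "urn:mace:incommon:partner.example"):
        print(sp, "->", sorted(filter_attributes(user, sp)))
```

Note that because the slide's registration policy lets any UW DNS name contact register an SP, the anchored match only narrows release to hosts those contacts administer; the rule is exactly as strong as UW's DNS name administration, which is why SP lifecycle management (raised on the next slide) matters for the attributes this rule hands out.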
UW Shib IdP Business Practices
• Self-service registration for UW DNS name contacts
• Pre-approved status for Central system admins
• But SP lifecycles currently unmanaged
• Allow use on central web-hosting environments?
  • e.g. faculty.washington.edu, staff.washington.edu, students.washington.edu
• “Quarter of interest” changes 1st Thursday before quarter start
Central Service Provider Strategy
• No strategy, just highly responsive tactics with partners
• Central/Partner successes
  • DRAM, CreateHope, WebAssign, Cdigix, E-academy.com, Confluence, iTunesU (Fall ‘07)
• Innovation and Discovery
  • UW NetID sign-up: Cascadia CC, SCCA
  • NSF Fastlane inter-federation interop work
  • Shib interop with Microsoft CardSpace
  • Google Apps (vs Microsoft Windows Live)
Departmental Service Provider Strategy
• Create a Web SSO service roadmap
  • Legacy vs Shibboleth vs Windows Authentication
• Create local deploy and migrate guides
  • Extract knowledge from the local Shib team
• Set an install bar: system admins should be able to install/activate an SP in under 1.75 hours
• Offer Install Fest(s) through UW Computer Training
  • For Customer Support staff
  • For SP “frequent flyers”
  • For interested admins… seed a community
• And trust that Attribute Delivery is the carrot