Shibboleth at Columbia Update

  1. Shibboleth at Columbia Update David Millman R&D July ’05 dsm@columbia.edu

  2. Shibboleth
  • Motivation & history
  • Architecture
  • Examples
  • Policy issues
  • Future

  3. Shibboleth Definition Language usage indicative of one's regional and/or social origins used to identify members of one's own or of another group. Borrowed from Biblical Hebrew; refers to the story in the Book of Judges 12:5-6 in which shibboleth was used by the Gileadites as a password to identify the Ephraimites by their dialectal pronunciation. www.csa.com/hottopics/ebonics/gloss.php

  4. Motivation
  • National Science Digital Library (nsdl.org, NSF grant to EPIC)
    • ca. 200 separate awards—collections, services, targeted research, curating aggregators
    • 3 “core integration” awards—UCAR (Univ Corp for Atmospheric Research, Boulder), Columbia, Cornell
  • Columbia Role
    • relations with the publishing industry
    • distributed, flexible, private access management

  5. Origin within Standards
  • Internet2 consortium (internet2.edu)
    • high-performance networking
    • middleware
    • video & computation
  • Shib is an application of the Security Assertion Markup Language (SAML) from oasis-open.org web standards organization (cf. W3C, IETF) — same as used by the Liberty Alliance
  • Original work at Columbia on 3rd-party access management (cf. DLib Magazine ’98)
  • University, library privacy concerns

  6. Architecture
  • Multiple, distributed Service Providers (SP)
    • applications
    • accept the agreed set of user attributes
  • Multiple, distributed Identity Providers (IdP)
    • localized login
    • assert proof of identity (authentication) for members of their respective communities without disclosing individual identity
    • transmit standard, widely agreed user attributes (“directory” information)
  • Shared service for users to choose their local identity provider (WAYF— “where are you from?”)

  7. Architecture (flow diagram: User Browser, Service, WAYF and Local Identity Infrastructure, with the exchange numbered in steps 1 to 9)
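As an added illustration of the SP / WAYF / IdP exchange in slides 6 and 7 (example code written for this page, not Columbia's or the Shibboleth project's software): a toy federation in which the IdP logs the user in locally and releases only the agreed attributes under a pairwise pseudonym, the WAYF maps the user's home scope to its IdP, and the SP checks the assertion's signature, audience and expiry before authorising. The HMAC signature, the key constants, and every user, password and SP identifier are constructed assumptions; real deployments use signed SAML assertions with PKI certificates published in federation metadata.

```python
import hmac, hashlib, json, time

# Constructed demo keys (assumption: real Shibboleth signs SAML assertions with
# PKI certificates published in federation metadata, not a shared HMAC key).
SIGNING_KEY = b"constructed-idp-signing-key"
PSEUDONYM_SECRET = b"constructed-idp-pseudonym-secret"
AGREED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonTargetedID"}
def sign(body):  # stands in for the XML signature on a SAML assertion
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, raw, hashlib.sha256).hexdigest()

class IdP:  # Identity Provider: local login, releases only agreed attributes
    def __init__(self, scope, users):
        self.scope, self.users = scope, users  # scope such as "columbia.edu"
    def authenticate(self, user, password, sp_id):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None
        # Pairwise pseudonym: a different opaque id per SP, so no SP can identify or correlate
        pseud = hmac.new(PSEUDONYM_SECRET, f"{user}|{sp_id}".encode(),
                         hashlib.sha256).hexdigest()[:20]
        body = {"issuer": self.scope, "audience": sp_id,
                "expires": int(time.time()) + 300,
                "attributes": {"eduPersonTargetedID": pseud,
                               "eduPersonScopedAffiliation":
                                   f"{rec['affiliation']}@{self.scope}"}}
        return {"body": body, "sig": sign(body)}

class WAYF:  # "Where are you from?": maps a home scope to its IdP
    def __init__(self, idps):
        self.idps = {idp.scope: idp for idp in idps}
    def locate(self, scope):
        return self.idps.get(scope)

class SP:  # Service Provider: verifies the assertion, authorises on attributes
    def __init__(self, sp_id, wayf, allowed_affiliations):
        self.sp_id, self.wayf, self.allowed = sp_id, wayf, allowed_affiliations
    def login(self, user, password, home_scope):
        idp = self.wayf.locate(home_scope)
        assertion = idp.authenticate(user, password, self.sp_id) if idp else None
        if assertion is None:
            return None
        body = assertion["body"]
        if not hmac.compare_digest(sign(body), assertion["sig"]):
            return None  # forged or altered assertion
        if body["audience"] != self.sp_id or body["expires"] < time.time():
            return None  # replayed at the wrong SP, or expired
        attrs = {k: v for k, v in body["attributes"].items() if k in AGREED_ATTRIBUTES}
        if attrs.get("eduPersonScopedAffiliation") not in self.allowed:
            return None  # authenticated, but not authorised for this service
        return attrs
```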

  8. Architecture . . . from SWITCH—Swiss Education & Research Network

  9. Local Examples
  • Database of Recorded American Music (DRAM)
    • http://www.columbia.edu/cgi-bin/cul/resolve?clio5020426
    • federation: Internet2 inQueue
  • Columbia Educational Resources Online (CERO)
    • http://cero.columbia.edu/0711/web/sect_1/0711_s1_fr.html
    • federation: edu-fed.org (Columbia invention)
  • Digital Anthropology Resources for Teaching (DART)
    • https://dart.columbia.edu/secure/gandhi-timeline/sect_5/timeline.html
    • federation: edu-fed
  • National Science Digital Library (NSDL)
    • https://nsdl.org/Authentication
    • federation: nsdl
  • ARTstor
    • federation: Internet2 inQueue
  • (more reliable demo page: http://www.columbia.edu/~dsm/200507shib/ )

  10. Issues
  • Technical
    • WAYF scalability
    • PKI adoption (digital certificates, etc.)
  • Policy
    • any bilateral arrangement doesn’t take advantage of the built-in scalability of the Shibboleth architecture
  • Federation
    • represents agreement on procedures—a legal framework
    • encourages standards for directory information (eduPerson, course membership)
    • controlling issuance of certificates to participants—gateway function
  • Examples
    • edu-fed.org (LSE/CU)
    • inQueue (Internet2 test)
    • inCommon (Internet2 production)

  11. Federation Implications
  • may clarify internal agreements about identity management & policy at the local institution
  • information offered to the federation is the same for all members—is that acceptable, without trusting each new member bilaterally?
  • international questions

  12. Future—next steps
  • other SAML-based frameworks (longer term)
  • directory/attribute standards (stable in some cases—but still per-institution issues)
  • application re-architecting (esp. NSDL at the moment)
  • federal/international certification authorities (medium term—pilots in progress)

  13. Questions?
