JISC Metaleth Project
Athens, Shibboleth and the University of Bristol
29th January 2007
Outline
• What changes to access management are JISC proposing?
• What is Shibboleth?
• What will these changes mean
• For end-users?
• For UoB staff?
• What are the timescales?
• What are the UoB plans?
What is happening?
• JISC is aiming to improve the way in which users access resources throughout the UK educational sector
• Goal: to allow users to access internal and external resources seamlessly using a single, institutionally controlled identity
• Reduce substantially (if not eliminate altogether) current problems in which users are required to maintain multiple passwords for multiple resources in multiple domains
What is happening? (2)
• JISC support for Athens will cease
• Athens will be available as a paid-for service
• New JISC strategy based on Shibboleth technology, a new standards-based approach in this area
Why the move from Athens?
• Relies on separate credentials
• Forgotten or written down (a security issue)
• Shibboleth uses local credentials
• Demand for more sophisticated systems for enabling access to materials and resources
• Shibboleth’s flexible design provides a good basis for meeting these demands.
What is Shibboleth?
• Federated access management framework
• Federation of Identity Providers (IdPs) and Service Providers (SPs)
• No central identity service
• SPs talk to user’s IdP
• Authorisation decisions based on IdP-provided information
• Federation provides trust fabric
• Allows SPs and IdPs to trust each other
What is Shibboleth? (2)
• Acknowledgement:
• Taken from SWITCH AAI
What is Shibboleth? (3)
• For web services only
• Integrated with local authentication
• Single Sign On CAS in UoB case
• Location independent
• Won’t necessarily provide UoB IP address to those services that use IP addresses to make authorisation decisions
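The "What is Shibboleth?" slides above, as an added example (not from the original slides and not Shibboleth's own code): a simplified model of an SP deciding access from IdP-provided attributes, trusting only IdPs listed in federation metadata and only scopes registered to the asserting IdP. All entity IDs, scopes and function names are constructed; signature checks on the assertion and on the metadata are assumed to have already passed.

```python
# Simplified model of an SP access decision inside a federation.
# Illustrative only: entity IDs, scopes and names below are constructed.

# Federation metadata (the trust fabric): each member IdP and the scopes
# (domains) it is registered to assert attributes for.
FEDERATION_METADATA = {
    "https://idp.uni-a.example/shibboleth": {"uni-a.example"},
    "https://idp.uni-b.example/shibboleth": {"uni-b.example"},
}

# SP-side policy: affiliations allowed to use the protected resource.
ALLOWED_AFFILIATIONS = {"staff", "student", "member"}


def accepted_affiliations(idp, attributes):
    """Return affiliations whose scope is registered to the asserting IdP."""
    scopes = FEDERATION_METADATA.get(idp)
    if scopes is None:
        # IdP is not a federation member: none of its attributes are trusted.
        return set()
    accepted = set()
    for value in attributes.get("eduPersonScopedAffiliation", []):
        affiliation, sep, scope = value.rpartition("@")
        # Drop unscoped values and values scoped to another institution.
        if sep and affiliation and scope.lower() in scopes:
            accepted.add(affiliation.lower())
    return accepted


def authorise(idp, attributes):
    """Grant access only on attributes the IdP is entitled to assert."""
    return bool(accepted_affiliations(idp, attributes) & ALLOWED_AFFILIATIONS)


if __name__ == "__main__":
    idp_a = "https://idp.uni-a.example/shibboleth"
    cases = [
        (idp_a, ["staff@uni-a.example"]),   # member IdP, own scope
        (idp_a, ["staff@uni-b.example"]),   # member IdP, someone else's scope
        ("https://idp.unknown.example/shibboleth", ["staff@uni-a.example"]),
    ]
    for idp, values in cases:
        print(idp, values, authorise(idp, {"eduPersonScopedAffiliation": values}))
```

The decision never uses the client's IP address, which matches the location-independence point on the slide.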
What changes will there be for end-users?
• Single Sign On extended
• To UoB resources protected by CAS SSO
• To third-party resources protected by Athens or Shibboleth
• Users will have to negotiate new WAYF step
• Techniques to reduce the impact of this
What changes will there be for UoB staff?
• No more separate Athens identity management
• Users will login to UoB SSO when visiting external protected resources
• In time, no separate account management for non-UoB users
• e.g. external Blackboard users
What changes will there be for UoB staff? (2)
• UoB will have to run (or outsource) a Shibboleth IdP
• Linked to LDAP and CAS SSO
• One for the techies
• Attribute exchange with resource providers will have to be managed
• Again, one for the techies
What support is there?
• JISC-provided UK Access Management Federation for Education and Research
• UoB experience from JISC-funded pilot project
• Metaleth (Metalib + Shibboleth)
• A Shibboleth to Athens gateway
• Provided by Eduserv
What is the time frame?
• JISC asking institutions to recognise this change within their IT strategies for the next two years
• Athens contract with JISC renewed until July 2008
• Will run in parallel to the UK access management federation and the Athens/Shibboleth gateway
• From July 2008, JISC will support access management through the UK access management federation
• Athens will become a paid-for service
What are the next steps we need to take?
• UoB currently evaluating alternate approaches
• Run the Shibboleth infrastructure ourselves
• Identity provision, Attribute Authority
• Outsource to Eduserv
What are the next steps we need to take? (2)
• Project starts in April
• Goal: replace Athens at UoB for the Autumn
• Tasks:
• A production Shibboleth IdP
• Transfer of current Athens-protected resources
• Shibboleth directly or via Athens/Shibboleth gateway
• Policy decisions to be taken regarding attribute release and privacy
• Managing the change-over for end-users
• Documentation, awareness raising
Further Information
• JISC Access Management
• http://www.jisc.ac.uk/whatwedo/themes/access_management.aspx
• UK Access Management Federation for Education and Research
• http://www.ukfederation.org.uk/
• Shibboleth
• http://shibboleth.internet2.edu/
Questions?
• Jasper.Tredgold@bris.ac.uk