Shibboleth and CU
Carol Kassel, Digital Knowledge Ventures (DKV)
James Burger, National Science Digital Library (NSDL)
Table of contents
• What is Shibboleth?
• How is it being used at CU?
• What’s Carol’s involvement? Jim’s involvement?
• How could Shibboleth be used?
• What are the advantages to using it (SP)?
• What are the advantages to using it (IdP)?
What is Shibboleth?
• “Shibboleth, a project of Internet2/MACE, is developing architectures, policy structures, practical technologies, and an open source implementation to support inter-institutional sharing of web resources subject to access controls. In addition, Shibboleth will develop a policy framework that will allow inter-operation within the higher education community.”
• In English: Shibboleth allows users from different institutions or groups to obtain access to protected content anywhere on the Web. Users log in locally and their privacy is maintained.
• Shibboleth is “middleware,” software that facilitates communication between or among servers.
How is it being used at CU?
• National Science Digital Library (NSDL) – an interinstitutional project being developed in part by EPIC
• DART (Digital Anthropology Resources for Teaching) – in development jointly by LSE and CU (including EPIC)
• Artstor – some CU involvement
• CERO – developed by DKV; Shib-enabling by EPIC
• That’s it…for now!
Shibboleth pieces
• “Service provider” (SP, or “target”) – the site that users want to access
• “Identity provider” (IdP, or “origin”) – the place where users need to log in; the holder of user data
• “Where are you from?” page (WAYF) – the place where users identify themselves so that they can log in appropriately
• Attributes – info about the user that gets released from the IdP to the SP, according to policies on both ends
What’s Carol’s involvement?
• Columbia Educational Resources Online (CERO) needed to serve three audiences:
  • CU affiliates with valid UNI/password
  • Non-CU users with valid username/password
  • Users at subscribing institutions with valid IP address
• “CU affiliates” included not just on-campus users but off-campus users, too, esp. alumni
• New site to be built for alumni: Learning@Columbia, with links to CERO
Why we used Shibboleth
• Problem 1: How could we allow access to seminars via UNI login and still handle existing audiences?
• Problem 2: How could we maintain security of the UNI system in all transactions?
• Problem 3: How could we make the login process smooth and seamless?
• Problem 4: How could we require login once and keep users logged in for the duration of the browser session?
• Answer: Shibboleth!
Details of general relevance
• CU IdP existed for NSDL, but needed customization for CERO
• New IdP created for alternate reg system; can be used for other purposes (hence DKV/CU Press co-branding)
• CERO now running on alternate web server – no load balancing, no systems support
• IP address auth still supported (outside Shib)
Key players on CERO project
• Walter Hoehn (EPIC, now University of Memphis): expertise in Shibboleth
• Noah Levitt (EPIC): creator of alternate reg system, no previous Shibboleth experience
• Andrew Johnston, Steve McGrath (AcIS): WIND developers, managers of Tomcat, no previous Shibboleth experience
• Carol Kassel (DKV): project manager, no previous Shibboleth experience
Success!
• Deployed November 2003
• Very little downtime; very few technical problems
• Promotion to alumni in Feb 2004: excellent response rate, no major issues
JB’s NSDL Mission
• Introduce the Middle School Community to the NSDL in hopes that they make use of the resources currently available at NSDL.org
• Implement Shibboleth Origin sites in pilot middle schools (or at least “sell” the idea)
How could Shibboleth be used?
• Move away from IP address auth to Shib for subscribing institutions that have that capability – i.e., set up CIAO, Earthscape, Gutenberg<e>, CAHO as Service Providers
• Involves deploying Shibboleth on main web servers, esp. for CIAO
• Use Shib to provide more resources for CU alumni while supporting existing audiences
• Shib-enable new web resources when they are developed
Potential Obstacles
• Lack of Shibbolized Targets: Without a selection of targets for the Shibbolized Origins to connect with, there is little incentive for middle schools to participate (the good ol’ Catch-22 scenario with essence of Chicken & Egg for flavor).
• Variety of existing infrastructure and expertise: Assumption – because the middle schools vary so greatly in technical capabilities, guiding them through the process will be anything but formulaic, so there will be a large amount of one-on-one consultation.
• Origins are more difficult to set up than Targets (trying to figure out why, but a few people have told me this).
What are the advantages (SP)?
• Much more secure than IP address auth
• Allows off-campus users to access without additional user/pw creation
• CU committed to Shib development; CU usage of Shib sets a good example
• As more institutions set up IdPs, they will begin demanding this technology
The Shib Advantage (for origins) 1/3
• Privacy: Users release to the targets only the information that they (or a guardian) authorize.
• Remote Access: Users can log in to resources on campus or remotely, via the WAYF.
• Streamlined Access: Users assign their attributes to the ARP (attribute release policy) rather than submitting them to each individual resource (saves time and ensures accuracy/consistency). Additionally, users do not have to maintain a record of several different logins/passwords for several different resources.
The Shib Advantage (for origins) 2/3
• Simplified administration: Origin sites use their existing identity directories.
• Direct Access to the most relevant information: because of the ARP, assumptions can be made about the relevancy of specific materials and user needs.
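To make the pieces from the “Shibboleth pieces” slide, the three CERO audiences and the ARP privacy point concrete, here is a small model of a target’s access decision (an added example, not code from the CU deployment or the Shibboleth project). The IdP names, usernames, passwords, attribute names and the 192.0.2.0/24 subscriber range are all constructed stand-ins; the SP keeps IP address auth outside Shib, sends everyone else through the WAYF to their origin, and sees only the attributes the user’s ARP releases to that particular SP.

```python
import hashlib
import ipaddress

# Constructed sample data for the demo; none of it comes from the real CU deployment.
SUBSCRIBER_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # a hypothetical subscribing institution


def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


class IdentityProvider:
    """Origin: authenticates users locally and releases attributes under a per-user ARP."""

    def __init__(self, name: str, users: dict, arp: dict):
        self.name, self.users, self.arp = name, users, arp

    def authenticate(self, username: str, password: str) -> bool:
        user = self.users.get(username)
        return user is not None and user["pw_hash"] == _h(password)

    def release(self, username: str, sp: str) -> dict:
        # The ARP says which attributes this user lets this SP see; everything else stays at the origin.
        allowed = self.arp.get(username, {}).get(sp, set())
        return {k: v for k, v in self.users[username].items() if k in allowed}


IDPS = {  # keyed by the user's answer on the "Where are you from?" page
    "columbia.edu": IdentityProvider(
        "CU IdP (hypothetical)",
        {"uni1": {"pw_hash": _h("uni-secret"), "affiliation": "alum", "email": "uni1@example.edu"}},
        {"uni1": {"cero": {"affiliation"}}},  # email is never released to anyone
    ),
    "alt-reg.example": IdentityProvider(
        "alternate registration IdP (hypothetical)",
        {"guest": {"pw_hash": _h("guest-secret"), "affiliation": "member"}},
        {"guest": {"cero": {"affiliation"}}},  # this user authorized release to CERO only
    ),
}


def sp_access(sp: str, client_ip: str, home: str = None, username: str = None, password: str = None):
    """Target-side decision: returns (granted, how, released_attributes)."""
    if any(ipaddress.ip_address(client_ip) in net for net in SUBSCRIBER_NETS):
        return True, "ip", {}  # IP address auth for subscribing institutions, still outside Shib
    idp = IDPS.get(home)  # WAYF step: route the user to their own origin
    if idp is None:
        return False, "unknown origin", {}
    if not idp.authenticate(username, password):  # the password is checked at the origin, never seen by the SP
        return False, "login failed", {}
    attrs = idp.release(username, sp)
    if attrs.get("affiliation") not in {"alum", "member", "student", "faculty", "staff"}:
        return False, "no usable affiliation released", attrs
    return True, "shib", attrs
```

The same user is admitted to CERO with only an affiliation attribute, and is refused at a second hypothetical SP because the ARP releases nothing there, which is the privacy property the slide describes.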
The Shib Advantage (for origins) 3/3
• Providing market data is not just altruistic: Because publishers will receive more detailed data from their users, instead of relying on generic access attributes, they will be able to perform better market research, which in turn helps the educators by providing better, more tailored projects.