ALPSP Effective Customer Authentication, 15-Jul-2004
Slide 1: The (now… then…) next of Authentication: Shibboleth
John Paschoud, SECURe Project, LSE Library

Slide 2: What this is (and isn’t)
- Not an argument that “Shibboleth is better than Athens”…
- …which would be no more useful than arguing that “VHS is better than Betamax” (or that DVDs are better than videotape?)
- …but an outline of JISC’s strategic development plans for authentication…
- …and why we need to change

Slide 3: JISC as a customer base
- All UK post-16 education
  – Around 500 HE and FE institutions
- Over 2 million current usernames
- Athens service to institutions is paid for via a single ‘top-sliced’ JISC contract with EduServ
- Around 200 licensed resources

Slide 4: Then, Now, Next
- Currently, most are using the original ‘big-database’ Athens service
  – Each institution doing its own user admin (often manually)
- Improved in the short term by progression to AthensDA
  – Which requires competent, automated user identity-management by institutions
  – …and not many are capable of this, yet
  – …which is the same/only major obstacle to (more) immediate progression to Shibboleth

Slide 5: Why Now: JISC Strategy
- Middleware appears under Aim One: “To develop solutions that help the UK education and research communities to keep their activities world class through the use of ICT.” (1.4 a middleware service)
- Meets Key Performance Indicator: “Develop a common, integrated information and communications environment.”

Slide 6: JISC Common Information Environment (diagram; Powell, A, July 2003, from UKOLN website)

Slide 7: Middleware is Everywhere
- Information Environment
- eLearning Technical Framework
- GRID Middleware / VRE
- Common Information Environment: JISC, Becta, Culture Online, DfES, eGovernment Unit, eScience Core Programme, MLA, The National Archives, NeLH, UKOLN

Slide 8: What is Core Middleware?
Core Middleware can be defined as the central services that are essential to middleware as a whole. These are: authentication, authorisation, directory services, identifiers.

Slide 9: So why change?
- Athens technology today uses its own proprietary protocols
- Software owned, maintained and developed by EduServ (a not-for-profit UK company)
- Little international take-up as yet
- Current Athens design lacks the flexibility of more recent approaches
- Not well adapted to inter-institutional scenarios, e.g. virtual organisations

Slide 10: Key requirements
A next-generation AM infrastructure must support the following scenarios:
- Internal (intra-institutional) applications as well as use between organisations
- Management of access to third-party digital library-type resources (as now)
- Inter-institutional use – stable, long-term resource sharing between defined groups (e.g. shared e-learning scenarios)
- Inter-institutional use – ad hoc collaborations, potentially dynamic in nature (virtual organisations or VOs)

Slide 11: JISC Common Information Environment (diagram; Powell, A, July 2003, from UKOLN website)

Slide 12: Solving the right problem
- Not trying to sustain a single-purpose infrastructure for access management
- Building a sustainable, integrated infrastructure that includes improved access management as one important service
- Acknowledging that we operate in a global information resources market

Slide 13: So… what is Shibboleth?
- An architecture developed by the Internet2 middleware community
- NOT an authentication scheme (relies on home site infrastructure to do this)
- NOT an authorisation scheme (leaves this to the resource owner)
- BUT an open, standards-based protocol for securely transferring attributes between home site and resource site
- Also provided as an open-source reference software implementation

Slide 14: Attribute-based Authorisation
- Identity-based approach (current)
  – The identity of a prospective user is passed to the controlled resource and is used to determine (perhaps with requests for additional attributes about the user) whether to permit access
  – This approach requires the user to trust the target to protect privacy
- Attribute-based approach (future)
  – Attributes are exchanged about a prospective user until the controlled resource has sufficient information to make a decision
  – This approach does not compromise user privacy
  – Resource owners can base access permissions on certified attributes that confirm compliance with the licences they have granted to institutions/libraries

Slide 15: Why this route?
- Clearly identified NEED for a new service from the community
- Good international take-up of Shibboleth
- Shibboleth trials successful (AAA Programme) – proven to meet requirements
- Interest from publishers worldwide
- Open standards

Slide 16: Shibboleth status
- Likely to coexist well with Liberty Alliance and may work within the WS framework from Microsoft
- Growing development interest in several countries, providing resource manager tools, digital rights management, etc.
- Used by several federations today – NSDL, InQueue, SWITCH – and several more soon (JISC, Australia, etc.)

Slide 17: Shibboleth-Enabled Applications and Services
ArtSTOR, Blackboard, CSA, Darwin Streaming Server, eAcademy, EBSCO Publishing, Elsevier ScienceDirect, ExLibris - SFX, EZProxy, Fedora, Gale, Higher Markets, JSTOR, Napster, NSDL, OCLC, Ovid Technologies Inc., Proquest Information and Learning, SYMPA, TWiki, Web Assign, WebCT, Zope4Edu

Slide 18: Current ‘top’ academic publishers for UK HE
ACM, ALPSP, Blackwell Publishing, Cambridge University Press, Elsevier, Kluwer Academic Publishers, Oxford University Press, Springer Verlag, Wiley, ProQuest, CSA, Gale, Thomson ISI for Web of Knowledge
Source: Nesli2, July 2004

Slide 19: Key Concerns
- Practical trials of the Shibboleth technology
- Policy development
- Support for wireless development
- Roles / attribute management (PERMIS)
- Needs of researchers
- Needs of FE
- Virtual Organisations

Slide 20: How JISC will support this
- Development of new tools by projects
- ‘Shibbolised’ JISC resources
- Core infrastructure development (including policy development)
- Public discussion event
- Early Adopters calls for both institutions and resource owners
- Assisted take-up services for origin (institution) and target (resource) sites

Slide 21: What JISC is doing now: Technology Development
- 16 funded projects, April 2004 – March 2007
- Investigating the development of middleware technology within key areas:
  – grid development
  – PERMIS development
  – portals development
  – inter-institutional collaboration
  – Shibboleth in non-University environments

Slide 22: What JISC is doing now: Infrastructure
- Building working Shibboleth infrastructure within the UK
- ‘Shibbolising’ JISC resources
  – EDINA, MIMAS and others
- Central services:
  – WAYF, target support, origin support, policy development
- Early Adopters calls
- Shibboleth - Athens gateway

Slide 23: Middleware Development: Timescale (diagram: timescales of the Athens contract, development and Core Middleware Development)

Slide 24: Questions?
Links:
- Shibboleth: http://shibboleth.internet2.edu
- Shibboleth-enabled applications & services: http://shibboleth.internet2.edu/seas.html
- JISC strategy: http://www.jisc.ac.uk/index.cfm?name=about_strategic
Contact: John Paschoud: j.paschoud@LSE.ac.uk

Slide 25: Shibboleth Architecture (diagram; “still photo, no moving parts”)

Slide 26: Shibboleth AA Process (diagram; participants: Users, Resource, WAYF, Home Org, Resource Owner)
1. The user’s request for the resource arrives at the target’s SHIRE.
2. SHIRE: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
3. WAYF: “Please tell me where you are from?”
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. HS: “I don’t know you. Please authenticate using WEBLOGIN.”
6. User DB: credentials checked.
7. HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
8. SHAR (holding the handle): “I don’t know the attributes of this user. Let’s ask the Attribute Authority.”
9. AA (returning attributes): “Let’s pass over the attributes the user has allowed me to release.”
10. Resource Manager (given the attributes): “OK, based on the attributes, I grant access to the resource.”
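The attribute-based flow of slides 14 and 26, modelled as an added Python example that is not part of the presentation or of the Shibboleth software: the home org’s Handle Service issues an opaque handle, the Attribute Authority releases only what the user’s release policy allows for that target, and the Resource Manager grants on the certified affiliation without ever learning who the user is. The attribute name eduPersonScopedAffiliation, the users, passwords, release policy and target name are constructed assumptions.

```python
import secrets
# Constructed sample home-org user directory (the "User DB" of slide 26).
USER_DB = {
    "alice": {"pw": "correct horse", "attrs": {
        "eduPersonScopedAffiliation": "member@lse.ac.uk", "mail": "alice@lse.ac.uk"}},
    "bob": {"pw": "battery staple", "attrs": {
        "eduPersonScopedAffiliation": "alum@lse.ac.uk", "mail": "bob@lse.ac.uk"}},
}
# Attribute release policy (constructed): which attributes each user lets the
# Attribute Authority release to a given target site. 'mail' is never released.
RELEASE_POLICY = {
    "alice": {"sciencedirect.example": {"eduPersonScopedAffiliation"}},
    "bob": {"sciencedirect.example": {"eduPersonScopedAffiliation"}},
}

class Origin:
    """Home org: Handle Service (HS) plus Attribute Authority (AA)."""
    def __init__(self):
        self._handles = {}  # opaque handle -> username; never leaves the origin

    def handle_service(self, username, password):
        """Steps 5-7: authenticate locally, hand back an opaque one-shot handle."""
        user = USER_DB.get(username)
        if user is None or not secrets.compare_digest(user["pw"], password):
            raise PermissionError("authentication failed")
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = username
        return handle

    def attribute_authority(self, handle, target):
        """Step 9: resolve the handle and release only what the user allowed."""
        username = self._handles.pop(handle, None)  # consumed: a replay gets nothing
        if username is None:
            return {}
        allowed = RELEASE_POLICY.get(username, {}).get(target, set())
        return {k: v for k, v in USER_DB[username]["attrs"].items() if k in allowed}

def resource_manager(attrs, licensed_scopes):
    """Step 10: decide on the certified affiliation alone, not on identity."""
    role, _, scope = attrs.get("eduPersonScopedAffiliation", "").partition("@")
    return role in {"member", "staff", "student"} and scope in licensed_scopes

def access_resource(origin, username, password, target, licensed_scopes):
    """Steps 1-10 end to end; returns (granted, attributes the target saw)."""
    handle = origin.handle_service(username, password)
    attrs = origin.attribute_authority(handle, target)  # SHAR asks the AA
    return resource_manager(attrs, licensed_scopes), attrs
```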

Slide 27: Technical Components
- Origin Site – required enterprise infrastructure
  – Authentication
  – Attribute Repository
- Origin Site – Shib components
  – Handle Server
  – Attribute Authority
- Target Site – required enterprise infrastructure
  – Web Server (Apache or IIS)
- Target Site – Shib components
  – SHIRE
  – SHAR
  – WAYF
  – Resource Manager

