Intra-campus Web SSO Management
Topics for Deployed Campuses

Nathan Dors, Technology Manager
University of Washington
CAMP Shibboleth, June 25-27, 2007
Topics
Background
Governance
Business Policies
Business Practices
Central SP Strategy
Departmental SP Strategy
Background
Legacy intra-campus Web SSO service
– Pubcookie 3.3.2d; two login flavors
– Uses UW NetID, Kerberos, SecurID services
– Over 1,000 registered legacy service providers
UW Shibboleth Identity Provider system
– Production deployment in 2005
– Over 20 Central / Departmental Shibboleth service providers
– Current InCommon member
– InCommon SP sponsor (ProtectNetwork, Cdigix, Refworks)
Yesterday’s Scores
Stage 1 Scores from Self-Assessment Checklist
– Policy Steps, 1/7 (14%)
– Business Practices, 5/6 (83%)
Web SSO Governance
Questions raised by self-assessment
– Who governs the Web SSO service?
– Who governs other authentication services?
– Who governs application integration?
– Who governs the UW NetID credential?
– And what specifically do they govern?
Web SSO Governance
Privacy and Security
Terms of Use
Obligations
Liabilities
Records Retention & Access
What apps must use the service
Capabilities (e.g. 2-factor, reauth, logout)
Policies (e.g. 8hr SSO duration)
Usability
Application design
UW Shib IdP Business Policies
CA trust policy: UW CA, InCommon CA
Default ARP for *.washington.edu
– eduPersonAffiliation
– eduPersonPrincipalName
– eduPersonScopedAffiliation
UW DNS name contacts can register new SPs
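The default attribute release policy on this slide, written out as an added example in the Shibboleth 1.3 ARP syntax (the generation of IdP in production in 2005-2007). This is not the UW IdP's own arp.site.xml; the requester regex, the description wording, and the assumption that UW SP providerIds are HTTPS URLs under washington.edu are mine. The ARP is permit-based, so a requester that matches no rule receives no attributes at all, and a matching requester receives only the three attributes named here:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustrative example (not the UW IdP's own arp.site.xml).
     Shibboleth 1.3 site ARP: release only the three attributes named on the
     slide, and only to requesters under washington.edu. -->
<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Description>Default release for *.washington.edu service providers (assumed wording)</Description>
  <Rule>
    <Target>
      <!-- Requester is the SP's providerId (entityID). The regex is an
           assumption about how local SP providerIds are named; adjust it to
           the campus convention. Anchors keep "washington.edu.attacker.example"
           style names from matching. -->
      <Requester matchFunction="urn:mace:shibboleth:arp:matchFunction:regexMatch">^https://[^/]+\.washington\.edu(/.*)?$</Requester>
    </Target>
    <!-- Permit-based: only the attributes listed below are released to this
         requester set; everything else resolved for the user is withheld. -->
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
```

Two caveats a deployer would want. First, the ARP decides what a requester gets, not whether it is trusted: the CA trust policy on the slide (UW CA, InCommon CA) is enforced separately through the IdP's metadata and trust configuration, and a providerId that merely looks like a washington.edu name gains nothing from this rule unless the SP is also in trusted metadata. Second, because release is decided by name pattern rather than by an explicit per-SP registration, the self-service registration practice on the next slide effectively becomes the real access-control boundary; when reviewing the release policy it is worth reading the two together.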
UW Shib IdP Business Practices
Self-service registration for UW DNS name contacts
– Pre-approved status for Central system admins
– But SP lifecycles currently unmanaged
Allow use on central web-hosting environments
– e.g. faculty.washington.edu, staff.washington.edu, students.washington.edu?
“Quarter of interest” changes 1st Thursday before quarter start
Central Service Provider Strategy
No strategy, just highly responsive tactics with partners
Central/Partner successes
– DRAM, CreateHope, WebAssign, Cdigix, E-academy.com, Confluence, iTunesU (Fall ‘07)
Innovation and Discovery
– UW NetID sign-up: Cascadia CC, SCCA
– NSF FastLane inter-federation interop work
– Shib interop with Microsoft CardSpace
– Google Apps (vs Microsoft Windows Live)
Departmental Service Provider Strategy
Create a Web SSO service roadmap
– Legacy vs Shibboleth vs Windows Authentication
Create local deploy and migrate guides
– Extract knowledge from local Shib team
– Set install bar: system admins should be able to install/activate an SP in under 1.75 hours
Offer Install Fest(s) through UW Computer Training
– For Customer Support staff
– For SP “frequent flyers”
– For interested admins… seed a community.
And trust that Attribute Delivery is the carrot
End
(Klara … you’re up.)