Shibboleth Access Management System Walter Hoehn & David Millman, Columbia University.

1 Shibboleth Access Management System
Walter Hoehn & David Millman, Columbia University

2 Introduction
- Why does the web need identity?
  - Access control
  - Customization
  - Collaboration
- Challenges
  - Privacy concerns/obligations
  - Hundreds of passwords vs. Passport
  - Protocol limitations

3 Shibboleth Overview
- Federated identity management
- Flexible attribute profiles
- Privacy controls
- Works with existing browser technology
- Standards-based

4 Shibboleth Overview (cont.)
- Origins (identity providers)
  - Manage user identity data
  - Authenticate users
  - Administer attribute release policies
  - Provide user attributes
- Targets (resource providers)
  - Administer access control policies
  - Administer attribute acceptance policies
  - Request attributes
  - Provide digital resources/services

6 Demo NSDL.org

7 Who is working on Shibboleth?
- Internet2 (UCAID)
- Columbia University
- Brown University
- The Ohio State University
- The University of Washington
- MIT

8 Who is using Shibboleth?
- 17 identity providers (15 US universities, 1 UK university, Swiss Education and Research Network)
- 4 content vendors (JSTOR, OCLC, EBSCO, ProQuest)
- 2 course management systems (Blackboard, WebCT)
- 1 online grading system (WebAssign)
- 1 inter-library loan vendor (Innovative Interfaces)

9 Advances since the last All-Projects meeting
- Security
  - PKI-based signature verification
  - SAML 1.1 support
- Performance
  - Improved caching mechanisms
  - Target can request specific attributes
- Privacy
  - Attribute Release Policy language and engine

10 Advances since the last All-Projects meeting (cont.)
- Integration
  - Attribute Resolution Engine (runtime configuration, metadirectory functionality)
  - Support for international characters in assertions
  - Stateless handle mechanism, which allows for fault-tolerant configurations
  - Support for using SSL client authentication to authenticate to the origin
- Expanded platform support
  - Origin: all JDK 1.4-compatible platforms
  - Target: Linux, Solaris, Windows / Apache, IIS

11 Use Case: Accessibility
- A government agency creates a web site containing video footage of historically important NASA space flights
- The web site's interface must be adaptable for users with disabilities
  - A user with low vision prefers custom colors, font face, and font size.
  - A user with hand tremors might prefer bigger links and buttons.

12 Use Case: Accessibility (cont.)
- Appropriate content can be selected, or search priorities can be pre-set for accessible resources
  - A user who is deaf may want only videos with closed captioning
  - A user who is blind may want images with text descriptions and videos with audio descriptions to be ranked highly in search results

13 Use Case: Accessibility (cont.)
- A solution
  - Agency installs a Shibboleth-enabled web service
  - The user's identity provider transmits accessibility metadata (IMS Learner Information Profile) to the web site via Shibboleth
  - Web site assigns style sheets based on accessibility metadata
  - Web site search service uses accessibility metadata in ranking algorithms

Contact: Madeleine_Rothberg@wgbh.org

14 Use Case: Subscription-based content
- An online aggregator of scholarly medical publications sells subscriptions to a university library
- Eligible users should be able to access the content regardless of location
- The aggregator wants the flexibility to offer license agreements to subsets of a university community
- The library wants to maintain the privacy of its patrons and the security of their personal data

15 Use Case: Subscription-based content (cont.)
- A solution
  - Aggregator installs a Shibboleth-enabled web service
  - The university's IT department deploys a Shibboleth origin in conjunction with its central directory service
  - The university transmits eduPersonEntitlement attribute data via Shibboleth

16 Use Case: Web site containing curriculum aids for middle school science
- The site includes curriculum aids, such as photographs, videos, maps, and report topics, that are freely available for students to download
- The site also includes lesson plans, discussion questions, and tests that accompany the freely available materials. These materials should only be available to educators.

17 Use Case: Web site containing curriculum aids for middle school science (cont.)
- A solution
  - Site installs a Shibboleth-enabled web service
  - The user's identity provider transmits information related to teacher credentialing
- Requirements are different
  - Not a user-settable preference (as in the accessibility use case)
  - Not provided by existing university infrastructure (as in the subscription use case)

18 Target Installation
- Prerequisites
  - SSL-enabled web server
  - Supported platform
  - Relationship with an identity provider or federation
- Install pluggable Shibboleth module
- Configure site metadata
- Configure attribute acceptance policies
- Configure access control rules
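The three policy layers that slides 4, 15 and 18 describe (an attribute release policy at the origin, an attribute acceptance policy and then access control rules at the target) are easiest to see end to end in a small model. The following is an added example, not Shibboleth's own code or configuration format: the policies are plain Python dictionaries rather than Shibboleth's XML, the scope check in the acceptance step is a simplification of how a target decides which origin may assert which scoped values, and the origin scopes, the target name "aggregator.example", the user "alice" and the entitlement URN are all constructed sample values (only the eduPerson attribute names are real). It walks through the subscription use case: the origin releases just the two attributes the aggregator needs, the aggregator drops anything its acceptance policy does not cover or that a trusted origin is not authoritative for, and only then applies its access rule.

```python
"""Illustrative model of the Shibboleth attribute flow: origin applies the attribute
release policy (ARP), target applies the attribute acceptance policy (AAP) and then an
access-control rule.  Added example, not Shibboleth's own code; policy structures are a
simplification of the real XML policies and all sample values are constructed."""

from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Real eduPerson attribute names; the values used below are constructed sample data.
ENTITLEMENT = "eduPersonEntitlement"
SCOPED_AFFILIATION = "eduPersonScopedAffiliation"
SCOPED_ATTRIBUTES = {SCOPED_AFFILIATION}  # values look like "member@scope"

Attrs = Dict[str, Set[str]]


@dataclass
class Origin:
    """Identity provider: authenticates users, holds their data, enforces the ARP."""
    scope: str                           # scope this origin is authoritative for
    directory: Dict[str, Attrs]          # user -> attribute -> values
    release_policy: Dict[str, Set[str]]  # target name -> attributes releasable to it

    def release(self, user: str, target: str) -> Attrs:
        """Privacy control: only attributes the ARP allows for this target leave the origin."""
        allowed = self.release_policy.get(target, set())
        return {a: set(v) for a, v in self.directory.get(user, {}).items() if a in allowed}


@dataclass
class Target:
    """Resource provider: enforces the AAP, then the access-control rule."""
    name: str
    trusted_scopes: Set[str]                          # origins known from federation metadata
    acceptance_policy: Dict[str, Optional[Set[str]]]  # attribute -> allowed values (None = any)
    access_rule: Callable[[Attrs], bool]

    def accept(self, origin_scope: str, attrs: Attrs) -> Attrs:
        """Drop attributes the AAP does not list, values it does not allow, and scoped
        values whose scope is not the asserting origin's own (a trusted origin still
        may not vouch for members of another institution)."""
        if origin_scope not in self.trusted_scopes:
            return {}
        kept: Attrs = {}
        for name, values in attrs.items():
            if name not in self.acceptance_policy:
                continue
            allowed = self.acceptance_policy[name]
            good = set()
            for v in values:
                if allowed is not None and v not in allowed:
                    continue
                if name in SCOPED_ATTRIBUTES and v.rsplit("@", 1)[-1] != origin_scope:
                    continue
                good.add(v)
            if good:
                kept[name] = good
        return kept

    def authorize(self, origin_scope: str, attrs: Attrs) -> bool:
        """Access control runs only over attributes that survived the AAP."""
        return self.access_rule(self.accept(origin_scope, attrs))


# Constructed subscription scenario (slides 14-15); the URN is a placeholder.
SUBSCRIPTION = "urn:example:aggregator:medical-journals"
SUBSCRIBING_SCOPES = {"columbia.edu"}


def subscription_rule(attrs: Attrs) -> bool:
    """Aggregator rule: user's home institution subscribes and the user holds the entitlement."""
    scopes = {v.rsplit("@", 1)[-1] for v in attrs.get(SCOPED_AFFILIATION, set())}
    return bool(scopes & SUBSCRIBING_SCOPES) and SUBSCRIPTION in attrs.get(ENTITLEMENT, set())


COLUMBIA = Origin(
    scope="columbia.edu",
    directory={"alice": {
        "displayName": {"Alice Example"},
        "mail": {"alice@columbia.edu"},
        SCOPED_AFFILIATION: {"member@columbia.edu"},
        ENTITLEMENT: {SUBSCRIPTION},
    }},
    # ARP: the aggregator sees affiliation and entitlement, never name or mail.
    release_policy={"aggregator.example": {SCOPED_AFFILIATION, ENTITLEMENT}},
)

AGGREGATOR = Target(
    name="aggregator.example",
    trusted_scopes={"columbia.edu", "other.edu"},
    acceptance_policy={SCOPED_AFFILIATION: None, ENTITLEMENT: {SUBSCRIPTION}},
    access_rule=subscription_rule,
)


def scenarios() -> Dict[str, object]:
    """Run the happy path plus the cases each policy layer is there to stop."""
    released = COLUMBIA.release("alice", AGGREGATOR.name)
    claimed = {SCOPED_AFFILIATION: {"member@columbia.edu"}, ENTITLEMENT: {SUBSCRIPTION}}
    return {
        "released": released,                                            # ARP: 2 attributes only
        "authorized": AGGREGATOR.authorize(COLUMBIA.scope, released),    # True
        "untrusted_origin": AGGREGATOR.authorize("rogue.example", claimed),  # not in metadata
        "wrong_scope": AGGREGATOR.authorize("other.edu", claimed),       # trusted, not authoritative
        "unknown_target": COLUMBIA.release("alice", "unknown.example"),  # ARP releases nothing
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: {result}")
```

The release step is where the slide's privacy goal lives: the directory holds name and mail, but the aggregator never receives them. The acceptance step is where a target protects itself from a federation peer that is trusted but not authoritative: "other.edu" may assert "member@other.edu", not "member@columbia.edu". Real Shibboleth expresses these policies in XML and draws the list of trusted origins from federation metadata; the shape of the decisions is the same.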

19 Target Installation (cont.)
- Current required skill set
  - Service platform competency (OS, web server, application environment)
  - SSL
  - XML
  - X.509/PKI
  - Shibboleth federation model
- Closing the gap
  - Identify appropriate staff
  - Better software packaging/streamlined installation

20 Research/Directions for the future
- Access management for N-tier applications
- Attribute release policies
  - Interfaces
- Resource description metadata
- Authorization services (XACML)
- Integration with other SAML-based identity services (Liberty)
