Preparing Your Institution for Shibboleth

ShibboLEAP: a production model for institutional Shibboleth adoption

John Paschoud and Simon McLeish
LSE Library Projects Team, London School of Economics & Political Science, UK
(and thanks to Nicole Harris for JISC programmes updates)

26-Apr-06, Internet2 Spring Member Meeting, Arlington VA

JISC Core Middleware Infrastructure Programme

- UK Govt Spending Review grant (3.4 million across two years) to achieve the specific aim of a working federated access management infrastructure
- Focused activities:
  - Shibbolising of JISC resources held at MIMAS and EDINA (national data centres)
  - Funding for a support service, MATU, at Eduserv
  - Early Adopter funding to help institutions implement the required technologies (two calls, 26 institutions)
  - Regional Early Adopters to explore e-Learning collaborations with federated access
  - Funding for initial development of a full federated service at UKERNA
  - Communications and outreach programme, e.g. letters sent to all HE institutions
- Completes July 2006
- Full federated access management services to be in place by September 2006

JISC Core Middleware Transition Plan

- Moving from a working infrastructure to a full production federation (i.e. with a critical mass of users) for the HE, FE and Schools sectors, through a joint Becta initiative (HE and FE: 641 institutions in the UK)
- Integration of current work plans within JISC Development and JISC Services
- Main workpackages:
  - Continued support for the current Athens contract (until July 2008)
  - Funding for the Athens/Shibboleth gateways:
    - Allowing Athens-authenticated users to access Shibboleth-protected resources (Athens as super-Identity Provider)
    - Allowing institutionally authenticated (via Shibboleth) users to access Athens-protected resources (Athens as super-Resource Provider)
  - Funding for the JISC federation @ UKERNA
  - Communications and outreach plan
  - National and international liaison plan

JISC Core Middleware Timescale (Jan 2005 vn)

[Timeline chart, Jul-03 to Jul-08. Tracks: Athens Service; Athens Development; Contract Neg; Potential Service; CM: Development; Embedding; CM: Infrastructure; Early Adopters and Assisted Take-up; Potential Service. Caption: Timescales of Athens contract, development and Core Middleware Development & Infrastructure]

JISC Core Middleware timeline (Mar 2006 vn)

[Timeline chart; no text extracted]

The ShibboLEAP Project

- April 05 to April 06; approx 250K JISC funding as Early Adopters of Shibboleth
- (no acronym, just a badly-chosen email subject-line that stuck)
- 6 other University of London Colleges, assisted by LSE with technical expertise & project management
- Already associated because they were participating in the (national) SHERPA pilot of Eprints as institutional repository (LEAP = London Eprints Access Project)
- The SHERPA-LEAP consortium:
  - Birkbeck College
  - Imperial College
  - Kings College London
  - London School of Economics & Political Science
  - Royal Holloway College
  - School of Oriental & African Studies
  - University College London

ShibboLEAP partners

- A diverse collection of institutions - all on our doorstep!
  - Some have lots of undergraduates studying diverse subjects
  - Some are focused on a small range of subjects
  - Some concentrate on postgraduate studies and research
  - Some focus on continuing education
  - All have well-regarded research programmes
- Most already had LDAP directories of users
  - Some used the project to replace existing directories
  - Most common software: Active Directory
  - None had the eduPerson object class installed
- Size and formality of IT department varied widely (~5 - ~35 network/internet techies)
- ...but quite a useful lot to get the UK Shibboleth ball rolling!
- Total population of LSE =~ 10,000
- Total population of consortium =~ 150,000+

Project objectives

- Enable a full Shib IdP for all users at each of the 7 partners
  - Using their existing directory & other infrastructure services where possible, whatever they are (THE TRICKY BIT!)
  - Access via Shibboleth to external resources which is:
    - secure: limited to those people that are truly entitled to access the resource
    - accountable: through Shibboleth log files and institutional systems, abusers can be tracked and dealt with
    - up-to-date: leavers are quickly and accurately prevented from further access, while newcomers are granted access straight away
- Enable Eprints software as a Shib SP
  - As fully as possible within the project budget & timescale
  - Contributed back to OSS development of Eprints
- Produce a documented production process for Shib implementation by others

Role-based access in an open archive Institutional Repository

- (Open as in Open Archives Initiative - based on Eprints or another harvestable repository server like DSpace, etc.)
- Who is permitted to do what:
  - deposit papers (your own academics)
  - add & edit metadata (library staff who know what metadata is)
  - authorise publication (1 or 2 administrators)
- Some (at least) of these roles should be derivable from existing directory attributes:
  - ePSA = [email protected]
  - ePSA = [email protected] AND ou = library
  - ePE = EprintsAdmin

[example of SOAS IR org-browse]

[example of LSE IR dat-browse]
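The role derivation sketched on the role-based access slide, as an added example that is not code from the ShibboLEAP project or from Eprints. It maps the attributes a Shibboleth IdP releases (eduPersonScopedAffiliation, ou, eduPersonEntitlement) onto the three repository roles the slide names. The scope "example.ac.uk", the affiliation value "staff" (the slide's affiliation is not legible on the page) and the sample users are assumptions; the "library" OU and the "EprintsAdmin" entitlement are the slide's own values. It also adds the check a Service Provider should make on scoped attributes: an affiliation asserted for a scope other than the home institution's is ignored rather than trusted.

```python
"""Derive Eprints repository roles from Shibboleth-released attributes.

Added illustration of the attribute-to-role mapping on the role-based access
slide. Not the project's code. Assumptions: HOME_SCOPE and DEPOSIT_AFFILIATION
below; sample users are constructed.
"""
from typing import Dict, Iterable, List, Set, Union

Attrs = Dict[str, Union[str, Iterable[str]]]

HOME_SCOPE = "example.ac.uk"         # assumption: the institution's own scope
DEPOSIT_AFFILIATION = "staff"        # assumption: affiliation for "your own academics"
LIBRARY_OU = "library"               # slide: "ou = library"
ADMIN_ENTITLEMENT = "EprintsAdmin"   # slide: "ePE = EprintsAdmin"


def attribute_values(attrs: Attrs, name: str) -> List[str]:
    """Return every value of one attribute.

    The Shibboleth SP hands multi-valued attributes to the application as one
    ';'-joined string, so accept that form as well as a list of strings.
    """
    raw = attrs.get(name, [])
    if isinstance(raw, str):
        raw = raw.split(";")
    return [v.strip() for v in raw if v and v.strip()]


def affiliations_for_scope(attrs: Attrs, scope: str) -> Set[str]:
    """Affiliations from eduPersonScopedAffiliation whose scope is ours.

    A value such as 'staff@other.ac.uk' says nothing about rights at this
    repository, so it is dropped; only values scoped to `scope` count.
    """
    found: Set[str] = set()
    for value in attribute_values(attrs, "eduPersonScopedAffiliation"):
        affiliation, sep, value_scope = value.rpartition("@")
        if not sep:
            continue  # malformed: no scope at all
        if value_scope.lower() == scope.lower():
            found.add(affiliation.lower())
    return found


def derive_roles(attrs: Attrs, scope: str = HOME_SCOPE) -> Set[str]:
    """Apply the slide's three rules and return the set of granted roles."""
    roles: Set[str] = set()
    affiliations = affiliations_for_scope(attrs, scope)
    ous = {v.lower() for v in attribute_values(attrs, "ou")}
    entitlements = set(attribute_values(attrs, "eduPersonEntitlement"))

    is_own_staff = DEPOSIT_AFFILIATION in affiliations
    # deposit papers: ePSA = staff@<home scope>
    if is_own_staff:
        roles.add("deposit")
    # add & edit metadata: ePSA = staff@<home scope> AND ou = library
    if is_own_staff and LIBRARY_OU in ous:
        roles.add("edit_metadata")
    # authorise publication: ePE = EprintsAdmin (entitlement values are exact)
    if ADMIN_ENTITLEMENT in entitlements:
        roles.add("authorise_publication")
    return roles


# Constructed sample attribute sets, as an SP might receive them.
SAMPLE_USERS: Dict[str, Attrs] = {
    "academic": {"eduPersonScopedAffiliation": "staff@example.ac.uk"},
    "librarian": {"eduPersonScopedAffiliation": "staff@example.ac.uk;member@example.ac.uk",
                  "ou": "Library"},
    "admin": {"eduPersonScopedAffiliation": ["staff@example.ac.uk"],
              "ou": ["library"],
              "eduPersonEntitlement": "EprintsAdmin"},
    "student": {"eduPersonScopedAffiliation": "student@example.ac.uk"},
    "visitor": {"eduPersonScopedAffiliation": "staff@other.ac.uk", "ou": "library"},
}


def demo() -> Dict[str, List[str]]:
    """Roles for each sample user, in a stable order."""
    return {name: sorted(derive_roles(a)) for name, a in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for name, roles in demo().items():
        print(f"{name:10s} -> {roles or ['(no repository role)']}")
```

The rules are deliberately evaluated independently: a user holding only the EprintsAdmin entitlement gets the authorise role and nothing else, exactly as the slide's third line implies, and the OU rule is only reached for staff of the home scope, so a library OU asserted for a foreign scope grants nothing.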

Project management

- Herding cats???
- Regular Library and IT service staff involved at each site
- Two posts funded part-time by the project
- High-level buy-in (service directors)
- Some cooperation; some competition
- Focussed Project Management Board governance
- Defined tasks for each planned meeting throughout the project
- Easy-to-measure (although bogus) primary objective: Shib access to the Eprints repository works, so everything else will!
- Few critical inter-dependencies, so low risk of failure

[image: EDS and agency, used with permission]

Key milestones

| Month  | Activity                                                                                              | Deliverable due                                                  |
|--------|-------------------------------------------------------------------------------------------------------|------------------------------------------------------------------|
| Apr-05 | Identify key staff and technical resources. 1st Project Team meeting (approve Project Plan).          | Project Plan                                                     |
| Jul-05 | 2nd Project Team meeting (approve Eprints dev spec; approve Shib-Origin architectures).               | Eprints Shib-Target spec. Shib-Origin architecture plans.        |
| Oct-05 | 3rd Project Team meeting (review Project Plan progress; demo of Alpha release & Shib-Origins).        | Interim progress report.                                         |
| Jan-06 | 4th Project Team meeting (demo of production release).                                                |                                                                  |
| Apr-06 | Final Project Team meeting (sign off project; agree exit plans).                                      | Project Completion Report. Published case study article(s).      |

Who Needs to be Involved?

- Network account techies
- Athens administrator (in UK)
- Directory admin techies
- Firewall and security techies
- Library IT staff and librarians who know your electronic resources
- Managers for the above!

Where are you now?

- What is your institutional directory?
  - Who in the institution owns it (and how can you be their friend)?
  - How is it updated? How do you arrange to change it?
  - Or should you be considering a new directory solution?
  - Does it contain all the information likely to be needed for resources protected with Shibboleth?
- How do you currently handle user account management?
  - Are user credentials secure enough for single-sign-on use outside the institution?
  - Do you already use a Web ISO solution such as pubcookie?
- Where will you install the Shibboleth Identity Provider?
  - On what type of machine?
  - How are you planning to connect it to the institutional directory?

Case Study 1: Small Research Institute

- Approach
  - Used in-house cookie authentication system as backend, and Novell eDirectory as institutional directory
  - Updates performed on the live directory server with no problems
- Difficulties encountered
  - Trivial configuration errors, simple to fix (when found...)

"Everything is nice and informal, changes to the directory got done quickly on the live service, kit installed and set up without anyone looking over my shoulder, no need for meetings, committees etc. But... From a professional systems point of view some testing on a dev system would have been a good idea. Things turned out OK though so shouldn't complain."

Case Study 2: Large Undergraduate College

- Approach
  - Used mod_auth_ldap for authentication, iPlanet LDAP server as institutional directory (but a separate test server with a limited number of accounts was used for the initial IdP installation)
  - Institutional wildcard certificate used to certify Shib communications
- Difficulties encountered
  - Difficulty installing the IdP; resolved by moving from RH Fedora to RHE3
- Large team makes it easy to find relevant experience for solving installation problems. But... bureaucracy makes life harder

From Project to Production

- Most institutions set up their first Shib IdP in a project context
- Limited (but rapidly growing) number of resources available via Shibboleth (the Shib-to-Athens Gateway is particularly useful for this, but we don't want it to inhibit proper adoption of Shib by vendors!)
- Few will want to take a "big bang" approach and replace all existing, working-well-enough authentication regimes with Shibboleth at one go
- Prioritise resources: need to balance usefulness against ease of changeover
  - May require contacting publishers, which can help persuade them to implement Shib if not doing it yet
- Consider a new installation of the IdP for production
  - Ideal for teaching mainstream IT staff to understand Shib & be able to support it
  - See Shib for Sysadmins package

[[email protected] SysAdmins resources page]

Communication with Users

- Renewing documentation probably needs to be done anyway
  - ...so take the opportunity to think about how electronic resources / security issues / authentication issues are presented
- Do you want to mention Shibboleth by name? (Most users should never really see it in action... unless it goes wrong)
- At LSE, a lengthy description of the Athens authorisation system was replaced by a simple paragraph about use of network credentials to access most resources, with information on how to find documentation for other resources

[LSEforYou Library passwords result page]

(JISC) Institutional Participation planning

[chart; no text extracted]

Links

- ShibboLEAP Project: www.angel.ac.uk/ShibboLEAP/
- Shibboleth @ LSE resources: www.angel.ac.uk/ShibbolethAtLSE/
- JISC Middleware programmes: www.jisc.ac.uk/programme_middleware.html
- JISC Middleware documents: www.jisc.ac.uk/middleware_documents.html
- UK federation developments: www.jisc.ac.uk/federation.html
- [email protected]
