Cant, Claptrap and Collectivist Shibboleths: the ShibboLEAP Project

Slides: 30
Provided by: JohnPa82

1
Cant, Claptrap and Collectivist
Shibboleth(s)(the ShibboLEAP Project)
  • John Paschoud, LSE Library Projects Team
  • London School of Economics & Political Science,
    UK
  • Project Manager, ShibboLEAP

2
What is (a) shibboleth? (Biblical)
  • A word which was made the criterion by which to
    distinguish the Ephraimites from the Gileadites.
    The Ephraimites, not being able to pronounce
    sh, called the word sibboleth. See --Judges
    xii.
  • Hence, the criterion, test, or watchword of a
    party; a party cry or pet phrase.
  • Webster's Revised Unabridged Dictionary (1913)

Judges, ch12, v5-6 (New American Standard) The
Gileadites captured the fords of the Jordan
opposite Ephraim. And it happened when any of
the fugitives of Ephraim said, "Let me cross
over," the men of Gilead would say to him, "Are
you an Ephraimite?" If he said, "No," then they
would say to him, "Say now, 'Shibboleth.' " But
he said, "Sibboleth," for he could not pronounce
it correctly. Then they seized him and slew him
at the fords of the Jordan. Thus there fell at
that time 42,000 of Ephraim.
3
Who are Shibboleth?
http://goshibbolethgo.com
4
What are shibboleths? (Political)
The greatest needs of the Collectivist movement
in England appear to me: The diffusion of
economic and political knowledge of a real kind -
as opposed to Collectivist shibboleths, and the
cant and claptrap of political campaigning.
Sidney Webb, memorandum to LSE Trustees meeting on
8th Feb 1894, LSE Archives/1/1
5
Hmmm.
  • Actually, doing Shibboleth collectively might be
    quite a good way to make it easier, for a lot of
    people / institutions
  • Where can we find a bunch of them, with something
    in common?
  • and we'd have to think of some excuse for
    something to access, because there aren't many
    Shibbolized publisher resources yet, and the
    Shib-Athens Gateway doesn't work yet
  • What about Institutional Repositories (Shibbo
    LEAP)?
  • Don't be silly! You can't do Access Management
    with them! They're meant to be open! (Didn't
    you read all that OAI stuff from Stevan Harnad I
    sent you?)
  • Well, maybe we can get the money before anyone at
    JISC figures that out.

6
JISC Core Middleware Infrastructure Programme
  • UK Govt Spending Review grant (£3.4 million
    across two years) to achieve specific aim of
    working federated access management
    infrastructure
  • Focused activities
  • Shibbolising of JISC resources held at MIMAS and
    EDINA (national data centres)
  • Funding for a support service MATU at Eduserv
  • Early Adopter funding to help institutions
    implement required technologies (two calls, 26
    institutions)
  • Regional Early Adopters to explore e-Learning
    collaborations with federated access
  • Funding for initial development of full federated
    service UKERNA
  • Communications and outreach programme e.g.
    letters sent to all HE institutions
  • Completes July 2006
  • Full federated access management services to be
    in place by September 2006

7
JISC Core Middleware Timescale (Jan 2005 vn)
Timescales of Athens contract, development and
Core Middleware Development Infrastructure
8
JISC Core Middleware timeline (Mar 2006 vn)
9
The ShibboLEAP Project
  • April 05 - April 06, approx £250K JISC funding as
    Early Adopters of Shibboleth
  • (no acronym, just a badly-chosen email
    subject-line that stuck)
  • 6 other University of London Colleges, assisted
    by LSE with technical expertise & project
    management
  • Already associated because they were
    participating in the (national) SHERPA pilot of
    Eprints as institutional repository
  • (LEAP = London Eprints Access Project)
  • The SHERPA-LEAP consortium
  • Birkbeck College
  • Imperial College
  • King's College London
  • London School of Economics & Political Science
  • Royal Holloway College
  • School of Oriental & African Studies
  • University College London

10
example of SOAS IR org-browse
11
example of LSE IR dat-browse
12
ShibboLEAP partners
  • a diverse collection of institutions - all on
    our doorstep!
  • Some have lots of undergraduates studying diverse
    subjects
  • Some are focused on small range of subjects
  • Some concentrate on postgraduate studies and
    research
  • Some focus on continuing education
  • All have well-regarded research programmes
  • Most already had LDAP directories of users
  • Some used project to replace existing directories
  • Most common software: Active Directory
  • None had eduPerson object class installed
  • Size and formality of IT department varied widely
    (5 - 35 network/internet techies)
  • but quite a useful lot to get the UK Shibboleth
    ball rolling!
  • Total population of LSE: 10,000
  • Total population of consortium: 150,000
  • (Total Shibboleth-enabled population of
    Switzerland, at that time: 140,000)

13
Project objectives
  • Enable full Shib IdP for all users at each of the
    7 partners
  • Using their existing directory & other
    infrastructure services where possible
  • whatever they are (THE TRICKY BIT!)

14
Existing infrastructure can be messy
http://www.angel.ac.uk/SECURe/deliverables/documentation/
15
Project objectives
  • Enable full Shib IdP for all users at each of the
    7 partners
  • Using their existing directory & other
    infrastructure services where possible
  • whatever they are (THE TRICKY BIT!)
  • Access via Shibboleth to external resources which
    is
  • secure: limited to those people that are truly
    entitled to access the resource
  • accountable: through Shibboleth log files and
    institutional systems abusers can be tracked and
    dealt with
  • up-to-date: leavers are quickly and accurately
    prevented from further access while newcomers are
    granted access straight away
  • Enable Eprints software as a Shib SP
  • As fully as possible within the project budget &
    timescale
  • Contributed back to OSS development of Eprints
  • Produce a documented production process for Shib
    implementation by others
  • and maybe also a model for other peer-support
    implementations?

16
Role-based access in an open archive
Institutional Repository
  • (Open as in Open Archives Initiative - based
    on Eprints or another harvestable repository
    server like DSpace, etc)(We also have a
    Shibbolized DSpace)
  • Who is permitted to do what
  • deposit papers (your own academics)
  • add & edit metadata (library staff who know what
    metadata is)
  • authorise publication (1 or 2 administrators)
  • Some (at least) of these roles should be
    derivable from existing directory attributes
  • ePSA = staff@lse.ac.uk
  • ePSA = staff@lse.ac.uk AND ou = library
  • ePE = EprintsAdmin

17
Shibbolizing Eprints
  • AuthN (easy!)
  • to eliminate yet-another-password for users
  • User identity/privacy is not an issue
  • eduPersonPrincipalName (e.g. paschoud@lse.ac.uk)
    can be used to link to personal account within
    Eprints
  • AuthZ
  • How deeply embedded in code is the permissions
    structure?
  • How much of this can we (do we want to) represent
    as generic attributes in an institutional
    Enterprise Directory? (probably LibStaff,
    AcStaff as scoped affiliations)
  • so some will (probably) remain internal (but
    could be represented as eduPersonEntitlements)
  • Anyway, we must do this as install-time options,
    because different institutions will make
    different choices
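
Added example, not from the original slides and not Eprints code: the three role rules from the "Role-based access" slide written as an install-time table, as the AuthZ points above propose. The role names, table layout, scope check and sample users are assumptions made for illustration.

```python
# Added example: install-time attribute-to-role mapping (not Eprints code).
# Role names, rule layout and sample users below are constructed for illustration.

# One table per institution. A role is granted when every (attribute, value)
# pair of at least one of its rules is present in the released attributes.
LSE_RULES = {
    "deposit":       [{"eduPersonScopedAffiliation": "staff@lse.ac.uk"}],
    "edit_metadata": [{"eduPersonScopedAffiliation": "staff@lse.ac.uk",
                       "ou": "library"}],
    "authorise":     [{"eduPersonEntitlement": "EprintsAdmin"}],
}

def _values(attrs, name):
    """Attributes are multi-valued; the SP passes them as ';'-joined strings."""
    raw = attrs.get(name, [])
    if isinstance(raw, str):
        raw = raw.split(";")
    return {v.strip() for v in raw if v.strip()}

def roles_for(attrs, rules, idp_scope):
    """Return the roles the attributes grant; an empty set means no role."""
    # Keep only scoped affiliations in the scope this IdP is allowed to assert,
    # so another college's IdP cannot claim staff@lse.ac.uk.
    scoped = sorted(v for v in _values(attrs, "eduPersonScopedAffiliation")
                    if "@" in v and v.rpartition("@")[2].lower() == idp_scope.lower())
    view = dict(attrs, eduPersonScopedAffiliation=scoped)
    granted = set()
    for role, alternatives in rules.items():
        if any(all(want in _values(view, name) for name, want in rule.items())
               for rule in alternatives):
            granted.add(role)
    return granted

# Constructed sample users (attribute sets as an SP might release them).
LIBRARIAN = {"eduPersonScopedAffiliation": "member@lse.ac.uk;staff@lse.ac.uk",
             "ou": "library"}
ACADEMIC = {"eduPersonScopedAffiliation": "staff@lse.ac.uk", "ou": "economics"}
ADMIN = {"eduPersonScopedAffiliation": "student@lse.ac.uk",
         "eduPersonEntitlement": ["EprintsAdmin"]}

if __name__ == "__main__":
    for name, user in [("librarian", LIBRARIAN), ("academic", ACADEMIC),
                       ("admin", ADMIN)]:
        print(name, sorted(roles_for(user, LSE_RULES, "lse.ac.uk")))
    # Same attributes asserted by an IdP whose scope is soas.ac.uk: no roles.
    print("foreign", sorted(roles_for(LIBRARIAN, LSE_RULES, "soas.ac.uk")))
```

The entitlement rule carries no scope, so in this sketch it should only be honoured when the assertion comes from the institution's own IdP.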

18
Shibbolizing Eprints (& many other applications?)
In shibboleth.xml (SP config):
    <Sessions .. handlerURL="eprints.soas.ac.uk">
    <SessionInitiator .. wayfURL="https://shibIdP.soas.ac.uk/Shibboleth/HS">
(repeated for each institution-specific server, to eliminate WAYF
step for end-users)
19
Project management
  • Herding cats???
  • Regular Library and IT service staff involved at
    each site
  • Two posts funded part-time by project
  • High-level buy-in (service directors)
  • Some cooperation Some competition
  • Focussed Project Management Board governance
  • Defined tasks for each planned meeting
    throughout project
  • Easy-to-measure (although bogus) primary
    objective
  • Shib access to Eprints repository works
  • so everything else will!
  • Few critical inter-dependencies
  • So low risk of failure

20
Key milestones
21
Lessons learned: Who Needs to be Involved?
  • Network account techies
  • Athens administrator (in UK)
  • Directory admin techies
  • Firewall and security techies
  • Library IT staff and librarians who know your
    electronic resources
  • Managers for the above!

22
Lessons learned: Where are you Starting From?
  • What is your institutional directory?
  • Who in the institution owns it (and how can you
    be their friend)?
  • How is it updated?
  • How do you arrange to change it?
  • Or should you be considering a new directory
    solution?
  • Does it contain all the information likely to be
    needed for resources protected with Shibboleth?
  • How do you currently handle user account
    management?
  • Are user credentials secure enough for
    single-sign-on use outside the institution?
  • Do you already use a Web ISO solution such as
    pubcookie?
  • Where will you install the Shibboleth Identity
    Provider?
  • On what type of machine?
  • How are you planning to connect it to the
    institutional directory?

24
Case Study 1: Small Research Institute
  • Approach
  • Used in-house cookie authentication system as
    backend, and Novell eDirectory as institutional
    directory
  • Updates performed on live directory server with
    no problems
  • Difficulties encountered
  • Trivial configuration errors simple to fix (when
    found...)
  • Everything is nice and informal, changes to
    the directory got done quickly on the live
    service, kit installed and setup without anyone
    looking over my shoulder, no need for meetings,
    committees etc.
  • But...
  • From a professional systems point of view some
    testing on a dev system would have been a good
    idea. Things turned out OK though so shouldn't
    complain.

25
Case Study 2: Large Undergraduate College
  • Approach
  • Used mod_auth_ldap for authentication, IPlanet
    LDAP server as institutional directory (but
    separate test server with limited number of
    accounts used for initial IdP installation)
  • Institutional wildcard certificate used to
    certify Shib communications
  • Difficulties encountered
  • Difficulty installing IdP resolved by moving
    from RH Fedora to RHE3
  • Large team makes it easy to find relevant
    experience for solving installation problems
  • But...
  • Bureaucracy makes life harder

26
From Project to Production
  • Most institutions set up first Shib IdP in
    project context
  • Limited (but rapidly growing) number of resources
    available via Shibboleth
  • (the Shib-to-Athens Gateway is particularly
    useful for this)
  • but we don't want it to inhibit proper
    adoption of Shib by vendors!
  • Few will want to take a big bang approach and
    replace all existing, working-well-enough
    authentication regimes with Shibboleth at one go
  • Prioritise resources: need to balance usefulness
    against ease of changeover
  • May require contacting publishers, which can help
    persuade them to implement Shib if not doing it
    yet
  • Consider new installation of IdP for production
  • Ideal for teaching mainstream IT staff to
    understand Shib & be able to support it
  • See Shib for Sysadmins package

27
Shib@LSE SysAdmins resources page
28
Where are THEY now?
  • Most of the partners in ShibboLEAP are now
    working together on
  • The Identity Project
  • - a comprehensive audit of Identity Management
    across UK FHE, using partners to create and
    test a re-usable model for detailed institutional
    audits of Identity Management
  • (the bits that the IT Director knows about and
    what s/he doesn't know about!)
  • Only two of the original partners (LSE and UCL)
    are currently registered as production Shibboleth
    IdPs in the SDSS Federation
  • (so maybe this was slightly too early adoption,
    for some, in relation to the overall JISC
    transition timetable?)

29
ShibboLEAP Project www.angel.ac.uk/ShibboLEAP/
Shibboleth @ LSE resources www.angel.ac.uk/ShibbolethAtLSE/
JISC Middleware programmes www.jisc.ac.uk/programme_middleware.html
JISC Middleware documents www.jisc.ac.uk/middleware_documents.html
UK federation developments www.jisc.ac.uk/federation.html
The Identity Project www.identity-project.org
J.Paschoud@LSE.ac.uk