ShibboLEAP: a production model for institutional Shibboleth adoption


1
ShibboLEAP: a production model for institutional
Shibboleth adoption
  • John Paschoud and Simon McLeish, LSE Library
    Projects Team
  • London School of Economics & Political Science,
    UK
  • (and thanks to Nicole Harris for JISC programmes
    updates)

2
JISC Core Middleware Infrastructure Programme
  • UK Govt Spending Review grant (3.4 million
    across two years) to achieve specific aim of
    working federated access management
    infrastructure
  • Focused activities:
  • Shibbolising of JISC resources held at MIMAS and
    EDINA (national data centres)
  • Funding for a support service: MATU at Eduserv
  • Early Adopter funding to help institutions
    implement required technologies (two calls, 26
    institutions)
  • Regional Early Adopters to explore e-Learning
    collaborations with federated access
  • Funding for initial development of full federated
    service: UKERNA
  • Communications and outreach programme, e.g.
    letters sent to all HE institutions
  • Completes July 2006
  • Full federated access management services to be
    in place by September 2006

3
JISC Core Middleware Transition Plan
  • Moving from a working infrastructure to a full
    production federation (i.e. with critical mass of
    users) for HE, FE and Schools sector through
    joint Becta initiative (HE and FE: 641
    institutions in the UK)
  • Integration of current work plans within JISC
    Development and JISC Services
  • Main workpackages:
  • Continued support for current Athens contract
    (until July 2008)
  • Funding for the Athens/Shibboleth gateways
  • Allowing Athens authenticated users to access
    Shibboleth protected resources (Athens as
    super-Identity Provider)
  • Allowing institutionally authenticated (via
    Shibboleth) users to access Athens protected
    resources (Athens as super-Resource Provider)
  • Funding for JISC federation @ UKERNA
  • Communications and outreach plan
  • National and International liaison plan

4
JISC Core Middleware Timescale (Jan 2005 vn)
Timescales of Athens contract, development and
Core Middleware Development Infrastructure
5
JISC Core Middleware timeline (Mar 2006 vn)
6
The ShibboLEAP Project
  • April 05 to April 06: approx 250K JISC funding as
    Early Adopters of Shibboleth
  • (no acronym, just a badly-chosen email
    subject-line that stuck)
  • 6 other University of London Colleges, assisted
    by LSE with technical expertise and project
    management
  • Already associated because they were
    participating in the (national) SHERPA pilot of
    Eprints as institutional repository
  • (LEAP: London Eprints Access Project)
  • The SHERPA-LEAP consortium:
  • Birkbeck College
  • Imperial College
  • King's College London
  • London School of Economics & Political Science
  • Royal Holloway College
  • School of Oriental & African Studies
  • University College London

7
ShibboLEAP partners
  • a diverse collection of institutions - all on
    our doorstep!
  • Some have lots of undergraduates studying diverse
    subjects
  • Some are focused on small range of subjects
  • Some concentrate on postgraduate studies and
    research
  • Some focus on continuing education
  • All have well-regarded research programmes
  • Most already had LDAP directories of users
  • Some used project to replace existing directories
  • Most common software: Active Directory
  • None had eduPerson object class installed
  • Size and formality of IT department varied widely
    (5 - 35 network/internet techies)
  • but quite a useful lot to get the UK Shibboleth
    ball rolling!
  • Total population of LSE: 10,000
  • Total population of consortium: 150,000

8
Project objectives
  • Enable full Shib IdP for all users at each of the
    7 partners
  • Using their existing directory and other
    infrastructure services where possible
  • whatever they are (THE TRICKY BIT!)
  • Access via Shibboleth to external resources which
    is:
  • secure: limited to those people that are truly
    entitled to access the resource
  • accountable: through Shibboleth log files and
    institutional systems, abusers can be tracked and
    dealt with
  • up-to-date: leavers are quickly and accurately
    prevented from further access while newcomers are
    granted access straight away
  • Enable Eprints software as a Shib SP
  • As fully as possible within the project budget
    and timescale
  • Contributed back to OSS development of Eprints
  • Produce a documented production process for Shib
    implementation by others

9
Role-based access in an open archive
Institutional Repository
  • (Open as in Open Archives Initiative - based
    on Eprints or another harvestable repository
    server like DSpace, etc)
  • Who is permitted to do what:
  • deposit papers (your own academics)
  • add and edit metadata (library staff who know what
    metadata is)
  • authorise publication (1 or 2 administrators)
  • Some (at least) of these roles should be
    derivable from existing directory attributes:
  • ePSA = staff@lse.ac.uk
  • ePSA = staff@lse.ac.uk AND ou = library
  • ePE = EprintsAdmin
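
The three attribute rules on this slide, read here as eduPersonScopedAffiliation (ePSA), ou and eduPersonEntitlement (ePE), can be evaluated as in the sketch below. It is an added example, not code from the ShibboLEAP project or Eprints; the role names, the pairing of each rule with one role, the case handling and the sample users are assumptions.

```python
"""Added example: derive repository roles from released directory attributes."""

# Rule values are the ones shown on the slide; the role names and the
# one-to-one pairing of rules with roles are assumptions of this example.
STAFF = "staff@lse.ac.uk"
LIBRARY_OU = "library"
ADMIN_ENTITLEMENT = "EprintsAdmin"


def _values(attrs, name, fold=True):
    """Return an attribute's values as a set; a missing attribute is empty."""
    raw = attrs.get(name) or []
    if isinstance(raw, str):          # tolerate single-valued input
        raw = [raw]
    vals = (v.strip() for v in raw)
    # fold=True compares case-insensitively (an assumption of this example)
    return {v.lower() if fold else v for v in vals if v}


def roles_for(attrs):
    """Map attributes to roles, failing closed when anything is absent."""
    epsa = _values(attrs, "eduPersonScopedAffiliation")
    ou = _values(attrs, "ou")
    epe = _values(attrs, "eduPersonEntitlement", fold=False)

    roles = set()
    is_staff = STAFF in epsa          # whole value, so the scope must match too
    if is_staff:
        roles.add("deposit")
    if is_staff and LIBRARY_OU in ou:
        roles.add("edit_metadata")
    if ADMIN_ENTITLEMENT in epe:      # entitlement compared exactly
        roles.add("authorise_publication")
    return roles


# Constructed sample users (not real directory entries).
SAMPLES = {
    "academic": {"eduPersonScopedAffiliation": ["member@lse.ac.uk", "Staff@LSE.ac.uk"],
                 "ou": ["Economics"]},
    "librarian": {"eduPersonScopedAffiliation": ["staff@lse.ac.uk"], "ou": ["Library"]},
    "admin": {"eduPersonScopedAffiliation": ["staff@lse.ac.uk"], "ou": ["Library"],
              "eduPersonEntitlement": ["EprintsAdmin"]},
    # Right affiliation, wrong scope: must not be treated as local staff.
    "visitor": {"eduPersonScopedAffiliation": ["staff@other.example"], "ou": ["library"]},
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        print(name, sorted(roles_for(attrs)))
```
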

10
example of SOAS IR org-browse
11
example of LSE IR dat-browse
12
Project management
  • Herding cats???
  • Regular Library and IT service staff involved at
    each site
  • Two posts funded part-time by project
  • High-level buy-in (service directors)
  • Some cooperation; some competition
  • Focussed Project Management Board governance
  • Defined tasks for each planned meeting
    throughout project
  • Easy-to-measure (although bogus) primary
    objective
  • Shib access to Eprints repository works
  • so everything else will!
  • Few critical inter-dependencies
  • So low risk of failure

13
Key milestones
14
Who Needs to be Involved?
  • Network account techies
  • Athens administrator (in UK)
  • Directory admin techies
  • Firewall and security techies
  • Library IT staff and librarians who know your
    electronic resources
  • Managers for the above!

15
Where are you now?
  • What is your institutional directory?
  • Who in the institution owns it (and how can you
    be their friend)?
  • How is it updated?
  • How do you arrange to change it?
  • Or should you be considering a new directory
    solution?
  • Does it contain all the information likely to be
    needed for resources protected with Shibboleth?
  • How do you currently handle user account
    management?
  • Are user credentials secure enough for
    single-sign-on use outside the institution?
  • Do you already use a Web ISO solution such as
    pubcookie?
  • Where will you install the Shibboleth Identity
    Provider?
  • On what type of machine?
  • How are you planning to connect it to the
    institutional directory?

16
(No Transcript)
17
Case Study 1: Small Research Institute
  • Approach
  • Used in-house cookie authentication system as
    backend, and Novell eDirectory as institutional
    directory
  • Updates performed on live directory server with
    no problems
  • Difficulties encountered
  • Trivial configuration errors simple to fix (when
    found...)
  • Everything is nice and informal, changes to
    the directory got done quickly on the live
    service, kit installed and setup without anyone
    looking over my shoulder, no need for meetings,
    committees etc.
  • But...
  • From a professional systems point of view some
    testing on a dev system would have been a good
    idea. Things turned out OK though so shouldn't
    complain.

18
Case Study 2: Large Undergraduate College
  • Approach
  • Used mod_auth_ldap for authentication, iPlanet
    LDAP server as institutional directory (but
    separate test server with limited number of
    accounts used for initial IdP installation)
  • Institutional wildcard certificate used to
    certify Shib communications
  • Difficulties encountered
  • Difficulty installing IdP; resolved by moving
    from RH Fedora to RHE3
  • Large team makes it easy to find relevant
    experience for solving installation problems
  • But...
  • Bureaucracy makes life harder

19
From Project to Production
  • Most institutions set up first Shib IdP in
    project context
  • Limited (but rapidly growing) number of resources
    available via Shibboleth
  • (the Shib-to-Athens Gateway is particularly
    useful for this)
  • but we don't want it to inhibit proper
    adoption of Shib by vendors!
  • Few will want to take a big bang approach and
    replace all existing, working-well-enough
    authentication regimes with Shibboleth at one go
  • Prioritise resources: need to balance usefulness
    against ease of changeover
  • May require contacting publishers, which can help
    persuade them to implement Shib if not doing it
    yet
  • Consider new installation of IdP for production
  • Ideal for teaching mainstream IT staff to
    understand Shib and be able to support it
  • See Shib for Sysadmins package

20
Shib@LSE SysAdmins resources page
21
Communication with Users
  • Renewing documentation probably needs to be done
    anyway
  • ...so take the opportunity to think about how
    electronic resources / security issues /
    authentication issues are presented
  • Do you want to mention Shibboleth by name?
  • (Most users should never really see it in
    action...unless it goes wrong)
  • At LSE, lengthy description of Athens
    authorisation system was replaced by simple
    paragraph about use of network credentials to
    access most resources with information on how to
    find documentation for other resources

22
LSEforYou Library passwords result page
23
(JISC) Institutional Participation planning
24
  • ShibboLEAP Project: www.angel.ac.uk/ShibboLEAP/
  • Shibboleth @ LSE resources: www.angel.ac.uk/ShibbolethAtLSE/
  • JISC Middleware programmes: www.jisc.ac.uk/programme_middleware.html
  • JISC Middleware documents: www.jisc.ac.uk/middleware_documents.html
  • UK federation developments: www.jisc.ac.uk/federation.html
  • J.Paschoud@LSE.ac.uk