MATU: Middleware Assisted Take Up Service For JISC Funded Early Adopters

1
MATU Middleware Assisted Take Up ServiceFor
JISC Funded Early Adopters

• Steve Edwards - MATU - Windermere 14 15
  November 2005

2
Where We Are From - Eduserv

• Eduserv is a not-for-profit IT services group
• born from services developed within universities
• The Eduserv Foundation
• funds initiatives supporting application of IT in
  education
• Over 10 years experience delivering Access
  Management
• Athens
• Contracted by the JISC to provide the MATU
  service
• assist HE FE with early adoption of Shibboleth

3
MATU Objectives

• Middleware Assisted Take Up Service
• A JISC sponsored Eduserv Service
• Support JISC Core Middleware Project Early
  Adopters
• Provide a central repository
• information
• advice
• training

4
The Problem Shibboleth Addresses

• Users accessing many different systems
• proliferation of credentials
• one pair of credentials per resource
• forgotten passwords
• Security Integrity compromised
• abc123 issue
• passwords sent in the clear and shared
• proprietary systems locked in
• no organisational control centre

5
What Shibboleth is NOT

• NOT an all-in-one identity management solution
• one of many components
• NOT an authentication or a SSO system
• need to plug one in (CAS, pubcookie, )
• NOT an Attribute Store
• need to plug one in (Directory, Database, )
• NOT a fixed specification
• ongoing evolution

6
Internet2

• Collection of over 200 U.S. Universities involved
  in a wide variety of initiatives
• advanced network applications
• research and higher education
• creating tomorrows Internet
• Wide variety of
• Groups
• Working, Specialist Interest, Advisory,
• Initiatives

7
Internet2 - Middleware Initiative

• Initiatives
• Shibboleth
• eduPerson
• both of which are under umbrella of MACE
• Others MACE activities
• Grouper
• Middleware End-To-End Diagnostics Advisory Group
• Signet

8
Internet2 - Shibboleth

• Share secured online services
• Control access to restricted digital content
• Leverages campus identity and access management
  infrastructures
• authenticate individual users
• sends information about users to resource site
• enables resource provider to make authorisation
  decisions
• Common SSO layer over existing systems

9
What is a Federation

• Group of organizations sharing set of agreed
  policies, rules for access to online resources
• enable the members to establish trust and shared
  understanding of language or terminology
• provide a structure / legal framework that
  enables authentication and authorization
• Supporting technologies
• Shibboleth
• SAML

10
SWITCHaai - Switzerland

• Useful demo

SWITCHaai - http//www.switch.ch/aai/
11
SWITCHaai - Process Demo
12
Adoption History - World Wide

• Europe
• SWITCH - AAI - Switzerland
• Authentication Authorization Infrastructure
• 8 universities, gt 110k users
• integrated user directories into AAI
• e-learning shared resources
• gt 10k users on a regular basis
• HAKA - Finland
• Identity Federation of Universities

13
Adoption History - World Wide

• USA
• widespread adoption by educational and commercial
  organisations
• Australia
• MAMS
• Meta Access Management System
• Macquarie - lead University

14
Adoption History - UK

• Started with Core Middleware Programme
• started July 2004 / first trial November 2004
• strategic initiative
• A subset - Early Adopters
• over 20 H.E. institutions
• includes e-Learning strand
• interim reports available

15
Adoption History - UK

• Bodington
• open source Virtual Learning Environment /
  Learning Management System
• supports teaching and learning across entire
  range of learning institutions
• UK and worldwide
• Guanxi Project
• UHI - University of Highlands and Islands
• institutional collaborations
• e-learning e-delivery

16
UK Federations

• Athens UK Shibboleth Federation
• production federation
• SDSS project at EDINA
• building development Shibboleth federation
  academic online resources
• put in place essential technical components
• provide environment to assist other projects
• JISC
• Core Middleware Infrastructure Programme
• SWISh, Gilead,

17
JISC - Shibboleth

• The Joint Information Systems Committee
• UK HE / FE support organisation
• JISC - Middleware Adoption
• funding a major initiative - 4 years
• access to internally and externally produced
  resources is a one step process for users
• development of next generation access management
  system based on Shibboleth
• UK Federation

18
MATU Support - Ethos / Approach

• "One Stop Shop"
• Informed
• Authoritative
• Impartial
• Avoid dilution of message and advice
• Long term individual relationships
• Mutual support cyclical
• we also need assistance feedback
• returned to early adopters community

19
MATU People

• Service Manager - Richard Dunning
• operations and project specialist
• Service Analyst - Richard Annett
• formerly DSP and AthensDA support
• Trainer - Steve Edwards
• consulting development J2EE, XML, Web Services
• International activities IBM, BEA,
• Others involved include
• James Mulhern
• project director, head of R D
• David Orrell
• technical architect heavily involved in the
  middleware arena nationally internationally

20
MATU Service

• A Comprehensive Website
• FAQS, Guidance, Installation guides, business
  cases, downloads
• Software downloads
• Internet2 software
• Eduserv software
• Other software e.g. Guanxi
• Service desk
• Telephone and Email support
• Access to some of the leading experts on Access
  Management and Shibboleth
• Test infrastructure
• Training
• Seminars / Workshops
• Conferences

21
MATU Assisted Projects

• Twenty projects in total comprising of
• Over 20 early adopter projects
• 16 institutions
• 9 e-learning strand early adopter projects
• 11 institutions
• 15-18 new projects to be announcedmid-November
  2005

22
(No Transcript)
23
Workshops Events

• October
• Introduction to Shibboleth v1.3 - IdP SP
• November
• JISC Conference
• December
• Introduction to Shibboleth v1.3 - IdP SP
• October workshop repeated for new project intake
• January
• Deploying Shibboleth v1.3 IdP
• Deploying Shibboleth v1.3 SP
• LDAP - Lightweight Directory Access Protocol
• February
• Federations and the Law

24
Current Activities

• Getting to know the projects
• aims give early adopters confidence
• get early adopters to outline their projects
• form relationships
• help with problem solving at an early stage
• One-to-one meetings with project owners include
• University of Essex (Chimera)
• London School of Economics
• University of Essex (UK Data Archive (SAFARI))
• Liverpool University
• University of Nottingham
• University of Bristol
• University of Exeter
• University of Cardiff
• University of Staffordshire

25
Shibboleth / Athens Interoperability

• Eduserv's JISC contract for Access Management
  services to UK HE FE, commits us to delivering
  full Shibboleth Athens interoperability
• Athens Federation
• providing a governance framework for Athens
  registered organisations and online resources
• Athens Identity Manager (AthensIM)
• fully supported and standalone Shibboleth
  Identity Provider (origin) software
• Shibboleth to Athens Gateway
• providing Shibboleth-enabled organisations access
  to Athens-enabled resources

26
Prerequisites

• Users IDs and credentials
• Database
• Directory
• Flat files
• A web-based Single Sign-On System
• e.g.
• Pubcookie
• Yale CAS
• Bespoke
• Network Server Infrastructure
• Skilled People

27
Getting Started?

• MATU Support
• Think carefully about how you are going to use
  Shibboleth
• who and where are your users
• what are you looking to access / share / protect
• what Federation is best for you
• Make sure you know who you and your stakeholders
  are!
• Identity Provider
• Service Provider
• both!
• Align your Access Management to your IT strategy
• and adapt
• Align your Attribute Release Policy with
  Institutional DP Privacy
• Ensure you have all the necessary building blocks
• A populated Information Store
• A Web SSO system
• Plan how you are going to deliver and resource
  your new service
• Decide what software is best for you

28
Advice to Projects

• Plan
• especially access to institutional data
• Keep it simple
• limit the use of user attributes
• at least initially
• Try, test, prototype
• but avoid live kit
• Put the necessary prerequisites in place
• Weigh up privacy v. personalisation
• Do not go it alone

29
And Now?

• MATU is here to support early adopters in using
  Shibboleth
• We want to
• talk to them
• understand their requirements
• to ensure a smoother start
• to assist with minimising problems

30
Contact Us

• Contact the MATU team at
• support_at_matu.ac.uk
• Postal address
• Eduserv MATU Queen Anne House11 Charlotte
  StreetBath BA1 2NEPhone 01225
  474373Fax 01225 474332
• Website
• www.matu.ac.uk