
ShibboLEAP: a production model for institutional Shibboleth adoption
John Paschoud and Simon McLeish
LSE Library Projects Team
London School of Economics & Political Science, UK
(and thanks to Nicole Harris for JISC programmes updates)
26-Apr-06
Internet2 Spring Member Meeting, Arlington VA
1
JISC Core Middleware Infrastructure Programme
• UK Gov’t ‘Spending Review’ grant (£3.4 million across two years) to achieve specific aim of ‘working federated access management infrastructure’
• Focused activities:
– Shibbolising of JISC resources held at MIMAS and EDINA (national data centres)
– Funding for a support service – MATU at Eduserv
– Early Adopter funding to help institutions implement required technologies (two calls, 26 institutions)
– Regional Early Adopters to explore e-Learning collaborations with federated access
– Funding for initial development of full federated service – UKERNA
– Communications and outreach programme – e.g. letters sent to all HE institutions
• Completes July 2006
• Full federated access management services to be in place by September 2006
JISC Core Middleware Transition Plan
• Moving from a ‘working’ infrastructure to a full production federation (i.e. with critical mass of users) for HE, FE and Schools sector through joint Becta initiative (HE and FE: 641 institutions in the UK)
• Integration of current work plans within JISC Development and JISC Services
• Main workpackages:
– Continued support for current Athens contract (until July 2008)
– Funding for the Athens/Shibboleth gateways
    • Allowing Athens authenticated users to access shibboleth protected resources (Athens as super-Identity Provider)
    • Allowing institutionally authenticated (via shibboleth) users to access Athens protected resources (Athens as super-Resource Provider)
– Funding for JISC federation @ UKERNA
– Communications and outreach plan
– National and International liaison plan
JISC Core Middleware Timescale (Jan 2005 vn)
[Timeline chart, Jul-03 to Jul-08, with bars: Athens Service, Contract Neg, Potential Service, Athens Development, CM: Development, Embedding, CM: Infrastructure, Early Adopters and Assisted Take-up, Potential Service]
Timescales of Athens contract, development and Core Middleware Development & Infrastructure
JISC Core Middleware timeline (Mar 2006 vn)
The ShibboLEAP Project
• April 05 – April 06; approx £250K JISC funding as ‘Early Adopters’ of Shibboleth
• (no acronym – just a badly-chosen email subject-line that stuck)
• 6 other University of London Colleges, assisted by LSE with technical expertise & project management
• Already associated because they were participating in the (national) SHERPA pilot of Eprints as institutional repository
• (LEAP = London Eprints Access Project)
• The SHERPA-LEAP consortium
– Birkbeck College
– Imperial College
– King’s College London
– London School of Economics & Political Science
– Royal Holloway College
– School of Oriental & African Studies
– University College London
ShibboLEAP partners
• …a diverse collection of institutions - all on our doorstep!
– Some have lots of undergraduates studying diverse subjects
– Some are focused on small range of subjects
– Some concentrate on postgraduate studies and research
– Some focus on continuing education
– All have well-regarded research programmes
• Most already had LDAP directories of users
– Some used project to replace existing directories
– Most common software: Active Directory
– None had eduPerson object class installed
• Size and formality of IT department varied widely (~5 - ~35 network/internet techies)
• …but quite a useful lot to get the UK Shibboleth ball rolling!
– Total ‘population’ of LSE =~ 10,000
– Total ‘population’ of consortium =~ 150,000+
Project objectives
• Enable full Shib IdP for all users at each of the 7 partners
– Using their existing directory & other infrastructure services where possible …whatever they are (THE TRICKY BIT!)
• Access via Shibboleth to external resources which is:
– secure: limited to those people that are truly entitled to access the resource
– accountable: through Shibboleth log files and institutional systems abusers can be tracked and dealt with
– up-to-date: leavers are quickly and accurately prevented from further access while newcomers are granted access straight away
• Enable Eprints software as a Shib SP
– As fully as possible within the project budget & timescale
– Contributed back to OSS development of Eprints
• Produce a documented production process for Shib implementation by others
Role-based access in an ‘open’ archive Institutional Repository
• (‘Open’ as in Open Archives Initiative - based on Eprints or another harvestable repository server like DSpace, etc)
• Who is permitted to do what:
– deposit papers (your own academics)
– add & edit metadata (library staff who know what metadata is)
– authorise publication (1 or 2 administrators)
• Some (at least) of these roles should be derivable from existing directory attributes…
– ePSA = ‘[email protected]’
– ePSA = ‘[email protected]’ AND ou = ‘library’
– ePE = ‘EprintsAdmin’
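As an added illustration of the attribute-to-role mapping on this slide (example code, not ShibboLEAP or Eprints code): a small Python evaluator that derives the three repository roles from the attributes a Shibboleth SP releases, and checks the scope of eduPersonScopedAffiliation against the home institution's scope so that a ‘staff’ value from some other scope grants nothing. The attribute names, the scope example.ac.uk and the ‘;’-separated multi-value convention are assumptions.

```python
"""Derive Eprints-style repository roles from released eduPerson attributes.

Rules mirrored from the slide:
  deposit        <- eduPersonScopedAffiliation 'staff' at the home scope
  edit-metadata  <- the same, AND ou = 'library'
  authorise      <- eduPersonEntitlement value 'EprintsAdmin'
"""
from typing import Dict, List, Set

HOME_SCOPE = "example.ac.uk"  # constructed value standing in for the IdP's scope


def parse_attr(raw: str) -> List[str]:
    """Split a multi-valued attribute; ';' is assumed as the SP's separator."""
    return [v.strip() for v in raw.split(";") if v.strip()]


def scoped_values(raw: str, scope: str) -> Set[str]:
    """Return affiliation values whose scope matches the expected home scope.

    A value such as 'staff@other.example' is discarded rather than trusted, so
    only an affiliation asserted for this institution can confer a role.
    """
    accepted: Set[str] = set()
    for v in parse_attr(raw):
        if "@" not in v:
            continue  # unscoped value: ignore, since we cannot tell who asserted it
        value, _, value_scope = v.rpartition("@")
        if value_scope.lower() == scope.lower():
            accepted.add(value.lower())
    return accepted


def derive_roles(attrs: Dict[str, str], scope: str = HOME_SCOPE) -> Set[str]:
    """Map released attributes (assumed keys: affiliation, ou, entitlement) to roles."""
    affiliations = scoped_values(attrs.get("affiliation", ""), scope)
    ous = {o.lower() for o in parse_attr(attrs.get("ou", ""))}
    entitlements = set(parse_attr(attrs.get("entitlement", "")))

    roles: Set[str] = set()
    if "staff" in affiliations:
        roles.add("deposit")
        if "library" in ous:
            roles.add("edit-metadata")
    if "EprintsAdmin" in entitlements:
        roles.add("authorise")
    return roles
```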
[example of SOAS IR org-browse]
[example of LSE IR dat-browse]
Project management
• Herding cats???
• Regular Library and IT service staff involved at each site
– Two posts funded part-time by project
• High-level buy-in (service directors)
– Some cooperation; Some competition
• Focussed Project Management Board governance
– Defined tasks for each planned meeting throughout project
• Easy-to-measure (although bogus) primary objective
– Shib access to Eprints repository works…
– …so everything else will!
• Few critical inter-dependencies
– So low risk of ‘failure’
© EDS and agency, used with permission
Key milestones (month – activity – deliverable due)
Apr-05 – Identify key staff and technical resources. 1st Project Team meeting (approve Project Plan). Deliverable due: Project Plan.
Jul-05 – 2nd Project Team meeting (approve Eprints dev spec; approve Shib-Origin architectures). Deliverables due: Eprints Shib-Target spec; Shib-Origin architecture plans.
Oct-05 – 3rd Project Team meeting (review Project Plan progress; demo of Alpha release & Shib-Origins). Deliverable due: Interim progress report.
Jan-06 – 4th Project Team meeting (demo of production release).
Apr-06 – Final Project Team meeting (sign off project; agree exit plans). Deliverables due: Project Completion Report; Published case study article(s).
Who Needs to be Involved?
• Network account techies
• Athens administrator (in UK)
• Directory admin techies
• Firewall and security techies
• Library IT staff and librarians who know your electronic resources
• Managers for the above!
Where are you now?
• What is your institutional directory?
– Who in the institution “owns” it (and how can you be their friend)?
– How is it updated?
– How do you arrange to change it?
– Or should you be considering a new directory solution?
– Does it contain all the information likely to be needed for resources protected with Shibboleth?
• How do you currently handle user account management?
– Are user credentials secure enough for single-sign-on use outside the institution?
• Do you already use a Web ISO solution such as pubcookie?
• Where will you install the Shibboleth Identity Provider?
– On what type of machine?
– How are you planning to connect it to the institutional directory?
Case Study 1: Small Research Institute
• Approach
– Used in-house cookie authentication system as backend, and Novell eDirectory as institutional directory
– Updates performed on live directory server with no problems
• Difficulties encountered
– Trivial configuration errors simple to fix (when found...)
“Everything is nice and informal, changes to the directory got done quickly on the live service, kit installed and set up without anyone looking over my shoulder, no need for meetings, committees etc.”
But...
“From a professional systems point of view some testing on a dev system would have been a good idea. Things turned out OK though so shouldn't complain.”
Case Study 2: Large Undergraduate College
• Approach
– Used mod_auth_ldap for authentication, IPlanet LDAP server as institutional directory (but separate test server with limited number of accounts used for initial IdP installation)
– Institutional wildcard certificate used to certify Shib communications
• Difficulties encountered
– Difficulty installing IdP; resolved by moving from RH Fedora to RHE3
Large team makes it easy to find relevant experience for solving installation problems
But...
Bureaucracy makes life harder
From Project to Production
• Most institutions set up first Shib IdP in project context
• Limited (but rapidly growing) number of resources available via Shibboleth
– (the Shib-to-Athens Gateway is particularly useful for this)
– …but we don’t want it to inhibit ‘proper’ adoption of Shib by vendors!
• Few will want to take a “big bang” approach and replace all existing, “working-well-enough” authentication regimes with Shibboleth at one go
• Prioritise resources – need to balance usefulness against ease of changeover
– May require contacting publishers, which can help persuade them to implement Shib if not doing it yet
• Consider new installation of IdP for production
– Ideal for teaching mainstream IT staff to understand Shib & be able to support it
– See ‘Shib for Sysadmins’ package
[Shib@LSE SysAdmins resources page]
Communication with Users
• Renewing documentation probably needs to be done anyway
• ...so take the opportunity to think about how electronic resources / security issues / authentication issues are presented
• Do you want to mention Shibboleth by name?
– (Most users should never really see it in action...unless it goes wrong)
• At LSE, lengthy description of Athens authorisation system was replaced by simple paragraph about use of network credentials to access most resources with information on how to find documentation for other resources
[LSEforYou Library passwords result page]
(JISC) Institutional Participation planning
ShibboLEAP Project: www.angel.ac.uk/ShibboLEAP/
Shibboleth @ LSE resources: www.angel.ac.uk/ShibbolethAtLSE/
JISC Middleware programmes: www.jisc.ac.uk/programme_middleware.html
JISC Middleware documents: www.jisc.ac.uk/middleware_documents.html
UK federation developments: www.jisc.ac.uk/federation.html
[email protected]