26-Apr-06 Internet2 Spring Member Meeting, Arlington VA 1 ShibboLEAP: a production model for institutional Shibboleth adoption John Paschoud and Simon McLeish LSE Library Projects Team London School of Economics & Political Science, UK (and thanks to Nicole Harris for JISC programmes updates)


26-Apr-06 Internet2 Spring Member Meeting, Arlington VA 1

ShibboLEAP: a production model for institutional Shibboleth adoption

John Paschoud and Simon McLeishLSE Library Projects Team

London School of Economics & Political Science, UK

(and thanks to Nicole Harris for JISC programmes updates)


JISC Core Middleware Infrastructure Programme

• UK Gov’t ‘Spending Review’ grant (£3.4 million across two years) to achieve specific aim of ‘working federated access management infrastructure’

• Focused activities:

– Shibbolising of JISC resources held at MIMAS and EDINA (national data centres)

– Funding for a support service – MATU at Eduserv

– Early Adopter funding to help institutions implement required technologies (two calls, 26 institutions)

– Regional Early Adopters to explore e-Learning collaborations with federated access

– Funding for initial development of full federated service – UKERNA

– Communications and outreach programme – e.g. letters sent to all HE institutions

• Completes July 2006

• Full federated access management services to be in place by September 2006


JISC Core Middleware Transition Plan

• Moving from a ‘working’ infrastructure to a full production federation (i.e. with critical mass of users) for HE, FE and Schools sector through joint Becta initiative (HE and FE: 641 institutions in the UK)

• Integration of current work plans within JISC Development and JISC Services

• Main workpackages:

– Continued support for current Athens contract (until July 2008)

– Funding for the Athens/Shibboleth gateways

• Allowing Athens authenticated users to access shibboleth protected resources (Athens as super-Identity Provider)

• Allowing institutionally authenticated (via shibboleth) users to access Athens protected resources (Athens as super-Resource Provider)

– Funding for JISC federation @ UKERNA

– Communications and outreach plan

– National and International liaison plan


JISC Core Middleware Timescale (Jan 2005 vn)

[Gantt chart, Jul-03 to Jul-08, with rows: Athens Service; Athens Development; CM: Development; CM: Infrastructure; Contract Neg; Early Adopters and Assisted Take-up; Embedding; Potential Service]

Timescales of Athens contract, development and Core Middleware Development & Infrastructure


JISC Core Middleware timeline (Mar 2006 vn)


The ShibboLEAP Project

• April 05 – April 06; approx £250K JISC funding as ‘Early Adopters’ of Shibboleth

• (no acronym – just a badly-chosen email subject-line that stuck)

• 6 other University of London Colleges, assisted by LSE with technical expertise & project management

• Already associated because they were participating in the (national) SHERPA pilot of Eprints as institutional repository

• (LEAP = London Eprints Access Project)

• The SHERPA-LEAP consortium

– Birkbeck College

– Imperial College

– King’s College London

– London School of Economics & Political Science

– Royal Holloway College

– School of Oriental & African Studies

– University College London


ShibboLEAP partners

• …a diverse collection of institutions - all on our doorstep!

– Some have lots of undergraduates studying diverse subjects

– Some are focused on small range of subjects

– Some concentrate on postgraduate studies and research

– Some focus on continuing education

– All have well-regarded research programmes

• Most already had LDAP directories of users

– Some used project to replace existing directories

– Most common software: Active Directory

– None had eduPerson object class installed

• Size and formality of IT department varied widely (~5 - ~35 network/internet techies)

• …but quite a useful lot to get the UK Shibboleth ball rolling!

– Total ‘population’ of LSE =~ 10,000

– Total ‘population’ of consortium =~ 150,000+


Project objectives

• Enable full Shib IdP for all users at each of the 7 partners

– Using their existing directory & other infrastructure services where possible …whatever they are (THE TRICKY BIT!)

• Access via Shibboleth to external resources which is:

– secure: limited to those people that are truly entitled to access the resource

– accountable: through Shibboleth log files and institutional systems abusers can be tracked and dealt with

– up-to-date: leavers are quickly and accurately prevented from further access while newcomers are granted access straight away

• Enable Eprints software as a Shib SP

– As fully as possible within the project budget & timescale

– Contributed back to OSS development of Eprints

• Produce a documented production process for Shib implementation by others


Role-based access in an ‘open’ archive Institutional Repository

• (‘Open’ as in Open Archives Initiative - based on Eprints or another harvestable repository server like DSpace, etc)

• Who is permitted to do what:

– deposit papers (your own academics)

– add & edit metadata (library staff who know what metadata is)

– authorise publication (1 or 2 administrators)

• Some (at least) of these roles should be derivable from existing directory attributes…

– ePSA = ‘[email protected]

– ePSA = ‘[email protected] AND ou = ‘library’

– ePE = ‘EprintsAdmin’
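The attribute-to-role rules above, worked through as an added example (not code from the original slides, from ShibboLEAP or from Eprints): it maps the attributes a Shibboleth SP passes on (eduPersonScopedAffiliation, ou, eduPersonEntitlement) to the three repository roles, and accepts a scoped affiliation only when its scope is the institution's own, so a value scoped to some other domain grants nothing. The scope example.ac.uk and the role names are constructed placeholders.

```python
"""Derive Eprints repository roles from Shibboleth attributes (added example)."""
from __future__ import annotations

# Constructed placeholder: the institution's scope (the slide's value is redacted).
INSTITUTION_SCOPE = "example.ac.uk"

# Constructed role names for the three activities listed on the slide.
ROLE_DEPOSIT = "deposit"                    # deposit papers (own academics)
ROLE_EDIT_METADATA = "edit_metadata"        # add & edit metadata (library staff)
ROLE_AUTHORISE = "authorise_publication"    # authorise publication (administrators)


def split_multivalued(value: str) -> list[str]:
    """Shibboleth SP joins multi-valued attributes with ';' when exporting them."""
    return [v.strip() for v in value.split(";") if v.strip()]


def scoped_affiliations(values: list[str], allowed_scope: str) -> set[str]:
    """Keep only affiliations whose scope is the institution's own.

    The scope check is the security-relevant step: an affiliation asserted
    for another scope (e.g. staff@somewhere-else) must not confer rights here.
    """
    kept: set[str] = set()
    for v in values:
        if "@" not in v:
            continue                        # unscoped value: ignore it
        affiliation, scope = v.rsplit("@", 1)
        if scope.lower() == allowed_scope.lower():
            kept.add(affiliation.lower())
    return kept


def derive_roles(attrs: dict[str, str], scope: str = INSTITUTION_SCOPE) -> set[str]:
    """Apply the slide's three rules to one user's released attributes."""
    affils = scoped_affiliations(
        split_multivalued(attrs.get("eduPersonScopedAffiliation", "")), scope)
    ous = {v.lower() for v in split_multivalued(attrs.get("ou", ""))}
    entitlements = set(split_multivalued(attrs.get("eduPersonEntitlement", "")))

    roles: set[str] = set()
    if "staff" in affils:                   # ePSA = 'staff@<scope>'
        roles.add(ROLE_DEPOSIT)
        if "library" in ous:                # ... AND ou = 'library'
            roles.add(ROLE_EDIT_METADATA)
    if "EprintsAdmin" in entitlements:      # ePE = 'EprintsAdmin'
        roles.add(ROLE_AUTHORISE)
    return roles
```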


[example of SOAS IR org-browse]


[example of LSE IR dat-browse]


Project management

• Herding cats???

• Regular Library and IT service staff involved at each site

– Two posts funded part-time by project

• High-level buy-in (service directors)

– Some cooperation; Some competition

• Focussed Project Management Board governance

– Defined tasks for each planned meeting throughout project

• Easy-to-measure (although bogus) primary objective

– Shib access to Eprints repository works…

– …so everything else will!

• Few critical inter-dependencies

– So low risk of ‘failure’


Key milestones

Apr-05: Identify key staff and technical resources. 1st Project Team meeting (approve Project Plan). Deliverable due: Project Plan.

Jul-05: 2nd Project Team meeting (approve Eprints dev spec; approve Shib-Origin architectures). Deliverables due: Eprints Shib-Target spec; Shib-Origin architecture plans.

Oct-05: 3rd Project Team meeting (review Project Plan progress; demo of Alpha release & Shib-Origins). Deliverable due: Interim progress report.

Jan-06: 4th Project Team meeting (demo of production release).

Apr-06: Final Project Team meeting (sign off project; agree exit plans). Deliverables due: Project Completion Report; Published case study article(s).


Who Needs to be Involved?

• Network account techies

• Athens administrator (in UK)

• Directory admin techies

• Firewall and security techies

• Library IT staff and librarians who know your electronic resources

• Managers for the above!


Where are you now?

• What is your institutional directory?

– Who in the institution “owns” it (and how can you be their friend)?

– How is it updated?

– How do you arrange to change it?

– Or should you be considering a new directory solution?

– Does it contain all the information likely to be needed for resources protected with Shibboleth?

• How do you currently handle user account management?

– Are user credentials secure enough for single-sign-on use outside the institution?

• Do you already use a Web ISO solution such as pubcookie?

• Where will you install the Shibboleth Identity Provider?

– On what type of machine?

– How are you planning to connect it to the institutional directory?


Case Study 1: Small Research Institute

• Approach

– Used in-house cookie authentication system as backend, and Novell eDirectory as institutional directory

– Updates performed on live directory server with no problems

• Difficulties encountered

– Trivial configuration errors simple to fix (when found...)

“Everything is nice and informal, changes to the directory got done quickly on the live service, kit installed and set up without anyone looking over my shoulder, no need for meetings, committees etc.”

But...

“From a professional systems point of view some testing on a dev system would have been a good idea. Things turned out OK though so shouldn't complain.”


Case Study 2: Large Undergraduate College

• Approach

– Used mod_auth_ldap for authentication, IPlanet LDAP server as institutional directory (but separate test server with limited number of accounts used for initial IdP installation)

– Institutional wildcard certificate used to certify Shib communications

• Difficulties encountered

– Difficulty installing IdP; resolved by moving from RH Fedora to RHE3

Large team makes it easy to find relevant experience for solving installation problems

But...

Bureaucracy makes life harder


From Project to Production

• Most institutions set up first Shib IdP in project context

• Limited (but rapidly growing) number of resources available via Shibboleth

– (the Shib-to-Athens Gateway is particularly useful for this)

– …but we don’t want it to inhibit ‘proper’ adoption of Shib by vendors!

• Few will want to take a “big bang” approach and replace all existing, “working-well-enough” authentication regimes with Shibboleth at one go

• Prioritise resources – need to balance usefulness against ease of changeover

– May require contacting publishers, which can help persuade them to implement Shib if not doing it yet

• Consider new installation of IdP for production

– Ideal for teaching mainstream IT staff to understand Shib & be able to support it

– See ‘Shib for Sysadmins’ package


[Shib@LSE SysAdmins resources page]


Communication with Users

• Renewing documentation probably needs to be done anyway

• ...so take the opportunity to think about how electronic resources / security issues / authentication issues are presented

• Do you want to mention Shibboleth by name?

– (Most users should never really see it in action...unless it goes wrong)

• At LSE, lengthy description of Athens authorisation system was replaced by simple paragraph about use of network credentials to access most resources, with information on how to find documentation for other resources


[LSEforYou Library passwords result page]


(JISC) Institutional Participation planning


ShibboLEAP Project: www.angel.ac.uk/ShibboLEAP/

Shibboleth @ LSE resources: www.angel.ac.uk/ShibbolethAtLSE/

JISC Middleware programmes: www.jisc.ac.uk/programme_middleware.html

JISC Middleware documents: www.jisc.ac.uk/middleware_documents.html

UK federation developments: www.jisc.ac.uk/federation.html

[email protected]