MATU: Middleware Assisted Take Up Service
For JISC Funded Early Adopters
Steve Edwards - MATU - Windermere
14 – 15 November 2005

Where We Are From - Eduserv
Eduserv is a not-for-profit IT services group
  – born from services developed within universities
The Eduserv Foundation
  – funds initiatives supporting application of IT in education
Over 10 years' experience delivering Access Management
  – Athens
Contracted by the JISC to provide the MATU service
  – assist HE & FE with early adoption of Shibboleth

MATU Objectives
Middleware Assisted Take Up Service
  – A JISC sponsored Eduserv Service
Support JISC Core Middleware Project Early Adopters
Provide a central repository
  – information
  – advice
  – training

The Problem Shibboleth® Addresses
Users accessing many different systems
  – proliferation of credentials
  – one pair of credentials per resource
  – forgotten passwords
  – Security & Integrity compromised abc123 issue
  – passwords sent in the clear and shared
  – proprietary systems – locked in
  – no organisational control centre

What Shibboleth® is NOT
NOT an all-in-one identity management solution
  – one of many components
NOT an authentication or a SSO system
  – need to plug one in (CAS, pubcookie, …)
NOT an Attribute Store
  – need to plug one in (Directory, Database, …)
NOT a fixed specification
  – ongoing evolution

Internet2
Collection of over 200 U.S. Universities involved in a wide variety of initiatives:
  – advanced network applications
  – research and higher education
  – creating tomorrow's Internet
Wide variety of:
  – Groups: Working, Specialist Interest, Advisory, …
  – Initiatives

Internet2 - Middleware Initiative
Initiatives:
  – Shibboleth®
  – eduPerson
both of which are under the umbrella of MACE
Other MACE activities:
  – Grouper
  – Middleware End-To-End Diagnostics Advisory Group
  – Signet

Internet2 - Shibboleth®
Share secured online services
Control access to restricted digital content
Leverages campus identity and access management infrastructures
  – authenticate individual users
  – sends information about users to resource site
  – enables resource provider to make authorisation decisions
Common SSO layer over existing systems

What is a Federation …
Group of organizations sharing a set of agreed policies, rules for access to online resources
  – enable the members to establish trust and shared understanding of language or terminology
  – provide a structure / legal framework that enables authentication and authorization
Supporting technologies:
  – Shibboleth
  – SAML

SWITCHaai - Switzerland Useful demo SWITCHaai: -
SWITCHaai - Process Demo
Adoption History - World Wide … Europe –SWITCH - AAI - Switzerland Authentication & Authorization Infrastructure 8 universities, > 110k users –integrated user directories into AAI e-learning shared resources –> 10k users on a regular basis –HAKA - Finland Identity Federation of Universities
… Adoption History - World Wide
USA
  – widespread adoption by educational and commercial organisations
Australia
  – MAMS
      Meta Access Management System
      Macquarie - lead University

Adoption History - UK …
Started with Core Middleware Programme
  – started July 2004 / first trial November 2004
  – strategic initiative
A subset - Early Adopters
  – over 20 H.E. institutions
  – includes e-Learning strand
  – interim reports available

… Adoption History - UK
Bodington
  – open source Virtual Learning Environment / Learning Management System
  – supports teaching and learning across entire range of learning institutions
  – UK and worldwide
Guanxi Project
  – UHI - University of Highlands and Islands
  – institutional collaborations
  – e-learning & e-delivery

UK Federations Athens UK Shibboleth Federation –production federation SDSS project at EDINA –building development Shibboleth federation … academic online resources –put in place essential technical components –provide environment to assist other projects JISC –Core Middleware: Infrastructure Programme –SWISh, Gilead,
JISC - Shibboleth®
The Joint Information Systems Committee
  – UK HE / FE support organisation
JISC - Middleware Adoption
  – funding a major initiative - 4 years
  – access to internally and externally produced resources is a one step process for users
  – development of next generation access management system based on Shibboleth
  – UK Federation

MATU Support - Ethos / Approach
"One Stop Shop"
  – Informed
  – Authoritative
  – Impartial
Avoid dilution of message and advice
Long term individual relationships
Mutual support – cyclical
  – we also need assistance & feedback
  – returned to early adopters community

MATU People
Service Manager - Richard Dunning
  – operations and project specialist
Service Analyst - Richard Annett
  – formerly DSP and AthensDA support
Trainer - Steve Edwards
  – consulting & development: J2EE, XML, Web Services
  – International activities: IBM, BEA, …
Others involved include:
  – James Mulhern, project director, head of R & D
  – David Orrell, technical architect heavily involved in the middleware arena nationally & internationally

MATU Service
A Comprehensive Website
  – FAQs, Guidance, Installation guides, business cases, downloads
Software downloads
  – Internet2 software
  – Eduserv software
  – Other software e.g. Guanxi
Service desk
  – Telephone and support
  – Access to some of the leading experts on Access Management and Shibboleth
  – Test infrastructure
Training
  – Seminars / Workshops
  – Conferences

MATU Assisted Projects
Twenty projects in total comprising:
  – Over 20 early adopter projects
      16 institutions
  – 9 e-learning strand early adopter projects
      11 institutions
new projects to be announced mid-November 2005

Workshops & Events
October
  – Introduction to Shibboleth: v1.3 - IdP & SP
November
  – JISC Conference
December
  – Introduction to Shibboleth: v1.3 - IdP & SP
      October workshop repeated for new project intake
January
  – Deploying Shibboleth: v1.3 IdP
  – Deploying Shibboleth: v1.3 SP
  – LDAP - Lightweight Directory Access Protocol
February
  – Federations and the Law

Current Activities
Getting to know the projects
  – aims: give early adopters confidence
  – get early adopters to outline their projects
  – form relationships
  – help with problem solving at an early stage
One-to-one meetings with project owners include:
  – University of Essex (Chimera)
  – London School of Economics
  – University of Essex (UK Data Archive (SAFARI))
  – Liverpool University
  – University of Nottingham
  – University of Bristol
  – University of Exeter
  – University of Cardiff
  – University of Staffordshire

Shibboleth / Athens Interoperability
Eduserv's JISC contract for Access Management services to UK HE & FE commits us to delivering full Shibboleth Athens interoperability:
Athens Federation
  – providing a governance framework for Athens registered organisations and online resources
Athens Identity Manager (AthensIM)
  – fully supported and standalone Shibboleth Identity Provider (origin) software
Shibboleth to Athens Gateway
  – providing Shibboleth-enabled organisations access to Athens-enabled resources

Prerequisites
User IDs and credentials
  – Database
  – Directory
  – Flat files
A web-based Single Sign-On System
  – e.g. Pubcookie, Yale CAS, Bespoke
Network & Server Infrastructure
Skilled People

Getting Started? MATU Support
Think carefully about how you are going to use Shibboleth
  – who and where are your users
  – what are you looking to access / share / protect
  – what Federation is best for you
Make sure you know who you and your stakeholders are!
  – Identity Provider
  – Service Provider
  – both!
Align your Access Management to your IT strategy
  – and adapt
Align your Attribute Release Policy with Institutional DP & Privacy
Ensure you have all the necessary building blocks
  – A populated Information Store
  – A Web SSO system
Plan how you are going to deliver and resource your new service
Decide what software is best for you

Advice to Projects
Plan
  – especially access to institutional data
Keep it simple
  – limit the use of user attributes at least initially
Try, test, prototype
  – but avoid live kit
Put the necessary prerequisites in place
Weigh up privacy v. personalisation
Do not go it alone

And Now?
MATU is here to support early adopters in using Shibboleth
We want to:
  – talk to them
  – understand their requirements
      to ensure a smoother start
      to assist with minimising problems

Contact Us
Contact the MATU team at:
Postal address:
  – Eduserv MATU, Queen Anne House, 11 Charlotte Street, Bath BA1 2NE
Phone:
Fax:
Website: –