JISC Metaleth Project: Athens, Shibboleth and the University of Bristol, 29th January 2007


JISC Metaleth Project

Athens, Shibboleth and the University of Bristol

29th January 2007


Outline

• What changes to access management are JISC proposing?
  – What is Shibboleth?
• What will these changes mean
  – For end-users?
  – For UoB staff?
• What are the timescales?
• What are the UoB plans?


What is happening?

• JISC is aiming to improve the way in which users access resources throughout the UK educational sector
  – Goal: to allow users to access internal and external resources seamlessly using a single, institutionally controlled identity
  – Reduce substantially (if not eliminate altogether) current problems in which users are required to maintain multiple passwords for multiple resources in multiple domains


What is happening? (2)

• JISC support for Athens will cease
  – Athens will be available as a paid-for service
• New JISC strategy based on Shibboleth technology, a new standards-based approach in this area


Why the move from Athens?

• Relies on separate credentials
  – Forgotten or written down (a security issue)
  – Shibboleth uses local credentials
• Demand for more sophisticated systems for enabling access to materials and resources
  – Shibboleth’s flexible design provides a good basis for meeting these demands.


What is Shibboleth?

• Federated access management framework
  – Federation of Identity Providers (IdPs) and Service Providers (SPs)
• No central identity service
  – SPs talk to user’s IdP
  – Authorisation decisions based on IdP-provided information
• Federation provides trust fabric
  – Allows SPs and IdPs to trust each other


What is Shibboleth? (2)

• Acknowledgement:
  – Taken from SWITCH AAI


What is Shibboleth? (3)

• For web services only
• Integrated with local authentication
  – Single Sign On
    • CAS in UoB case
• Location independent
  – Won’t necessarily provide UoB IP address to those services that use IP addresses to make authorisation decisions
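
An added sketch, not part of the original slides, of how a Service Provider could apply the points above: it accepts only IdPs known to the federation, decides on IdP-released attributes, and shows why an IP-address check fails for the same user off campus. The entity IDs, scopes, network range, licence list and the choice of eduPersonScopedAffiliation as the attribute are assumptions.

```python
import ipaddress

# Constructed sample data: entity IDs, scopes, the licence list and the
# network range are placeholders, not real federation or UoB values.
FEDERATION = {  # trusted IdP entity ID -> scope it may assert values for
    "https://idp.uni-a.example/shibboleth": "uni-a.example",
    "https://idp.uni-b.example/shibboleth": "uni-b.example",
}
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
LICENSED = {"member@uni-a.example", "staff@uni-a.example"}
ATTR = "eduPersonScopedAffiliation"  # assumed attribute; the slides name none


def authorise_by_ip(client_ip):
    """Location-based check: depends on where the request comes from."""
    return ipaddress.ip_address(client_ip) in CAMPUS_NET


def authorise_by_attributes(assertion):
    """Federated check: depends on what a trusted IdP says about the user.

    `assertion` stands for an assertion whose signature has already been
    verified against federation metadata; that step is not shown here.
    """
    scope = FEDERATION.get(assertion.get("issuer"))
    if scope is None:  # trust fabric: IdP is not a federation member
        return False, "issuer not in federation"
    for value in assertion.get("attributes", {}).get(ATTR, []):
        # Accept only values scoped to the asserting IdP's own organisation.
        if value in LICENSED and value.endswith("@" + scope):
            return True, value
    return False, "no licensed affiliation released"


# Constructed requests: an off-campus Uni A member, an unknown IdP, and a
# federation member asserting an affiliation outside its own scope.
OFF_CAMPUS = {"issuer": "https://idp.uni-a.example/shibboleth",
              "attributes": {ATTR: ["member@uni-a.example"]}}
UNKNOWN_IDP = {"issuer": "https://idp.unknown.example/shibboleth",
               "attributes": {ATTR: ["member@uni-a.example"]}}
WRONG_SCOPE = {"issuer": "https://idp.uni-b.example/shibboleth",
               "attributes": {ATTR: ["member@uni-a.example"]}}

if __name__ == "__main__":
    print(authorise_by_ip("203.0.113.7"))  # off-campus address
    for a in (OFF_CAMPUS, UNKNOWN_IDP, WRONG_SCOPE):
        print(a["issuer"], authorise_by_attributes(a))
```
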


What changes will there be for end-users?

• Single Sign On extended
  – To UoB resources protected by CAS SSO
  – To third-party resources protected by Athens or Shibboleth
• Users will have to negotiate new WAYF step
  – Techniques to reduce the impact of this


What changes will there be for UoB staff?

• No more separate Athens identity management
  – Users will login to UoB SSO when visiting external protected resources
• In time, no separate account management for non-UoB users
  – e.g. external Blackboard users


What changes will there be for UoB staff? (2)

• UoB will have to run (or outsource) a Shibboleth IdP
  – Linked to LDAP and CAS SSO
  – One for the techies
• Attribute exchange with resource providers will have to be managed
  – Again, one for the techies


What support is there?

• JISC-provided UK Access Management Federation for Education and Research
• UoB experience from JISC-funded pilot project
  – Metaleth (Metalib + Shibboleth)
• A Shibboleth to Athens gateway
  – Provided by Eduserv


What is the time frame?

• JISC asking institutions to recognise this change within their IT strategies for the next two years
  – Athens contract with JISC renewed until July 2008
  – Will run in parallel to the UK access management federation and the Athens/Shibboleth gateway
• From July 2008, JISC will support access management through the UK access management federation
  – Athens will become a paid-for service


What are the next steps we need to take?

• UoB currently evaluating alternate approaches
  – Run the Shibboleth infrastructure ourselves
    • Identity provision, Attribute Authority
  – Outsource to Eduserv


What are the next steps we need to take? (2)

• Project starts in April
  – Goal: replace Athens at UoB for the Autumn
• Tasks:
  – A production Shibboleth IdP
  – Transfer of current Athens-protected resources
    • Shibboleth directly or via Athens/Shibboleth gateway
  – Policy decisions to be taken regarding attribute release and privacy
  – Managing the change-over for end-users
    • Documentation, awareness raising


Further Information

• JISC Access Management
  – http://www.jisc.ac.uk/whatwedo/themes/access_management.aspx
• UK Access Management Federation for Education and Research
  – http://www.ukfederation.org.uk/
• Shibboleth
  – http://shibboleth.internet2.edu/


Questions?

[email protected]