MATU: Middleware Assisted Take Up ServiceFor JISC Funded Early Adopters

Steve Edwards - MATU - Windermere 14 – 15 November 2005

Where We Are From - Eduserv

• Eduserv is a not-for-profit IT services group– born from services developed within universities

• The Eduserv Foundation– funds initiatives supporting application of IT in education

• Over 10 years experience delivering Access Management– Athens

• Contracted by the JISC to provide the MATU service– assist HE & FE with early adoption of Shibboleth

MATU Objectives

• Middleware Assisted Take Up Service– A JISC sponsored Eduserv Service

• Support JISC Core Middleware Project Early Adopters

• Provide a central repository– information

– advice

– training

The Problem Shibboleth® Addresses

• Users accessing many different systems– proliferation of credentials

– one pair of credentials per resource

– forgotten passwords

– Security & Integrity compromised

• “abc123” issue

– passwords sent in the clear and shared

– proprietary systems – locked in

– no organisational control centre

What Shibboleth® is NOT

• NOT an all-in-one identity management solution– one of many components

• NOT an authentication or a SSO system– need to plug one in (CAS, pubcookie, …)

• NOT an Attribute Store– need to plug one in (Directory, Database, …)

• NOT a fixed specification– ongoing evolution

Internet2

• Collection of over 200 U.S. Universities involved in a wide variety of initiatives:

– advanced network applications

– research and higher education

– creating tomorrow’s Internet

• Wide variety of:– Groups

• Working, Specialist Interest, Advisory, …

– Initiatives

Internet2 - Middleware Initiative

• Initiatives:– Shibboleth®

– eduPerson

• both of which are under umbrella of MACE

• Others MACE activities:– Grouper

– Middleware End-To-End Diagnostics Advisory Group

– Signet

Internet2 - Shibboleth®

• Share secured online services

• Control access to restricted digital content

• Leverages campus identity and access management infrastructures

– authenticate individual users

– sends information about users to resource site

– enables resource provider to make authorisation decisions

• Common SSO layer over existing systems

What is a Federation …

• Group of organizations sharing set of agreed policies, rules for access to online resources

– enable the members to establish trust and shared understanding of language or terminology

– provide a structure / legal framework that enables authentication and authorization

• Supporting technologies:– Shibboleth

– SAML

SWITCHaai - Switzerland

• Useful demo

SWITCHaai:

- http://www.switch.ch/aai/

SWITCHaai - Process Demo

Adoption History - World Wide …

• Europe

– SWITCH - AAI - Switzerland

• Authentication & Authorization Infrastructure

• 8 universities, > 110k users– integrated user directories into AAI

• e-learning shared resources– > 10k users on a regular basis

– HAKA - Finland

• Identity Federation of Universities

… Adoption History - World Wide

• USA– widespread adoption by educational and

commercial organisations

• Australia– MAMS

• Meta Access Management System

• Macquarie - lead University

Adoption History - UK …

• Started with Core Middleware Programme– started July 2004 / first trial November 2004

– strategic initiative

• A subset - Early Adopters– over 20 H.E. institutions

– includes e-Learning strand

– interim reports available

… Adoption History - UK

• Bodington– open source Virtual Learning Environment /

Learning Management System

– supports teaching and learning across entire range of learning institutions

– UK and worldwide

• Guanxi Project– UHI - University of Highlands and Islands

– institutional collaborations

– e-learning & e-delivery

UK Federations

• Athens UK Shibboleth Federation– production federation

• SDSS project at EDINA– building development Shibboleth federation

… academic online resources– put in place essential technical components– provide environment to assist other projects

• JISC– Core Middleware: Infrastructure Programme– SWISh, Gilead,

JISC - Shibboleth®

• The Joint Information Systems Committee– UK HE / FE support organisation

• JISC - Middleware Adoption– funding a major initiative - 4 years

– access to internally and externally produced resources is a one step process for users

– development of next generation access management system based on Shibboleth

– UK Federation

MATU Support - Ethos / Approach

• "One Stop Shop"– Informed

– Authoritative

– Impartial

• Avoid dilution of message and advice

• Long term individual relationships

• Mutual support – cyclical– we also need assistance & feedback

– returned to early adopters community

MATU People

• Service Manager - Richard Dunning– operations and project specialist

• Service Analyst - Richard Annett– formerly DSP and AthensDA support

• Trainer - Steve Edwards– consulting & development: J2EE, XML, Web Services

– International activities: IBM, BEA, …

• Others involved include:– James Mulhern

• project director, head of R & D

– David Orrell

• technical architect heavily involved in the middleware arena nationally & internationally

MATU Service

• A Comprehensive Website– FAQS, Guidance, Installation guides, business cases,

downloads

• Software downloads– Internet2 software– Eduserv software– Other software e.g. Guanxi

• Service desk– Telephone and Email support– Access to some of the leading experts on Access

Management and Shibboleth– Test infrastructure

• Training– Seminars / Workshops– Conferences

MATU Assisted Projects

• Twenty projects in total comprising of:– Over 20 early adopter projects

• 16 institutions

– 9 e-learning strand early adopter projects

• 11 institutions

• 15-18 new projects to be announcedmid-November 2005

Workshops & Events

• October– Introduction to Shibboleth: v1.3 - IdP & SP

• November– JISC Conference

• December– Introduction to Shibboleth: v1.3 - IdP & SP

• October workshop repeated for new project intake

• January– Deploying Shibboleth: v1.3 IdP

– Deploying Shibboleth: v1.3 SP

– LDAP - Lightweight Directory Access Protocol

• February– Federations and the Law

Current Activities

• Getting to know the projects– aims: give early adopters confidence – get early adopters to outline their projects– form relationships – help with problem solving at an early stage

• One-to-one meetings with project owners include:

– University of Essex (Chimera)– London School of Economics– University of Essex (UK Data Archive (SAFARI))– Liverpool University – University of Nottingham– University of Bristol– University of Exeter – University of Cardiff– University of Staffordshire

Shibboleth / Athens Interoperability

Eduserv's JISC contract for Access Management services to UK HE & FE, commits us to delivering full Shibboleth Athens interoperability:

•Athens Federation– providing a governance framework for Athens

registered organisations and online resources

•Athens Identity Manager (AthensIM)– fully supported and standalone Shibboleth Identity

Provider (origin) software

•Shibboleth to Athens Gateway– providing Shibboleth-enabled organisations access to

Athens-enabled resources

Prerequisites

• Users IDs and credentials– Database

– Directory

– Flat files

• A web-based Single Sign-On System– e.g.

• Pubcookie

• Yale CAS

• Bespoke

• Network & Server Infrastructure

• Skilled People

Getting Started?

• MATU Support• Think carefully about how you are going to use Shibboleth

– who and where are your users– what are you looking to access / share / protect– what Federation is best for you

• Make sure you know who you and your stakeholders are!– Identity Provider– Service Provider– both!

• Align your Access Management to your IT strategy– and adapt

• Align your Attribute Release Policy with Institutional DP & Privacy• Ensure you have all the necessary building blocks

– A populated Information Store– A Web SSO system

• Plan how you are going to deliver and resource your new service• Decide what software is best for you

Advice to Projects

• Plan– especially access to institutional data

• Keep it simple– limit the use of user attributes

• at least initially

• Try, test, prototype– but avoid live kit

• Put the necessary prerequisites in place

• Weigh up privacy v. personalisation

• Do not go it alone

And Now?

• MATU is here to support early adopters in using Shibboleth

• We want to:– talk to them

– understand their requirements

• to ensure a smoother start

• to assist with minimising problems

Contact Us

• Contact the MATU team at:– support@matu.ac.uk

• Postal address:– Eduserv MATU

Queen Anne House11 Charlotte StreetBath BA1 2NEPhone: 01225 474373Fax: 01225 474332

• Website:– www.matu.ac.uk