MATU: Middleware Assisted Take Up Service For JISC Funded Early Adopters
Steve Edwards - MATU - Windermere 14 – 15 November 2005
Where We Are From - Eduserv
• Eduserv is a not-for-profit IT services group
– born from services developed within universities
• The Eduserv Foundation
– funds initiatives supporting application of IT in education
• Over 10 years' experience delivering Access Management
– Athens
• Contracted by the JISC to provide the MATU service
– assist HE & FE with early adoption of Shibboleth
MATU Objectives
• Middleware Assisted Take Up Service
– A JISC sponsored Eduserv Service
• Support JISC Core Middleware Project Early Adopters
• Provide a central repository
– information
– advice
– training
The Problem Shibboleth® Addresses
• Users accessing many different systems
– proliferation of credentials
– one pair of credentials per resource
– forgotten passwords
– Security & Integrity compromised
• “abc123” issue
– passwords sent in the clear and shared
– proprietary systems – locked in
– no organisational control centre
What Shibboleth® is NOT
• NOT an all-in-one identity management solution
– one of many components
• NOT an authentication or a SSO system
– need to plug one in (CAS, pubcookie, …)
• NOT an Attribute Store
– need to plug one in (Directory, Database, …)
• NOT a fixed specification
– ongoing evolution
Internet2
• Collection of over 200 U.S. Universities involved in a wide variety of initiatives:
– advanced network applications
– research and higher education
– creating tomorrow’s Internet
• Wide variety of:
– Groups
• Working, Specialist Interest, Advisory, …
– Initiatives
Internet2 - Middleware Initiative
• Initiatives:
– Shibboleth®
– eduPerson
• both of which are under umbrella of MACE
• Other MACE activities:
– Grouper
– Middleware End-To-End Diagnostics Advisory Group
– Signet
Internet2 - Shibboleth®
• Share secured online services
• Control access to restricted digital content
• Leverages campus identity and access management infrastructures
– authenticate individual users
– sends information about users to resource site
– enables resource provider to make authorisation decisions
• Common SSO layer over existing systems
What is a Federation …
• Group of organizations sharing set of agreed policies, rules for access to online resources
– enable the members to establish trust and shared understanding of language or terminology
– provide a structure / legal framework that enables authentication and authorization
• Supporting technologies:
– Shibboleth
– SAML
SWITCHaai - Switzerland
• Useful demo
SWITCHaai:
- http://www.switch.ch/aai/
SWITCHaai - Process Demo
Adoption History - World Wide …
• Europe
– SWITCH - AAI - Switzerland
• Authentication & Authorization Infrastructure
• 8 universities, > 110k users
– integrated user directories into AAI
• e-learning shared resources
– > 10k users on a regular basis
– HAKA - Finland
• Identity Federation of Universities
… Adoption History - World Wide
• USA
– widespread adoption by educational and commercial organisations
• Australia
– MAMS
• Meta Access Management System
• Macquarie - lead University
Adoption History - UK …
• Started with Core Middleware Programme
– started July 2004 / first trial November 2004
– strategic initiative
• A subset - Early Adopters
– over 20 H.E. institutions
– includes e-Learning strand
– interim reports available
… Adoption History - UK
• Bodington
– open source Virtual Learning Environment / Learning Management System
– supports teaching and learning across entire range of learning institutions
– UK and worldwide
• Guanxi Project
– UHI - University of Highlands and Islands
– institutional collaborations
– e-learning & e-delivery
UK Federations
• Athens UK Shibboleth Federation
– production federation
• SDSS project at EDINA
– building development Shibboleth federation
… academic online resources
– put in place essential technical components
– provide environment to assist other projects
• JISC
– Core Middleware: Infrastructure Programme
– SWISh, Gilead,
JISC - Shibboleth®
• The Joint Information Systems Committee
– UK HE / FE support organisation
• JISC - Middleware Adoption
– funding a major initiative - 4 years
– access to internally and externally produced resources is a one step process for users
– development of next generation access management system based on Shibboleth
– UK Federation
MATU Support - Ethos / Approach
• "One Stop Shop"
– Informed
– Authoritative
– Impartial
• Avoid dilution of message and advice
• Long term individual relationships
• Mutual support – cyclical
– we also need assistance & feedback
– returned to early adopters community
MATU People
• Service Manager - Richard Dunning
– operations and project specialist
• Service Analyst - Richard Annett
– formerly DSP and AthensDA support
• Trainer - Steve Edwards
– consulting & development: J2EE, XML, Web Services
– International activities: IBM, BEA, …
• Others involved include:
– James Mulhern
• project director, head of R & D
– David Orrell
• technical architect heavily involved in the middleware arena nationally & internationally
MATU Service
• A Comprehensive Website
– FAQS, Guidance, Installation guides, business cases, downloads
• Software downloads
– Internet2 software
– Eduserv software
– Other software e.g. Guanxi
• Service desk
– Telephone and Email support
– Access to some of the leading experts on Access Management and Shibboleth
– Test infrastructure
• Training
– Seminars / Workshops
– Conferences
MATU Assisted Projects
• Twenty projects in total comprising:
– Over 20 early adopter projects
• 16 institutions
– 9 e-learning strand early adopter projects
• 11 institutions
• 15-18 new projects to be announced mid-November 2005
Workshops & Events
• October
– Introduction to Shibboleth: v1.3 - IdP & SP
• November
– JISC Conference
• December
– Introduction to Shibboleth: v1.3 - IdP & SP
• October workshop repeated for new project intake
• January
– Deploying Shibboleth: v1.3 IdP
– Deploying Shibboleth: v1.3 SP
– LDAP - Lightweight Directory Access Protocol
• February
– Federations and the Law
Current Activities
• Getting to know the projects
– aims: give early adopters confidence
– get early adopters to outline their projects
– form relationships
– help with problem solving at an early stage
• One-to-one meetings with project owners include:
– University of Essex (Chimera)
– London School of Economics
– University of Essex (UK Data Archive (SAFARI))
– Liverpool University
– University of Nottingham
– University of Bristol
– University of Exeter
– University of Cardiff
– University of Staffordshire
Shibboleth / Athens Interoperability
Eduserv's JISC contract for Access Management services to UK HE & FE commits us to delivering full Shibboleth Athens interoperability:
• Athens Federation
– providing a governance framework for Athens registered organisations and online resources
• Athens Identity Manager (AthensIM)
– fully supported and standalone Shibboleth Identity Provider (origin) software
• Shibboleth to Athens Gateway
– providing Shibboleth-enabled organisations access to Athens-enabled resources
Prerequisites
• Users IDs and credentials
– Database
– Directory
– Flat files
• A web-based Single Sign-On System
– e.g.
• Pubcookie
• Yale CAS
• Bespoke
• Network & Server Infrastructure
• Skilled People
Getting Started?
• MATU Support
• Think carefully about how you are going to use Shibboleth
– who and where are your users
– what are you looking to access / share / protect
– what Federation is best for you
• Make sure you know who you and your stakeholders are!
– Identity Provider
– Service Provider
– both!
• Align your Access Management to your IT strategy
– and adapt
• Align your Attribute Release Policy with Institutional DP & Privacy
• Ensure you have all the necessary building blocks
– A populated Information Store
– A Web SSO system
• Plan how you are going to deliver and resource your new service
• Decide what software is best for you
Advice to Projects
• Plan
– especially access to institutional data
• Keep it simple
– limit the use of user attributes
• at least initially
• Try, test, prototype
– but avoid live kit
• Put the necessary prerequisites in place
• Weigh up privacy v. personalisation
• Do not go it alone
And Now?
• MATU is here to support early adopters in using Shibboleth
• We want to:
– talk to them
– understand their requirements
• to ensure a smoother start
• to assist with minimising problems
Contact Us
• Contact the MATU team at:
– [email protected]
• Postal address:
– Eduserv MATU
Queen Anne House
11 Charlotte Street
Bath BA1 2NE
Phone: 01225 474373
Fax: 01225 474332
• Website:
– www.matu.ac.uk