Web Magazine for Information Professionals

EuroCAMP 2005

Masha Garibyan and Ann Borda report on the first Campus Architecture Middleware Planning workshop in Europe hosted by the Politecnico di Torino.

The rapid expansion of the Web and Internet in recent years has brought many benefits. It has never been easier to access scholarly information from anywhere in the world in real time. However, this information is often held in disparate systems and is protected by a variety of access control mechanisms, such as usernames and passwords. Many users have to struggle with increasingly complicated access control systems in order to access information they require. This is especially the case in Higher and Further Education. One way forward is to offer multiple services and applications within a single institution. It is also crucial to ensure a high level of system interoperability between identity providers (e.g. universities) and resource providers (e.g. JSTOR). This can be achieved with the help of middleware. The Joint Information Systems Committee (JISC) defines middleware as 'a layer of software or 'glue' between the network and applications' [1]. It provides central services such as identification (assigning and managing digital user identities), authentication (identifying who the user is), authorisation (determining what the user is allowed to do), directories and security.

One example of a middleware application is the Shibboleth technology. Shibboleth, developed by US Internet2, is open source software, still under development, that can be used as part of middleware architectures for access management. Shibboleth is about allowing individuals access to a resource based on their role (e.g. affiliation with the home institution) rather than their identity. Shibboleth uses role-based attributes (details about the user) to determine whether or not the user should be given access to a protected resource. The Shibboleth architecture is based on the idea of a federation. A federation is a group of identity providers (e.g. universities) and resource providers (e.g. JSTOR, EBSCO) which agree on a set of common policies, such as the usage of role-based attributes.
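As an added illustration (not Shibboleth's own code, nor anything presented at the workshop), the following Python sketch shows a resource provider making the kind of decision described above: access is granted on role attributes rather than on who the user is, and an affiliation scope that the asserting identity provider is not entitled to use under the federation's policy is rejected. The attribute name eduPersonScopedAffiliation comes from the eduPerson schema; the entityIDs, scopes and federation metadata are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed federation metadata (assumption): the scopes each identity
# provider, keyed by its entityID, is entitled to assert for its users.
FEDERATION_METADATA = {
    "https://idp.example-uni.ac.uk/shibboleth": {"example-uni.ac.uk"},
    "https://idp.example.edu/shibboleth": {"example.edu"},
}


@dataclass
class Assertion:
    """Attribute statement received from an identity provider (constructed)."""
    issuer: str                                   # entityID of the asserting IdP
    attributes: dict[str, list[str]] = field(default_factory=dict)


def valid_scoped_affiliations(assertion: Assertion) -> set[tuple[str, str]]:
    """Return the (role, scope) pairs this issuer is entitled to assert.

    eduPersonScopedAffiliation values look like 'member@example-uni.ac.uk'.
    A scope the issuer is not registered for is dropped: without this check
    one federation member could hand its users roles at another institution.
    """
    allowed = FEDERATION_METADATA.get(assertion.issuer, set())
    accepted: set[tuple[str, str]] = set()
    for value in assertion.attributes.get("eduPersonScopedAffiliation", []):
        role, sep, scope = value.partition("@")
        if sep and role and scope in allowed:
            accepted.add((role, scope))
    return accepted


def authorise(assertion: Assertion, policy: set[tuple[str, str]]) -> bool:
    """Grant access when any valid affiliation matches the resource policy.

    Only role attributes are consulted: no name, username or e-mail takes
    part, so the resource provider can serve users it has never registered.
    """
    return bool(valid_scoped_affiliations(assertion) & policy)


if __name__ == "__main__":
    # Constructed: a user of example-uni claims 'member' there and 'staff' at example.edu.
    a = Assertion("https://idp.example-uni.ac.uk/shibboleth",
                  {"eduPersonScopedAffiliation": ["member@example-uni.ac.uk", "staff@example.edu"]})
    print(authorise(a, {("member", "example-uni.ac.uk")}), authorise(a, {("staff", "example.edu")}))
```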

Campus Architecture Middleware Planning (CAMP) workshops [2] have been taking place in the United States for several years, following key collaborations and community interest in the area of middleware development. Building on the success of the US workshops and the significant work in middleware within the European research and education community, the Trans-European Research and Education Networking Association (TERENA) [3] organised the first CAMP event in Europe which was held over 2-4 March 2005 in Turin, and hosted by the Politecnico di Torino (Technical University of Turin). Interestingly, the building used to host EuroCAMP was the old Fiat factory, the only car factory (to our knowledge, at least) with a test track on the roof. (Due to its unique design, the track was used to film one of the famous chases in the original Italian Job.)

Figure 1: The famous test track © John Paschoud

EuroCAMP Workshop

The agenda for the three-day EuroCAMP 2005 workshop [4] comprised a wide-range of session topics, including the set-up and administration of identity management, authentication and authorisation systems, and examples of best practice in security. There were also a number of case studies and discussion forums.

Highlights of the workshop are further described below. Abstracts and papers of all the speaker sessions are available on the TERENA Web site [5].

Day 1: Identity Management

Chair: Miroslav Milinovic, CARNet, Croatia

The first day of the workshop focused on identity management, looking at digital identity and its different aspects, security, trust practices and user privacy preservation.

Licia Florio of TERENA and Diego Lopez of RedIRIS (Spanish National Research and Educational Network) began the workshop with a welcome to the participants, mainly IT architects and managers of universities and research centres from Europe and the US.

Alan Robiette of the Joint Information Systems Committee (JISC) set the scene with an overview of identity management outlining the key issues, such as the assignment of identities and the problems of ownership of data. Alan concluded with examples of national and international developments that are leading the way toward tangible solutions.

A second strand in the day concerned directories (e.g. use of LDAP, the Lightweight Directory Access Protocol) and meta-directories. Roland Hedberg of Umea University (Sweden) demonstrated an in-house solution for integrating different sources of identity into a meta-directory system, and John Paschoud of the London School of Economics spoke about the use of open standards with Microsoft Active Directory.

Under this strand, Michael Gettes (Duke University, USA) and Diego Lopez conducted a participatory discussion on the eduPerson schema. The eduPerson schema, jointly developed by EDUCAUSE and Internet2, aims to provide for consistent descriptions and classifications of all students and staff involved in post-16 education [6]. There was a proposal for a European eduPerson schema and extensions to object classes for applications specific to European research and higher education institutions.

A third theme of the day was the topic of public key systems and infrastructures (PKIs). David Chadwick of the University of Kent began this theme by looking at the roles of directories and PKIs. In particular, Chadwick examined ways of component matching and attribute extraction and drew examples from his work with Privilege and Role Management Infrastructure Standards Validation (PERMIS) [7].

Michael Gettes and Diego Lopez briefed participants on different approaches to overcoming the problem of hierarchy through policy management attributes (PMAs), trust repositories and federations. The day ended with an open forum on best practice in identity management, moderated by Ken Klingenstein, Project Director of the Internet2 Middleware and Security Initiatives [8] in the US, who has undertaken pioneering work in Shibboleth development [9].

Day 2: Federated Access to (Web) Applications

Chair: Diego Lopez, RedIRIS (Spanish National Research and Educational Network)

The sessions on day two of EuroCAMP were clustered around aspects of intra- and inter-organisational authentication and authorisation systems, and new technologies in widespread deployment, such as single sign-on (SSO) systems.

Ton Verschuren from the Dutch National Research and Education Network (SURFnet) outlined the functionality and benefits of authentication and authorisation (AA) systems that are currently available (e.g. Shibboleth, PAPI, A-Select, CAS, Pubcookie, LDAP-Authentication, PERMIS).

David Orrell of Eduserv built on this introduction to provide specific examples drawn from the UK, namely the Athens AA system [10], as well as the function of webISO (web initial sign on).

Lynn McRae of Stanford University focused on the landscape of existing and developing standards such as SAML (Security Assertion Markup Language) [11] and XACML (eXtensible Access Control Markup Language) [12], and on current initiatives in inter-organisational access, including work in grid communities.

A much-awaited session was Ken Klingenstein's introduction to Shibboleth. Klingenstein gave participants a tour of Shibboleth concepts and supporting technologies, in addition to the related topics of the federated approach, privacy and SAML.

Two case studies illustrated the use of Shibboleth and its applications. Firstly, a demonstration of an operational inter-organisational system in Swiss Higher Education was presented by Ueli Kienholz and Thomas Lenggenhager of the Swiss Education and Research Network (SWITCH) [13]. Secondly, Masha Garibyan of the Portal-Enabled Resources via the Shibbolized End-User Security (PERSEUS) Project [14] from the London School of Economics provided the perspective of both an end-user and librarian in the challenges of providing access to library resources and the potential requirements of an AA system to resolve these.

Ton Verschuren ended the day's sessions with a moderated forum on Identity Federation in which workshop participants discussed why federations are important and what it means to build a federation.

Figure 2: One of the presentations at EuroCAMP 2005 © John Paschoud

Day 3: Federated Access to the Network

Chair: Ton Verschuren, SURFnet

The third day of the workshop centred on secure network access and state-of-the-art network authentication and authorisation systems. The issue of extending identity-based networking to enable the granting of access to registered users and guest logins was a recurring theme.

Carsten Bormann, chair of the TERENA Mobility Task Force [15], opened the final day with an introduction to network access security and touched on a range of concepts and scenarios, and this was complemented by Ken Klingenstein's talk on identity network access security.

Klaas Wierenga of SURFnet spoke about federated network access with respect to EduRoam [16]. EduRoam is an academic network roaming infrastructure initially developed in Europe, but recently expanded to Australia and soon to be trialled in the US. Klaas' session was followed by a practical guide to joining EduRoam.

Ken Klingenstein concluded the EuroCAMP programme with a wrap-up that covered a landscape for the future in the wider middleware community. Ken identified a number of common requirements that need to be addressed and other areas that await further development over the next five years. These requirements encompass communication and collaboration support, the 'plumbing' of virtual organisation technologies into the local environment (e.g. simplification of end-use tools that are consistent with needs of the user) and 'plumbing' the control plane (namely, the über-management of management aspects of virtual organisation domain tools).

Recurrent throughout was an emphasis on the need to leverage enterprise middleware developments and external trust fabrics, as well as support centres, especially in relation to virtual organisations. These three interdependencies were seen as key considerations.

Conclusion

EuroCAMP is an important event for the academic community, moving it one step closer toward an integrated and collaborative research environment. EuroCAMP provided an excellent overview of the current access management and identity management systems. The event brought together an impressive range of prominent speakers in the fields of identity, authentication and authorisation management.

The lectures themselves were consistently informative and provided an excellent opportunity to become acquainted with major European initiatives, as well as international developments. The participants were given every opportunity to interact with the speakers and with each other. The only slightly negative aspect concerned the occasional jump from overview concepts to levels of technical specificity about which a considerably smaller proportion of the audience was suitably knowledgeable.

For a first CAMP event, however, there appeared to be general satisfaction that the workshops met their aims and reached the expectations of the majority of participants. Attendance remained notably high from day one to day three. This is especially remarkable, considering the event happened to coincide with the Turin annual chocolate festival.

Figure 3: The Turin Chocolate Festival © John Paschoud

References

  1. JISC Middleware Team http://www.jisc.ac.uk/index.cfm?name=middleware_team
  2. EDUCAUSE, CAMP workshops http://www.educause.edu/conference/camp/
  3. TERENA Web site http://www.terena.nl/
  4. TERENA, Middleware EuroCAMP 2005 http://www.terena.nl/tech/eurocamp/
  5. TERENA, EuroCAMP 2005 Programme http://www.terena.nl/tech/eurocamp/programme.html
  6. EDUCAUSE, eduPerson Schema http://www.educause.edu/eduPersonObjectClass/949
  7. PERMIS http://sec.isi.salford.ac.uk/permis/
  8. Internet2 Web site http://www.internet2.edu
  9. Internet2, Shibboleth http://shibboleth.internet2.edu
  10. Eduserv, Athens and Shibboleth http://www.athensams.net/shibboleth/
  11. OASIS, SAML http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
  12. OASIS, XACML http://www.oasis-open.org/specs/index.php
  13. SWITCH http://www.switch.ch/
    SWITCH Authentication and Authorization Infrastructure http://www.switch.ch/aai/
  14. PERSEUS Project Web site http://www.angel.ac.uk/PERSEUS/
  15. TERENA, Mobility Task Force http://www.terena.nl/tech/task-forces/tf-mobility/
  16. EduRoam Web site http://www.eduroam.org

Author Details

Dr. Ann Borda
JISC Programme Manager
Core Middleware, Eresearch and Open Source
JISC

Email: a.borda@jisc.ac.uk
Web site: http://www.jisc.ac.uk

Masha Garibyan
Project and Communications Officer
PERSEUS Project
London School of Economics and Political Science

Email: M.Garibyan@lse.ac.uk
Web site: http://www.angel.ac.uk/PERSEUS/