Authentication and Authorisation Project Manager
Shibboleth Installation Workshop
Staff and students in Higher and Further Education institutions currently experience an overload of information. In many cases, this information is held on different systems, available via widely differing levels of access control, ranging from open to strictly controlled access. Access controls are also subject to data protection legislation and/or tough licensing conditions. One way of overcoming the problem of accessing information from various systems is to build Web portals. These can provide a superficial environment for the presentation of information from various sources. However, for a portal to be effective, it needs to have intelligent access controls to authenticate users and authorisation management systems to match user attributes and privileges to grant access to information whilst adhering to licensing/access conditions.
This can be achieved with the help of middleware. The Joint Information Systems Committee (JISC) defines middleware as 'a layer of software or 'glue' between the network and applications'. The most important function for portal middleware is authorisation management to the hybrid collections of resources, for institutional learning, teaching, research and administration - resolving (with minimal human intervention) questions of 'who can access what'.
Shibboleth technology, developed by Internet2, is the most up-to-date open source software under development that can be used for developing middleware architectures. Shibboleth is a standards-based protocol for securely transferring user credentials and attributes (information about the user and the resource the user wants to access) between the user's home site (e.g. a university or its library) and resource site (e.g. the publisher) to establish whether the user should have access to the requested information. Access to Shibboleth can be independent of the location of the user's institution. A useful demonstration of how Shibboleth works can be found on the Swiss Education and Research Network's (SWITCH) Web site.
The JISC is currently investing in Core Middleware (the central services essential to middleware as a whole, such as access and authorisation management) and is intending to build a UK Core Middleware architecture based on Shibboleth technology. The JISC has funded a number of projects investigating the possibilities of Shibboleth. For example, the PERSEUS Project (Portal-enabled Resources via Shibbolized End-User Security) at the LSE Library is investigating the challenge of Shibboleth-based access management to information resources via an institutional portal.
The main aim of this 'hands-on' workshop was to configure a Shibboleth origin site. An origin site is a site that contains users who want to access Web-based content (e.g. a university), such as academic e-journals, but who must be authenticated as recognised members of the origin site in order to be granted access to authorised content. One of the advantages of the Shibboleth model is that it has the option to protect users' privacy by enabling them to control the release of their attributes to a target site (e.g. the publisher hosting content) after successful authentication.
The event was led by Nate Klingenstein and Walter Hoehn, Shibboleth technical developers from the USA representing Internet2. This was the first Shibboleth installation event (or Shib InstallFest as it is more commonly known) held outside the USA. The workshop was attended by approximately thirty delegates from eighteen institutions. The delegates were mainly IT professionals.
In order to participate in the workshop, the delegates had to choose a server to be configured as the Shibboleth origin site at their institution beforehand as well as ensure appropriate supporting settings and communications were in place. A small proportion of the delegates had prepared beforehand, whilst other delegates attended as observers to enhance their understanding of how Shibboleth works.
The day comprised three practical sessions and followed the Shibboleth Installation Checklist that is available online.
Infrastructure, Security, Configuration
The first session focused on checking that all delegates had all the surrounding infrastructure necessary to support Shibboleth in place.
The second session focused on the creation of a secure environment for exchanging user credentials and attributes. With the growing use of the Internet, the need for 'confidentiality and positive identification of all parties involved' should not be underestimated. Therefore, the origin and target sites must initially go through the process of proving their identities to each other. Specific configurations of various software components underpinning Shibboleth were also made.
The final session focused solely on configuring Shibboleth with site-specific information. As there was some remaining time, the workshop included a hands-on section on how to configure user attributes to access additional resources. The delegates were also shown some examples of 'Shibbolized' resources produced by target sites (e.g. JSTOR and EBSCO Publishing).
At the end of the last session, the delegates had an opportunity to discuss their experiences and ask questions. The general consensus was that it had been extremely useful to see the installation performed. A number of delegates managed to install Shibboleth successfully and many were interested in how Shibboleth could be used in their own institutional environments. All delegates felt more confident about Shibboleth having experienced it first hand, which was much better than just hearing about it. It was also felt useful to establish a UK-only Shibboleth mailing list, in addition to the mailing lists provided by Internet2.
In conclusion, the workshop was a success. A number of delegates were able to configure Shibboleth successfully. There was an acknowledgement that configuring Shibboleth did require a high level of technical expertise and that this may be a barrier to the rate of future deployment. All agreed that work should continue to develop Shibboleth documentation in order to simplify the configuration process where possible. Furthermore, it was also recommended that service providers hosting content should be more closely involved in the configuration of target sites. Participants equally acknowledged the need to create a federation for UK origin and target sites with links to other international federations, a move which would encourage a more supportive environment for the use of Shibboleth in this country.
- JISC, Middleware http://www.jisc.ac.uk/index.cfm?name=middleware_team
- Internet2, Shibboleth http://shibboleth.internet2.edu/
- SWITCH, Shibboleth demo http://www.switch.ch/aai/demo/
- JISC Core Middleware Programmes
- PERSEUS Project Web site http://www.angel.ac.uk/PERSEUS/
- Shibboleth Identity Provider Installation Checklist
- Walder, B., "Public key infrastructure overview", TechOnline, 12 June 2002
- Shibboleth Internet2 mailing lists