ShibbolethPenn State Case Study

Renée ShueySenior Systems Engineer

ITS – Emerging TechnologiesOctober 13, 2003

Penn State/NC State Pilot

• Summer 2002– ~ 20 students, 2 weeks, 1 course

• Fall 2002– ~200 students– 3 courses

• Spring 2003– ~1800 students– Successful login: 63,026 – All courses

Penn State/NC State Pilot

• Hardware: Dell Poweredge 1650 , Dual 1.2 GHz Pentium III 1GB RAM 30 GB HD Intel 82544EI Gigabit Ethernet Controller

• Software: RedHat Linux 9 Apache 1.3.27 Tomcat 4.1.24 Sun Java 1.4.1_03 Shibboleth Origin 1.0

Pilot to Production

• Agree on attributes/formats for WebAssign– eduPersonEntitlement, eduPersonAffiliation,

eduPersonPrincipalName, Common Name– Ex. URN:PSU.EDU:COURSE:UP:PHYS211L:002

• Upgrade to RedHat 9.0• Upgrade to Shibboleth 1.1• Configure Attribute Release Policy (ARP)

set up to release attributes to webassign.net

Pilot to Production

• Update LDAP eduPersonEntitlement with course/section/campus location

• Share keystore for pilot and production servers until InCommon is production ready

• Create regular expression for multi-value attributes in the ARP

• Join InCommon• WebAssign dynamic update

Production Environment

• Hardware: IBM BladeCenter w/ 2-way 2.4 GHz Intel w/ 2.5 GB memory

• Software: RedHat Linux 9.0 Apache 1.3.28 Tomcat 4.1.24 Sun Java 1.4.1_03 Shibboleth Origin 1.1

…<Requester>www.webassign.net</Requester>                         <AnyResource/>                 </Target>                 <Attribute name="urn:mace:dir:attribute-def:eduPersonPrincipalName">                         <AnyValue release="permit"/>                 </Attribute>                 <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">                         <AnyValue release="permit"/>                 </Attribute>                 <Attribute name="urn:mace:dir:attribute-def:cn">                         <AnyValue release="permit"/>                 </Attribute>         </Rule>

</AttributeReleasePolicy>

<Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"> <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="typens:AttributeValueType">      URN:PSU.EDU:COURSE:UP:PHYS211L:002     </AttributeValue> <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="typens:AttributeValueType">      URN:PSU.EDU:COURSE:UP:PHYS211R:030     </AttributeValue>    </Attribute>    <Attribute xmlns:typens="urn:mace:shibboleth:1.0" AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">     <AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Scope="psu.edu" xsi:type="typens:AttributeValueType">      member     </AttributeValue>   

What’s Next?

• Investigate Shibboleth Meteor Gateway• Use Shibboleth to access PHEAA from

student web applications• Investigate Shibboleth for non Web

applications such as LionShare (P2P)• Continue to pilot with Library vendors• Incorporate University of Michigan’s

Cosign (WebISO) with our origin site