Shibbolise This!

Transcript of Shibbolise This!

Page 1: Shibbolise This!

Shibbolise This! Federated access management without the Kool-Aid

Page 2: Shibbolise This!

Why listen to me?

• Involved with directory deployment for a decade

• Involved in JISC eFramework and eLearning interoperability projects

• I’m a federated-service believer

Page 3: Shibbolise This!

What we’ll cover

• The case against Shibboleth

• Considerations for deployment

• Alternatives to doing it yourself

Page 4: Shibbolise This!

The case against Shibboleth

• Shibboleth is an ideology not a solution to a problem

• Anyway, Athens works - and is far less trouble

• The nature of the problem Shibboleth solves is going away

Page 5: Shibbolise This!

Shibboleth as religion

[Web applications] should stop doing authentication. That's the web server's job [...] Web servers are very capable beasts. Applications don't need to do these things [...] Supporting [authentication] directly inside an application is wrong, just as supporting passwords natively is wrong today.

Scott Cantor, Ohio State University. Designer of Shibboleth

Page 6: Shibbolise This!

Athens works

• If the access management federation is about access to library resources, isn’t Athens good enough?

• Is the poor state of inter-institutional collaboration the consequence of a lack of federated access management?

Page 7: Shibbolise This!

Time moves on

• Shibboleth is a product of an enterprise-centric age

• How relevant is this?

• The web is becoming more user-centric

• VLEs are becoming PLEs

• How long before OpenID?

Page 8: Shibbolise This!

Deployment considerations

• Support

• Resilience

• Security

• Directory and SRS

• Institutional politics

• Available resources

Page 9: Shibbolise This!

More support

• Not just one password - all your users

• Will your LRC staff help out ...?

• Not just authentication, but authorisation

• How will the Federation user interface work?

• When do people do web-based access?

Page 10: Shibbolise This!

Single point of failure - multiple dependencies

• What happens when your IdP goes down?

• Or your directory service?

• Even for maintenance?

• Or your DNS, MAN connection, &c...

• When did people want to access those web-based services again?

Page 11: Shibbolise This!

Security considerations

• You must provide and manage SSL server certificates

• They expire annually

• You can’t hot-replace them

• On a critical service

• The IdP is another server in your DMZ

Page 12: Shibbolise This!

Directory enquiries

• What is your policy for populating your user directory?

• What information do you keep?

• Attributes for authorisation?

• Grouping information matching courses of study?

• What is your expiry policy?

Page 13: Shibbolise This!

Political animals

• Who owns student and staff information?

• The same people who need it for the Federation?

• Will they gather the information you need?

• And provide it on your schedule?

Page 14: Shibbolise This!

Available resources

Photo: 5Lab (Hugh Lunnon)

Page 15: Shibbolise This!

Alternatives

• Pay to use an outsourced service

• Pay to continue using Athens

Page 16: Shibbolise This!

Outsourcing

• Betting on an unknown service

• How many problems will outsourcing solve?

• How much will it cost?

• How much of your time will it take?

Page 17: Shibbolise This!

Athens eternal?

• Don’t bet on it!

• You will have to face Shibboleth sooner or later

• That likely means getting started now