Shibbolise This!
Uploaded by miles-metcalfe
Category: Technology
Transcript of Shibbolise This!
Slide 1
Shibbolise This!
Federated access management without the Kool-Aid
Slide 2
Why listen to me?
• Involved with directory deployment for a decade
• Involved in JISC eFramework and eLearning interoperability projects
• I’m a federated-service believer
Slide 3
What we’ll cover
• The case against Shibboleth
• Considerations for deployment
• Alternatives to doing it yourself
Slide 4
The case against Shibboleth
• Shibboleth is an ideology, not a solution to a problem
• Anyway, Athens works - and is far less trouble
• The nature of the problem Shibboleth solves is going away
Slide 5
Shibboleth as religion
“[Web applications] should stop doing authentication. That's the web server's job [...] Web servers are very capable beasts. Applications don't need to do these things [...] Supporting [authentication] directly inside an application is wrong, just as supporting passwords natively is wrong today.”
Scott Cantor, Ohio State University, designer of Shibboleth
Slide 6
Athens works
• If the access management federation is about access to library resources, isn’t Athens good enough?
• Is the poor state of inter-institutional collaboration the consequence of a lack of federated access management?
Slide 7
Time moves on
• Shibboleth is a product of an enterprise-centric age
• How relevant is this?
• The web is becoming more user-centric
• VLEs are becoming PLEs
• How long before OpenID?
Slide 8
Deployment considerations
• Support
• Resilience
• Security
• Directory and SRS
• Institutional politics
• Available resources
Slide 9
More support
• Not just one password - all your users
• Will your LRC staff help out ...?
• Not just authentication, but authorisation
• How will the Federation user interface work?
• When do people do web-based access?
Slide 10
Single point of failure - multiple dependencies
• What happens when your IdP goes down?
• Or your directory service?
• Even for maintenance?
• Or your DNS, MAN connection, &c...
• When did people want to access those web-based services again?
Slide 11
Security considerations
• You must provide and manage SSL server certificates
• They expire annually
• You can’t hot-replace them
• On a critical service
• The IdP is another server in your DMZ
Slide 12
Directory enquiries
• What is your policy for populating your user directory?
• What information do you keep?
• Attributes for authorisation?
• Grouping information matching courses of study?
• What is your expiry policy?
Slide 13
Political animals
• Who owns student and staff information?
• The same people who need it for the Federation?
• Will they gather the information you need?
• And provide it on your schedule?
Slide 14
Available resources
Photo: 5Lab (Hugh Lunnon)
Slide 15
Alternatives
• Pay to use an outsourced service
• Pay to continue using Athens
Slide 16
Outsourcing
• Betting on an unknown service
• How many problems will outsourcing solve?
• How much will it cost?
• How much of your time will it take?
Slide 17
Athens eternal?
• Don’t bet on it!
• You will have to face Shibboleth sooner or later
• That likely means getting started now
Slide 18
Thanks!
Miles Metcalfe, Ravensbourne College