Shibboleth: Early Experience at OSU

Scott Cantor (cantor.2@osu.edu)

October 28, 2002


Funding and Interconnections

• No OSU funding explicitly supporting work

• Tasked with supporting an Ohio Board of Regents grant to develop a platform for competency-based learning (partnership with Apple and WebCT)

• Shibboleth is an SSO umbrella for deployment of content alongside library resources and WebCT/Blackboard/Angel


Expectations and Motivations

• Personal stake in design and development

• More comprehensive testing vs. contrived developer testing

• Scope work needed to deploy as SSO solution

• Demonstrate LMS/Library integration

• Extend access to research projects beyond university


General Timeline

Summer ’02: Deploy alpha origin using existing SSO service, assess data situation

Fall ’02: Deploy alpha targets on library’s reverse proxy (ezproxy), OBR development server, LMS testbeds, other local applications (e.g. Peoplesoft)

Fall ’02: Participate in I2 pilot with external library vendors


General Timeline

Winter ’03: Migrate to 1.0 code base

Winter ’03: Assess functionality gaps in code, expected time line for enhancements from I2, and scope of work for deployment

Winter ’03: Produce a plan for deployment with funding request attached

Spring ’03: Go / no go

(no go leads to “interesting” decisions on existing SSO system)


Origin Site Alpha Deployment: Approach

• Hosting Handle Service behind existing SSO service, so user experience is (mostly) identical between Shibboleth applications and existing applications

• Provides clear migration strategy from Handle Service behind SSO to Handle Service as SSO once code supports it


Origin Site Alpha Deployment: Issues

• Java made installation simple, but immediately had problems with LDAP (mixture of code issues and local issues), so very limited attributes

• Need for cleaner extension mechanisms in AA for custom attributes and caching

• OSU’s LDAP service not ready for use, not being actively developed or enhanced at the present time

• Comparing scope of work to build out LDAP or use RDBMS with Shibboleth AA


Alpha Target Deployments: Proxying Resources

Main Library rolling out ezproxy as an off-campus access solution

• Advised library on ezproxy authentication interface using one-time usernames/passwords

• Deployed second proxy with Shibboleth as proof of concept and an OBR project resource

• “Real” deployment with proxy would use a routing script to detect on-campus access and bypass proxy, already part of library’s production proxy


Alpha Target Deployments: Internal Application Development

Deployed Windows port of alpha code to OBR grant development server to support applications being developed

• Extended code being reused for project to support EPPN-based authorization


Alpha Target Deployments: Learning Management Systems

Grant includes assessment of multiple LMS platforms (WebCT, Blackboard, Angel) for compliance with IMS standards and future support for competency-based instruction

• WebCT Vista price increase forcing reassessment of LMS platform choices

• Angel providing on-site test platform, worked with vendor to support Shibboleth using ISAPI port produced by me for EBSCO (almost working)

• WebCT provided a working demo using Shibboleth with external authentication API, not yet used for grant


Alpha Target Deployments: 800 Pound Gorilla

Parallel, unrelated activity investigating rollout of Peoplesoft self-service components

• Some existing ERP-related services (Brio) use campus SSO service already

• Common need for improved data to feed Shibboleth and new Peoplesoft applications

• Tentative plan to prototype use of Shibboleth as SSO and authorization feed for Peoplesoft, making Shibboleth deployment a component of ERP infrastructure (“follow the money”)


Internet2 Shibboleth Pilot: Progress

Participating in the formal pilot program, but somewhat under the radar (see funds, none)

• Vendors providing direct access with Shibboleth fit seamlessly alongside local resources

• OSU access to EBSCO works as of late September

• OCLC another possible test

• Many databases licensed and accessed through OhioLink consortium, constraining additional choices until they can be persuaded to participate


Internet2 Shibboleth Pilot: “Wow, the technology was easy…”

Access to EBSCO worked within minutes of the “try this URL” e-mail from company.

Understanding the contractual picture took days, and is still only imperfectly understood.

We have to understand what Shibboleth means today in order to explore tomorrow.

Does emulating existing policies help with migration, or undermine the business case?


Internet2 Shibboleth Pilot: Next Steps

• Interesting pilots require immediate consideration of how to subset users and communicate this to vendors (affiliation vs. entitlements vs. multiple origin sites)

• Need to send knowledge gained back to MACE-Dir to explore directory implications

• Need to engage campus resources for wider testing (“I built it, are they coming?”)


Shibboleth at OSU: Next Steps

• Always viewed as a means to migrate from proprietary Web-ISO system to open standard, with federated features a bonus

• Shibboleth 1.0 is not going to be a great Web-ISO, but I believe it is the right design to build on

• Document and scope the road from point A to point B

• Point A isn’t sustainable, but funds are scarce, so check back in a year (and see if we’re at B or A-1)