Athens, Shibboleth, The Uk Access Management - Single sign-on for your Web site
13
J u l y 2 0 0 7 Andy Powell, Eduserv Foundation [email protected] www.eduserv.org.uk/foundation Athens, Shibboleth, the UK Access Management Federation, OpenID, CardSpace and all that Single sign-on for your Web site
-
Upload
eduserv-foundation -
Category
Technology
-
view
4.164 -
download
0
description
A presentation for one of the parallel sessions at IWMW 2007 in York.
Transcript of Athens, Shibboleth, The Uk Access Management - Single sign-on for your Web site
July
20
07
Andy Powell, Eduserv [email protected]
www.eduserv.org.uk/foundation
Athens, Shibboleth, the UK Access Management Federation, OpenID, CardSpace and all that
Single sign-on for your Web site
July 2007IWMW 2007, York 2
Athens
• single sign-on to Web resources– typically ‘external’ collections and services
• initially deployed in 1996
• established as the SSO mechanism to protected online resources in HE and the NHS
• 4 million users in 100 countries
• access to resources from around 180 leading service providers
• delivered over 99.9999% availability since 1998
• ~10,000,000 authentications per month
July 2007IWMW 2007, York 3
Shibboleth
• an open SAML-based architecture
• single sign-on to Web resources
• developed by the Internet2 middleware group
• supports the secure exchange of authentication and attributes (e.g. affiliation / id / targettedid / entitlement) between institution (IdP) and service provider (SP)
• multiple software implementations available
• federations used to create a “trust environment” for organisations that want to access a set of resources
July 2007IWMW 2007, York 4
The UK Access Management Federation
• UK academic community currently in transition to federated approach (Shibboleth)
• a (the) UK federation for education and research - a “trust environment” for UK academia
• delivers shared policy and WAYF
• WAYF service puts SP in touch with IdP
• ‘gateways’ to connect to/from Athens
• institutions encouraged to support Shibboleth and join the federation
• note that this can be done in-house or thru an outsourced identity provider (e.g. OpenAthens)
July 2007IWMW 2007, York 5
Why should I care?
• single sign-on across institutions and external services
• institutions acting as both identity providers and service providers
• sharing institutional resources with others
• standards
• several implementation options– though note interoperability issues
• but… still some confusion– costs, requirements, gateway funding, …
July 2007IWMW 2007, York 6
% of institutions planning to join
0
10
20
30
40
50
%
Already a member Yes No Don't Know
47% of respondents are undecided
100 institutions,May 2007
July 2007IWMW 2007, York 7
0
10
20
30
40
50
60
%
Already a member NowBefore 07.08 After 07.08Don't know
32% plan to join the Federation before July 200856% don’t know when they will join
When would you like to join the Federation?
July 2007IWMW 2007, York 8
OpenAthens
• new standards based access and identity management framework – software and services
• outsourced ‘shared’ solution
• enables institutions to participate in the Federation
• maintains access to Athens resources
• accommodates a range of IdP and SP options
• provides choice– support for multiple identity and access management
standards
– support for multiple federations
July 2007IWMW 2007, York 9
OpenID – key features
• the identifier is a URI (typically a URL)– e.g. mine is http://andypowell.myopenid.com/
• this is convenient for a number of reasons, but especially because it removes the need for a WAYF service
– the OpenID directly provides the location of the OpenID Provider
• issues to be solved– around phishing (spoofing the OpenID Provider)
– trust issues – which OpenID Providers do I trust?
• still a work in progress, see http://openid.net/
July 2007IWMW 2007, York 10
OpenID example
July 2007IWMW 2007, York 11
Microsoft CardSpace
• a client-side Windows application for managing multiple user-centric identities…
– and implementing the protocol transactions needed to inter-work with server-side (Web) applications
• sits within high-level open framework known as the ‘Identity Metasystem’
• perceived as a more open replacement for MS’s failed ‘passport’ initiative
• builds on WS- stack – so not lightweight
• but some commitment between MS and OpenID leading players to work together
July 2007IWMW 2007, York 12
Why should I care?
• OpenID and CardSpace indicative of general move towards ‘user-centric’ identity management
– users arriving at university with an existing online identity
– reduced value of university-specific identity in the context of lifelong learning
– c.f. current situation with email
– but… significant trust issues
• identity management technology is a (fast) moving target
– shared outsourcing vs. shared open source vs. commercial user-group approaches to sustainability
July 2007IWMW 2007, York 13
Questions and discussion
