Shibboleth: Early Experience at OSU
Scott Cantor (cantor.2@osu.edu)
October 28, 2002
Funding and Interconnections
• No OSU funding explicitly supporting work
• Tasked with supporting an Ohio Board of
Regents grant to develop a platform for
competency-based learning (partnership
with Apple and WebCT)
• Shibboleth a SSO umbrella for deployment
of content alongside library resources and
WebCT/Blackboard/Angel
Expectations and Motivations
• Personal stake in design and development
• More comprehensive testing vs. contrived
developer testing
• Scope work needed to deploy as SSO
solution
• Demonstrate LMS/Library integration
• Extend access to research projects beyond
university
General Timeline
Summer ’02: Deploy alpha origin using
existing SSO service, assess data situation
Fall ’02: Deploy alpha targets on library’s
reverse proxy (ezproxy), OBR development
server, LMS testbeds, other local
applications (e.g. Peoplesoft)
Fall ’02: Participate in I2 pilot with external
library vendors
General Timeline
Winter ’03: Migrate to 1.0 code base
Winter ’03: Assess functionality gaps in code,
expected timeline for enhancements from I2, and
scope of work for deployment
Winter ’03: Produce a plan for deployment with
funding request attached
Spring ’03: Go / no go
(no go leads to “interesting” decisions on existing
SSO system)
Origin Site Alpha Deployment
Approach
• Hosting Handle Service behind existing
SSO service, so user experience is
(mostly) identical between Shibboleth
applications and existing applications
• Provides clear migration strategy from
Handle Service behind SSO to Handle
Service as SSO once code supports it
Origin Site Alpha Deployment
Issues
• Java made installation simple, but immediately
had problems with LDAP (mixture of code issues
and local issues), so only very limited attributes
were available
• Need for cleaner extension mechanisms in AA
for custom attributes and caching
• OSU’s LDAP service not ready for use, not
being actively developed or enhanced at the
present time
• Comparing scope of work to build out LDAP or
use RDBMS with Shibboleth AA
Alpha Target Deployments
Proxying Resources
Main Library rolling out ezproxy as an off-campus access solution
• Advised library on ezproxy authentication interface
using one-time username/passwords
• Deployed second proxy with Shibboleth as proof of
concept and an OBR project resource
• “Real” deployment with proxy would use a routing
script to detect on-campus access and bypass proxy,
already part of library’s production proxy
Alpha Target Deployments
Internal Application Development
Deployed Windows port of alpha code to
OBR grant development server to support
applications being developed
• Extended code being reused for project to support
EPPN-based authorization
Alpha Target Deployments
Learning Management Systems
Grant includes assessment of multiple LMS
platforms (WebCT, Blackboard, Angel) for
compliance with IMS standards and future
support for competency-based instruction
• WebCT Vista price increase forcing reassessment of
LMS platform choices
• Angel providing on-site test platform, worked with vendor
to support Shibboleth using ISAPI port produced by me
for EBSCO (almost working)
• WebCT provided a working demo using Shibboleth with
external authentication API, not yet used for grant
Alpha Target Deployments
800 Pound Gorilla
Parallel, unrelated activity investigating rollout
of Peoplesoft self-service components
• Some existing ERP-related services (Brio) use campus
SSO service already
• Common need for improved data to feed Shibboleth and
new Peoplesoft applications
• Tentative plan to prototype use of Shibboleth as SSO
and authorization feed for Peoplesoft, making Shibboleth
deployment a component of ERP infrastructure (“follow
the money”)
Internet2 Shibboleth Pilot
Progress
Participating in the formal pilot program, but
somewhat under the radar (see funds, none)
• Vendors providing direct access with Shibboleth fit
seamlessly alongside local resources
• OSU access to EBSCO works as of late September
• OCLC another possible test
• Many databases licensed and accessed through
OhioLink consortium, constraining additional choices
until they can be persuaded to participate
Internet2 Shibboleth Pilot
“Wow, the technology was easy…”
Access to EBSCO worked within minutes of
the “try this URL” e-mail from company.
Understanding the contractual picture took
days, and is still only imperfectly understood.
We have to understand what Shibboleth
means today in order to explore tomorrow.
Does emulating existing policies help with
migration, or undermine the business case?
Internet2 Shibboleth Pilot
Next Steps
• Interesting pilots require immediate
consideration of how to subset users and
communicate this to vendors (affiliation vs.
entitlements vs. multiple origin sites)
• Need to send knowledge gained back to
MACE-Dir to explore directory implications
• Need to engage campus resources for wider
testing (“I built it, are they coming?”)
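As an added example (not code from this presentation or from the Shibboleth project), the kind of target-side check that the EPPN-based authorization work on the OBR server and the "affiliation vs. entitlements vs. multiple origin sites" question above both call for. It assumes, hypothetically, that the target's attribute acceptance policy exports eduPersonPrincipalName as REMOTE_USER, eduPersonScopedAffiliation as Shib-EP-Affiliation and eduPersonEntitlement as Shib-EP-Entitlement, with multiple values separated by ";"; the scope list, policy values and sample headers are constructed for the example. The security point it shows is that every scoped value must be checked against the scopes the target accepts before it is matched, otherwise one trusted origin can assert users or affiliations belonging to another site.

```python
"""Added example: EPPN / affiliation / entitlement authorization for a
Shibboleth target. Header names, scopes and policy values are assumptions
constructed for illustration, not taken from the presentation."""
from dataclasses import dataclass, field

# Scopes (domains) the origin sites this target trusts are allowed to
# assert. Constructed for the example.
TRUSTED_SCOPES = {"osu.edu", "partner.example.edu"}


def parse_scoped(value, trusted_scopes):
    """Split 'local@scope' and return (local, scope), or None when the value
    is unscoped, empty, or carries a scope this target does not accept.
    Rejecting foreign scopes is what stops a trusted origin from asserting
    identities or affiliations for some other site."""
    if not value or "@" not in value:
        return None
    local, scope = value.rsplit("@", 1)
    scope = scope.strip().lower()
    if not local or scope not in trusted_scopes:
        return None
    return local.strip(), scope


def split_multi(header):
    """Multi-valued attributes arrive as one header, ';'-separated (assumed)."""
    return [v.strip() for v in (header or "").split(";") if v.strip()]


@dataclass
class Policy:
    eppns: set = field(default_factory=set)         # explicit users
    affiliations: set = field(default_factory=set)  # e.g. "member@osu.edu"
    entitlements: set = field(default_factory=set)  # unscoped URN values


def authorize(headers, policy, trusted_scopes=TRUSTED_SCOPES):
    """Return (allowed, reason). Rules are tried in order: explicit EPPN,
    then scoped affiliation, then entitlement. A request without an
    acceptable principal name is refused before any rule is consulted."""
    eppn = parse_scoped(headers.get("REMOTE_USER"), trusted_scopes)
    if eppn is None:
        return False, "no acceptable principal name"
    user = "@".join(eppn)

    if user in policy.eppns:
        return True, "eppn " + user

    for raw in split_multi(headers.get("Shib-EP-Affiliation")):
        parsed = parse_scoped(raw, trusted_scopes)
        if parsed is None:
            continue  # foreign or malformed scope: ignored, never matched
        if "@".join(parsed) in policy.affiliations:
            return True, "affiliation " + "@".join(parsed)

    # Entitlements carry no scope, so accepting them means trusting the
    # asserting origin to release them only to its own users; restrict
    # them to values agreed with that origin.
    for ent in split_multi(headers.get("Shib-EP-Entitlement")):
        if ent in policy.entitlements:
            return True, "entitlement " + ent

    return False, "no matching rule for " + user


if __name__ == "__main__":
    # Constructed policy and headers; no real users.
    pol = Policy(eppns={"user.1@osu.edu"},
                 affiliations={"member@osu.edu"},
                 entitlements={"urn:mace:osu.edu:obr:project"})
    print(authorize({"REMOTE_USER": "user.1@osu.edu"}, pol))
    print(authorize({"REMOTE_USER": "user.9@osu.edu",
                     "Shib-EP-Affiliation": "member@other.example"}, pol))
```

Which of the three rule kinds to use is the policy question the slide raises: an EPPN list is precise but does not scale, affiliation subsets a whole origin's population by a value the origin already maintains, and an entitlement lets the origin name exactly the licensed group but requires the vendor to trust the origin's bookkeeping.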
Shibboleth at OSU
Next Steps
• Always viewed as a means to migrate from
proprietary Web-ISO system to open standard,
with federated features a bonus
• Shibboleth 1.0 is not going to be a great WebISO, but I believe it is the right design to build on
• Document and scope the road from point A to
point B
• Point A isn’t sustainable, but funds are scarce,
so check back in a year (and see if we’re at B or
A-1)