Shibboleth: Early Experience at OSU
Scott Cantor (cantor.2@osu.edu)
October 28, 2002

Funding and Interconnections
• No OSU funding explicitly supporting the work
• Tasked with supporting an Ohio Board of Regents grant to develop a platform for competency-based learning (partnership with Apple and WebCT)
• Shibboleth as an SSO umbrella for deployment of content alongside library resources and WebCT/Blackboard/Angel

Expectations and Motivations
• Personal stake in design and development
• More comprehensive testing vs. contrived developer testing
• Scope the work needed to deploy as an SSO solution
• Demonstrate LMS/Library integration
• Extend access to research projects beyond the university

General Timeline
Summer ’02: Deploy alpha origin using existing SSO service, assess data situation
Fall ’02: Deploy alpha targets on library’s reverse proxy (ezproxy), OBR development server, LMS testbeds, other local applications (e.g. Peoplesoft)
Fall ’02: Participate in I2 pilot with external library vendors

General Timeline (continued)
Winter ’03: Migrate to 1.0 code base
Winter ’03: Assess functionality gaps in code, expected timeline for enhancements from I2, and scope of work for deployment
Winter ’03: Produce a plan for deployment with funding request attached
Spring ’03: Go / no go (no go leads to “interesting” decisions on existing SSO system)

Origin Site Alpha Deployment: Approach
• Hosting the Handle Service behind the existing SSO service, so the user experience is (mostly) identical between Shibboleth applications and existing applications
• Provides a clear migration strategy from Handle Service behind SSO to Handle Service as SSO once the code supports it

Origin Site Alpha Deployment: Issues
• Java made installation simple, but immediately had problems with LDAP (mixture of code issues and local issues), so very limited attributes
• Need for cleaner extension mechanisms in the AA for custom attributes and caching
• OSU’s LDAP service not ready for use, not being actively developed or enhanced at the present time
• Comparing scope of work to build out LDAP or use an RDBMS with the Shibboleth AA

Alpha Target Deployments: Proxying Resources
Main Library rolling out ezproxy as an off-campus access solution
• Advised library on ezproxy authentication interface using one-time username/passwords
• Deployed second proxy with Shibboleth as proof of concept and an OBR project resource
• “Real” deployment with proxy would use a routing script to detect on-campus access and bypass the proxy, already part of the library’s production proxy

Alpha Target Deployments: Internal Application Development
Deployed Windows port of alpha code to OBR grant development server to support applications being developed
• Extended code being reused for project to support EPPN-based authorization

Alpha Target Deployments: Learning Management Systems
Grant includes assessment of multiple LMS platforms (WebCT, Blackboard, Angel) for compliance with IMS standards and future support for competency-based instruction
• WebCT Vista price increase forcing reassessment of LMS platform choices
• Angel providing on-site test platform, worked with vendor to support Shibboleth using ISAPI port produced by me for EBSCO (almost working)
• WebCT provided a working demo using Shibboleth with external authentication API, not yet used for grant

Alpha Target Deployments: 800 Pound Gorilla
Parallel, unrelated activity investigating rollout of Peoplesoft self-service components
• Some existing ERP-related services (Brio) use the campus SSO service already
• Common need for improved data to feed Shibboleth and new Peoplesoft applications
• Tentative plan to prototype use of Shibboleth as SSO and authorization feed for Peoplesoft, making Shibboleth deployment a component of ERP infrastructure (“follow the money”)

Internet2 Shibboleth Pilot: Progress
Participating in the formal pilot program, but somewhat under the radar (see funds, none)
• Vendors providing direct access with Shibboleth fit seamlessly alongside local resources
• OSU access to EBSCO works as of late September
• OCLC another possible test
• Many databases licensed and accessed through the OhioLink consortium, constraining additional choices until they can be persuaded to participate

Internet2 Shibboleth Pilot: “Wow, the technology was easy…”
Access to EBSCO worked within minutes of the “try this URL” e-mail from the company. Understanding the contractual picture took days, and is still only imperfectly understood.
We have to understand what Shibboleth means today in order to explore tomorrow. Does emulating existing policies help with migration, or undermine the business case?

Internet2 Shibboleth Pilot: Next Steps
• Interesting pilots require immediate consideration of how to subset users and communicate this to vendors (affiliation vs. entitlements vs. multiple origin sites)
• Need to send knowledge gained back to MACE-Dir to explore directory implications
• Need to engage campus resources for wider testing (“I built it, are they coming?”)

Shibboleth at OSU: Next Steps
• Always viewed as a means to migrate from the proprietary Web-ISO system to an open standard, with federated features a bonus
• Shibboleth 1.0 is not going to be a great WebISO, but I believe it is the right design to build on
• Document and scope the road from point A to point B
• Point A isn’t sustainable, but funds are scarce, so check back in a year (and see if we’re at B or A-1)
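The EPPN-based authorization on the grant server and the pilot question of how to subset users (affiliation vs. entitlements vs. multiple origin sites) are both target-side access decisions over attributes the origin's AA asserts. The following is an added illustration, not code from the talk or from Shibboleth: a deny-by-default check that applies one of the three subsetting styles, and that only honours an EPPN scope the issuing origin is trusted for. The origin names, trusted-scope table, entitlement URN and sample users are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Scopes each origin site is trusted to assert (constructed; a real target
# reads this from its site metadata rather than hard-coding it).
TRUSTED_SCOPES = {
    "urn:example:osu-origin": {"osu.edu"},
    "urn:example:partner-origin": {"partner.example"},
}

@dataclass(frozen=True)
class Assertion:
    """Attributes a target receives from an origin's attribute authority."""
    origin: str                              # origin site that issued the assertion
    eppn: Optional[str] = None               # eduPersonPrincipalName, "user@scope"
    affiliations: frozenset = frozenset()    # eduPersonAffiliation values
    entitlements: frozenset = frozenset()    # eduPersonEntitlement values

def verified_scope(a: Assertion) -> Optional[str]:
    """Scope part of the EPPN, but only if this origin may assert that scope."""
    if not a.eppn or "@" not in a.eppn:
        return None
    scope = a.eppn.rsplit("@", 1)[1].lower()
    return scope if scope in TRUSTED_SCOPES.get(a.origin, set()) else None

def authorize(a: Assertion, rule: dict) -> Tuple[bool, str]:
    """Apply one rule of the form {"by": <kind>, "allow": {<values>}}.
    Deny by default: missing or unverifiable attributes never grant access,
    which is exactly what a thin LDAP feed looks like to the target."""
    kind, allow = rule["by"], rule["allow"]
    if kind == "affiliation":
        hits = a.affiliations & allow
    elif kind == "entitlement":
        hits = a.entitlements & allow
    elif kind == "origin":
        scope = verified_scope(a)
        hits = {scope} & allow if scope else set()
    else:
        raise ValueError(f"unknown rule kind {kind!r}")
    return bool(hits), f"{kind}: {'matched ' + ','.join(sorted(hits)) if hits else 'no match'}"

# Constructed sample assertions for a licensed-database resource.
STUDENT = Assertion("urn:example:osu-origin", "student1@osu.edu", frozenset({"student", "member"}))
FACULTY = Assertion("urn:example:osu-origin", "prof1@osu.edu", frozenset({"faculty", "member"}),
                    frozenset({"urn:example:entitlement:licensed-db"}))
THIN = Assertion("urn:example:osu-origin", "user2@osu.edu")      # EPPN only, no other attributes
FOREIGN = Assertion("urn:example:partner-origin", "x@osu.edu")   # scope this origin may not assert

RULES = {
    "affiliation": {"by": "affiliation", "allow": {"student", "faculty"}},
    "entitlement": {"by": "entitlement", "allow": {"urn:example:entitlement:licensed-db"}},
    "origin": {"by": "origin", "allow": {"osu.edu"}},
}
```

Run `authorize(THIN, RULES["affiliation"])` to see the thin-attribute case denied while `authorize(THIN, RULES["origin"])` still admits it, and `authorize(FOREIGN, RULES["origin"])` to see the untrusted scope rejected.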