CAMP Shibboleth: Flexible Web-Based Authentication and Authorization

Interested in using a Web single sign-on (SSO) and leveraging it to access resources supported inside your institution as well as contracted services? Need to make the case across campus and want strategies to help? Looking for some guidance for technical staff on connecting it up to applications too?

Internet2's Shibboleth is being deployed nationally and internationally as a campus and interinstitutional federating or Web SSO system. It leverages campus identity and access management infrastructures to authenticate individuals and then sends information about them to the resource site, enabling the resource provider to make an informed authorization decision. Many campuses are asking what value they derive from deploying separate intra- and intercampus SSO systems and are switching to Shibboleth to support both requirements.

In addition to being a Web SSO, the software can also simplify application deployment and maintenance. For instance, using attribute delivery:

• Users can auto populate forms instead of manually entering authorized personal information.
• System administrators can create just-in-time accounts when the user first logs in instead of batch updates at a specified time.
• Developers don’t need to know how or where to get user data or have access rights to it, once they have permission for its use.

Shibboleth allows for customization and personalization of applications for the user, in addition to enabling authorization.

This CAMP will offer concrete practice and real-world experience from institutions running Shibboleth in production for controlling access to both on- and off-campus services. Both IT management and technical staff will find sessions of interest and guidance for running Shibboleth in production. Participants will learn the answers to questions such as:

• What is Shibboleth and how does it work?
• What is the business case for it and how can I sell it on my campus?
• What policies and business practices must I consider?
• What resources do I need to have to implement and support it?
• What is the migration path to support intercampus Web SSO in the future?
• How much identity management infrastructure do I need?
• How do I integrate it with my applications?
• What is new in the recent 2.0 release of Shibboleth?

This workshop will offer education and guidance to higher education IT managers, project managers, middleware architects, and systems analysts involved at a technical, management, or stakeholder level in supporting Web-based services. Participants are encouraged to have a sound knowledge of identity management to learn the most from the sessions. Those interested in knowing more about identity management can review the Enterprise Directory and Authentication Implementation roadmaps.

A note to previous CAMP Shibboleth Workshop attendees: If you participated in the authentication workshop in June 2006, consider attending this meeting to learn about how your colleagues are using the software to address their development challenges.

CAMP is sponsored by the National Science Foundation Middleware Initiative-Enterprise and Desktop Integration Technologies (NMI-EDIT) Consortium: Internet2 and EDUCAUSE. Additional support was provided by the National Science Foundation OCI-0330626. For information about NMI-EDIT and participation in the NSF Middleware Initiative, see www.nmi-edit.org.