Shibboleth for Middle Schools : James


Shibboleth for Middle Schools
James Burger - [email protected]
What do an ear of corn, a stream of water, and computer networks have in common?
Shibboleth.
What is Shibboleth?
- Shibboleth is software, more specifically referred to as middleware.
- Middleware is a layer of software that acts as a facilitator between a network and its applications, providing services such as identification, authentication, and authorization.
- Shibboleth was developed by Internet2/MACE. The current version is v1.2.
2 communities
- Users – in this case, middle school educators and learners
- Service Providers – in this case, content providers who contribute the NSDL collections
Why Shibboleth in middle schools?
- Shibboleth is a superior system for allowing users to log in to secure resources, because it provides a high level of privacy by allowing communities to set their own Attribute Release Policies.
- Attributes conveyed to resources can be used to customize levels of access for the user. For example, a resource might have two distinct areas, one for teachers and one for students. Logging in would bring the user directly to the appropriate area.
Don’t some middle schools already log into resources on the Internet?
- Yes. Middle schools already benefit from such resources. There are several established ways to link communities in a collaborative manner.
- But each system suffers from significant inefficiencies. For example…
Users can log in with individual usernames and passwords
- Difficult to remember different usernames
- Difficult to authenticate, limits customization
- Easy to generate redundant accounts
- User can’t control personal info
Service providers recognize Internet Protocol (IP) addresses of subscribing organizations
- Access is limited to on-site use
- Administrative burden on both sides
Users can log in through a secure portal or proxy server on their school’s site
- Portals and proxy servers may not be as secure as Shibboleth-enabled servers
- Generic attributes = insufficient data (member@schoolname)
- Administrative burden on both sides
Shibboleth was developed as a means to address each of these issues.
The school assigns each member of its community a unique identifier
For example, jb701 = James Burger
- SOLVED: Access is limited to use on-site at the middle school
- SOLVED: Difficult to remember different usernames
- SOLVED: Easy to generate several accounts
When the user logs into the school’s network, a temporary, opaque “handle” is created. The handle disassociates the ID from identifying information. Instead, the user’s organization specifies attributes to send to the content provider through an Attribute Release Policy (ARP).
- SOLVED: User can’t control personal info
- SOLVED: Difficult to authenticate, limits customization
A user can have several Attribute Release Policies (ARPs)
- ARP I: Member of subscribing community
- ARP II: Member of subscribing community, Student
- ARP III: Member of subscribing community, Student, Grade
Federations agree on Attribute Release Policies
- SOLVED, again: Difficult to authenticate, limits customization
- SOLVED, again: Generic attributes = insufficient data (member@schoolname)
- SOLVED, again: User can’t control personal info
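The handle-then-ARP flow from the preceding slides, as an added example that is not part of the original deck and is not Shibboleth's own code or configuration: the school's identity provider issues a random, opaque handle at login, keeps the handle-to-identifier mapping to itself, and when a content provider later asks for attributes it releases only what the ARP agreed for that provider permits. The three ARPs are the ones on the slide; every user, password, provider name and provider-to-ARP mapping is constructed for illustration, and the teacher/student routing shows the "two distinct areas" use case from the "Why Shibboleth" slide.

```python
"""Toy model of the login flow the slides describe: the school's identity
provider issues an opaque handle at login, then answers a content
provider's attribute request by applying the Attribute Release Policy (ARP)
the federation agreed for that provider.  Added example, not Shibboleth's
own code or configuration; all users, passwords, providers and policy
assignments below are constructed for illustration."""
import secrets

# Constructed school directory.  Identifiers follow the slide's
# "jb701 = James Burger" convention; grade is None for staff.
USER_DIRECTORY = {
    "jb701": {"name": "James Burger", "affiliation": "member", "role": "teacher", "grade": None},
    "ab123": {"name": "Alex Brown", "affiliation": "member", "role": "student", "grade": "7"},
}
DEMO_PASSWORDS = {"jb701": "corn-stream-1", "ab123": "water-ear-2"}  # constructed

# The three ARPs from the slide.  Note what is absent: the local identifier
# and the name are never releasable, whatever the policy.
ARPS = {
    "ARP I": ["affiliation"],
    "ARP II": ["affiliation", "role"],
    "ARP III": ["affiliation", "role", "grade"],
}
# Which ARP the federation agreed for each content provider (constructed).
PROVIDER_ARP = {
    "library.example": "ARP I",
    "lessons.example": "ARP II",
    "mathdrills.example": "ARP III",
}


class IdentityProvider:
    """The school's side: login, handle issuance, attribute release."""

    def __init__(self):
        # handle -> local identifier; this mapping never leaves the school
        self._handles = {}

    def login(self, user_id, password):
        """Stand-in for the school's login system; returns an opaque handle."""
        if not secrets.compare_digest(DEMO_PASSWORDS.get(user_id, ""), password):
            return None
        handle = secrets.token_urlsafe(16)  # random, carries no identity
        self._handles[handle] = user_id
        return handle

    def attribute_query(self, handle, provider):
        """Resolve the handle locally and release only what the ARP permits."""
        user_id = self._handles.get(handle)
        if user_id is None:
            return None  # unknown or expired handle
        policy = ARPS[PROVIDER_ARP.get(provider, "ARP I")]  # default: least detail
        record = USER_DIRECTORY[user_id]
        return {attr: record[attr] for attr in policy if record[attr] is not None}


def provider_area(attributes):
    """Content-provider side: route to the area the released attributes allow."""
    role = attributes.get("role")
    if role == "teacher":
        return "teacher-area"
    if role == "student":
        return "student-area"
    return "member-area"  # ARP I tells the provider only that the user belongs


def access_resource(idp, user_id, password, provider):
    """Full flow: login at the school, handle to provider, ARP-filtered attributes."""
    handle = idp.login(user_id, password)
    if handle is None:
        return None
    attributes = idp.attribute_query(handle, provider)
    return {"attributes": attributes, "area": provider_area(attributes)}


if __name__ == "__main__":
    idp = IdentityProvider()
    for provider in PROVIDER_ARP:
        print(provider, access_resource(idp, "ab123", "water-ear-2", provider))
```

Running the demo shows the privacy/granularity trade-off the later slide states: the same student reaches the library provider as nothing more than "member", and only the ARP III provider learns a grade. The provider never sees the local identifier or name, and a provider not listed in the federation agreement falls back to the least-detailed policy rather than to everything.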
Shibboleth establishes a truly efficient system for content access
- Enough detail to know user’s needs
- Not enough detail to know user’s identity
- Ability to access resources remotely
- SOLVED: Generic attributes = insufficient data (member@schoolname)
Fewer attributes = greater privacy
More attributes = greater granularity
Shibboleth federations are striking a balance.
How much does it cost to implement Shibboleth?
- The software itself costs nothing
- Implementation costs depend on the existing technological infrastructure of the school and the technical capability of the staff
What is required to implement Shibboleth?
- Web server
- Java servlet container
- Login system (identity management)
- Agreement with federation policies
What does Shibboleth look like?
Isn’t it more complex than that?
What does the user see?
- The user may see two screens before reaching the requested content
- Both should be intuitive and may be used in numerous other applications:
  - Where Are You From (WAYF)
  - Organization login screen
OK, so far you’ve described a new way to network computers. What does that have to do with an ear of corn or a stream of water?
Shibboleth derives its name from the Hebrew word for an ear of corn or a stream of water. The name’s significance lies in its use as a Biblical password devised by the Gileadites to ward off the Ephraimites.
“…they would say to him, then say, ‘shibboleth;’ but he would say, ‘sibboleth,’ not being able to pronounce it correctly.” --Judges 12.6
Contact Information
James Burger
Manager, Subscriber Services
National Science Digital Library (NSDL)
Columbia University
417 Watson Hall
612 West 115th Street
New York, NY 10027
212-854-1110 / [email protected]