Joint Information Systems Committee 18-Jul-2006 | | Slide 1
Change Management for Libraries
Session B, 11:00 - 12:00
John Paschoud and Peter Spring
London School of Economics
Joint Information Systems Committee Supporting education and research
Access Management Showcase, July 2006
[JISC Showcase title slide]
Joint Information Systems Committee 18-Jul-2006 | | Slide 2
Why fix what ain’t broke?
Our Athens authentication system seems to work quite well, and has done so for several years. Why has JISC decided to migrate to Shibboleth?
Joint Information Systems Committee 18-Jul-2006 | | Slide 3
Why Shibboleth?
Moves closer to the single sign-on ideal - users need not remember so many passwords
Aligns with international convergence on Shibboleth/SAML - wider market for suppliers
Avoids the need to maintain a central Athens-type database - by JISC/Eduserv and by participating libraries
Open Source and Open Standards-based - so tools can be developed by participants and shared
Supports internal applications, collaborative inter-institutional sharing of resources, and virtual organisations
Joint Information Systems Committee 18-Jul-2006 | | Slide 5
Is that all!?!?
Improved security for resources, so publishers happy - they also don’t have to pay a licence fee (as they do for Athens), nor maintain campus IP address ranges
Because the access is role-based rather than identity-based there is improved privacy for users
Supports the trend towards a devolved / distributed model for access management
– Authentication by the end-users’ institution
– Authorisation by the resource owner
Suited to the demands for more mobile access – from home, travelling, or working at other institutions or libraries
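The split described on this slide (authentication at the user's institution, role-based authorisation at the resource owner) can be sketched as follows. This is an added example, not part of the original slides and not Shibboleth's own code; the directory record, release policy, SP identifiers and licence table are all constructed for illustration.

```python
import secrets

# Constructed directory record held by the institution (Identity Provider side).
DIRECTORY = {
    "jsmith": {
        "name": "J. Smith",
        "mail": "j.smith@example.ac.uk",
        "affiliation": "student@example.ac.uk",
    },
}

# Hypothetical release policy: attributes each Service Provider may receive.
RELEASE_POLICY = {
    "https://publisher.example.com/sp": {"affiliation"},
    "https://exams.example.ac.uk/sp": {"affiliation", "mail"},
}


def idp_assert(username, sp_id):
    """IdP side: after local login, release an opaque handle plus permitted attributes."""
    record = DIRECTORY[username]
    allowed = RELEASE_POLICY.get(sp_id, set())  # unknown SP: release nothing
    return {
        "handle": secrets.token_hex(16),  # fresh random handle, not the username
        "attributes": {k: v for k, v in record.items() if k in allowed},
    }


# Hypothetical resource-owner rule: roles, per institution scope, the licence covers.
LICENSED = {"example.ac.uk": {"student", "staff"}}


def sp_authorise(assertion):
    """SP side: decide from the role attribute alone; no identity is needed."""
    value = assertion["attributes"].get("affiliation", "")
    role, _, scope = value.partition("@")
    return role in LICENSED.get(scope, set())
```

The publisher sees only a scoped role and a one-off handle, so it can enforce the licence without learning who the user is.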
Joint Information Systems Committee 18-Jul-2006 | | Slide 6
So what is Shibboleth?
OK, sounds convincing, but what is Shibboleth?
Joint Information Systems Committee 18-Jul-2006 | | Slide 7
What is Shibboleth?
An initiative (of Internet2) to develop an architecture and policy framework supporting the sharing – between domains – of secured web resources and services
A project delivering an open source implementation of the architecture and framework
Deliverables:
– Software for Identity Providers (universities, libraries)
– Software for Service Providers (publishers …and universities, libraries)
– Policy models for Federations (scalable trust)
Joint Information Systems Committee 18-Jul-2006 | | Slide 8
What are the costs and benefits?
What are the costs and benefits for our library of migrating to Shibboleth?
Joint Information Systems Committee 18-Jul-2006 | | Slide 9
Costs/Benefits of Shibboleth?
Costs:
Institution’s directory must be in good shape and set up to support a Shibboleth Identity Provider (IdP)
Shibboleth middleware needs installing and maintaining
Benefits:
Reduced overheads in password support
No difference in on-campus and off-campus access
More flexible access control – e.g. different categories of users to different levels of access (or none) to a resource
Joint Information Systems Committee 18-Jul-2006 | | Slide 10
Any other capabilities?
Are there things Shibboleth can do that Athens cannot?
Joint Information Systems Committee 18-Jul-2006 | | Slide 11
The Other Capabilities of Shibboleth?
With Shibboleth your institution would be able to set up its repository, e-learning or any other service as a Service Provider
– as LSE has done for Exam Papers and other ‘members only’ collections
This will facilitate sharing of resources within the academic community
– you can provide controlled access to users from other institutions, without needing to administer usernames/passwords for them
– as LSE and Columbia (NY) did for a collaborative Anthropology teaching project (DART)
The fine-tuning of access control possible with Shibboleth will protect confidential or sensitive data from everyone except those whose roles allow access
Joint Information Systems Committee 18-Jul-2006 | | Slide 12
(the LSE Exam Papers collection – secured with Shibboleth)
Joint Information Systems Committee 18-Jul-2006 | | Slide 13
So how do we get Shibbolised?
What will our library need to have in place and do in order to migrate to Shibboleth?
What ‘infrastructure’ is required?
Joint Information Systems Committee 18-Jul-2006 | | Slide 14
What infrastructure is required?
Within your Library: Identity Provider (IdP) site
Required Enterprise Infrastructure
– Authentication
– Attribute Repository
Shib Components
– Handle Server
– Attribute Authority
At your Publishers / Aggregators / e-Resource Providers: Service Provider (SP) site
Required Enterprise Infrastructure
– Web Server (Apache or IIS)
Shib Components
– SHIRE
– SHAR
– WAYF
– Resource Manager
Joint Information Systems Committee 18-Jul-2006 | | Slide 15
Shibboleth IdP architecture
[Diagram. Labels: IdP server; Apache with MOD_SSL, Certificate check, MOD_LDAP_AUTHZ and MOD_JK; Tomcat hosting the Shibboleth IdP, with AA (Attribute Authority) and HS (Handle Server); configuration files idp.xml, resolver.xml and arp.xml; LDAP server; Web browser; Shibboleth SP; ports 443 and 8443; (various communications)]
Joint Information Systems Committee 18-Jul-2006 | | Slide 16
Is there help out there?
What help and support will be available to our library as we set about installing and migrating to Shibboleth?
Joint Information Systems Committee 18-Jul-2006 | | Slide 17
What support is there?
Internet2, who ‘own’ Shibboleth, maintain discussion lists for implementors and provide other documentation
JISC has set up MATU (Middleware Assisted Take-Up service) and will have other services to support the transition from Athens
LSE Library (the first Shibboleth installation in the UK) has built websites including the PERSEUS and Shibboleth@LSE sites, documenting our experience
– (with JISC funding via PERSEUS and other projects)
Joint Information Systems Committee 18-Jul-2006 | | Slide 18
What resources are Shibbolised?
But not all e-resources are going to be accessible via Shibboleth overnight, I believe. Will that be a problem for us?
…shouldn’t we wait for another 2 years, until they’ve all converted from Athens?
Joint Information Systems Committee 18-Jul-2006 | | Slide 19
[Diagram. Labels: Shib authenticated resources; Athens authenticated resources; Athens national authentication service; Athens enabled users; University Shib-IdP (several), each with Shib enabled users; gateways labelled "Athens Shib" and "Shib Athens"]
Ah! Eduserv has a cunning plan!
The Athens-Shibboleth Gateways
Joint Information Systems Committee 18-Jul-2006 | | Slide 20
And the Athens Administrator?
We have an Athens Administrator. What happens to that role after migrating to Shibboleth?
Joint Information Systems Committee 18-Jul-2006 | | Slide 21
Athens Administrator role?
Initially to manage the changeover from ‘classic Athens’ to either ‘Shibbolised’ resources, or via the Athens Gateway, and continue to maintain other ad hoc access methods where neither of these options is available
As things settle down, there will be the need to maintain the links in your library’s list of e-resources
Closer liaison with your own IT people (who manage your institutional directories) may be needed
Joint Information Systems Committee 18-Jul-2006 | | Slide 22
What’s a Federation?
What are these ‘Federations’ I hear about in relation to Shibboleth?
Joint Information Systems Committee 18-Jul-2006 | | Slide 23
What is a Federation?
A group of organisations with a common purpose (e.g. education and research) who trust each other
Not a subscription-purchasing consortium!
– but could be related to one or more of those
Federation members…
– sign up to a set of rules, including minimum standards for Identity Management practices
May have legal status
Needs the trust of suppliers
Joint Information Systems Committee 18-Jul-2006 | | Slide 24
What does Shibboleth access look like?
So what does access to an e-resource using Shibboleth look like to the end user?
Joint Information Systems Committee 18-Jul-2006 | | Slide 25
Well Shibboleth can look like this:
User knows URL of resource and that Shibboleth is used
And where they are from
Joint Information Systems Committee 18-Jul-2006 | | Slide 26
Or, Shibboleth works invisibly behind the library portal
Alternatively, on or off campus, you could just go to the list of e-resources in the library’s portal.
In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system:
…but it could just be a list on a ‘hand-crafted’ web page
Joint Information Systems Committee 18-Jul-2006 | | Slide 27
Shibboleth behind the library portal
The expanded list shows a link direct to the Service Provider, in this case Elsevier
Joint Information Systems Committee 18-Jul-2006 | | Slide 28
Shibboleth behind the library portal
After clicking link in library portal:
If users prefer the route through the library portal, e-resource usage statistics should become more representative
Joint Information Systems Committee 18-Jul-2006 | | Slide 29
What do we tell our users?
What should we tell our staff and student library users about the change to Shibboleth?
Joint Information Systems Committee 18-Jul-2006 | | Slide 30
What to tell your users?
As little as possible!
There is no Athens-type username and password to distribute (or to remind users of when forgotten or lost)
One strand of the change management will be to remove references to Athens passwords from user guides etc
– there should be no need to substitute Shibboleth in Athens’ place
During changeover, there will be decreasing reliance on Athens passwords
– some users may need reassuring the library has not lost access to a super-database called Athens!
LSE now tells users that “your LSE Login” is the default access for everything
– …and provides help with the diminishing number of exceptions
Joint Information Systems Committee 18-Jul-2006 | | Slide 31
From LSE’s Electronic Library FAQs:
The FAQ shows how access to e-resources is getting easier, both on and off-campus.
Many LSE electronic resources can also be accessed off-campus via your LSE login (network username and password).
Joint Information Systems Committee 18-Jul-2006 | | Slide 32
‘LSE for You’ provides diminishing passwords:
The ‘LSE for You’ page, protected by the LSE login, provides the remaining passwords still required for some e-resources.
Joint Information Systems Committee 18-Jul-2006 | | Slide 33
How did the LSE do it?
You were the first installation of Shibboleth in the UK. How did the LSE Library manage the change to Shibboleth?
Joint Information Systems Committee 18-Jul-2006 | | Slide 34
How did the LSE do it?
Installing the infrastructure was surprisingly easy
– (once we had the first working version of the software!)
We chose a ‘cautious’ changeover from Athens access, with careful quality assurance testing of each resource link
We were at the ‘bleeding edge’, with over 150 resource collections being accessed by ‘classic Athens’, Shibboleth, the Athens Gateway and EZproxy, and about 20% by all sorts of ad hoc methods
The methods used for these tests, a progress bar and a table of the Shibbolised status of those resources can be found on the Shibboleth@LSE website
Joint Information Systems Committee 18-Jul-2006 | | Slide 38
The End
Joint Information Systems Committee Supporting education and research
Change Management for Libraries
[JISC Conf title slide]
Joint Information Systems Committee 18-Jul-2006 | | Slide 39
Links, Questions and Conclusions
Shibboleth: shibboleth.internet2.edu
Shibboleth@LSE: www.angel.ac.uk/ShibbolethAtLSE/
PERSEUS: www.angel.ac.uk/PERSEUS/
Questions?
Arguments?
…you’ll think of them later?: [email protected]