Joint Information Systems Committee 18-Jul-2006 | | Slide 1 Change Management for Libraries Session...

Joint Information Systems Committee 18-Jul-2006 | | Slide 1

Change Management for Libraries

Session B, 11:00 - 12:00

John Paschoud and Peter Spring

London School of Economics

Joint Information Systems Committee Supporting education and research

Access Management Showcase, July 2006

[JISC Showcase title slide]


Why fix what ain’t broke?

Our Athens authentication system seems to work quite well, and has done so for several years. Why has JISC decided to migrate to Shibboleth?


Why Shibboleth?

Moves closer to the single sign-on ideal - users need not remember so many passwords

Aligns with international convergence on Shibboleth/SAML - wider market for suppliers

Avoids the need to maintain a central Athens-type database- by JISC/Eduserv and by participating libraries

Open Source and Open Standards –based- so tools can be developed by participants and shared

Supports internal applications, collaborative inter-institutional sharing of resources, and virtual organisations


Is that all?

Is that all?


Is that all!?!?

Improved security for resources, so publishers happy - they also don’t have to pay a licence fee (as they do for Athens), nor maintain campus IP address ranges

Because the access is role-based rather than identity-based there is improved privacy for users

Supports the trend towards a devolved / distributed model for access management

– Authentication by the end-users’ institution

– Authorisation by the resource owner

Suited to the demands for more mobile access – from home, travelling, or working at other institutions or libraries


So what is Shibboleth?

OK, sounds convincing, but what is Shibboleth?


What is Shibboleth?

An initiative (of Internet2) to develop an architecture and policy framework supporting the sharing – between domains – of secured web resources and services

A project delivering an open source implementation of the architecture and framework

Deliverables:

– Software for Identity Providers (universities, libraries)

– Software for Service Providers (publishers …and universities, libraries)

– Policy models for Federations (scalable trust)


What are the costs and benefits?

What are the costs and benefits for our library of migrating to Shibboleth?


Costs/Benefits of Shibboleth?

Costs:

Institution’s directory must be in good shape and set up to support a Shibboleth Identity Provider (IdP)

Shibboleth middleware needs installing and maintaining

Benefits:

Reduced overheads in password support

No difference in on-campus and off-campus access

More flexible access control – e.g. different categories of users to different levels of access (or none) to a resource


Any other capabilities?

Are there things Shibboleth can do that Athens cannot?


The Other Capabilities of Shibboleth?

With Shibboleth your institution would be able to set up its repository, e-learning or any other service as a Service Provider

– as LSE has done for Exam Papers and other ‘members only’ collections

This will facilitate sharing of resources within the academic community

– you can provide controlled access to users from other institutions, without needing to administer usernames/passwords for them

– as LSE and Columbia (NY) did for a collaborative Anthropology teaching project (DART)

The fine-tuning of access control possible with Shibboleth will protect confidential or sensitive data except for those whose roles allow this


(the LSE Exam Papers collection – secured with Shibboleth)


So how do we get Shibbolised?

What will our library need to have in place and do in order to migrate to Shibboleth?

What ‘infrastructure’ is required?


What infrastructure is required?

Within your Library: IdentityProvider (IdP) site – Required Enterprise Infrastructure

– Authentication

– Attribute Repository

IdentityProvider Site – Shib Components– Handle Server

– Attribute Authority

At your Publishers / Aggregators / e-Resource Providers: ServiceProvider (SP) site - Required Enterprise Infrastructure

– Web Server (Apache or IIS)

ServiceProvider Site – Shib Components– SHIRE

– SHAR

– WAYF

– Resource Manager


IdP server

Shibboleth IdP architecture

8443 Shibboleth

SP

Webbrowser

(various communications)

443

LDAP server

MOD_SSL

Certificate check

MOD_LDAP_AUTHZ

MOD_JK

Apache

Tomcat

Shibboleth IdP AA (Attribute

Authority)

HS (Handle Server)

idp.xml

resolver.xml

arp.xml


Is there help out there?

What help and support will be available to our library as we set about installing and migrating to Shibboleth?


What support is there?

Internet2, who ‘own’ Shibboleth, maintain discussion lists for implementors and provide other documentation

JISC has set up MATU (Middleware Assisted Take-Up service) and will have other services to support the transition from Athens

LSE Library (the first Shibboleth installation in the UK) has built websites including the PERSEUS and Shibboleth@LSE sites, documenting our experience

– (with JISC funding via PERSEUS and other projects)


What resources are Shibbolised?

But not all e-resources are going to be accessible via Shibboleth overnight, I believe. Will that be a problem for us?

…shouldn’t we wait for another 2 years, until they’ve all converted from Athens?


Shib authenticated

resources

Athens authenticated

resources

Athens national

authentication service

Athens enabledusers

University Shib-IdP

Shib enabledusers University

Shib-IdP

Shib enabledusers

University Shib-IdP

Shib enabledusers

AthensShib

Shib Athens

Ah! Eduserv has a cunning plan!

The Athens-Shibboleth Gateways


And the Athens Administrator?

We have an Athens Administrator. What happens to that role after migrating to Shibboleth?


Athens Administrator role?

Initially to manage the changeover from ‘classic Athens’ to either ‘Shibbolised’ resources, or via the Athens Gateway, and continue to maintain other ad hoc access methods where neither of these options is available

As things settle down, there will be the need to maintain the links in your library’s list of e-resources

Closer liaison with your own IT people (who manage your institutional directories) may be needed


What’s a Federation?

What are these ‘Federations’ I hear about in relation to Shibboleth?


What is a Federation?

A group of organisations with a common purpose (e.g. education and research) who trust each other

Not a subscription-purchasing consortium!

– but could be related to one or more of those

Federation members…

– sign up to a set of rules, including minimum standards for Identity Management practices

May have legal status

Needs the trust of suppliers


What does Shibboleth access look like?

So what does access to an e-resource using Shibboleth look like to the end user?


Well Shibboleth can look like this:

User knows URL of resource and that Shibboleth is used

And where they are from


Or, Shibboleth works invisibly behind the library portal

Alternatively, on or off campus, you could just go to the list of e-resources in the library’s portal.

In the LSE Library’s case our ‘Electronic Library’ is run from Endeavor’s Encompass system:

…but it could just be a list on a ‘hand-crafted’ web page


Shibboleth behind the library portal

The expanded list shows a link direct to the Service Provider, in this case Elsevier


Shibboleth behind the library portal

After clicking link in library portal:

If users prefer the route through the library portal, e-resource usage statistics should become more representative


What do we tell our users?

What should we tell our staff and student library users about the change to Shibboleth?


What to tell your users?

As little as possible!

There is no Athens-type username and password to distribute (and remind of when forgotten or lost)

One strand of the change management will be to remove references to Athens passwords from user guides etc

– there should be no need to substitute Shibboleth in Athens’ place

During changeover, decreasing reliance will be made on Athens passwords

– some users may need reassuring the library has not lost access to a super-database called Athens!

LSE now tells users that “your LSE Login” is the default access for everything

– …and provides help with the diminishing number of exceptions


From LSE’s Electronic Library FAQs:

The FAQ shows how access to e-resources is getting easier, both on and off-campus.

Many LSE electronic resources can also be accessed off-campus via your LSE login (network username and password).


‘LSE for You’ provides diminishing passwords:

The ‘LSE for You’ page, protected by the LSE login, provides the remaining passwords still required for some e-resources.


How did the LSE do it?

You were the first installation of Shibboleth in the UK. How did the LSE Library manage the change to Shibboleth?


How did the LSE do it?

Installing the infrastructure was surprisingly easy

– (once we had the first working version of the software!)

We chose a ‘cautious’ changeover from Athens access, with careful quality assurance testing of each resource link

We were at the ‘bleeding edge’, with over 150 resource collections being accessed by ‘classic Athens’, Shibboleth, the Athens Gateway and EZproxy, and about 20% by all sorts of ad hoc methods

The methods used for these tests, a progress bar and a table of the Shibbolised status of those resources can be found on the Shibboleth@LSE website


Shibboleth@LSE Home


Shibboleth@LSE Shibbolisation Progress


Shibboleth@LSE Table of e-Resources


The End

Joint Information Systems Committee Supporting education and research

Change Management for Libraries

[JISC Conf title slide]


Links, Questions and Conclusions

Shibboleth: shibboleth.internet2.edu

Shibboleth@LSE: www.angel.ac.uk/ShibbolethAtLSE/

PERSEUS: www.angel.ac.uk/PERSEUS/

Questions?

Arguments?

…you’ll think of them later?: [email protected]

Joint Information Systems Committee 18-Jul-2006 | | Slide 1 Change Management for Libraries Session...

Documents

Transcript of Joint Information Systems Committee 18-Jul-2006 | | Slide 1 Change Management for Libraries Session...