Shibboleth for Middle Schools James Burger -


Page 1: Shibboleth for Middle Schools James Burger -

Shibboleth for Middle Schools

James Burger - [email protected]

Page 2: Shibboleth for Middle Schools James Burger -

What do an ear of corn, a stream of water, and computer networks have in common?

Shibboleth.

Page 3: Shibboleth for Middle Schools James Burger -

What is Shibboleth?

Shibboleth is software, more specifically referred to as middleware

Middleware is a layer of software that acts as a facilitator between a network and its applications, providing services such as identification, authentication, and authorization

Shibboleth was developed by Internet2/MACE. The current version is v1.2

Page 4: Shibboleth for Middle Schools James Burger -

2 communities

Users – In this case, middle school educators and learners

Service Providers – In this case, content providers who contribute the NSDL collections

Page 5: Shibboleth for Middle Schools James Burger -

Why Shibboleth in middle schools?

Shibboleth is a superior system for allowing users to log in to secure resources, because it provides a high level of privacy by allowing communities to set their own Attribute Release Policies.

Attributes conveyed to resources can be used to customize levels of access for the user. For example, a resource might have two distinct areas, one for teachers and one for students. Logging in would bring the user directly to the appropriate area.

Page 6: Shibboleth for Middle Schools James Burger -

Don’t some middle schools already log into resources on the Internet?

Yes. Middle schools already benefit from such resources. There are several established ways to link communities in a collaborative manner.

But, each system suffers from significant inefficiencies. For example…

Page 7: Shibboleth for Middle Schools James Burger -

Users can log in with individual usernames and passwords

Difficult to remember different usernames

Difficult to authenticate, limits customization

Easy to generate redundant accounts

User can’t control personal info

Page 8: Shibboleth for Middle Schools James Burger -

Service providers recognize Internet Protocol (IP) addresses of subscribing organizations

Access is limited to on-site use

Administrative burden on both sides

Page 9: Shibboleth for Middle Schools James Burger -

Users can log in through a secure portal or proxy server on their school’s site

Portals and proxy servers may not be as secure as Shibboleth-enabled servers

Generic attributes = insufficient data (member@schoolname)

Administrative burden on both sides

Page 10: Shibboleth for Middle Schools James Burger -

Shibboleth was developed as a means to address each of these issues.

Page 11: Shibboleth for Middle Schools James Burger -

SOLVED: Access is limited to use on-site at the middle school

SOLVED: Difficult to remember different usernames

  SOLVED: Easy to generate several accounts

The school assigns each member of its community a unique identifier

For example, jb701 = James Burger

Page 12: Shibboleth for Middle Schools James Burger -

When the user logs into the school’s network, a temporary, opaque “handle” is created. The handle disassociates the ID from identifying information. Instead, the user’s organization specifies attributes to send to the content provider through an Attribute Release Policy (ARP).

SOLVED: User can’t control personal info

SOLVED: Difficult to authenticate, limits customization

Page 13: Shibboleth for Middle Schools James Burger -

A user can have several Attribute Release Policies (ARP)

ARP I: Member of subscribing community

ARP II: Member of subscribing community, Student

ARP III: Member of subscribing community, Student, Grade
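
A simplified model of the handle and ARP flow from the two slides above, added here as an example; it is not part of the original slides and is not Shibboleth's own code or ARP file format. The user record, provider URLs, attribute names and handle lifetime are constructed assumptions.

```python
import secrets
import time

# Constructed school directory (identifier -> private record); it stays at the school.
DIRECTORY = {"st204": {"name": "Sample Student", "member": "member@schoolname",
                       "affiliation": "student", "grade": "7"}}

# The three policies from the slide, expressed as attribute allow-lists.
ARPS = {
    "ARP I": ("member",),
    "ARP II": ("member", "affiliation"),
    "ARP III": ("member", "affiliation", "grade"),
}

# Hypothetical assignment of content providers to policies.
SP_POLICY = {
    "https://catalog.example.org": "ARP I",
    "https://lessons.example.org": "ARP III",
}

HANDLE_TTL = 300  # seconds; assumed lifetime of the temporary handle


class SchoolIdP:
    def __init__(self):
        self._handles = {}  # handle -> (user id, expiry); never sent to providers

    def login(self, user_id, now=None):
        """Issue a random handle that carries no identifying information."""
        if user_id not in DIRECTORY:
            raise KeyError(user_id)
        now = time.time() if now is None else now
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = (user_id, now + HANDLE_TTL)
        return handle

    def release(self, handle, provider, now=None):
        """Return only the attributes the provider's ARP permits."""
        now = time.time() if now is None else now
        user_id, expires = self._handles.get(handle, (None, 0))
        if user_id is None or now >= expires:
            self._handles.pop(handle, None)
            raise PermissionError("unknown or expired handle")
        policy = SP_POLICY.get(provider)
        if policy is None:
            return {}  # no agreed policy: release nothing
        record = DIRECTORY[user_id]
        return {attr: record[attr] for attr in ARPS[policy]}
```

The content provider only ever sees the handle and the released attributes; the name and the school identifier stay in the school's directory.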

Page 14: Shibboleth for Middle Schools James Burger -

Federations agree on Attribute Release Policies

SOLVED, again: Difficult to authenticate, limits customization

SOLVED, again: Generic attributes = insufficient data (member@schoolname)

SOLVED, again: User can’t control personal info

Page 15: Shibboleth for Middle Schools James Burger -

Shibboleth establishes a truly efficient system for content access

Enough detail to know user’s needs

Not enough detail to know user’s identity

Ability to access resources remotely

SOLVED: Generic attributes = insufficient data (member@schoolname)

Page 16: Shibboleth for Middle Schools James Burger -

Fewer attributes = greater privacy 

More attributes = greater granularity 

Shibboleth federations are striking a balance.

Page 17: Shibboleth for Middle Schools James Burger -

How much does it cost to implement Shibboleth?

The software itself costs nothing

Implementation costs depend on the existing technological infrastructure of the school and the technical capability of the staff

Page 18: Shibboleth for Middle Schools James Burger -

What is required to implement Shibboleth?

Web Server

Java Servlet Container

Login system (identity management)

Agreement with federation policies

Page 19: Shibboleth for Middle Schools James Burger -

What does Shibboleth look like?

Page 20: Shibboleth for Middle Schools James Burger -

Isn’t it more complex than that?

Page 21: Shibboleth for Middle Schools James Burger -

What does the user see?

The user may see two screens before reaching the requested content

Both should be intuitive and may be used in numerous other applications:

Where Are You From (WAYF)

Organization login screen

Page 22: Shibboleth for Middle Schools James Burger -

OK, so far you’ve described a new way to network computers. What does that have to do with an ear of corn or a stream of water?

Page 23: Shibboleth for Middle Schools James Burger -

Shibboleth derives its name from the Hebrew word for an ear of corn or a stream of water. The name’s significance lies in its use as a Biblical password devised by the Gileadites to ward off the Ephraimites.

 “…they would say to him, then say, ‘shibboleth;’ but he would say, ‘sibboleth,’ not being able to pronounce it correctly.” --Judges 12.6

Page 24: Shibboleth for Middle Schools James Burger -

Contact Information

James Burger

Manager, Subscriber Services
National Science Digital Library (NSDL)
Columbia University
417 Watson Hall
612 West 115th Street
New York, NY 10027

212-854-1110 / [email protected]