Matt Durant:

  • Bio

    Information Manager (Digital Resources) at Bath Spa University. The cynics among you may prefer to call me a Librarian!

    I have recently become obsessed with all things HTML/CSS. This site runs on WordPress, now re-launched with my very own theme.

    I love symmetry in web design, as well as the use of pastel colours as a complement to black and grey headings. Shoot me now.

    My blog discusses things of personal interest, as well as some (potentially very dull) work-related ramblings.

    Enjoy.

  • Posts tagged with shibboleth

    OpenAthens LA 2.0

    Posted on March 12, 2010 by Matt (1 comment)

    Last year we began “Project Shibboleth”, which was set up to discuss a possible transition away from OpenAthens MD (classic Athens) authentication to our electronic resources. This project quickly became known as ‘Single sign-on’ once we were aware of all our options, as well as feedback we had received from Shibboleth-run institutions.

    We have been running Eduserv’s LA 2.0 as our IDP for over six months now, taking us from the BETA product right through to the full release. The project did begin very slowly, mainly down to the fact that we were all so new to the world of identity management, having used OpenAthens MD/IP authentication since the beginning of time.

    I am impressed at how easy LA 2.0 has been to set up and maintain. Our computing services department install all of the regular updates now, whilst I log in to the admin console when needed to configure attributes and settings. Our Active Directory did have to be cleaned up however, making sure that leavers are removed quickly and that LA can differentiate between staff/students/affiliates.

    Once these issues were ironed out, OCLC’s GEOBASE was the only database which required LA to send out a specific affiliated attribute, taking just minutes to set up. Otherwise the default release of attributes was set up at the very beginning and has not been touched since. The system just works.

    For a full (colour coded) list of electronic resources that work with LA 2.0, visit here.

    The main difficulties I did experience were with service providers, who were not aware of LA. I instead began to refer to our IDP as Shibboleth, to cut down the amount of confusion when providers referred to the fact that we already had Athens authentication set-up.

    After registering our ‘Live’ install of LA with the Federation, the real hard work begins. We have chosen April 5th as the official changeover date when the Library removes all mention of Athens, instead forcing (where we can) students and staff to log in via our new single sign-on service. This has involved regular all staff/student emails, blog updates, as well as a published panel on the ‘MyAthens’ page warning of the changeover. There will also be some work during the summer to provide better ways in which students discover our resources.

    It is seen that the change will have limited implications for our users, however Refworks users will have to migrate their data between accounts. In order to cope with this I have emailed all Refworks users, sending them directly to a video tutorial on our Library blog.

    The success of our project has resulted in Eduserv basing a case study on us, and I have been invited to discuss our experiences at a series of Athens workshops throughout March.

    Access Management Federation Event

    Posted on March 12, 2009 by Matt

    Posted on the Bath Spa Shibboleth project WIKI:

    Yesterday I attended an Access Management Federation event in Bristol. The Federation promotes the use of the Shibboleth framework after the JISC withdrew its funding for Athens in July 2008.

    One of the most useful documents provided on the day was the UK Federation Quick Reference Guide, which presents an overview of useful documents available to Librarians and IT staff, from making a business case to installing and setting up your institution as an identity provider. Below is a URL to all of these resources:

    http://www.ukfederation.org.uk/content/Documents

    A lot of this information is highly useful; there are case studies of institutions that have implemented Shibboleth as well as technical documents detailing the installation method of Shibboleth.

    Another superb resource is Janet’s EdLab, a portal containing a variety of media on a range of topics to support their events, as well as a discussion forum for users. The Federation now has its own dedicated space on the site, with a wide range of discussion and document download opportunities surrounding Shibboleth implementation.

    One important point that came out of the event was how Shibboleth can benefit institutions as a whole. It has been easy thus far for me to consider single sign-on only as a direct benefit to Library services. However at Bath Spa there are many different systems that may benefit from the security that Shib provides. For example the University has been looking at a repository for some time. Once implemented, Shibboleth could be used to provide access for other institutions that may need to get involved. I understand also that our VLE is hosted elsewhere; Shib could control the amount of information on students that is transferred off campus for authentication.

    By joining the Federation and opting with Shibboleth we are agreeing with the rules of membership. As a result we are required to consider how well we deal with personal data at the University:

    all and any Data, when provided to the Federation Operator or
    another Member (as the case may be), are accurate and up-to-date
    and any changes to Metadata are promptly provided to the
    Federation Operator;

    We should have the system in place to make sure that the information we hold is accurate and up to date; does the SITS system at the University update Active Directory? Many IT professionals at the event talked about the ease in which a simple script can update Active Directory via an export from an enrolment system.

    A major theme was to consider how students/staff will be authenticated to use external resources. From the Library’s point of view we would need a service provider to be able to decipher between user groups, as some resources are only available to staff at the University. If the University continues to expand we may also need to ascertain the school that a student belongs to. Service providers would also like to ascertain whether a student is viable to access a resource, i.e. enrolment may have taken place but the student is yet to pay tuition!

    There may also need to be some change in our own authentication culture. The set-up of a single sign-on means that students and staff use only one username/password to access a very wide range of systems. As a result we may have to review how often passwords are changed at the University, as authentication relies so heavily on this one log-in.

    From a technical point of view there were some interesting discussions, some of which I didn’t understand! However there exists a simple Windows (wizard-like) installer to set up Shibboleth in a Windows environment, through which installation was presented as easy. This installs Shib 1.3 and therefore may only be useful for testing, as the federation has now moved on to support Shib 2.0. Apparently an installer for Shib 2 is being developed in the open source community. It was unclear whether Shib can run on Windows Server 2008, so we may need to discuss whether this will become an issue.

    Overall the Federation provided a clear message: if you choose to install Shibboleth they will hold our hand and support us through every step of implementation. If we opt for a third party solution (i.e. OpenAthens LA 2.0), we are on our own!

    The next step for me is to work out how many of our Electronic subscriptions are ‘Shibbolised’, as this will give us a very clear indication of how essential this project is overall.

    OpenAthens LA 2.0

    Posted on March 6, 2009 by Matt (2 comments)

    I travelled to Birmingham on Wednesday for an event introducing Eduserv’s new single sign-on product, OpenAthens LA 2.0.

    The slides for the event:

    The product was presented as a sequel to AthensDA (Devolved Authentication), launched in 2002, well used by Universities/ FE Colleges in the UK.

    Some important points that were brought up at the conference:

    1. Currently only 40% of electronic resource providers in the UK support Shibboleth, causing a great deal of complication for Shibboleth as a single sign-on solution.
    2. Statistics are almost non-existent in Shibboleth. Librarians/IT staff currently have to make sense of the endless log data in order to work out how often their resources are accessed.
    3. AthensDA is still used by Universities alongside Shibboleth in order to connect to resources that are Athens authenticated only. As a result IT departments are required to implement an interoperability between the two technologies.

    Realistically the disadvantages of Shibboleth should be short term. As the product is now widely used as well as open source, there will likely be developments to enable librarians to manipulate data easily. In the long term it is highly likely that the amount of service providers will increase rapidly due to support and pressure from the JISC.

    OpenAthens LA 2.0 really interested me as a product. The message throughout was fairly consistent: if you have an LDAP server / Windows environment, the product will run without issue. It requires two parts of the system to be hosted internally, including the main set-up of the system as well as the admin side hosted on a web server so that changes can be made remotely. The admin system did seem fairly complicated to use and therefore may require IT to become much more involved in the early stages of use. Eduserv however were confident that this system will be much simpler when available for release.

    The statistics side is a real treat though, as it allows Librarians to use the comprehensive process they are already used to with classic Athens. The system also caters for Libraries who need to set up quick accounts so that walk-in users can access electronic resources. With Shibboleth this would involve setting up a temporary entry in the Active Directory, clearly not a solution for many institutions!

    Overall I think we should consider this as a viable alternative. Over the coming years many of our electronic providers may choose to provide Shibboleth only authentication, in which case moving over to this framework would be much more important. But if many institutions begin to choose this product over Shibboleth in the short term, why would service providers seek to spend money on Shibboleth?

    I would welcome any comments on this as I am an authentication noob, starting out a career in digital resource Librarianship.
