9. Authentication

9.1 Service Authentication

All JISC funded EDINA services were converted to accept federated access from 1 August 2008. Institutions accessing EDINA services using federated access require their own native Identity providers (IdP) or to use OpenAthens (which provides a virtual IdP).

Unforeseen by EDINA during the original conversion of EDINA services to Shibboleth was the user demand for WAYFless URLs. WAYFless URLs are used where access to a service is required and the IdP that the user should use to login is known. Such URLs allow the user to bypass the complexities of the WAYF and so enhance the user experience. To meet the demand, EDINA services published WAYFless URLs but these are in native Shibboleth format and their use was not recommended; native Shibboleth WAYFless URLs have the following disadvantages:

• They are complex
• They are not permanent; they will change if the service host changes or the SAML protocol version changes.
• A user using a WAYFless URL misses the service login page, and so will not see service announcements.

To counter these disadvantages, EDINA has begun to develop an integrated login system to provide simple, stable WAYFless URLs across all EDINA services. It is expected that this facility will become available in late 2009.

While EDINA Shibbolised services were working reliably and well, Shibboleth is a complex technology with points of failure outwith the control of the service provider. EDINA was fortunate to have the UK federation's technical support located in-house and they were generally able to advise when users reported difficulties accessing EDINA services.

9.2 EDINA IdP

To accommodate EDINA staff access to EDINA services, EDINA training accounts non-affiliated one-off users and trial access to EDINA services, EDINA developed its own local IdP. This IdP service, which carries an EDINA branding, was originally developed using Shibboleth 1.3, and was later successfully upgraded to Shibboleth 2. This upgrade was used as a case study within the UK federation as an example of a rolling upgrade with minimal downtime. Data within the IdP was maintained through EDINA's User Support team using their web-based helpdesk software.