Newsline from EDINA
March 2006: Volume 11, Issue 1

EDINA > News > Newsline > Newsline 11.1 > Shibboleth and EDINA SDSS

Shibboleth and EDINA SDSS

For some time JISC has been planning a major switch in the access management software which JISC-funded services use, namely from Athens to a technology called Shibboleth, a product of the Internet2 initiative.

Shibboleth is intended as the next generation access management system for UK Higher and Further Education, for use across a wide range of applications, not just those traditionally addressed by Athens.

National UK federation

An important component of the Shibboleth approach is the federation, made up of Service Providers (SP) and institutions with members who wish to make use of services; such institutions are known as Identity Providers (IdP), since their primary task in the context of Shibboleth is to manage the identities of the people associated with them.

While a Shibboleth federation is a technical construct, the main challenges are not technical, but rather legal and ethical. It takes time for the full implications and obligations of a federal structure to develop, and for the participants to appreciate the change of mindset required from a centralised access management system (such as Athens) to one which is truly federated.

The SDSS project was required to set up a development federation to enable JISC-funded Shibboleth projects to have a structure in which to locate their work, and to give everyone involved some experience of the federal way of working.

From the start, SDSS operated their federation on strict guidelines so that it could be used as a model for production operation in due course. The SDSS federation has been seen as a success within the community and has been adopted as the forerunner to the UK national federation, scheduled to come into existence later this year. The best way for an SP or IdP to prepare for membership of the UK national federation is to join the SDSS federation now. A smooth transition has been promised by JISC!

JISC has asked UKERNA, the group responsible for JANET, to manage the UK national Shibboleth federation. SDSS will provide technical support to UKERNA in this work.

SDSS contributions to Internet2 development activity

SDSS staff have attended Internet2 meetings in the USA. Current areas of activity include:

1. WAYF development. The use of Shibboleth can entail use of a WAYF (Where Are You From?) server and web page, which enables end users to specify which IdP they belong to. SDSS made proposals last year on enhancements to the WAYF software to support multi-federation operation. These were accepted, and new code submitted by SDSS has now been incorporated into the Internet2 Shibboleth reference source code tree.
2. OpenSAML library. SAML (Security Assertion Markup Language) is the protocol which underpins Shibboleth. Rod Widdowson, a member of the SDSS team, was seconded at the end of 2005 to work on the OpenSAML library in collaboration with Internet2 colleagues. This work is now largely complete, and clears the way for a release of Shibboleth 2.0, possibly in the third quarter of 2006.

Further collaborative work is likely.

New SDSS WAYF

On 25th January the SDSS federation's WAYF server was upgraded with a new graphic design and enhanced functionality based on the latest Internet2 reference code contributed by SDSS (described above).

What's next?

Another important part of the SDSS work is to assist in the conversion of EDINA services to Shibboleth access management. This work is substantially complete, and when the UK national Shibboleth federation comes into existence, later in 2006, EDINA services will be ready for the brave new world!

Further Background to Shibboleth

SDSS Project web site