CAMP Shibboleth - Wrap Up

June 29, 2006

The following is a wrap-up of what I saw, heard, and hopefully learned from CAMP Shibboleth in Burlington, VT. As always with conferences and workshops, conversations with others and listening to questions asked are usually the most insightful and valuable moments. Much of this may seem scattered in thought, but I need to document these things somewhere…

1) Plymouth State is looking at Shibboleth as a way to accomplish centralized authZ. SunGard sold me on this idea months ago when I could only see Shibb as a federated WebISO solution. I was surprised to see that they are clearly marketing this use case as step two in your implementation plan. Number one is of course to get WebSSO implemented. Both of these are suggested before attacking the politics and policy of extending beyond institutional boundaries. It is clear that this is a smaller, step-based method that has stages of success. I like this a lot.

2) Shibboleth does attribute release or attribute assertions, not authZ. This seemed like semantics initially, but then I realized from responses to questions that this is an important distinction. Shibboleth could assert in some instances a common name attribute. This has no place in being used for authorization of any sort, but still may be useful, especially with intra-institutional home grown applications. An extremely valuable distinction to understand.

3) I learned that our current implementation methodology of CAS is not ideal. As we rely on an API based mechanism, the authN is coded into our system to rely on CAS. This does not make it as easy to change authN providers or WebSSO solutions as if we used a technology like mod_cas. This explanation from Scott Cantor was illuminating as it gave me a much clearer understanding of how the Shibboleth SP was intended to work when we begin Shibbolizing internal applications.

4) There is an increasing number of federated services becoming available through third parties that interoperate with Shibboleth. None of these constitutes “the killer app” for Plymouth State University, yet. Of particular note, international federations seem to be moving and forming much quicker than ones in the US. In Europe, a fair number of library related companies appear on their prioritized vendor list including some Plymouth State licenses: EBSCO, JSTOR, and ExLibris.

5) Shibboleth 1.3 can interoperate with federal E-Authentication with a “simple plugin”. This may evolve into our killer application as the Department of Education brings student oriented services online. Currently there are schools using this method to connect to NSF grant applications and the like.

6) The “Where Are You From” (WAYF) concept and implementation has problems. They are even referring to it as “the weakest link.” I’ve had concerns about this, so am happy this is getting attention. In our initial implementation, I believe the simplicity of our environment should allow us to bypass the WAYF. Hopefully WAYF issues will be resolved by the time we start playing in the federated space.

7) When it comes to identity, SunGard’s Luminis causes nearly as many problems as it solves. Others seem to be struggling with this. I’m left wondering if SunGard’s research into the identity management space will eventually lead to some better redesign around this issue.

8) This group has awareness and respect for OpenID. Glad to see this on their radar. When am I getting around to using it?

9) We (Bill Baber, Petr Brym, Ted Wisniewski and myself) met with a representative from the consulting firm Aegis USA. They seem very tuned into what is going on in this space. They also seem to have solid experience working with the Sun Identity Suite which I assume will be a large contender as we work to improve our identity management infrastructure. USNH will be considering them as a potential consultant as we look into identity management system-wide.

10) Finally some terminology:

IdP - Identity Provider - the core Shibb service that knows who a user is and has access to some attributes it can assert about them.
SP - Service Provider - This is the end service that will consume Shibb asserted attributes. These are the applications we would refer to as “Shibbolized”.
ARP - Attribute Release Policy - fairly complicated policies about what attributes are released for what services, and potentially on a per user basis. These are configured through XML.
WebSSO - this is a rebranding of WebISO. Not sure why, but I like it.
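
To make the distinction in point 2 and the ARP definition above concrete, here is an added example (not from CAMP or from Shibboleth itself): a simplified Python model of attribute release at the IdP and an authorization decision at the SP. It does not use Shibboleth's ARP XML format, and every user, SP identifier and attribute value in it is constructed for illustration.

```python
# Added illustration: a simplified model of attribute release, not Shibboleth's
# ARP XML. All users, SP identifiers and attribute values are constructed.

USER_ATTRS = {  # what the IdP knows about each user
    "jdoe": {"cn": "Jane Doe", "affiliation": ["student", "member"],
             "mail": "jdoe@example.edu"},
    "rroe": {"cn": "Richard Roe", "affiliation": ["staff", "member"],
             "mail": "rroe@example.edu"},
}

SITE_POLICY = {  # SP identifier -> attributes the institution releases to it
    "https://library.example.com/sp": {"affiliation"},
    "https://portal.example.edu/sp": {"cn", "affiliation", "mail"},
}

USER_POLICY = {  # per-user policy: attributes a user withholds from an SP
    "rroe": {"https://portal.example.edu/sp": {"mail"}},
}


def release(user, sp):
    """IdP side: return only the attributes policy permits for this SP."""
    allowed = set(SITE_POLICY.get(sp, set()))  # an unknown SP gets nothing
    allowed -= USER_POLICY.get(user, {}).get(sp, set())
    return {k: v for k, v in USER_ATTRS[user].items() if k in allowed}


def sp_authorize(asserted, required_affiliation):
    """SP side: the authZ decision is the SP's, made on a controlled
    attribute (affiliation). A display attribute such as cn is never used."""
    return required_affiliation in asserted.get("affiliation", [])


if __name__ == "__main__":
    lib = "https://library.example.com/sp"
    attrs = release("jdoe", lib)
    print(attrs, sp_authorize(attrs, "student"))
```

The IdP only decides what to assert; whether "student" is enough to get into the library resource is decided by the SP.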

aegis, aegis usa, arp, attribute release, camp, camp_062, eauthentication, educause, federation, identity management, idp, internet2, luminis, nmi-edit, openid, scott cantor, shibb, shibboleth, single sign on, sp, Sun Identity Suite, sungard, wayf, webiso, websso, xml



Comments

One Response to “CAMP Shibboleth - Wrap Up”

  1. No Sheep » 2006 in Review: Personal Top 10 on December 31st, 2006 12:38 pm

    [...] 7 - Attended CAMP Shibboleth in Burlington, VT Educause puts on a pretty good show and I certainly learned a great deal from this one. Shibboleth and identity management as a whole are important topics for me. I hope to be able to leverage much of what I learned from this conference to get centralized authorization and federated single sign-on in place at Plymouth State University. [...]
