US Federal E-Authentication and Higher Education

March 28, 2007 | Leave a Comment

The United States federal government has been working on an E-Authentication project actively since 2003 in response to the E-Government Act of 2002. Movement has been slow, but there are many federal agencies now leveraging this infrastructure in a federated manner. For more details about the initiative, there is the publicly available Burton Group Report on the Federal E-Authentication Initiative. For an updated view see the GCN article, E-Authentication maps out its future.

Since then, there has been work to bridge both Liberty Alliance and Shibboleth-based federations with the e-Government services. Involvement also extends to the Post Secondary Electronic Standards Council (PESC), which is working with all these organizations to ensure higher education is appropriately represented. Certainly NSF Fastlane and Federal Student Aid (FAFSA) seem like the most obvious first candidates to work with higher education institutions.

With all the activity surrounding the federal government deploying these services in a federated method, institutions should definitely be getting their internal infrastructure in place to support and interoperate with one of the major federations (InCommon, eGovernment, etc.).

Tags: act, burton group, e-authentication, eauth, eauthentication, egovernment, fafsa, fastlane, federal, financial aid, gcn, government, higher education, identity, identity management, idm, incommon, initiative, liberty, liberty alliance, pesc, pki, shibboleth, federated, federation, authentication

2006 in Review: Personal Top 10

December 31, 2006 | Leave a Comment

In general I don’t directly blog much about my personal life. However, I think it is nice to look back at the year and remember the big things that happened. With that in mind, here is my top 10 list of the most significant personal events and whatnot from 2006.

10 - Had a new roof put on our house
We hired Black Ox Roofing to put a standing seam metal roof on our house. They did a fantastic job and I will be much more comfortable this winter knowing we should be free from leaks.

9 - Upgraded our living room
I’m starting small here, but I do spend a lot of time each day in my living room. Early in the year my mother repainted our living room as a favor during her February school break. This led us to rearranging the furniture in a way that greatly enhances flow and conversation. Later we bought a new Samsung 42″ DLP projection TV and a couch, chair, and ottoman set. We also rewired the connectivity between my Mac and the TV so no more wires run across the floor. As a whole, all these changes have created a much more habitable and comfortable living room experience. Most of this work was done in preparation for our new baby and the extended time we would be spending hanging around in the living room.

8 - Attended and presented at SunGard HE Northeast Conference in Lake George, NY
I presented on three topics at SunGardHE’s brand new northeast regional conference. The topics were: Collecting Luminis Statistics, Extending SSO - CAS in Luminis, and Implement and Deploy Banner Channels. It is always fun to present and I had great attendance at my various sessions. In addition, the sections I attended were informative and generally well presented. This conference should be great for SunGard HE clients.

7 - Attended CAMP Shibboleth in Burlington, VT
Educause puts on a pretty good show and I certainly learned a great deal from this one. Shibboleth and identity management as a whole are important topics for me. I hope to be able to leverage much of what I learned from this conference to get centralized authorization and federated single sign-on in place at Plymouth State University.

6 - Was introduced to JQuery
After attending the Ajax Experience, Matt introduced me to JQuery. This is the ideal JavaScript toolkit for how I like code to be structured. This new technology in my toolkit is already greatly affecting what I am capable of creating and maintaining. As I become more proficient, I expect my love of JQuery to grow even further.

5 - Blog became trafficked and profitable
I now have over 400 posts and my daily numbers according to Bsuite dance around the 20k mark. I am getting a fair number of comments. In general, this blog has become a highly satisfying piece of my life. In addition I am making a reasonable amount of money doing it, allowing me to fund other entertainment like comics, movies, and video games.

4 - Attended and presented at SunGard HE Summit in Orlando, FL
See my previous post for all the details.

3 - Cruised the Caribbean with my wife and my family
In the spring my parents, my brother and his wife, my aunt and uncle, and my wife and I travelled together to the Caribbean on a cruise. We visited Puerto Rico, Saint Thomas, Dominica, Barbados, and Aruba. I could not have asked for a more entertaining group of people to travel with. The things we saw and experiences we had will forever remain significant in my life.

2 - Found out we were having a baby
Early this year we learned my wife was pregnant and we were having our first baby. This is an amazingly significant milestone in our lives. My wife’s pregnancy went very well, and you can read her week by week experiences on her blog, Being Sara.

1 - Xander was born
At 6:39 pm on Wednesday September 20th my first born son arrived, Alexander “Xander” Grady Tirrell. He weighed 8 lbs 2 oz and was 20.5″ long. After a long labor he was finally born by cesarean. He is happy and healthy. As part of his coming into the world, I have not been at work much. I took 6 weeks when he was born followed by a longer leave from November 17th through January 2nd. I have been fortunate to spend a great deal of time with the little guy now when it is so important.

So that’s it. There is my year in top 10 summary style. It’s been exceptional.

Tags: baby, being sara, caribbean, identity management, javascript, jquery, shibboleth, summit

CAMP Shibboleth - Wrap Up

June 29, 2006 | 1 Comment

The following is a wrap-up of what I saw, heard, and hopefully learned from CAMP Shibboleth in Burlington, VT. As always with conferences and workshops, conversations with others and listening to questions asked are usually the most insightful and valuable moments. Much of this may seem scattered in thought, but I need to document these things somewhere…

1) Plymouth State is looking at Shibboleth as a way to accomplish centralized authZ. SunGard sold me on this idea months ago when I could only see Shibb as a federated WebISO solution. I was surprised to see that they are clearly marketing this use case as step two in your implementation plan. Number one is of course to get WebSSO implemented. Both of these are suggested before attacking the politics and policy of extending beyond institutional boundaries. It is clear that this is a smaller-step-based method that has stages of success. I like this a lot.

2) Shibboleth does attribute release or attribute assertions, not authZ. This seemed like semantics initially, but then I realized from responses to questions that this is an important distinction. Shibboleth could assert in some instances a common name attribute. This has no place in being used for authorization of any sort, but still may be useful, especially with intra-institutional home grown applications. An extremely valuable distinction to understand.

3) I learned that our current implementation methodology of CAS is not ideal. As we rely on an API based mechanism, the authN is coded into our system to rely on CAS. This does not make it as easy to change authN providers or WebSSO solutions as if we used a technology like mod_cas. This explanation from Scott Cantor was illuminating as it gave me a much clearer understanding of how the Shibboleth SP was intended to work when we begin Shibbolizing internal applications.

4) There is an increasing number of federated services becoming available through third parties that interoperate with Shibboleth. None of these constitutes “the killer app” for Plymouth State University, yet. Of particular note, international federations seem to be moving and forming much quicker than ones in the US. In Europe, a fair number of library related companies appear on their prioritized vendor list including some Plymouth State licenses: EBSCO, JSTOR, and ExLibris.

5) Shibboleth 1.3 can interoperate with federal E-Authentication with a “simple plugin”. This may evolve into our killer application as the Department of Education brings student oriented services online. Currently there are schools using this method to connect to NSF grant applications and the like.

6) The “Where Are You From” (WAYF) concept and implementation has problems. They are even referring to it as “the weakest link.” I’ve had concerns about this, so am happy this is getting attention. In our initial implementation, I believe the simplicity of our environment should allow us to bypass the WAYF. Hopefully WAYF issues will be resolved by the time we start playing in the federated space.

7) When it comes to identity, SunGard’s Luminis causes nearly as many problems as it solves. Others seem to be struggling with this. I’m left wondering if SunGard’s research into the identity management space will eventually lead to some better redesign around this issue.

8) This group has awareness and respect for OpenID. Glad to see this on their radar. When am I getting around to using it?

9) We (Bill Baber, Petr Brym, Ted Wisniewski and myself) met with a representative from the consulting firm Aegis USA. They seem very tuned into what is going on in this space. They also seem to have solid experience working with the Sun Identity Suite which I assume will be a large contender as we work to improve our identity management infrastructure. USNH will be considering them as a potential consultant as we look into identity management system wide.

10) Finally some terminology:

IdP - Identity Provider - the core Shibb service that knows who a user is and has access to some attributes it can assert about them.
SP - Service Provider - This is the end service that will consume Shibb asserted attributes. These are the applications we would refer to as “Shibbolized”.
ARP - Attribute Release Policy - fairly complicated policies about what attributes are released for what services, and potentially on a per user basis. These are configured through XML.
WebSSO - this is a rebranding of WebISO. Not sure why, but I like it.

Tags: aegis, aegis usa, arp, attribute release, camp, camp_062, eauthentication, educause, federation, identity management, idp, internet2, luminis, nmi-edit, openid, scott cantor, shibb, shibboleth, single sign on, sp, Sun Identity Suite, sungard, wayf, webiso, websso, xml

Shibboleth For AuthZ

June 27, 2006 | 1 Comment

I had the opportunity to spend a fair amount of time discussing Shibboleth with Vishal Goenka and Josh Horner while I was at Summit 2006 in Orlando. I wanted to know about the support for Shibboleth that was supposed to be coming in a future version of Luminis and a bit about how it will work. During this discussion it became clear to me that Shibboleth’s core ability for attribute release allows applications to get the information they need to make authorization (authZ) decisions.

Until this point I had only thought of Shibb as a solution for inter-organizational web-based single sign-on (Federated SSO or WebISO or WebSSO). I knew I could use Shibboleth internally to serve as my WebSSO, but we already have a hugely successful implementation of CAS in our environment. Additionally I haven’t been able to point at a killer application of the federated WebSSO ability. I knew this driver would be coming, but without immediate demand I was lukewarm on Shibboleth.

However, the ability to use Shibboleth internally as a central authority for attribute release and in turn a consistent way of doing centralized AuthZ is a gigantically huge win for us. No longer will every homegrown application need to establish its own authorization layer with associated interfaces for maintaining that data. Now I have a serious driver for getting Shibboleth in our environment as soon as possible.
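The consuming side of that model, as an added example that is not code from this post, from the Shibboleth project or from CAS: an application reads the attributes its SP front end has already asserted into the request environment and makes the authorization decision locally, which is the centralized-authZ pattern described here, the "attribute release, not authZ" distinction from item 2 of the CAMP wrap-up above, and the decoupling from any one authN provider that item 3 argues for. The attribute names follow eduPerson, but the environment-variable names, the `;` separator, the home scope `example.edu`, the entitlement URN and the resource policy are constructed assumptions for this example.

```python
"""Attribute-release-driven authorization at a Shibboleth-style service provider (SP).

Added example: not code from the post, the Shibboleth project, CAS or SunGard.
Constructed assumptions: the SP front end (a web-server module such as the
Shibboleth SP) has already authenticated the user and exported the asserted
attributes into the request environment under the keys used below; the home
scope 'example.edu', the entitlement URN and the resource policy are invented.
"""
from dataclasses import dataclass
from typing import Mapping

HOME_SCOPE = "example.edu"          # scope our own IdP is authoritative for (assumed)
MULTI_VALUE_SEPARATOR = ";"         # how the SP joins multi-valued attributes (assumed)
SCOPED_ATTRIBUTES = frozenset({"affiliation", "eppn"})   # values carry an @scope suffix

# Attributes that identify a person. They may be released and displayed, but they
# carry no authorization meaning, so a policy is not allowed to reference them.
IDENTITY_ONLY_ATTRIBUTES = frozenset({"cn", "displayName", "mail", "givenName", "sn"})


@dataclass(frozen=True)
class ResourcePolicy:
    """Who may use one protected application: attribute -> values that grant access.
    Any single matching rule is sufficient."""
    name: str
    rules: Mapping[str, frozenset]

    def __post_init__(self):
        bad = IDENTITY_ONLY_ATTRIBUTES.intersection(self.rules)
        if bad:
            raise ValueError(
                f"{self.name}: identity attributes cannot carry authorization: {sorted(bad)}")


def split_values(environ, name):
    """Return the list of values the SP exported for one attribute (empty if absent)."""
    raw = environ.get(name, "")
    return [v for v in raw.split(MULTI_VALUE_SEPARATOR) if v]


def accepted_values(name, values):
    """Return the values usable for policy evaluation.
    For scoped attributes only values whose scope is our home scope count, so an
    assertion such as 'staff@other.edu' cannot grant 'staff' at this SP."""
    if name not in SCOPED_ATTRIBUTES:
        return set(values)
    accepted = set()
    for value in values:
        local, sep, scope = value.rpartition("@")
        if sep and scope.lower() == HOME_SCOPE:
            accepted.add(local)
    return accepted


def authorize(environ, policy):
    """Decide access for one request using only asserted attributes.
    Returns (allowed, reason). The application never talks to the IdP or to a
    WebSSO server directly; it depends only on what the front end exported into
    `environ`, which is what keeps the authN provider swappable."""
    if not environ.get("REMOTE_USER"):
        return False, "no authenticated session"
    for attr, wanted in policy.rules.items():
        have = accepted_values(attr, split_values(environ, attr))
        matched = have & wanted
        if matched:
            return True, f"{attr} matched {sorted(matched)}"
    return False, f"no attribute satisfied policy {policy.name!r}"


# Constructed policy: faculty/staff, or anyone holding the TA entitlement, may use the gradebook.
GRADEBOOK = ResourcePolicy("gradebook", {
    "affiliation": frozenset({"faculty", "staff"}),
    "entitlement": frozenset({"urn:mace:example.edu:gradebook:ta"}),
})

# Constructed request environments, shaped as an SP would export them.
SAMPLE_REQUESTS = {
    "faculty": {"REMOTE_USER": "jdoe@example.edu",
                "affiliation": "faculty@example.edu;member@example.edu", "cn": "Jane Doe"},
    "ta": {"REMOTE_USER": "tlee@example.edu",
           "affiliation": "student@example.edu;member@example.edu",
           "entitlement": "urn:mace:example.edu:gradebook:ta"},
    "foreign_staff": {"REMOTE_USER": "mx@other.edu", "affiliation": "staff@other.edu"},
    "name_only": {"REMOTE_USER": "anon@example.edu", "cn": "Staff Member"},
}

if __name__ == "__main__":
    for label, env in SAMPLE_REQUESTS.items():
        print(f"{label:14s} {authorize(env, GRADEBOOK)}")
```

The `name_only` request is the point of item 2: a released `cn` of "Staff Member" is useful for display, but the policy cannot be written in terms of it, and the `foreign_staff` request shows why scoped affiliations are only honoured for the scope the home IdP is authoritative for.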

So that’s the lead-in to why Ted Wisniewski, Ken Kochien, and I are attending CAMP Shibboleth: Enabling Campus and Federated Single Sign-On.

Tags: authentication, authorization, camp_062, federated, federation, josh horner, shibb, shibboleth, single sign on, sso, summit, vishal goenka, webiso, websso

NERCOMP: Identity Management SIG

September 27, 2005 | 37 Comments

Yesterday we attended the NERCOMP Identity Management Workshop at the College of the Holy Cross.

Steve Carmody of Brown University explained an ideal infrastructure including a reminder for me to review “Identifiers, Authentication, and Directories: Best Practices for Higher Education” by Internet2. Carmody had a lot of great things to say, giving a solid overall update of how Internet2 and MACE are coming along with Shibboleth, Grouper, Signet, and various other initiatives. He also pointed me at Sun’s XACML Implementation which is very interesting.

Christopher Misra of UMass Amherst and Robert Banz of UMBC both presented on their current IdM initiatives. They both seem to have established IdM infrastructures which need one enhancement or another.

In the final time slot was a general group discussion. I took this opportunity to ask how schools are establishing and maintaining credentials remotely. No one had an answer that was ideal; I suggested our current proposal and no one seemed to have any criticisms. One person suggested that maybe we don’t need to have as secure a system as we’re proposing to merely secure someone’s email. My reply to this was that in a federated world with connections to the federal PKI bridge, InCommon services, and more, we are securing far more than email. It is our responsibility to have as high a level of assurance as possible.

Tags: identity, identity management, internet2, authorization, authentication, shibboleth, shib, MACE, grouper, xacml, signet, NERCOMP, higher education, credentials, password, passwords

Library Metasearching and Digital Collections

July 13, 2005 | Leave a Comment

Last week I attended two vendor demos in response to a University System of NH RFP. The two vendors were exLibris and Endeavor. In short, USNH is looking for two things: a solution for managing digital collections at the various schools in the university system and a utility for doing metasearching to give one-stop access to the various resources in the library’s many digital collections. Now I am not a librarian, nor all that familiar with library technology or processes. I was participating here purely from a technology standpoint, so in turn, anything I state here is from that angle.
One of our biggest needs is the ability to integrate the products with our existing university portal, SunGardSCT Luminis. By integration we really have three distinct pieces to this: Single Sign On (SSO), look and feel customization, and data exchange. From my perspective, those are listed in order of descending importance. I also care about APIs so the product can be extended and reused in ways the original company did not imagine. Last but not least, I care about usability. If untrained users cannot pick up the product and feel successful using it, they won’t.

Endeavor
The first vendor was Endeavor. Their two products are ENCompass and LinkFinderPlus.

LinkFinderPlus has great ability to allow for interface customization due to its use of XSLT. Basically you change the XSLT and you can make the interface look and act however you want. There is currently no built-in way to support SSO, but they believe it would not be difficult to build an extension. Additionally, they intend on supporting Shibboleth within the year. Depending on how they implement Shib, it could be good or bad… LinkFinderPlus doesn’t have any data per se, so data exchange is not necessary.

They do have APIs, sort of. Basically, if you don’t apply an XSLT, then you have straight XML and can interpret it like you would REST. As far as I’m concerned this is a great solution, even if it does seem like a “happy coincidence” feature.

ENCompass does have data, but no clear way to exchange it cleanly, not that I can imagine a need for this. The web interface again is XSLT customizable. The “archivers” interface is client side, which seems to work out quite nicely. I thought I’d be opposed to this, but recently my use of utilities like ecto and the Gallery plugins has me thinking differently. It does not yet support JPEG 2000, which is really important for archiving things like maps or murals which need to exist in extremely high resolutions to be able to see any of the useful details. It also passes off the responsibility for all role and user identification to a directory or your ILS. This is a great step in the realm of identity management.

As a final note on Endeavor, all their products claim to be usability tested in their entirety. The interfaces are simple, could use a bit of work, but are adequate.
Final Grades:
Portal Integration: D
APIs: B
Usability: B

exLibris
My main impression of exLibris is that there are more bells and whistles. They seem to be a technology centered company and like most, suffer a bit from feature creep. Many of their interfaces have a lot of options that could leave users wondering what they are doing and feeling lost. Their two products are called MetaLib (with SFX) and DigiTool.

MetaLib (with SFX) is where the bells and whistles are really obvious. There are varying degrees of increased complexity in the interface depending on how deep you go. This is great for the librarians, but it is unlikely that students would use it. In fact Casey at MaisonBisson, also in attendance with me, states that “only 0.0067% (YES, less than a hundredth of a percent!) of the searches on our OPAC get “limited” to specific languages, locations, dates, or material types” in his article The High Cost Of Metasearch For Libraries. The interface seems to be minimally customizable, limited to headers, footers, and CSS. However, there are “real” APIs for MetaLib, a separate product they call XServer. It is well documented and seems to be just the right amount of useful, but more cumbersome than a mere REST-like interface.

As for SSO, they currently support Shib, but it is unclear if that is as a destination or origin. On a much more degrading note, they had never heard of SunGardSCT Luminis or uPortal, so their knowledge of the portal space, specifically in higher-ed, is limited at best.

DigiTool is purely web based and looks and functions adequately. Once again customization is limited. They do have JPEG 2000 support though, so that’s a big plus. They claim to authenticate against an LDAP, but other than that, the identity management opportunities are limited at best. Usability seems low all around on these applications.
Final Grades:
Portal Integration: C
APIs: B
Usability: D

From the grades I gave, none of these are ideal. Read Casey’s assessment for more detail about where the metasearching falls down. I just wish they could make it more like Google Scholar or A9. My major question is how do these digital archives provide a solution better than DSpace? Check out the many existing, live, DSpace instances. DSpace is free and in turn has not got an equal seat at the table. It is scary how money often corrupts decisions like this.

Tags: a9, api, digital archive, endeavor, exlibris, google scholar, identity management, integration, JPEG2000, libraries, library, library systems, metasearch, metasearching, portal, REST, search technology, shibbolith, usability, shibboleth