CAS Frappr Map

January 16, 2007 | 1 Comment

CAS is by far my favorite Web ISO solution. In the past I have posted about its popularity at other institutions.

Along those lines is this cool Frappr map of CAS deployments worldwide.

Tags: authentication, cas, frappr, frappr map, google maps, identity management, maps, sso, web iso, web sso, webiso, websso, yale cas, yalecas


CAMP Shibboleth - Wrap Up

June 29, 2006 | 1 Comment

The following is a wrap-up of what I saw, heard, and hopefully learned from CAMP Shibboleth in Burlington, VT. As always with conferences and workshops, conversations with others and listening to questions asked are usually the most insightful and valuable moments. Much of this may seem scattered in thought, but I need to document these things somewhere…

1) Plymouth State is looking at Shibboleth as a way to accomplish centralized authZ. SunGard sold me on this idea months ago when I could only see Shibb as a federated WebISO solution. I was surprised to see that they are clearly marketing this use case as step two in your implementation plan. Number one is of course to get WebSSO implemented. Both of these are suggested before attacking the politics and policy of extending beyond institutional boundaries. It is clear that this is a smaller-step-based method that has stages of success. I like this a lot.

2) Shibboleth does attribute release or attribute assertions, not authZ. This seemed like semantics initially, but then I realized from responses to questions that this is an important distinction. Shibboleth could assert in some instances a common name attribute. This has no place in being used for authorization of any sort, but still may be useful, especially with intra-institutional home grown applications. An extremely valuable distinction to understand.

3) I learned that our current implementation methodology of CAS is not ideal. As we rely on an API-based mechanism, the authN is coded into our system to rely on CAS. This does not make it as easy to change authN providers or WebSSO solutions as if we used a technology like mod_cas. This explanation from Scott Cantor was illuminating as it gave me a much clearer understanding of how the Shibboleth SP was intended to work when we begin Shibbolizing internal applications.

4) There is an increasing number of federated services becoming available through third parties that interoperate with Shibboleth. None of these constitutes “the killer app” for Plymouth State University, yet. Of particular note, international federations seem to be moving and forming much quicker than ones in the US. In Europe, a fair number of library-related companies appear on their prioritized vendor list, including some Plymouth State licenses: EBSCO, JSTOR, and ExLibris.

5) Shibboleth 1.3 can interoperate with federal E-Authentication with a “simple plugin”. This may evolve into our killer application as the Department of Education brings student-oriented services online. Currently there are schools using this method to connect to NSF grant applications and the like.

6) The “Where Are You From” (WAYF) concept and implementation has problems. They are even referring to it as “the weakest link.” I’ve had concerns about this, so am happy this is getting attention. In our initial implementation, I believe the simplicity of our environment should allow us to bypass the WAYF. Hopefully WAYF issues will be resolved by the time we start playing in the federated space.

7) When it comes to identity, SunGard’s Luminis causes nearly as many problems as it solves. Others seem to be struggling with this. I’m left wondering if SunGard’s research into the identity management space will eventually lead to some better redesign around this issue.

8) This group has awareness and respect for OpenID. Glad to see this on their radar. When am I getting around to using it?

9) We (Bill Baber, Petr Brym, Ted Wisniewski and myself) met with a representative from the consulting firm Aegis USA. They seem very tuned into what is going on in this space. They also seem to have solid experience working with the Sun Identity Suite, which I assume will be a large contender as we work to improve our identity management infrastructure. USNH will be considering them as a potential consultant as we look into identity management system-wide.

10) Finally some terminology:

IdP - Identity Provider - the core Shibb service that knows who a user is and has access to some attributes it can assert about them.
SP - Service Provider - This is the end service that will consume Shibb-asserted attributes. These are the applications we would refer to as “Shibbolized”.
ARP - Attribute Release Policy - fairly complicated policies about what attributes are released for what services, and potentially on a per user basis. These are configured through XML.
WebSSO - this is a rebranding of WebISO. Not sure why, but I like it.

Tags: aegis, aegis usa, arp, attribute release, camp, camp_062, eauthentication, educause, federation, identity management, idp, internet2, luminis, nmi-edit, openid, scott cantor, shibb, shibboleth, single sign on, sp, Sun Identity Suite, sungard, wayf, webiso, websso, xml


Shibboleth For AuthZ

June 27, 2006 | 1 Comment

I had the opportunity to spend a fair amount of time discussing Shibboleth with Vishal Goenka and Josh Horner while I was at Summit 2006 in Orlando. I wanted to know about the support for Shibboleth that was supposed to be coming in a future version of Luminis and a bit about how it will work. During this discussion it became clear to me that Shibboleth’s core ability for attribute release allows applications to get the information they need to make authorization (authZ) decisions.

Until this point I had only thought of Shibb as a solution for inter-organizational web-based single sign-on (Federated SSO or WebISO or WebSSO). I knew I could use Shibboleth internally to serve as my WebSSO, but we already have a hugely successful implementation of CAS in our environment. Additionally, I haven’t been able to point at a killer application of the federated WebSSO ability. I knew this driver would be coming, but without immediate demand I was lukewarm on Shibboleth.

However, the ability to use Shibboleth internally as a central authority for attribute release, and in turn a consistent way of doing centralized AuthZ, is a gigantically huge win for us. No longer will every homegrown application need to establish its own authorization layer with associated interfaces for maintaining that data. Now I have a serious driver for getting Shibboleth in our environment as soon as possible.

So that’s the lead-in to why Ted Wisniewski, Ken Kochien, and I are attending CAMP Shibboleth: Enabling Campus and Federated Single Sign-On.

Tags: authentication, authorization, camp_062, federated, federation, josh horner, shibb, shibboleth, single sign on, sso, summit, vishal goenka, webiso, websso


Web Initial Sign-on (WebISO)

March 8, 2006 | 6 Comments

Web initial sign-on or WebISO is a term defined by Internet2 as a system

designed to allow users, with standard web browsers, to authenticate to web-based services across many web servers, using a standard, typically username/password-based central authentication service.

They created the definition, but that doesn’t mean I need to like it… I’d like to propose an alternate working definition:

A single point for web based authentication which provides SSO across multiple systems and services.

I think that could be word-smithed further to really get it nice and concise. Please comment any recommendations you have on this.

What excites me about WebISO solutions is their fantastic ability to deep link systems and services. Users can bookmark or share URLs, and when someone accesses these systems and services they will be required to provide credentials and then be directed through to what they need. This also sets up applications in a loosely coupled structure ideal for changing individual services without affecting others.
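The redirect-and-return behaviour described above, as an added example that is not part of the original post or of the CAS project's own code: a small model of a CAS-protected service building the login redirect that carries the deep link, separating the returned ticket from that link, and parsing the CAS 1.0 /validate answer. The CAS server location, the sample deep link and the sample responses are assumed or constructed.

```python
"""Model of the WebISO deep-link round trip described above (CAS 1.0 style).

Added illustration, not code from this blog or from JA-SIG CAS. The CAS
server location is assumed; sample URLs and responses are constructed.
"""
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

CAS_BASE = "https://cas.example.edu/cas"  # assumed CAS server location


def login_redirect(deep_link: str) -> str:
    """URL a service bounces an unauthenticated user to.

    The bookmarked deep link rides along in ``service``, so CAS can return
    the user to the exact page they asked for once they have logged in.
    """
    return f"{CAS_BASE}/login?" + urlencode({"service": deep_link})


def split_ticket(return_url: str) -> Tuple[str, Optional[str]]:
    """Separate the service ticket CAS appended from the original deep link.

    The ticket is stripped because the ``service`` value handed to /validate
    must match the one given to /login exactly, or CAS rejects the ticket.
    """
    parts = urlsplit(return_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    ticket = query.pop("ticket", [None])[0]
    clean = urlencode(query, doseq=True)
    service = urlunsplit((parts.scheme, parts.netloc, parts.path, clean, ""))
    return service, ticket


def validate_url(service: str, ticket: str) -> str:
    """Back-channel URL the service itself calls to check the ticket."""
    return f"{CAS_BASE}/validate?" + urlencode({"service": service, "ticket": ticket})


def parse_validate_response(body: str) -> Optional[str]:
    """Parse a CAS 1.0 /validate body: "yes\\n<user>\\n" or "no\\n\\n".

    Returns the authenticated username, or None for anything that is not an
    exact "yes" followed by a non-empty name (fail closed on odd responses).
    """
    lines = body.split("\n")
    if len(lines) >= 2 and lines[0] == "yes" and lines[1]:
        return lines[1]
    return None
```

The service should also treat each ticket as single-use and call /validate over TLS from the server side, never from the browser; the block models the URL handling only.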

The drawback of this approach (when compared against a monolithic portal application) is how there is generally not a single welcome screen presented to users after authenticating. This loss of a “funnel” approach can cause weaknesses in communication and a perceived loss of control in your user population. Another potential area for weakness is providing a directory of services and ways for users to find what they need initially.

For those not familiar, a couple of examples of real-life WebISO tools would be: CAS (now JA-SIG as opposed to Yale), Pubcookie, WebAuth (from Duke), Shibboleth, and more.

Tags: sso, single sign-on, webiso, “web initial sign-on”, cas, yale cas, “central authentication service”, webauth, duke, yale, identity, identity management, federation, definition, authentication


Summit 2006 Presentation Proposals

October 3, 2005 | 2 Comments

I finally put together all my material to submit proposals for Summit presentations. I looked back at what we’ve been doing in the portal this year, and the following is what I came up with. Overall it’s been a busy year; I was surprised to come up with as many as I did.

My Title: Portal Administrator and Senior Web Developer

My Bio
Zach Tirrell is from Plymouth State University in northern New Hampshire. Zach is both portal administrator and senior web developer for the institution. The main areas of his concentration revolve around integrating systems and identity management; Luminis has become a perfect enabler of this. He is often looking to get just a bit more out of Luminis than what is delivered.

Collecting Stats in Luminis
By leveraging the underlying uPortal infrastructure, learn how to take advantage of RDBMSStatsRecorder to generate detailed numbers on who is logging in, logging out, how often, and by role. You can then use these numbers to better understand how effective your portal strategy is. Tracking user adoption and growth over time becomes essential to decision making about the portal.
This presentation is for technical audiences.

YaleCAS in Luminis
One of the most common WebISO solutions is the Central Authentication Service developed by Yale (YaleCAS). In Luminis III.2 CAS became available as an installable module. Learn how to get YaleCAS installed, configured, and where it might fit in your organization. See how Plymouth State University has leveraged the phpCAS libraries to CAS’ify all their internally developed PHP web applications as well as a few third-party ones. What’s best, it only takes a couple lines of code!
This presentation is for technical audiences.

Luminis and Identity Management
While deploying Luminis, or maybe immediately after, lots of questions arise related to identity management. Are you using a central authentication point like LDAP or Active Directory? How do technologies like CPIP or YaleCAS fit into your authentication scheme? What applications should and can use SSO? Are you centrally managing authorization? Is Shibboleth something you should be thinking about? How is your password policy? What’s your level of assurance on accounts you have assigned? All these questions and more will be discussed. Come prepared for lots of crowd participation.

LDI Implementation Tips and Tricks
Plymouth State University is starting to reap the rewards of its integrated campus portal strategy. PSU started its Banner migration in 2001, deployed Campus Platform 3 with its legacy SIS in 2002, publicly deployed Banner in 2003, and in 2004 with the migration to Luminis and implementation of LDI for eLearning, has finally reached “critical mass.” Luminis provides the infrastructure and LDI provides the glue that connects Banner, WebCT, the library, and other services. The presentation details Plymouth State University’s implementation and discusses the problems and solutions we faced along the way, with an emphasis on LDI and Luminis. Plymouth State has used this technology to realize the benefits of a unified digital campus.
This is a repeat from last year.

Implement and Deploy Banner Channels
Banner 7 comes with a huge pile of exciting new channels. These channels greatly leverage the relationship between Luminis and Banner; however, implementation is complicated and deployment even more so. Banner channels are fantastic, but they need to be rolled out carefully. Plymouth State University has already run this gauntlet; come hear some of the concerns and pitfalls so you can avoid them yourself.

Tags: summit, sungard, sungardsct, sct, luminis, banner, php, cas, yalecas, sso, webiso, channel, channels, integration, integrate, integrated, plymouth state university, Zachary Tirrell, Tirrell, Zach Tirrell, identity management, ldap, active directory, portal, campus portal
