Shibboleth: OSU Early Adoption Scenarios

This article discusses the current deployment, new developments, and medium to long-term projects of Shibboleth at OSU, highlighting existing challenges, opportunities, and future plans.


Presentation Transcript


  1. Shibboleth: OSU Early Adoption Scenarios
     Scott Cantor (cantor.2@osu.edu)
     April 10, 2003

  2. Things that Haven’t Changed Since the Fiesta Bowl
     • Existing SSO infrastructure still reliable but problematic (funding, platforms, support)
     • Still actively identifying opportunities that need Shibboleth or something like it
     • Slowly building interest via customer pressure and external publicity
     • Wide range of systems equating authentication with authorization (including e-mail) limit our options

  3. New Developments
     • Data warehouse migration winding down
     • Better understanding of flaws in library access control policies
     • Concerns over non-ubiquity of staff with active Kerberos accounts
     • Pressing need to handle guest accounts to support variety of demos and academic projects

  4. Current Deployment
     • Both origin releases now running in a semi-production state on the same Solaris server handling web logins, using Netscape Enterprise 3.x and Apache.
     • New layout and configuration process of 0.8 release vastly improves manageability and upgrade path.
     • Excited about flexibility of 1.0 feature set.

  5. Current Deployment
     • Planning an origin load test sometime this month to benchmark the system and frame near-term expectations.
     • Only current target is an application testbed server hosting a learning objects research prototype.
     • Waiting on Windows port for wider local testing.

  6. Medium Term Projects
     • Strongest business case is a reporting server currently using SSO system that OSU Hospital wants to access with NDS.
     • Two Options:
       • Run a new origin site inside firewall (“hospital.osu.edu”), convert server to act as target
       • Second access path authenticating against NDS via LDAP, password goes from outside firewall back in over SSL

  7. Medium Term Projects
     • Strong need to enable one-off access to applications for external users that probably won’t have Shibboleth-enabled access.
     • Considering Shibboleth as a front-end for a delegatable guest domain (“guest.osu.edu”) so applications can largely ignore the issue.

  8. Medium Term Projects
     • Library so far unable/unwilling to spend money, or request money for future pilots.
     • Immediate need undermined by permissiveness of vendors.
     • Obvious first candidates are J-STOR and EBSCO, though the persistent URL issue would have to be addressed.

  9. Medium Term Projects
     • Proposing use with EZProxy as a first step to restricting access to proxy, but load test is crucial.
     • Also can’t support ongoing use without funding, so considering a short term test to get them addicted.

  10. Long Term Projects
      • Central IT unwillingness to address need for new account types (alumni, applicants) in timely fashion leaves a guerilla attack open.
      • Shibboleth origins likely much cheaper than decoupling authentication and authorization in large central systems for next 1-2 years.

  11. Issues
      • Still a range of improvements needed to code in error handling and failure modes.
      • More SSO features would be desirable, but probably not showstoppers until real high-volume apps come on-board.
      • Immediately have to address federation and trust implications of multiple origin sites that won’t be in InCommon.
