Athens, Shibboleth, The UK Access Management - Single sign-on for your Web site

A presentation for one of the parallel sessions at IWMW 2007 in York.
1. Athens, Shibboleth, the UK Access Management Federation, OpenID, CardSpace and all that: Single sign-on for your Web site

2. Athens
- single sign-on to Web resources
  - typically 'external' collections and services
- initially deployed in 1996
- established as the SSO mechanism for protected online resources in HE and the NHS
- 4 million users in 100 countries
- access to resources from around 180 leading service providers
- delivered over 99.9999% availability since 1998
- ~10,000,000 authentications per month

3. Shibboleth
- an open SAML-based architecture
- single sign-on to Web resources
- developed by the Internet2 middleware group
- supports the secure exchange of authentication and attributes (e.g. affiliation / id / targetedID / entitlement) between institution (IdP) and service provider (SP)
- multiple software implementations available
- federations used to create a "trust environment" for organisations that want to access a set of resources

4. The UK Access Management Federation
- UK academic community currently in transition to a federated approach (Shibboleth)
- a (the) UK federation for education and research: a "trust environment" for UK academia
- delivers shared policy and a WAYF ("Where Are You From?") service
- the WAYF service puts the SP in touch with the user's IdP
- 'gateways' to connect to/from Athens
- institutions encouraged to support Shibboleth and join the federation
- note that this can be done in-house or through an outsourced identity provider (e.g. OpenAthens)

5. Why should I care?
- single sign-on across institutions and external services
- institutions acting as both identity providers and service providers
- sharing institutional resources with others
- standards
- several implementation options
  - though note interoperability issues
- but... still some confusion
  - costs, requirements, gateway funding, ...

6. % of institutions planning to join (survey of 100 institutions, May 2007)
- 47% of respondents are undecided

7. When would you like to join the Federation?
- 32% plan to join the Federation before July 2008
- 56% don't know when they will join

8. OpenAthens
- new standards-based access and identity management framework: software and services
- outsourced 'shared' solution
- enables institutions to participate in the Federation
- maintains access to Athens resources
- accommodates a range of IdP and SP options
- provides choice
  - support for multiple identity and access management standards
  - support for multiple federations

9. OpenID: key features
- the identifier is a URI (typically a URL)
  - e.g. mine is http://andypowell.myopenid.com/
- this is convenient for a number of reasons, but especially because it removes the need for a WAYF service
  - the OpenID itself provides the location of the OpenID Provider
- issues to be solved
  - phishing (spoofing the OpenID Provider)
  - trust: which OpenID Providers do I trust?
- still a work in progress, see http://openid.net/
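Added example, not from the slides and not any OpenID library's code: how a relying party normalises an OpenID 2.0 identifier and reads the identifier page for the OpenID Provider endpoint, which is why a URL identifier needs no WAYF; the https requirement and the optional provider allowlist are the defensive checks behind the phishing and "which OPs do I trust?" bullets. The provider endpoint in the sample page is a constructed value.

```python
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

def normalize_identifier(user_input: str) -> str:
    """Normalise a user-typed OpenID identifier as OpenID 2.0 section 7.2
    does: add a scheme if missing, drop any fragment, lower-case the host
    and default an empty path to '/'."""
    s = user_input.strip()
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))

class _LinkCollector(HTMLParser):
    """Collects the href of each <link rel="..."> in the identifier page."""
    def __init__(self):
        super().__init__()
        self.links = {}
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").split():
                self.links.setdefault(rel, a.get("href"))

def discover_provider(page_html: str, trusted_ops: Optional[set] = None) -> dict:
    """Return the OP endpoint (rel=openid2.provider) and optional local id
    (rel=openid2.local_id) found in the identifier page, or {} if there is
    no endpoint, it is not https, or its host is not in the allowlist."""
    p = _LinkCollector()
    p.feed(page_html)
    endpoint = p.links.get("openid2.provider")
    if not endpoint or urlsplit(endpoint).scheme != "https":
        return {}
    if trusted_ops is not None and urlsplit(endpoint).hostname not in trusted_ops:
        return {}
    return {"endpoint": endpoint, "local_id": p.links.get("openid2.local_id")}

# Constructed sample identifier page. The identifier is the one on the slide;
# the provider endpoint below is a made-up value, not a real service URL.
SAMPLE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="http://andypowell.myopenid.com/">
</head><body>identity page</body></html>"""
```

Without the allowlist, any page author can point the browser at an OP of their choosing, which is exactly the spoofing concern the slide raises.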
10. OpenID example

11. Microsoft CardSpace
- a client-side Windows application for managing multiple user-centric identities...
  - and implementing the protocol transactions needed to inter-work with server-side (Web) applications
- sits within a high-level open framework known as the 'Identity Metasystem'
- perceived as a more open replacement for MS's failed 'Passport' initiative
- builds on the WS-* stack, so not lightweight
- but some commitment between MS and the leading OpenID players to work together

12. Why should I care?
- OpenID and CardSpace are indicative of a general move towards 'user-centric' identity management
  - users arriving at university with an existing online identity
  - reduced value of a university-specific identity in the context of lifelong learning
  - cf. the current situation with email
  - but... significant trust issues
- identity management technology is a (fast) moving target
  - shared outsourcing vs. shared open source vs. commercial user-group approaches to sustainability

13. Questions and discussion