Athens, Shibboleth, the UK Access Management Federation, OpenID, CardSpace and all that Single sign-on for your Web site

Athens single sign-on to Web resources typically ‘external’ collections and services initially deployed in 1996 established as the SSO mechanism to protected online resources in HE and the NHS 4 million users in 100 countries access to resources from around 180 leading service providers delivered over 99.9999% availability since 1998 ~10,000,000 authentications per month

single sign-on to Web resources

typically ‘external’ collections and services

initially deployed in 1996

established as the SSO mechanism to protected online resources in HE and the NHS

4 million users in 100 countries

access to resources from around 180 leading service providers

delivered over 99.9999% availability since 1998

~10,000,000 authentications per month

Shibboleth an open SAML-based architecture single sign-on to Web resources developed by the Internet2 middleware group supports the secure exchange of authentication and attributes (e.g. affiliation / id / targettedid / entitlement) between institution (IdP) and service provider (SP) multiple software implementations available federations used to create a “trust environment” for organisations that want to access a set of resources

an open SAML-based architecture

single sign-on to Web resources

developed by the Internet2 middleware group

supports the secure exchange of authentication and attributes (e.g. affiliation / id / targettedid / entitlement) between institution (IdP) and service provider (SP)

multiple software implementations available

federations used to create a “trust environment” for organisations that want to access a set of resources

The UK Access Management Federation UK academic community currently in transition to federated approach (Shibboleth) a (the) UK federation for education and research - a “trust environment” for UK academia delivers shared policy and WAYF WAYF service puts SP in touch with IdP ‘ gateways’ to connect to/from Athens institutions encouraged to support Shibboleth and join the federation note that this can be done in-house or thru an outsourced identity provider (e.g. OpenAthens)

UK academic community currently in transition to federated approach (Shibboleth)

a (the) UK federation for education and research - a “trust environment” for UK academia

delivers shared policy and WAYF

WAYF service puts SP in touch with IdP

‘ gateways’ to connect to/from Athens

institutions encouraged to support Shibboleth and join the federation

note that this can be done in-house or thru an outsourced identity provider (e.g. OpenAthens)

Why should I care? single sign-on across institutions and external services institutions acting as both identity providers and service providers sharing institutional resources with others standards several implementation options though note interoperability issues but… still some confusion costs, requirements, gateway funding, …

single sign-on across institutions and external services

institutions acting as both identity providers and service providers

sharing institutional resources with others

standards

several implementation options

though note interoperability issues

but… still some confusion

costs, requirements, gateway funding, …

% of institutions planning to join 47% of respondents are undecided 100 institutions, May 2007

When would you like to join the Federation? 32% plan to join the Federation before July 2008 56% don’t know when they will join

OpenAthens new standards based access and identity management framework – software and services outsourced ‘shared’ solution enables institutions to participate in the Federation maintains access to Athens resources accommodates a range of IdP and SP options provides choice support for multiple identity and access management standards support for multiple federations

new standards based access and identity management framework – software and services

outsourced ‘shared’ solution

enables institutions to participate in the Federation

maintains access to Athens resources

accommodates a range of IdP and SP options

provides choice

support for multiple identity and access management standards

support for multiple federations

OpenID – key features the identifier is a URI (typically a URL) e.g. mine is http://andypowell.myopenid.com/ this is convenient for a number of reasons, but especially because it removes the need for a WAYF service the OpenID directly provides the location of the OpenID Provider issues to be solved around phishing (spoofing the OpenID Provider) trust issues – which OpenID Providers do I trust? still a work in progress, see http://openid.net/

the identifier is a URI (typically a URL)

e.g. mine is http://andypowell.myopenid.com/

this is convenient for a number of reasons, but especially because it removes the need for a WAYF service

the OpenID directly provides the location of the OpenID Provider

issues to be solved

around phishing (spoofing the OpenID Provider)

trust issues – which OpenID Providers do I trust?

still a work in progress, see http://openid.net/

OpenID example

Microsoft CardSpace a client-side Windows application for managing multiple user-centric identities… and implementing the protocol transactions needed to inter-work with server-side (Web) applications sits within high-level open framework known as the ‘Identity Metasystem’ perceived as a more open replacement for MS’s failed ‘passport’ initiative builds on WS- stack – so not lightweight but some commitment between MS and OpenID leading players to work together

a client-side Windows application for managing multiple user-centric identities…

and implementing the protocol transactions needed to inter-work with server-side (Web) applications

sits within high-level open framework known as the ‘Identity Metasystem’

perceived as a more open replacement for MS’s failed ‘passport’ initiative

builds on WS- stack – so not lightweight

but some commitment between MS and OpenID leading players to work together

Why should I care? OpenID and CardSpace indicative of general move towards ‘user-centric’ identity management users arriving at university with an existing online identity reduced value of university-specific identity in the context of lifelong learning c.f. current situation with email but… significant trust issues identity management technology is a (fast) moving target shared outsourcing vs. shared open source vs. commercial user-group approaches to sustainability

OpenID and CardSpace indicative of general move towards ‘user-centric’ identity management

users arriving at university with an existing online identity

reduced value of university-specific identity in the context of lifelong learning

c.f. current situation with email

but… significant trust issues

identity management technology is a (fast) moving target

shared outsourcing vs. shared open source vs. commercial user-group approaches to sustainability

Questions and discussion