Federated access management without
Why listen to me?
• Involved with directory deployment
for a decade
• Involved in JISC eFramework and
eLearning interoperability projects
• I’m a federated-service believer
What we’ll cover
• The case against Shibboleth
• Considerations for deployment
• Alternatives to doing it yourself
The case against
• Shibboleth is an ideology not a
solution to a problem
• Anyway, Athens works - and is far less
• The nature of the problem Shibboleth
solves is going away
Shibboleth as religion
"[Web applications] should stop doing authentication. That's the web server's job [...] Web servers are very capable beasts. Applications don't need to do these things [...] Supporting [authentication] directly inside an application is wrong, just as supporting passwords natively is wrong today."
Scott Cantor, Ohio State University. Designer of Shibboleth
• If the access management federation
is about access to library resources,
isn’t Athens good enough?
• Is the poor state of inter-institutional
collaboration the consequence of a
lack of federated access management?
Time moves on
• Shibboleth is a product of an
• How relevant is this?
• The web is becoming more user-
• VLEs are becoming PLEs
• How long before OpenID?
• Directory and SRS
• Institutional politics
• Available resources
• Not just one password - all your users
• Will your LRC staff help out ...?
• Not just authentication, but
• How will the Federation user interface
• When do people do web-based access?
Single point of failure -
• What happens when your IdP goes
• Or your directory service?
• Even for maintenance?
• Or your DNS, MAN connection, &c...
• When did people want to access those
web-based services again?
• You must provide and manage SSL
• They expire annually
• You can’t hot-replace them
• On a critical service
• The IdP is another server in your DMZ
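The certificate bullets above describe the operational trap: an annual expiry on a service you cannot hot-replace. The check a practitioner wants is one that flags a certificate well before it expires, so the replacement can be scheduled into a maintenance window. The script below is an added example, not code from the slides or from the Shibboleth project; it shells out to `openssl x509 -checkend`, and the file names, host names and 30-day lead time are assumptions for illustration.

```python
"""Added example, not from the slides: verify that the certificates on a
critical service such as an IdP still clear a renewal lead time, so a
replacement can be scheduled for a maintenance window instead of being
forced by an expiry. Shells out to `openssl x509 -checkend`; file names,
host names and the 30-day lead time are assumptions for illustration."""
import subprocess
import tempfile
from pathlib import Path

SECONDS_PER_DAY = 86400


def cert_valid_for_days(pem_path, days):
    """True if the PEM certificate at pem_path is still valid `days` from now.

    Any openssl failure (missing file, unparsable certificate) counts as not
    valid, so a broken inventory entry is flagged rather than silently passed.
    """
    result = subprocess.run(
        ["openssl", "x509", "-in", str(pem_path), "-noout",
         "-checkend", str(days * SECONDS_PER_DAY)],
        capture_output=True,
    )
    return result.returncode == 0


def certs_needing_renewal(inventory, lead_days):
    """Names from inventory (name -> PEM path) whose certificate would expire
    inside lead_days, sorted for stable reporting."""
    return sorted(name for name, pem in inventory.items()
                  if not cert_valid_for_days(pem, lead_days))


def make_test_cert(pem_path, days, common_name):
    """Generate a throwaway self-signed certificate valid for `days` days.

    Constructed test data only: in production the inventory points at the
    real IdP/SP certificates and this function is not used."""
    pem_path = Path(pem_path)
    key_path = pem_path.with_suffix(".key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(key_path), "-out", str(pem_path),
         "-days", str(days), "-subj", f"/CN={common_name}"],
        check=True, capture_output=True,
    )


def demo(lead_days=30):
    """Build a two-entry inventory (constructed) and report what needs renewal."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        make_test_cert(tmp / "idp.pem", 20, "idp.example.ac.uk")   # inside lead time
        make_test_cert(tmp / "sp.pem", 300, "sp.example.ac.uk")    # comfortably valid
        inventory = {"idp": tmp / "idp.pem", "sp": tmp / "sp.pem"}
        return certs_needing_renewal(inventory, lead_days)


if __name__ == "__main__":
    for name in demo():
        print(f"RENEW {name}: certificate expires within 30 days")
```

Run it from cron against the real certificate files and pick a lead time longer than your slowest renewal path (CA turnaround plus the next scheduled maintenance window); treating any openssl error as "needs renewal" keeps the check fail-closed.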
• What is your policy for populating
your user directory?
• What information do you keep?
• Attributes for authorisation?
• Grouping information matching
courses of study?
• What is your expiry policy?
• Who owns student and staff
• The same people who need it for the
• Will they gather the information you
• And provide it on your schedule?