Shibbolise This!
•
0 gefällt mir•313 views
Federated access management without the KoolAid
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Andere mochten auch
Andere mochten auch (10)
Ähnlich wie Shibbolise This!
Ähnlich wie Shibbolise This! (20)
Mehr von Miles Metcalfe
Mehr von Miles Metcalfe (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Shibbolise This!
- 1. Shibbolise This! Federated access management without the Kool-Aid
- 2. Why listen to me? • Involved with directory deployment for a decade • Involved in JISC eFramework and eLearning interoperability projects • I’m a federated-service believer
- 3. What we’ll cover • The case against Shibboleth • Considerations for deployment • Alternatives to doing it yourself
- 4. The case against Shibboleth • Shibboleth is an ideology not a solution to a problem • Anyway, Athens works - and is far less trouble • The nature of the problem Shibboleth solves is going away
- 5. Shibboleth as religion [Web applications] should stop doing authentication. That's the web server's job [...] Web servers are very capable beasts. Applications don't need to do these things [...] Supporting [authentication] directly inside an application is wrong, just as supporting passwords natively is wrong today. Scott Cantor, Ohio State University. Designer of Shibboleth
- 6. Athens works • If the access management federation is about access to library resources, isn’t Athens good enough? • Is the poor state of inter-institutional collaboration the consequence of a lack of federated access management?
- 7. Time moves on • Shibboleth is a product of an enterprise-centric age • How relevant is this? • The web is becoming more user- centric • VLEs are becoming PLEs • How long before OpenID?
- 8. Deployment considerations • Support • Resilience • Security • Directory and SRS • Institutional politics • Available resources
- 9. More support • Not just one password - all your users • Will your LRC staff help out ...? • Not just authentication, but authorisation • How will the Federation user interface work? • When do people do web-based access?
- 10. Single point of failure - multiple dependencies • What happens when your iDP goes down? • Or your directory service? • Even for maintenance? • Or your DNS, MAN connection, &c... • When did people want to access those web-based services again?
- 11. Security considerations • You must provide and manage SSL server certificates • They expire annually • You can’t hot-replace them • On a critical service • The iDP is another server in your DMZ
- 12. Directory enquiries • What is your policy for populating your user directory? • What information do you keep? • Attributes for authorisation? • Grouping information matching courses of study? • What is your expiry policy?
- 13. Political animals • Who owns student and staff information? • The same people who need it for the Federation? • Will they gather the information you need • And provide it on your schedule?
- 14. Photo: 5Lab (Hugh Lunnon) Available resources
- 15. Alternatives • Pay to use an outsourced service • Pay to continue using Athens
- 16. Outsourcing • Betting on an unknown service • How many problems will outsourcing solve? • How much will it cost? • How much of your time will it take?
- 17. Athens eternal? • Don’t bet on it! • You will have to face Shibboleth sooner or later • That likely means getting started now
- 18. Thanks! Miles Metcalfe, Ravensbourne College