- What is access management?
- What is federated access management?
- What are the reasons for moving from Athens to federated access management?
- What is Shibboleth?
- What technologies does Shibboleth use?
- What are the benefits of using Shibboleth?
- What does the word "Shibboleth" mean and where does it come from?
- What is the most recent version of the Shibboleth software?
- What is SAML?
- What is a federation?
- What support and guidance is available to help with access management deployment?
- Where can I find out more on the terminology?
The UK federation
- How can I join the UK federation as an identity provider?
- How can I join the UK federation as a service provider?
- What if my organisation decides not to adopt Shibboleth technology?
- Can I use commercial products?
- What are the costs of joining the UK federation?
- What do I need to do now?
Athens and the UK federation
- Is Athens still available following the withdrawal of JISC funds in July 2008?
- What is the difference between Shibboleth and AthensDA?
- Should an organisation planning to use Athens join the UK federation?
- How does an organisation planning to use Athens join the UK federation?
- What is OpenAthens?
- Are Classic Athens and AthensDA federation-compliant?
- Do JISC Collections and JISC Services resources continue to support Athens?
- Can organisations no longer using Athens still access Athens-protected resources?
- How does this affect IP-based access?
Access Management is the term used to describe the process of permitting access to protected online information, usually in the context of web pages or web-based applications. It describes both the means by which an online information resource decides whether to allow access to a protected area, and also the administrative process of allowing access for approved individuals.
Federated Access Management builds a trust relationship between identity providers (IdP) and service providers (SP). It devolves the responsibility for authentication to a user's home organisation, and establishes authorisation through the secure exchange of information (known as attributes) between the two parties.
The Athens service has not ceased, so you can continue using it (see below). However, there are a number of advantages for organisations and users in adopting a federated access management system based on Shibboleth technology, in particular the evolving needs of e-learning and e-research communities for a single access management system that supports a range of authentication scenarios, including access to internal resources, external resources and collaborative requirements. Continued use of Athens will only allow access to external, third-party resources.
In addition, while the UK has been using Athens, other countries have been developing their own solutions to the problem of accessing multiple resources with a single identity. Shibboleth, which is a product of the US's Internet2 initiative, has emerged as the frontrunner for the most widely-adopted standards-based approach.
Shibboleth also separates authentication from authorisation. Authentication is controlled by the user's home organisation and authorisation is based on user attributes and controlled by the service provider. Users don't have to acquire and remember a separate identity for accessing protected services - they simply use their local organisational username and password.
Athens will continue to be available to organisations beyond July 2008 on a subscription basis.
Shibboleth is an open source technology that enables federated access management, developed by the Internet2 Group. It both triggers the authentication process within an organisation, and supports the secure exchange of information to establish authorisation.
The identity provider software is written in Java and runs on Windows and Unix. The service provider software is written in C++ and also runs on Windows and Unix. Shibboleth itself is a SAML profile, which is an XML language for exchanging security information. The protocol uses SSL over HTTP to transport information between entities.
Users have a single sign-on using an organisational ID and password for a wide range of resources, as well as the assurance that their personal data is not disclosed to third parties. Librarians are free of the burden of username and password administration, and can use new tools for managing licenses and service subscriptions. IT managers have more control over the access management process through enhancements to enterprise directories, although this requires additional organisational effort in the short term. Simplification of the authentication process has also been shown to lead to increased use of subscribed services.
Shibboleth is a Hebrew word that means an ear of corn, stream or flood. The word comes from the Old Testament (Judges 12:1-6). The Ephraimites who lived to the west of the river Jordan invaded Gilead on the other side of the river and were defeated. Retreating, their way was blocked by the Gileadites who controlled the fords. The dialect of the Ephraimites did not have the "sh" sound, so to differentiate friend from foe, those crossing the river were asked to pronounce the word "shibboleth". According to the Bible, the 42,000 who pronounced it "sibboleth" were killed.
Therefore it has come to mean a word or sound which a person is unable to pronounce correctly; a word used as a test for detecting foreigners, or persons from another district, by their pronunciation. In this context, it is used in the wider sense of a catchword or formula adopted by a party or sect, by which their adherents or followers may be discerned, or those not their followers may be excluded.
The most recent version of the Shibboleth IdP software is 2.2 and it can be downloaded from this link on the Shibboleth website.
The most recent version of the Shibboleth SP software is 2.4 and it can be downloaded from this link on the Shibboleth website.
Shibboleth 1.3 reached its end-of-life on June 30, 2010; therefore Shibboleth 1.3 is not recommended for new installations.
Shibboleth is an implementation of an open standard known as SAML (Security Assertion Mark-Up Language). SAML is an XML-based architecture, framework and protocol for the secure exchange of security credentials between separate security domains. SAML is a standard, ratified by OASIS (Organisation for the Advancement of Structured Information Standards). The goal of SAML is to provide a standard mechanism and language for the exchange of security-related information between organisations (or across distinct units of a single organisation). SAML works on a federated trust model, where mutual trust between participating organisations is established to allow secure interactions between them.
Federation members needing access to resources install identity provider (IdP) software, and members providing resources install service provider (SP) software. Members sign up to an agreed set of policies for exchanging information about users and resources. The federation operator acts as a registrar for this information, which describes the configuration of the members' identity and service providers. The information is known as metadata.
How authentication is carried out by the identity provider and how rights management is carried out by the service provider is left up to the respective parties. Thus, federated access management depends on a certain level of trust. These trust agreements are managed by federations. Federations are typically being established at a national level.
Examples of other federations include:
- InCommon (http://www.incommonfederation.org/) in the US
- SWITCHaai (http://www.switch.ch/aai/docs/AAI_Org_Processes.pdf) in Switzerland
- HAKA ( http://www.csc.fi/suomi/funet/middleware/english/index.phtml) in Finland
- The UK federation Helpdesk is available for all queries about the UK federation.
- Mailing lists are available for getting guidance from others deploying access management software.
- Case studies are available to help organisations to learn from others' experiences.
- Roadmaps, joining options and documentation are available to help organisations to move towards implementation.
- Events and Training are available to help organisations work towards implementation of federated access management.
The ' Glossary' section of this website contains definitions of terms commonly used when discussing SAML, Shibboleth and middleware.
The UK federation
JISC recommends that all organisations carry out an organisational audit, and include these developments within the Information Strategy. A potential identity provider will need to carry out the following activities:
- Review the information structure within its organisational directory and ensure that it meets the required standards for exchanging information.
- Adopt a Single Sign-On or Common ID Solution for authentication.
- Join the UK federation.
- Install identity provider software.
- Register your IdP in the UK federation.
- Configure your IdP for operation in the UK federation.
- Roll out the service within the organisation.
The federation roadmap document produced by JISC gives a simple visual explanation of these processes and choices available to organisations.
A potential service provider will need to carry out the following activities:
- Review the information structure within its organisational directories and databases and ensure that it meets the required standards for exchanging information.
- Join the UK federation.
- Install service provider software.
- Register your SP in the UK federation.
- Configure your SP for operation in the UK federation.
- Roll out the service to user groups.
Another option is to outsource your identity or service provision to an external provider to work through the federation on your organisation's behalf. The costs of this option include the subscription costs to the external supplier and internal administration. Some organisations who can provide outsourcing services are listed here, as well as some organisations who can provide IdP and SP installation services.
Organisations are free to choose either open-source or commercial products. The products chosen must be SAML-compliant, and meet the requirements of the federation. Recommendations can be found in the UK federation policy documents, particularly the Technical Recommendations for Participants document.
Membership of the UK federation is free at the point of use for both identity providers and service providers within or serving the UK education community.
Costs of implementing the federated access management solution will depend on the model chosen. There are three options:
- In-house: Adopt access management technologies at your organisation, using community-supported (or open-source) tools. This will mainly involve internal costs in terms of the effort required to implement the solutions.
- In-house, using 3rd party support: Deploy access management in-house, with paid-for support from a 3rd party organisation.
- Outsourced: Adopt access management by paying for a third party to provide identity management or to host service provision on your behalf.
It has been estimated that the up-front costs of adopting federated access management range from £5,000 for a simple implementation to £150,000 for a full directory replacement project. Pragmatic costs are recommended at £40,000 for large organisations and £10,000 for small organisations.
The potential models for adoption are outlined in the 'join' area of the website. Organisations should consider how well each model fits with their IT strategy. Case studies are available to help organisations to deploy federated access management.
Athens continues to be available to organisations on a subscription basis.
There is little technical difference. AthensDA is essentially a proprietary implementation of the open source Shibboleth software.
Athens and the UK federation
Yes. Many resources only offer access via the UK federation (e.g. EDINA resources) and the only way that an Athens organisation can access these resources is as a member of the UK federation.
OpenAthens is a container term for a variety of products including Classic Athens and AthensDA. Most organisations that purchase OpenAthens will simply carry on using the same Athens service they are currently using (Classic or DA).
No, but they can be used with the Athens-Shibboleth Gateway Service to make them work with the UK federation. As JISC discontinued funding for the gateway from July 2008 it cannot guarantee that the gateway will continue to be upgraded and developed to keep working with the UK federation. Any organisation subscribing to OpenAthens should ensure that they receive assurances of ongoing compliance with the UK federation in their agreement with Eduserv.
JISC no longer asks for Athens in any agreements with publishers, and does not financially support Athens usage within JISC Services. Since late 2006 JISC Collections and JISC Services have been including federation compliance in all of their agreements with publishers, and have been working to make sure that all resource providers that currently use Athens will be federation-compliant as soon as possible. Many service providers may also choose to continue supporting Athens for Athens customers. For those resources that don't, subscribers to OpenAthens will still be able to access resources via the UK federation for as long as Eduserv keep the gateway product compliant with the UK federation.
Not directly, unless the organisation purchases an OpenAthens subscription. Organisations not wishing to purchase OpenAthens can use the federation-compliant EZProxy solution as an alternative, and JISC is offering advice and support on how to move forward with this. More information is available from Nicole Harris (firstname.lastname@example.org).
Organisations should see no change to their current IP-based access arrangements with publishers.