Eduserv organised seminar on Institutional Audit (and a lot about Shibboleth) held at the Birmingham Metropole Hotel (right next to the NEC, nr. Birmingham International Station).
Before you read on... This seminar was billed as "...this half-day seminar will provide advice on how best to perform an institutional audit and plan the task in a logical manner". That's what I went for. Unfortunately, it was just a general presentation about aspects of Shibboleth. Nothing really about doing an audit at all. Interesting stuff about Shibboleth (which I'd heard a thousand times before). Rubbish on audit. Pah.
If you're interested in any of this, the slides are supposed to appear on the MATU web site. At the time of writing they are not there. Check out http://www.matu.ac.uk/training/ to see if you can find them.
MATU = Eduserv's JISC-funded Middleware Assisted Take-Up (probably finishing in December 2006 and handing over to UKERNA for the support of Shibboleth etc.)
Arrived a bit late (trains)...
When I entered, Lucas Hämmerle from SWITCH was giving a presentation about Federated Identity Management and SWITCH/Shib in general.
Lucas Hämmerle from SWITCH
- Very general stuff about Shibboleth (i.e. introducing terms like IdP, WAYF etc.). Federation - what is it?
- Organisations agree on common set of rules and standards
- Trust (via legal and technical means)
Described Shibboleth as a concept to identify members of a group. Clarified that the IdP does not include the SSO; the IdP relies on a user directory. Etc. etc. Showed the Swiss DOIT app (for medical students) as an example of the end-to-end Shib story.
Nick Johnson, University of Exeter
- Project SWISh. SWISh was one of the 15 early adopter projects.
Presented a slide with a timeline showing AthensDA (prior to 2006) -> AthensDA renewal (2006) -> Shibboleth (in 2008). Technical implementation of Shib, and a pilot service across SW England: university, library and Peninsula medical services.
What needs auditing?
- Campus Identity and Access Management (IAM)
- SSO
- Security strategy - decide on privacy policy for attributes
- System admin resources - learning Shib, IdP installation and management
- Maintaining attributes: ensuring consistency and accuracy afterwards
- Training IT and library staff in changes
Interesting that he didn't list ownership of data on his main slide, nor did he talk about it.
Why do we need IAM?
Lots of different services (portals, e-learning, experiments etc.). An audit is useful in being able to (for example) remove all accounts for someone when s/he moves on from the institution.
Huge numbers of 'exceptions'. Alumni, friends of the library (friends of the chancellor!).
Campus wide policy creation - hopes to avoid departments etc. from creating their own identities and policies for identities.
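The kind of check Nick's "remove all accounts when someone moves on" point calls for, as an added example (not code from the seminar, SWISh or MATU): cross-check each service's account export against the authoritative people register, with the alumni / friends-of-the-library cases recorded as explicit, scoped, owned exceptions rather than as silent gaps. The register, service exports, exceptions and uids below are constructed sample data.

```python
# Added example: a minimal institutional account audit of the kind the talk
# motivates (find every account a leaver still holds, and keep the
# alumni/friends-of-the-library 'exceptions' explicit). This is not code from
# the seminar, SWISh or MATU; the people register, service exports and
# exceptions below are constructed sample data.

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    service: str
    uid: str
    kind: str    # 'leaver', 'unknown' or 'exception-overreach'
    detail: str


# Constructed: the authoritative people register (HR and student records).
PEOPLE = {
    "u1001": {"name": "A. Smith", "status": "active", "affiliation": "staff"},
    "u1002": {"name": "B. Jones", "status": "left", "affiliation": "staff"},
    "u1003": {"name": "C. Patel", "status": "active", "affiliation": "student"},
    "u1004": {"name": "D. Lee", "status": "left", "affiliation": "student"},
}

# Constructed: account exports from each campus service.
SERVICE_ACCOUNTS = {
    "portal": {"u1001", "u1002", "u1003"},
    "vle": {"u1001", "u1003", "u1004", "u2001"},
    "library": {"u1001", "u1002", "u1004", "u3001"},
}

# Constructed: approved exceptions, scoped to named services with an owner.
# Anything an exception does not cover is still reported.
EXCEPTIONS = {
    "u1004": {"services": {"library"}, "reason": "alumni borrowing", "owner": "Library"},
    "u3001": {"services": {"library"}, "reason": "friend of the library", "owner": "Library"},
}


def audit(people, service_accounts, exceptions):
    """Cross-check every service account against the register and exceptions."""
    findings = []
    for service, uids in sorted(service_accounts.items()):
        for uid in sorted(uids):
            exc = exceptions.get(uid)
            person = people.get(uid)
            if exc is not None and service in exc["services"]:
                continue  # approved, scoped and owned: not a finding
            if exc is not None:
                findings.append(Finding(service, uid, "exception-overreach",
                    f"exception ({exc['reason']}, owner {exc['owner']}) covers "
                    f"{sorted(exc['services'])} only"))
            elif person is None:
                findings.append(Finding(service, uid, "unknown",
                    "no record in the people register"))
            elif person["status"] == "left":
                findings.append(Finding(service, uid, "leaver",
                    f"{person['name']} ({person['affiliation']}) has left"))
    return findings


def removals_for(uid, findings):
    """Services from which a given person's account should be removed."""
    return sorted(f.service for f in findings if f.uid == uid)


if __name__ == "__main__":
    results = audit(PEOPLE, SERVICE_ACCOUNTS, EXCEPTIONS)
    for f in results:
        print(f"{f.kind:20} {f.service:8} {f.uid}  {f.detail}")
    print("remove u1002 from:", removals_for("u1002", results))
```

The point of the exceptions table is that every "friend of the chancellor" account has a named owner and a named scope; an exception that is being used on a service it was never approved for is reported just like a leaver's stale account.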
Institutional Planning
He made a very big thing about retaining staff with Shib expertise. It isn't trivial, and the org. can take a big hit when someone who understands the IdP or Attribute Authority leaves.
Need good resourcing for an Attribute Authority (it is expensive and difficult at first).
SWISh and Shibboleth
How we thought we were going to do it.. and how we really did it.
They may not have thought about it up front, but Nick suggests that you really need a test SP installation to test your new IdP against. They created their local SWISh federation!
The user trial came up with issues like "we need to solve problems like: if you use Athens to connect to a service and the web server is down, the user gets a message saying that s/he hasn't logged in properly (even though that isn't correct)". Shib wasn't really going to fix that.
However, when they got the trial system set up, people looked at it (with the SSO) and could visualise the calls to the help desk going down - that really helped.
Consider using NMI-EDIT and MACE technologies such as Grouper and Signet (for grouping and authZ facilities, including delegation rules within Signet).
Nick strongly recommends EuroCAMP for learning about technologies.
Shib Admin skill base
- Need to know a good amount about Java (installing SDK is not enough!!)
- Tomcat: Deploying WARs not enough. Configuring mod_jk etc. is the level you need to be at
- SSL: generating a key is not enough. Configuring a key store, more like it
- Apache: mod_jk etc. level
- XML: attribute editing is not enough. Namespaces and schema definitions
- Documentation: scribbled notes are not enough. Blogging, etc etc. very important.
Recommends deploying on RedHat Linux - easier than anywhere else (Microsoft a bit of a nightmare in places).
Questions
I asked about ownership of data - in audit? There's something on building business plans on the Internet2 web site and good road maps about this.
- Need to check that out!
Subsequent note: It turned out not to be Internet2 but NMI-EDIT. Their resource on The Enterprise Directory Implementation Roadmap could be very useful indeed. However, it doesn't really seem to cover this 'ownership of data' stuff very well (as far as I can see in a quick glance).
Lucas Hämmerle from SWITCH - SWITCHaai
(again)
Presenting SWITCHaai here as a case study. Went into production October 2005. Their pilot operation started in mid 2002. More and more sub-projects now.
Roles in SWITCH federation:
- Federation Member (can operate one IdP and arbitrary SPs) - all Universities
- Federation Partner (can operate only SPs - e.g. ScienceDirect e-journals, Microsoft - software downloads for students)
- Federation Coordinator (SWITCH - sets policies and standards)
2 committees in SWITCHaai fed:
- Advisory committee (legal framework, policies etc., trust)
- Operations committee (technical standards, metadata, security)
Federation members have a direct agreement between them and SWITCH
Federation partners, need a sponsor (to get involved) and then agreements between them and SWITCH and possibly bilateral agreements between themselves and Federation Members (where they offer services to a subset of Fed. Membs)
Users need 'Terms of Use' agreements technically between them and the FPs, but this must also be acceptable to SWITCH.
They only have 12 Federation Partners so far (and some of those are universities outside Switzerland). However, they say there are over 110 resources available.
Attributes in SWITCHaai
Personal:
Mandatory:
- Unique ID
- Surname
- Given name
Recommended/optional:
- Address(es)
- Phone no.
- Preferred language
- Date of Birth
- Gender
Group membership:
Mandatory:
- Home org. name
- Home org type
- Affiliation (student, staff...)
Recommended/optional:
- Study branch
- Study level
- Staff category
- Group membership
- Organisation path
- Organisational unit path
ARP Viewer
Tool to show the users attributes released to particular resources. They see a "Digital ID Card".
User sees this the first time a resource is accessed.
A bit like the MAMS tool but possibly a bit less funky.
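As an added example (not SWITCH's code or their ARP Viewer), the two things the attribute list and the ARP Viewer are about, in a few lines: a data-quality check of a user's attribute set against the mandatory/recommended lists above, and the attribute release policy (ARP) that decides what a given resource actually receives, i.e. the "Digital ID Card" the user is shown. The attribute names, the policy, the resource URLs, what each SP requires and the sample user are illustrative assumptions.

```python
# Added example, not SWITCH's code or their ARP Viewer: a data-quality check
# of a user's attribute set against the SWITCHaai mandatory/recommended
# lists, followed by what an attribute release policy (ARP) would hand
# to a given resource, i.e. the 'digital ID card' a user is shown. The
# attribute names, the policy, the resource URLs and the sample user are
# illustrative assumptions.

MANDATORY = {
    "uniqueID", "surname", "givenName",
    "homeOrganization", "homeOrganizationType", "affiliation",
}
RECOMMENDED = {
    "address", "phone", "preferredLanguage", "dateOfBirth", "gender",
    "studyBranch", "studyLevel", "staffCategory", "groupMembership",
    "orgPath", "orgUnitPath",
}

# Constructed ARP: 'default' is released to every resource; per-resource
# entries add to it. Resources not listed get the default set only.
ARP = {
    "default": {"affiliation", "homeOrganization", "homeOrganizationType"},
    "https://ejournals.example/sp": {"uniqueID"},
    "https://doit.example/medical": {"uniqueID", "surname", "givenName",
                                     "studyBranch", "studyLevel"},
}

# Constructed: what each resource insists on before it will admit a user.
SP_REQUIRES = {
    "https://doit.example/medical": {"uniqueID", "affiliation", "studyBranch", "studyLevel"},
    "https://ejournals.example/sp": {"affiliation", "homeOrganization"},
}


def _present(user):
    """Attribute names that carry a real value (directories often export empties)."""
    return {k for k, v in user.items() if v not in (None, "", [])}


def data_quality(user):
    """Return (missing mandatory, missing recommended, unexpected) attribute names."""
    present = _present(user)
    return (sorted(MANDATORY - present),
            sorted(RECOMMENDED - present),
            sorted(present - MANDATORY - RECOMMENDED))


def released_to(user, resource, arp=ARP):
    """Attributes (with values) the IdP would release to this resource."""
    allowed = arp.get("default", set()) | arp.get(resource, set())
    return {k: user[k] for k in sorted(allowed & _present(user))}


def access_decision(user, resource):
    """('ok', released) or ('refuse', missing-but-required). A release that
    cannot satisfy the SP is a data-quality or policy problem, not a login
    problem, which is what the user would otherwise be told."""
    released = released_to(user, resource)
    missing = sorted(SP_REQUIRES.get(resource, set()) - set(released))
    return ("ok", released) if not missing else ("refuse", missing)


def id_card(user, resource):
    """Text the user would see the first time they access the resource."""
    lines = [f"Attributes released to {resource}:"]
    lines += [f"  {k}: {v}" for k, v in released_to(user, resource).items()]
    return "\n".join(lines)


# Constructed sample user: mandatory set complete, studyLevel missing,
# an empty phone value and a stray attribute the schema does not know.
USER = {
    "uniqueID": "123456@example.ch", "surname": "Muster", "givenName": "Hans",
    "homeOrganization": "example.ch", "homeOrganizationType": "university",
    "affiliation": "student", "studyBranch": "medicine",
    "preferredLanguage": "de", "nickname": "hm", "phone": "",
}

if __name__ == "__main__":
    print("data quality:", data_quality(USER))
    print(id_card(USER, "https://doit.example/medical"))
    print(access_decision(USER, "https://doit.example/medical"))
```

Two things worth noticing: an unlisted resource only ever gets the default set, so the policy fails closed, and a user the SP turns away because studyLevel was never populated is a directory data-quality finding (the "who is responsible for data quality" question below), not something the helpdesk can fix by resetting a password.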
Frequently Encountered Problems
Political
- If there isn't any attractive resources, there's no incentive to set up an IdP
- Data protection concerns vary from canton to canton
- Co-ordination with universities slows down development, but pays off later
Organisational
- Users without a home org - get to use the VHO
- but what about data quality in the VHO?
- Missing human resources at some smaller universities
- For hands on support
Technological
- Federated IM is "new" technology
- Technical complexity
- lots of hands on support and manuals required
- Most universities didn't have a SSO
- Some didn't have a central directory
- Metadata refreshing
- Certificates, certificates...
Recommendations for deployment
Organisational
- Consider who is responsible for data quality, IdP admin/HR/Faculty?
- Who is allowed to set up new resources?
Technical
- Do you have a single user directory
- Are you going to use a redundant setup with load balancing (for IdP)
- SSO - do you have one in place and which do you choose?
- Do you have basic (or intermediate/advanced) knowledge of certificates?
Legal
- Do you have a decent use policy for the users?
Recommendations for IdP administrators
- Users should not see the word "Shibboleth"
- IdP login page should at least contain a helpdesk link
- Tailor your look and feel for your users
- Do backups of setup
- Refresh metadata at least once per day
- Keep log files (but respect data protection)
Richard Dunning (MATU) - Developing a Business Plan
Richard is the MATU Service Manager.
He really means business case (and most of his slides said that). Keep Richard's slides (I have paper handouts). Fairly decent list of advantages of going for Shib at your institution. He ran through it in 5 mins, though.
Conclusion
Quite a major waste of time for me. Nothing in the day about institutional audits, really. The last (5 min) session got fairly close to being useful (for putting a business case to the University), but he spoke for only a few minutes, and the Q&A session was looking (briefly) as though it could be useful, but everyone had to get their trains, really. It seems that MATU is being shut down at the end of December this year and a lack of morale there may be a factor - it's a shame as they really seem to have been gaining some momentum in recent months.