Eduserv-organised seminar on Institutional Audit (and a lot about Shibboleth) held at the Birmingham Metropole Hotel (right next to the NEC, nr. Birmingham International Station).

Before you read on... This seminar was billed as "...this half-day seminar will provide advice on how best to perform an institutional audit and plan the task in a logical manner". That's what I went for. Unfortunately, it was just a general presentation about aspects of Shibboleth. Nothing really about doing an audit at all. Interesting stuff about Shibboleth (which I'd heard a thousand times before). Rubbish on audit. Pah.

If you're interested in any of this, the slides are supposed to appear on the MATU web site. At the time of writing they are not there. Check out http://www.matu.ac.uk/training/ to see if you can find them.


MATU = Eduserv's JISC-funded Middleware Assisted Take-Up (probably finishing in December 2006 and handing over to UKERNA for the support of Shibboleth etc.)

Arrived a bit late (trains)...

When I entered, Lucas Hämmerle from SWITCH was giving a presentation about Federated Identity Management and SWITCH/Shib in general.

Lucas Hämmerle from SWITCH

Nick Johnson, University of Exeter

What needs auditing?

Why do we need IAM?

Lots of different services (portals, e-learning, experiments etc.). An audit is useful in being able to (for example) remove all accounts for someone when s/he moves on from the institution.

Huge numbers of 'exceptions'. Alumni, friends of the library (friends of the chancellor!).

Campus wide policy creation - hopes to avoid departments etc. from creating their own identities and policies for identities.

Institutional Planning

He made a very big thing about retaining staff with Shib expertise. It isn't trivial, and the org. can take a big hit when someone who understands the IdP or Attribute Authority leaves.

Need good resourcing for an Attribute Authority (it is expensive and difficult at first).

SWISh and Shibboleth

How we thought we were going to do it.. and how we really did it.

They may not have thought about it up front, but Nick suggests that you really need a test SP installation to test your new IdP against. Created their local SWISh federation!

The user trial came up with issues like "we need to solve problems like: if you use Athens to connect to a service and the web server is down, the user gets a message saying that s/he hasn't logged in properly (even though that isn't correct)". Shib wasn't really going to fix that.

However, when they got the trial system set up, people looked at it (with the SSO) and could visualise the calls to the help desk going down - that really helped.

Consider using NMI-EDIT and MACE technologies such as Grouper and Signet (for grouping and authZ facilities, including delegation rules within Signet).

Nick strongly recommends EuroCAMP for learning about technologies.

Shib Admin skill base

Recommends deploying on RedHat Linux - easier than anywhere else (Microsoft a bit of a nightmare in places).

Questions

I asked about ownership of data - in audit? There's something on building business plans on the Internet2 web site and good road maps about this.

Lucas Hämmerle from SWITCH - SWITCHaai

(again)

Presenting SWITCHaai here as a case study. Went into production October 2005. Their pilot operation started in mid 2002. More and more sub-projects now.

Roles in SWITCH federation:

  • Federation Member (can operate one IdP and arbitrary SPs) - all Universities
  • Federation Partner (can operate only SPs - e.g. ScienceDirect e-journals, Microsoft - software downloads for students)
  • Federation Coordinator (SWITCH - sets policies and standards)

2 committees in SWITCHaai fed:

  • Advisory committee (legal framework, policies etc., trust)
  • Operations committee (technical standards, metadata, security)

Federation members have a direct agreement between them and SWITCH.

Federation partners need a sponsor (to get involved) and then agreements between them and SWITCH, and possibly bilateral agreements between themselves and Federation Members (where they offer services to a subset of Fed. Members).

Users need 'Terms of Use' agreements technically between them and the FPs, but this must also be acceptable to SWITCH.

They only have 12 Federation Partners so far (and some of those are universities outside Switzerland). However, they say there are over 110 resources available.

Attributes in SWITCHaai

Personal:

Mandatory:

  • Unique ID
  • Surname
  • Given name

Recommended/optional:

  • Email
  • Address(es)
  • Phone no.
  • Preferred language
  • Date of Birth
  • Gender

Group membership:

Mandatory:

  • Home org. name
  • Home org type
  • Affiliation (student, staff...)

Recommended/optional:

  • Study branch
  • Study level
  • Staff category
  • Group membership
  • Organisation path
  • Organisational unit path

ARP Viewer

Tool to show the user's attributes released to a particular resource. They see a "Digital ID Card".

User sees this the first time a resource is accessed.

A bit like the MAMS tool but possibly a bit less funky.
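As an added illustration of the attribute lists and the ARP Viewer described above (example code, not SWITCH's or MATU's own): a small attribute-release check that releases only what a resource's policy names, refuses a policy naming attributes outside the federation schema, and flags records missing mandatory attributes. The snake_case attribute keys, the sample user record and the SP entity ID are this example's own constructed values.

```python
from dataclasses import dataclass

# Attribute names from the SWITCHaai lists above; snake_case keys are this example's own naming.
PERSONAL_MANDATORY = {"unique_id", "surname", "given_name"}
PERSONAL_OPTIONAL = {"email", "address", "phone", "preferred_language",
                     "date_of_birth", "gender"}
GROUP_MANDATORY = {"home_org_name", "home_org_type", "affiliation"}
GROUP_OPTIONAL = {"study_branch", "study_level", "staff_category",
                  "group_membership", "org_path", "org_unit_path"}
MANDATORY = PERSONAL_MANDATORY | GROUP_MANDATORY
KNOWN = MANDATORY | PERSONAL_OPTIONAL | GROUP_OPTIONAL


@dataclass(frozen=True)
class ReleasePolicy:
    """Attributes one SP may receive (assumed to come from its agreement with the federation)."""
    sp_entity_id: str
    allowed: frozenset


def missing_mandatory(user_attrs: dict) -> set:
    """Data-quality check: mandatory attributes the IdP record lacks or leaves empty."""
    return {a for a in MANDATORY if not user_attrs.get(a)}


def release(user_attrs: dict, policy: ReleasePolicy) -> dict:
    """Apply the ARP: only attributes the policy names are released.
    A policy naming an attribute outside the schema is rejected, and an
    incomplete record is not released at all (fail closed)."""
    unknown = policy.allowed - KNOWN
    if unknown:
        raise ValueError(f"{policy.sp_entity_id}: unknown attributes {sorted(unknown)}")
    missing = missing_mandatory(user_attrs)
    if missing:
        raise ValueError(f"record incomplete, missing {sorted(missing)}")
    return {k: v for k, v in user_attrs.items() if k in policy.allowed}


def digital_id_card(user_attrs: dict, policy: ReleasePolicy) -> str:
    """The per-resource view a user would see before first access."""
    released = release(user_attrs, policy)
    lines = [f"Attributes released to {policy.sp_entity_id}:"]
    lines += [f"  {k}: {released[k]}" for k in sorted(released)]
    return "\n".join(lines)


# Constructed sample record and policy (not real data).
SAMPLE_USER = {"unique_id": "u1234@example-uni.ch", "surname": "Muster", "given_name": "Anna",
               "email": "anna.muster@example-uni.ch", "home_org_name": "example-uni.ch",
               "home_org_type": "university", "affiliation": "student", "study_level": "bachelor"}
EJOURNAL_POLICY = ReleasePolicy("https://ejournals.example.org/shibboleth",
                                frozenset({"affiliation", "home_org_name"}))
```

Running `print(digital_id_card(SAMPLE_USER, EJOURNAL_POLICY))` shows only affiliation and home organisation going to the e-journal resource; the email and study level stay at the IdP.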

Frequently Encountered Problems

Political

  • If there isn't any attractive resources, there's no incentive to set up an IdP
  • Data protection concerns vary from canton to canton
  • Co-ordination with universities slows down development, but pays off later

Organisational

  • Users without a home org - get to use the VHO
    • but what about data quality in the VHO?
  • Missing human resources at some smaller universities
    • For hands on support

Technological

  • Federated IM is "new" technology
  • Technical complexity
    • lots of hands on support and manuals required
  • Most universities didn't have a SSO
  • Some didn't have a central directory
  • Metadata refreshing
  • Certificates, certificates...

Recommendations for deployment

Organisational

  • Consider who is responsible for data quality, IdP admin/HR/Faculty?
  • Who is allowed to set up new resources?

Technical

  • Do you have a single user directory?
  • Are you going to use a redundant setup with load balancing (for the IdP)?
  • SSO - do you have one in place, and which do you choose?
  • Have you basic (or intermediate/advanced) knowledge of certificates?

Do you have a decent use policy for the users?

Recommendations for IdP administrators

  • Users should not see the word "Shibboleth"
  • IdP login page should at least contain a helpdesk link
  • Tailor your look and feel for your users
  • Do backups of setup
  • Refresh metadata at least once per day
  • Keep log files (but respect data protection)

Richard Dunning (MATU) - Developing a Business Plan

Richard is the MATU Service Manager.

He really means business case (and most of his slides said that).

Keep Richard's slides (I have paper handouts). Fairly decent list of advantages of going for Shib at your institution. He ran through it in 5 mins, though.

Conclusion

Quite a major waste of time for me. Nothing in the day about institutional audits, really. The last (5 min) session got fairly close to being useful (for putting a business case to the University), but he spoke for only a few minutes, and the Q&A session was looking (briefly) like it could be useful, but everyone had to get their trains, really.

It seems that MATU is being shut down at the end of December this year and a lack of morale there may be a factor - it's a shame as they really seem to have been gaining some momentum in recent months.

ESPGRIDwiki: EduservInstitionalAuditSeminar14Sept06 (last edited 2013-05-17 16:26:48 by localhost)