Security Solution Uses Open Source for Sharing
By Linda L. Briggs
Universities that want to share protected resources without issuing multiple passwords and logon procedures can take heart from recent moves by the University of Washington, Penn State and Stanford, among others. Those universities now use Shibboleth, an open-source single sign-on technology that makes academic life easier by removing the need for a university to set up passwords and accounts for each online resource it wants to share with other schools.
Shibboleth is standards-based, open-source software from Internet2 that acts as middleware, providing single sign-on across organizational boundaries over the Internet. That lets researchers, faculty, staff, and students from one university use campus-issued credentials to access protected information at another school or business partner. Under current systems, logging on is different for every school, so getting protected information from another university can be a time-consuming process that requires keeping track of multiple passwords.
Because Shibboleth leverages a university's existing sign-on and directory system to authenticate users, it removes the need to set up multiple passwords and accounts for each online resource. The user's password is checked by the home institution and never sent to the resource being accessed. Also, because it exchanges only the identity information the parties have agreed is relevant to a transaction, the receiving side learns, stores, and can lose only those attributes, which exposes less than systems that require a copy of each user's account. And Shibboleth isn't limited to university use: online service providers that use Shibboleth in dealing with universities no longer need to build and manage complex systems for managing user accounts, so both sides can focus on what they do best.
Of the many US universities using Shibboleth, 30 or so are members of InCommon, a federation of organizations working to create a common framework that research and education can use for access to protected information. By using the Shibboleth authentication and authorization software, InCommon is helping to enable cost-effective, privacy-preserving collaboration among its community of participants, which also includes 14 service providers.
R.L. “Bob” Morgan is senior technology architect in the Computing and Communications department at the University of Washington. He is also chair of MACE, the Middleware Architecture Committee for Education, a steering committee for the Internet2 Middleware Initiative. According to Morgan, large universities are leading the way so far in using Shibboleth. That's partly because setting up interoperability through Shibboleth assumes an established Web-based sign-on system is already in place. “A campus has to be reasonably well-organized” to take advantage of Shibboleth, Morgan says. “They need to have some way for doing sign-on with Web-based applications, at least.”
On the surface, a Shibboleth-based system can look like any other single sign-on system. One difference is that it can send specific sorts of information along with the login: whether the user is a faculty member or a student, for instance, or is otherwise authorized to access a resource. “That requires a bit more integration than with the usual simple sign-on system,” Morgan says.
Schools can also set up Shibboleth in a more basic configuration initially, to send only user IDs—in fact, that’s the default installation.
For schools with more Internet sophistication, “it’s possible to set up Shib as your single complete Web sign-on system,” Morgan explains, but schools must have the infrastructure in place to ask for a password, send a cookie as needed, and so forth.
A recent internal example of the use of Shibboleth at the University of Washington is a wiki for IT staff. The IT organization chose to use Shibboleth instead of its traditional UW-only Web sign-on system, Morgan says, “because we wanted to allow for the possibility of external partners coming in and using our wiki for project purposes.” Without Shibboleth, UW would have had to use a traditional access system, in which each colleague from another school would have to be assigned a UW user ID.
Another example is E-Academy, a company that sells discounted Microsoft software to students over the Internet. Rather than sending the university’s entire student list to E-Academy, UW was able to set up an arrangement with the company in which Shibboleth is used to verify that a purchaser is indeed a student. “It took a bit of work for E-Academy to redo their processes to work well with Shib,” Morgan says, “but I think they’ve come to appreciate the utility of it. For us, it was easy to add a new partner.”
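The two examples above, the wiki and the E-Academy arrangement, both rest on the same mechanism: the home campus authenticates the user, then releases to each partner only the attributes that partner has been approved to receive, and the partner authorizes on those attributes rather than on an account of its own. The following Python sketch is an added illustration of that pattern; it is not code from the article, from Internet2, or from the Shibboleth project. The directory records, the two service-provider entity IDs, the JSON assertion format, and the HMAC signature are all constructed for the example. A real Shibboleth deployment expresses the release rules in its attribute-filter policy, carries the attributes in a SAML assertion signed with the identity provider's key, and marks the intended recipient with an AudienceRestriction; the checks below mirror those steps in miniature.

```python
import hashlib
import hmac
import json

# Constructed sample directory at the identity provider (IdP). A campus IdP
# would normally read this from LDAP; the point is that the password hash and
# the full record stay on the IdP side.
DIRECTORY = {
    "jsmith": {
        "password_hash": "pbkdf2$...redacted",
        "displayName": "Jane Smith",
        "mail": "jsmith@example.edu",
        "eduPersonAffiliation": ["student", "member"],
        "studentID": "900123456",
    },
    "rjones": {
        "password_hash": "pbkdf2$...redacted",
        "displayName": "Rob Jones",
        "mail": "rjones@example.edu",
        "eduPersonAffiliation": ["faculty", "member"],
    },
}

# Hypothetical service-provider (SP) entity IDs and the per-SP attribute
# release policy. Shibboleth IdPs express the same idea in an attribute-filter
# policy file; the reseller is approved to learn only the user's affiliation.
WIKI_SP = "https://wiki.example.edu/shibboleth"
RESELLER_SP = "https://shop.reseller.example/shibboleth"
RELEASE_POLICY = {
    WIKI_SP: {"displayName", "mail", "eduPersonAffiliation"},
    RESELLER_SP: {"eduPersonAffiliation"},
}

# Stand-in for the IdP's signing key. Real Shibboleth signs SAML assertions with
# an XML Signature and an asymmetric key; HMAC keeps this example dependency-free.
IDP_KEY = b"constructed-example-key-do-not-reuse"


def _sign(payload: str) -> str:
    return hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()


def idp_build_assertion(username: str, sp_entity_id: str) -> dict:
    """IdP side: after the local login succeeds, release only the attributes
    the policy allows for this SP, and sign the result. Unknown SPs get nothing."""
    record = DIRECTORY[username]
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    attributes = {k: v for k, v in record.items() if k in allowed}
    payload = json.dumps(
        {"audience": sp_entity_id, "attributes": attributes}, sort_keys=True
    )
    return {"payload": payload, "sig": _sign(payload)}


def sp_verify_assertion(assertion: dict, my_entity_id: str) -> dict:
    """SP side: check the signature before trusting anything, then check that
    the assertion was issued for this SP (SAML's AudienceRestriction), and only
    then return the released attributes."""
    if not hmac.compare_digest(_sign(assertion["payload"]), assertion["sig"]):
        raise ValueError("assertion signature invalid")
    body = json.loads(assertion["payload"])
    if body["audience"] != my_entity_id:
        raise ValueError("assertion was issued for a different service provider")
    return body["attributes"]


def reseller_is_student(assertion: dict) -> bool:
    """The E-Academy-style check: authorize on affiliation alone, without ever
    receiving a roster, names, or e-mail addresses."""
    attrs = sp_verify_assertion(assertion, RESELLER_SP)
    return "student" in attrs.get("eduPersonAffiliation", [])


if __name__ == "__main__":
    a = idp_build_assertion("jsmith", RESELLER_SP)
    print(json.loads(a["payload"])["attributes"])  # only eduPersonAffiliation
    print(reseller_is_student(a))  # True
    print(reseller_is_student(idp_build_assertion("rjones", RESELLER_SP)))  # False
```

The order of checks in `sp_verify_assertion` is the part worth copying: signature first, audience second, attributes last. An assertion minted for the wiki must not be accepted by the reseller even though it is genuinely signed, and an unsigned or altered assertion must be rejected before any field in it is read.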
Although one appeal of single sign-on technologies is simplified logon procedures for users, cost savings for university IT departments can also be significant. According to Kevin Morooney, Penn State’s vice provost for information technology, “creating online credentials for individual access to protected resources has traditionally resulted in a great deal of administrative overhead for campus IT departments.” A recent demonstration of Shibboleth with the National Science Foundation, Morooney says, “highlights how we can make research and academic life easier … as well as enable institutions and the NSF to save on operating costs.”
UW provides several examples of how it's using Shibboleth with service providers. Also, MACE and EDUCAUSE are presenting a series of workshops in February on enterprise authentication that will cover Shibboleth.
Linda L. Briggs is a freelance writer based in San Diego, Calif.