EPICS - North east regional collaboration around e-portfolio progression pathways with illustrative studies

Title: Shibboleth Component
Project Ref: JISC 07/04 Distributed eLearning Programme
Issue Date: 17th August 2005
WP Ref: WP 8 & 9
Review Date: Starting January 2006
DOCUMENT COVER SHEET
Amendment Record
Issue Version: Draft; 1.0
Effective Date: 17-Aug-05
Pages Reviewed: All; All
Description: Draft issue of work packages 8 (combined and replacing wp 9); Published Work Package
Prepared by: JW / LT
Authorised by: JW/LT; Lawrence Taylor
Distribution List/Media
EPICS Partners List via JiscMail
EPICS Project Team via Projects in MEDEV
Programme Manager
Project File
Included Documents
JISC_eportfolio_template.doc is located in:
http://medev.grouphub.com/clients/epicsproject/1/files
http://www.jiscmail.ac.uk/files/EPICS/
Acceptance and Completion
Work Package Acceptance: To be signed by those who are taking on the responsibility for completing the activities in this work package.
Work package accepted by: __________________
Completed Work Package: To be signed off when all activities have been completed.
Completed work package returned by: __________
Signature:
Institution & Title:
Date:
Purpose
The purpose of work package 8 is to investigate the use of Shibboleth to authorise inter-institutional access
to resources (specifically eportfolios) in a regional context. It is sponsored and funded by the JISC Core
Middleware Programme as part of the Shibboleth Early Adopters initiative.
Background
The JISC Core Middleware initiative aims to improve the way in which users access resources throughout
the UK educational sector. Specifically, the goal is to allow users to access internal and external resources
seamlessly using a single, institutionally controlled identity. This will reduce substantially (if not eliminate
altogether) current problems in which users are required to maintain multiple passwords for multiple
resources in multiple domains.
For the last two years JISC has devoted a significant part of its development funding to access
management issues. Many different solutions and scenarios have been investigated and tested, alongside
research into supporting factors such as cultural change. The outcome is to base the strategy on
Shibboleth, a new standard in this area.
While the UK has been using Athens, other countries have been developing their own solutions to the
problem of accessing multiple resources with a single identity. Shibboleth, which is a product of the US’s
Internet2 initiative, has emerged as the front-runner for the most widely adopted standard. Australia and a
number of European countries, including Switzerland, Finland and the Netherlands have already adopted it
or are in the process of doing so. A number of commercial service providers are planning to create
Shibboleth interfaces to their services or already provide them.
The full JISC briefing paper Shibboleth: Connecting People and Resources is available at
http://www.jisc.ac.uk/pub_shibboleth.html.
About the IAMSECT project
IAMSECT - Inter-institutional Authorisation Management to Support eLearning with reference to Clinical
Teaching – is local to the region and is one of 16 Core Middleware development projects set up in 2004.
Its focus is to develop, test and disseminate a practical approach for implementing inter-institutional
authentication and authorisation management services for e-learning which can be replicated elsewhere in
the education sector. As such its outputs are of direct relevance to the partners in EPICS.
Aims
This work package outlines the activities required to install and use Shibboleth at partner institutions.
Support for these activities is available from IAMSECT (http://iamsect.ncl.ac.uk/) and the Middleware
Assisted Take-up Service (http://www.matu.ac.uk/). It is recognised that these installations may not be
feasible at all partners in the timescale available; in this case there may be a possibility of hosting the
infrastructure on behalf of these sites at Newcastle University under the auspices of IAMSECT. However, it
is expected that all partners will participate in scoping the management and data issues within their
institution with respect to identification, exchange and management of authorisation attributes.
The work package defines, in measurable terms, what must be done, by whom and by when, for the final
delivery of the work package to the project manager and the Advisory Board, and to meet the quality
requirements of the project.
The overall aims of this work package are to:
• Scope the feasibility of installation at each institution.
The initial requirement for this is the establishment of a technical contact (probably within IT services) at
each partner site. The initial stage of the assessment is via a questionnaire covering facilities and
expertise available.
• Install Shibboleth infrastructure at partner sites
This consists of a Web Initial Sign-On (WebISO) and a Shibboleth Identity Provider (IdP, also known as
an origin). An overview of the way in which Shibboleth works and local requirements is given in sections
1 and 2 of Practical access to electronic journals via Shibboleth available at
http://iamsect.ncl.ac.uk/deliverables/. The technical skills required for the installation can, in the main,
be provided from within the IAMSECT project although close collaboration with partners is obviously
required. Funding for hardware, consultation and staff time is included within the Shibboleth component
of the EPICS budget.
• Partners join a UK Federation as an identity provider
This will either be the SDSS development federation (www.sdss.ac.uk) or the incipient UK academic
federation (http://www.jisc.ac.uk/uploaded_documents/JISC_Fed_doc_full.doc). A Shibboleth federation
is an independent body which manages the trust relationship between identity and service providers –
an introduction and further information is available in An Introduction to Shibboleth Federations
(http://iamsect.ncl.ac.uk/deliverables/).
It should be noted that reaching this stage will be of considerable advantage to the partners. As noted
in Practical access to electronic journals via Shibboleth it will then be possible for them to access
electronic journals and similar resources without the administrative overhead of access via ATHENS.
• Identify a source of authorisation attributes at each partner site
More complex authorisation scenarios require the use of multiple authorisation attributes. A typical
source of these may be the Windows Active Directory or institutional data feeds from the Management
Information System or equivalent. This topic is covered in Attribute identification and storage for
Shibboleth at http://iamsect.ncl.ac.uk/deliverables/.
It would be helpful if each partner could provide a suitable contact with respect to these issues.
• Pilot the use of existing ePortfolio products as Shibboleth resource providers (targets).
Partners hosting eportfolio products will need to join the federation as service providers. Adaptation of
the products as Shibboleth resource providers is an output of IAMSECT.
• Identify and agree a set of attributes to be used to authorise access to ePortfolios.
The project will need to agree on a common set of suitable attributes for authorisation purposes, the
choice of which will primarily depend on which attributes can be collected in a timely and scalable
manner from each partner, and on institutional privacy policies.
• Scope the establishment of a regional managerial and legal framework for inter-institutional access.
This will essentially be a synthesis of requirements of the partners in this respect, lessons learned and
potential issues envisaged. IAMSECT has some funding for legal consultancy and will be able to make
input to this activity.
Outputs
This work package will produce two major outputs:
• Use of Shibboleth for authorisation at partners where it is feasible to install it, or a report detailing the
problems encountered at institutions where this has proved not to be the case.
• A managerial and legal framework which could potentially be extended to other services and
collaborations within the region.
Scope
The Work Package activities will vary in content, and indeed in degree of formality, depending on
circumstances. It is a working document and will change throughout its lifecycle as we learn by
investigating and completing the activities.
Where the work is being conducted by a team or an individual, they will define the activities at a sufficient
level of detail that the project team have no doubt about what has to be done, by whom and by when. They
will provide regular reports back to the project manager, who will keep the documentation up to date.
The scope of this work package is to encompass the following:
• All partners in the EPICS project.
• To create a framework for the delivery of the work package activities listed under Aims above.
Responsibilities
All partners will be individually responsible for the production and delivery of this work package at their
institution. Participation in the work package is a requirement, even if the partner is not able to install the
hardware. See Outputs Section.
This work will be coordinated by the IAMSECT project management.
It is the responsibility of the EPICS Project Manager to ensure that staff affected by this process are
informed of its content and that they will agree to adhere to the processes identified.
All published documentation will be disseminated via the Project Management Web Site.
Title: Shibboleth Infrastructure
Project Ref: JISC 07/04 Distributed eLearning Programme
Issue Date: 17-Aug-05
WP Ref: WP 8
Review Date: Starting January 2006
Work Package Schedule
It is expected that this work package will take an elapsed time of approximately 12 months.
The work package has an official start date of 25-04-2005 and will be completed no later than 31-03-2006.
[Gantt chart: WORKPACKAGES by month (Mth 1 to 15); row: 8 Shibboleth Component]
Work Package Outputs and Deliverables
These are the defined outputs and deliverables as identified in the project plan.
Columns: Work package and activity; Duration (earliest start date, latest completion date); Outputs (clearly indicate deliverables & reports in bold); Milestone; Responsibility.
1. Establish a technical contact within each partner institution
   Duration: April 05 to May 05
   Output: Project sub group established
2. Assess feasibility of infrastructure installation at each site via questionnaire covering facilities, expertise, any existing WebISO, password store; open ports.
   Duration: April 05 to Sep 05
   Output: Brief report. Determination of hardware to be purchased
3. Dissemination activities
   Duration: Aug 05 to Oct 05
   Output: Raise awareness within project; disseminate technical information
4. Produce reports for sites where implementation is not feasible.
   Duration: Sep 05 to Jan 06
   Output: Report to JISC
5. Purchase and install WebISO and IdP for partner sites
   Duration: Sep 05 to Dec 05
   Output: Shibboleth infrastructure established at partner institutions
6. Partners join Federation as Identity Providers
   Duration: Nov 05 to Jan 06
   Output: Access to Shibboleth-enabled resources
7. Identify authorisation attribute source at each partner institution
   Duration: May 05 to Jan 06
   Output: Authorisation sources established
8. Adapt existing ePortfolio products as Shibboleth service providers (targets)
   Duration: April 05 to Dec 05
   Output: Local access to ePortfolio products via Shibboleth
9. Partners hosting ePortfolio products join Federation as service providers
   Duration: Nov 05 to Jan 06
   Output: Access to ePortfolio products via WAYF
10. Identify and agree set of attributes to be used to authorise access to ePortfolio products
   Duration: June 05 to Jan 05
   Output: Defined authorisation data agreed between all partners
11. Develop and publish work package report and lessons learnt
   Duration: Nov 05 to Feb 06
   Output: Report on the project work package
12. Work Package Review
   Duration: Jan 06 to Mar 06
   Output: Review document
Responsibility: IAMSECT