ASMIMA: Adoption of Shibboleth for Multiple Identity Management Applications

Introduction

Cardiff University, through its Directorate of Information Services, intends to implement Shibboleth at an early date and to record its experiences in doing so. It further proposes to test the applicability of Shibboleth on a range of managed resource areas: an e-Science Application Target, Access to Secure NHS Resources from Overlapping User Communities, and Improving upon Athens for Validating Access to On-Line Data. The information and expertise acquired will be made available to JISC for the benefit of all.

Aims and Objectives

Cardiff University is a major user of Identity Management systems and is actively engaged in upgrading its IDM procedures. It is particularly appropriate for it to be an early adopter site leading the way for Shibboleth users elsewhere.

Cardiff intends to implement Shibboleth in two stages: a working version as soon as possible, and then a fully resilient version for use with other applications. The work will include an early determination of what is necessary and an evaluation of every component part, all within an HE environment that is atypical only in that it includes more users and more resources than most.

Currently there are nearly 10,000 Athens accounts at Cardiff, and thus considerable duplication of effort in managing separate local and Athens usernames. The proposed change to Athens DA will now be superseded, and the resources formerly allocated to it will be used instead to supplement the funding of an early Shibboleth implementation.

The University's strong connection with the National Health Service puts it in an excellent position to explore the application of Shibboleth for interworking with the NHS, which currently has multiple Athens domains.

Cardiff hosts the Welsh e-Science Centre, which has the capability to test leading-edge applications of Shibboleth; in the context of this proposal this includes Shibboleth-enabling the existing BBSRC-funded BioDiversity World project, to test the applicability of Shibboleth to an e-Science application. As well as being a good candidate for testing Shibboleth mechanisms for authorization between administrative domains, successful deployment in BioDiversity World will provide an incentive for related data providers to Shibboleth-enable their own resources.

The success of this Project will enable improvements to be made to the Athens Shibboleth Gateway so that a high quality service can be made available to UK HE, and will quantify the efficiency gains that are possible for other institutions.

Methodology

The Project will be implemented as four Work Packages, the last three of which will depend critically upon the success of the first.

The first Work Package will implement Shibboleth in two stages: a working version as soon as possible, and then a fully resilient version. It will closely follow a planned timetable which allocates the first four months to the implementation of the working version on existing local hardware and the next three months to producing the resilient production system on dedicated equipment obtained for the purpose. The eighth month will be used to review the project, revise time scales and write the test plan, and the last four months will be given over to the remaining three Work Packages.

The second Work Package is intended to benefit from the early implementation of Shibboleth by reducing the duplication of effort required to manage multiple Athens accounts, of which Cardiff currently has nearly 10,000. These are a considerable administrative burden. The size of this operation means that Cardiff originally planned to move to Athens DA in summer 2005 but, given current international trends, an early Shibboleth implementation is now the more logical step. In addition to reducing staff workload, Shibboleth will simplify procedures for users by allowing them to access remote resources using their local network IDs. They currently have access to over 80 Athens-protected resources, which will provide a substantial test bed for the existing Athens Shibboleth gateway. Some subsets are restricted to specific user groups by means of separate permission sets, and this will provide an additional opportunity to test mixed availability through the Shibboleth implementation.

Cardiff University provides a computing service to its students, who may be placed in any of the National Health Service trusts in Wales, and hosts a common library system for students and all NHS workers in Wales. The ties between the University and the NHS are very close. The third Work Package will examine the practical requirements of using Shibboleth to assure secure access to essential resources from the various communities of users. Participation from the Cardiff and Vale NHS Trust will also be sought in determining access to permitted resources on the University network from the Trust network, and vice versa. The University already has permission from the Security Board of the NHS Information Authority for such a project. Guidelines and protocols will be developed to tackle the issue of multiple identities in this environment, and these will be extended to a pilot scheme using the existing technological infrastructure. Success in this process is expected to reap large benefits in terms of the ease of working which will be achieved.

The fourth Work Package will be concerned with Shibboleth-enabling BioDiversity World (BDW), an e-Science application providing an extensible problem solving environment (PSE) for linking distributed resources together into managed, re-usable workflows. A resource is typically owned and managed by a particular community of researchers, and some contain large amounts of intellectual property to which their owners wish to regulate access. Historically this is achieved using traditional means such as passwords or IP addresses. The aim of this Work Package is to develop a proof-of-concept implementation for Shibboleth-enabling the BDW portal and selected resources, which will allow access via portal users' attributes as though they were accessing the resource directly. Cardiff is developing the "Spice" software for one of the BDW resources, the Species 2000 index project, and this in turn will act as a further portal to other databases. It is proposed to enable non-production copies of these resources as Shibboleth targets, with the Welsh e-Science Centre making its 4 TByte storage facility available for hosting. It is further proposed to enable BDW to use Shibboleth for local users, and then investigate multi-party authorization where the user and the various resources use different Shibboleth implementations. This will develop and test Shibboleth authorization in typical situations including a locally installed portal, a database server, and a set of remote resources implemented as a Web Service.

Implications / Deliverables / Stakeholders

The benefits derived from this project are expected immediately to spread beyond Cardiff itself by virtue of the University's heavy involvement in the wider academic community and the society in which it exists. Since Shibboleth exists to let institutions control access to shared resources across organisational boundaries, it follows that remote sites exchanging authentication and attribute information with Cardiff over the Internet will participate in the gain. Furthermore, in keeping with the JISC's role in making the best possible software applications widely available in the UK, it is also to be expected that any advances made locally will soon be implemented elsewhere.

Particular mention should be made of the close links between the University and local hospitals, where many medical staff have dual academic and NHS appointments. A proper implementation of Shibboleth will enable them and others to enjoy the benefits of access to two essentially different sets of resources while not being handicapped by artificial barriers placed between them. If such a benefit can be provided on an even larger scale then that alone will be worth the proposed expenditure.

Mention must also be made of BDW, a developing application with an access control problem that is attracting interest within the biodiversity community. The mechanism by which BDW gains access to a resource currently results in a loss of tracking information, so that the resource is only aware of a generic user rather than a specific individual. Providing a Shibboleth enabled proof of concept for BDW will demonstrate that solutions are available which do not lose tracking information, and thus present the whole community with a case study of a real system with specific requirements and encourage other resource providers to become Shibboleth targets.
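The following is an illustrative example added to this page, not code from Cardiff University, BioDiversity World, Athens or the Shibboleth project. It shows, for the three situations the proposal describes (Athens resources restricted to specific user groups in the second Work Package, the BDW portal passing the user's own attributes to a resource in the fourth, and the generic-user tracking loss noted above), what a Shibboleth target does with the attributes it receives: it keeps a scoped value only when the issuing identity provider is trusted for that scope, evaluates the resource's rules, and logs the individual principal rather than a shared portal account. Attribute names follow the eduPerson schema used by Shibboleth; every entityID, scope, principal name, entitlement value and log line below is an assumption made for the example.

```python
"""Attribute-based access decision for a Shibboleth-protected resource.

Illustrative example written for this page; not code from Cardiff, BDW or
the Shibboleth project. All identifiers and sample data are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Assertion:
    """What a target sees after the identity provider has authenticated the user."""
    issuer: str                       # IdP entityID (assumed value)
    attributes: dict[str, list[str]]  # eduPerson attributes released to this target


# Scopes each IdP is authoritative for. A Shibboleth target takes these from
# federation metadata; here they are hard-coded assumptions for the example.
TRUSTED_SCOPES = {
    "https://idp.cardiff.ac.uk/shibboleth": {"cardiff.ac.uk"},
    "https://idp.nhs.example/shibboleth": {"wales.nhs.example"},
}

# Attributes whose values carry an @scope that must be checked against the issuer.
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}


def accepted_values(assertion: Assertion, attr: str) -> set[str]:
    """Values of `attr` the target will act on.

    Scoped values are kept only when the issuing IdP is trusted for that scope,
    so one federation member cannot assert membership of another institution.
    """
    values = set(assertion.attributes.get(attr, []))
    if attr not in SCOPED_ATTRIBUTES:
        return values
    allowed = TRUSTED_SCOPES.get(assertion.issuer, set())
    return {v for v in values if "@" in v and v.rsplit("@", 1)[1] in allowed}


@dataclass
class Resource:
    name: str
    # Each rule is (attribute, acceptable values). Every rule must be satisfied;
    # any one acceptable value satisfies a rule.
    rules: list[tuple[str, set[str]]] = field(default_factory=list)


def authorize(resource: Resource, assertion: Assertion, audit: list[str]) -> bool:
    """Decide access and record the individual principal, not a generic account."""
    principal = next(iter(accepted_values(assertion, "eduPersonPrincipalName")),
                     "(no accepted principal)")
    for attr, acceptable in resource.rules:
        if not (accepted_values(assertion, attr) & acceptable):
            audit.append(f"DENY resource={resource.name} principal={principal} "
                         f"issuer={assertion.issuer} unsatisfied={attr}")
            return False
    audit.append(f"PERMIT resource={resource.name} principal={principal} "
                 f"issuer={assertion.issuer}")
    return True


def legacy_portal_access(resource: Resource, audit: list[str]) -> bool:
    """The pre-Shibboleth pattern: the portal holds one shared credential, so
    the resource can only ever log a generic user."""
    audit.append(f"PERMIT resource={resource.name} principal=bdw-portal")
    return True


# --- constructed sample data (assumed, not from the project) -----------------
EJOURNALS = Resource("athens-ejournals",
                     [("eduPersonScopedAffiliation", {"member@cardiff.ac.uk"})])
SPECIES2000 = Resource("bdw-species2000",
                       [("eduPersonScopedAffiliation",
                         {"member@cardiff.ac.uk", "staff@wales.nhs.example"}),
                        ("eduPersonEntitlement", {"urn:example:bdw:species2000"})])

CARDIFF_RESEARCHER = Assertion(
    "https://idp.cardiff.ac.uk/shibboleth",
    {"eduPersonPrincipalName": ["sma1@cardiff.ac.uk"],
     "eduPersonScopedAffiliation": ["member@cardiff.ac.uk", "staff@cardiff.ac.uk"],
     "eduPersonEntitlement": ["urn:example:bdw:species2000"]})

CARDIFF_STUDENT = Assertion(
    "https://idp.cardiff.ac.uk/shibboleth",
    {"eduPersonPrincipalName": ["sms2@cardiff.ac.uk"],
     "eduPersonScopedAffiliation": ["member@cardiff.ac.uk", "student@cardiff.ac.uk"]})

# An NHS IdP asserting a Cardiff affiliation: the scope check must discard it
# while still honouring the NHS affiliation it is authoritative for.
NHS_SPOOF = Assertion(
    "https://idp.nhs.example/shibboleth",
    {"eduPersonPrincipalName": ["jdoe@wales.nhs.example"],
     "eduPersonScopedAffiliation": ["member@cardiff.ac.uk", "staff@wales.nhs.example"],
     "eduPersonEntitlement": ["urn:example:bdw:species2000"]})


def run_demo() -> list[str]:
    audit: list[str] = []
    legacy_portal_access(SPECIES2000, audit)         # generic user, no tracking
    authorize(EJOURNALS, CARDIFF_STUDENT, audit)     # permitted, named principal
    authorize(SPECIES2000, CARDIFF_STUDENT, audit)   # denied: no entitlement
    authorize(SPECIES2000, CARDIFF_RESEARCHER, audit)
    authorize(EJOURNALS, NHS_SPOOF, audit)           # denied: spoofed scope dropped
    authorize(SPECIES2000, NHS_SPOOF, audit)         # permitted via NHS staff affiliation
    return audit


if __name__ == "__main__":
    print("\n".join(run_demo()))
```

The scope check is the part to keep in mind when the NHS and University identity providers start exchanging attributes in the third Work Package: a target that accepts `member@cardiff.ac.uk` from any issuer has effectively delegated its access control to every federation member.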

For each Work Package and each step of the project, a set of Deliverables has been defined so as to match the objectives of the project as a whole and to enable it to be better monitored, evaluated and disseminated.

Project Staff

Project Manager

Ms Joan Wright,
Principal Consultant for Strategy, Projects and Liaison,
INSRV,
Cardiff University,
40/41 Park Place,
Cardiff CF10 3BB
Email: Wright@cardiff.ac.uk
Tel: 029 2087 4496
Fax: 029 2087 4285

Summary
Start date
21 March 2005
End date
7 April 2006
Funding programme
Core Middleware Infrastructure programme
Topic