Cheshire 3 / Shibboleth
This project intends to implement Shibboleth within the Cheshire3 framework, enabling Cheshire3 based services to interact with the home institutions of users in order to determine assigned access permissions. Shibboleth provides the means of transporting assertions from a user's home organisation to a remote resource, thereby providing authorisations for actions upon that resource. Once authorisation has been established, Cheshire3 provides a framework in which content based services can be deployed; this enables efficient information retrieval and text mining processes to be performed on the managed information.
Aims and Objectives
By implementing Shibboleth within the Cheshire3 framework we will enable services to interact with users' home institutions in the following ways:
- Authorised Access to services
The service contains information that must be restricted to only some class of user, for example only users currently registered at higher education institutions. Shibboleth support in Cheshire3 would enable the service to verify the user's registration, and thereby allow access to the information stored.
- Authorised Access to records
The service may contain records that must be restricted. Shibboleth support would enable the service to perform its normal operations without authorisation until a restricted record was encountered, and only then prompt the user to authenticate and subsequently be authorised to access the record.
- Authorised Access to Operations
The service can perform operations that have an associated cost or licensing agreement, for example computationally expensive text mining operations. Support for Shibboleth would enable inter-institutional users to be authorised to request that these operations be performed.
- Authorised Access to Content Maintenance
The service may permit classes of users to update records remotely. For example, in an institutional repository, academic members of staff must be allowed to create new records and modify or delete their own records. Shibboleth would allow the framework to do this in an authentication-independent fashion. In an inter-institutional repository, perhaps subject oriented, Shibboleth would permit easy collaboration.
- Authorised Access to Service Definition
The service may permit classes of users to define their own workflow definitions of operations to perform. This is particularly true for text mining, but is also possible in the information retrieval field. Shibboleth would allow the Cheshire3 framework to authorise inter-institutional users to modify the services it provides.
Project Methodology
The implementation of Shibboleth is written as a module for the Apache web server. The Cheshire3 framework uses, by default, the Apache web server for all remote access. The initial deployment of Shibboleth on the same platform as Cheshire3 is therefore expected to be relatively straightforward. The development work required is to integrate Shibboleth within the Cheshire3 framework and to enable its configuration there.
In terms of Shibboleth/Cheshire3 integration, the technical steps are as follows:
- Determine the most efficient interface for linking Cheshire3 and Shibboleth
- Develop a connection between Cheshire3 and Shibboleth
- Successfully isolate attributes from within the information received from Shibboleth
- Implement a system that allows Shibboleth authorised access to information held within the Cheshire3 Architecture.
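The last two steps, isolating attributes from what the Shibboleth Service Provider hands over and using them to authorise access to a restricted record, as an added Python example that is not Cheshire3 or Shibboleth project code. It assumes the SP exports attributes into the request environment under the names `Shib-Session-ID` and `affiliation` (eduPersonScopedAffiliation, multiple values joined by `;`); the record policy and request environments are constructed for the example.

```python
# Added example: attribute-based authorisation of a record using what the
# Shibboleth SP (Apache module) passes to the application. Attribute names are
# an assumption based on the SP's default attribute mapping; the policy and the
# sample environments below are constructed, not real Cheshire3 data.

# Constructed record policy: record id -> affiliations, any one of which grants
# access. An empty set means the record is open and never triggers a login.
RECORD_POLICY = {
    "rec-public-1": set(),
    "rec-he-only-2": {"member", "student", "staff", "faculty"},
    "rec-staff-only-3": {"staff", "faculty"},
}


def shib_values(environ, name):
    """Split a multi-valued SP attribute; the SP joins values with ';'."""
    return [v for v in environ.get(name, "").split(";") if v]


def unscoped(values):
    """'staff@example.ac.uk' -> 'staff'. Scope checking (is this IdP allowed to
    assert this scope?) is left to the SP's attribute filter, as is usual."""
    return {v.split("@", 1)[0] for v in values}


def authorise_record(environ, record_id):
    """Return 'allow', 'deny', or 'authenticate' (restricted record reached
    without a Shibboleth session: the caller should send the user to the SP
    login handler, i.e. the lazy-session behaviour described in the aims)."""
    required = RECORD_POLICY.get(record_id)
    if required is None:
        return "deny"            # unknown record: fail closed
    if not required:
        return "allow"           # open record: no session needed
    if not environ.get("Shib-Session-ID"):
        return "authenticate"    # prompt only now that a restricted record is hit
    affiliations = unscoped(shib_values(environ, "affiliation"))
    return "allow" if affiliations & required else "deny"


# Constructed request environments standing in for what Apache passes on.
ANON = {}
STAFF = {"Shib-Session-ID": "_abc123",
         "affiliation": "member@example.ac.uk;staff@example.ac.uk"}
STUDENT = {"Shib-Session-ID": "_def456",
           "affiliation": "member@example.ac.uk;student@example.ac.uk"}
```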
Implications / Deliverables / Stakeholders
The outcome of this project will be a pilot implementation of a system that integrates the Shibboleth single sign-on services within the Cheshire3 framework. This will enable Cheshire3 based services to interact with users' home institutions in order to determine assigned access permissions. The access permissions can be used to control access to the various information retrieval and text mining tools contained within the Cheshire3 architecture.