LSIP: Liverpool Shibboleth Implementation Programme
The University of Liverpool Computing Services Department has made significant progress in making almost all of its user service systems use a single directory for user authentication. With the recent introduction of Athens DA, our main computing services now authenticate using our Novell Netware e-directory (using LDAP). The contents of the e-directory itself are controlled by locally developed software that manages the user community, using the University’s Personnel and Student systems as the source for the required user information.
Our e-directory also contains identity information for a number of users who have rights to use some (or all) of our systems but who, for a variety of reasons, have no entry in either the Personnel or Student systems. The number of these entries is increasing as the University diversifies and broadens its activities. We now provide services to individuals who, whilst being registered as students, are following distance learning programmes offered jointly with and managed by external partners. We also provide services to a considerable number of individuals on short programmes, particularly programmes that support practising health care professionals. The University is working in partnership with The University of Lancaster for the provision of some medical education and training, and we need to provide access to our systems to some medical students from Lancaster. The management of these devolved authentication realms is of some concern.
Shibboleth has been identified as the leading candidate for the next generation of user access control systems and will clearly be of importance to the University in the medium term. Because Shibboleth provides an architecture for federated access control, with the potential for trusted independent organisations to control the access of their 'members', it potentially offers a more effective way for us to manage the devolved user control that is becoming a more pressing problem.
Our present use of Novell’s e-directory (other than for Netware Services) is to provide only user authentication; we presently rely on information held in each individual system to record the rights of the authenticated user on that system. This leads to duplication of information between our systems and requires systems management effort on each of these systems to maintain it. We are interested in making use of additional common attributes in our e-directory that can be used by many of our systems. We believe that Shibboleth can support this mode of working, provided that there is agreement between the systems on a common set of user attributes. We would be interested in working with others on evaluating the applicability of the eduPerson specification within the UK academic community.
The University of Liverpool is therefore very enthusiastic to take part in this JISC programme, since the JISC’s desire to have institutions deploy Shibboleth coincides with the University’s desire to continue to provide common access control mechanisms across its systems in an environment where user management is becoming increasingly devolved. The University’s contribution to the project indicates its enthusiasm and engagement with this programme.