[Web4lib] Re: Shibboleth's implementation environment

Peter Murray peter at OhioLINK.edu
Thu May 29 12:00:11 EDT 2008



On May 28, 2008, at 11:57 AM, K.G. Schneider wrote:
> Thanks also to Ted Koppel for pointing me to the NISO best practices report.
> This is mission drift, but I'm curious to know if the report influenced
> Shib development.


I'm assuming Ted is referring to the NISO Metasearch Initiative subgroup on access control. I can't find the report on the new NISO website at the moment, but the DLib article discussing the report can be found at <http://www.dlib.org/dlib/june06/teets/06teets.html>

Did the report influence Shib development? No. Did SAML developments (the standard at the foundation of Shibboleth) influence the report? Yes. The kind of "delegated authority" needed to put an agent (the metasearch engine, in this case) between the user and the restricted-access target resource was envisioned in SAML 2.0, which was coming out right about the time the metasearch initiative was in full swing. I haven't followed up with the Shibboleth group since Shib 2.0 came out two months ago, but I think Shib 2.0's support for SAML 2.0 means that "delegated authority" as envisioned in the NISO Metasearch report is now possible.


On May 28, 2008, at 10:33 AM, K.G. Schneider wrote:
> In other words, I'm not looking for an explanation of Shibboleth; I'm
> trying to grasp why institutions adopt it, why they don't adopt it, what
> the perceptions are of Shib, some of the perceived challenges to
> adoption, etc.

The classic problem with Shibboleth can be summed up by something I heard Scott Cantor, one of the lead Shibboleth developers, say [paraphrased]: "Shibboleth itself can be installed in an afternoon; it is the policy decisions that have to be made that take months." It comes down to seemingly simple questions like: Who is a "student"? Who is an "employee"? Are there comprehensive, cohesive, and up-to-date lists of those groups? Are you managing cases where a student can also be an employee, or does that person have two separate identities?

You may think you know who a student is, but do you know when they start and, more importantly, when they leave the institution? Starting is somewhat easy; leaving is somewhat easy if they graduate. What about those that leave but don't graduate? Employees are the same way. Adjunct faculty, visiting faculty, emeriti, contractors, temporary workers -- it is the boundary cases that can really frustrate you.

We're at the beginning of a comprehensive Shibboleth roll-out here in Ohio higher education, but we've been at that beginning for a number of years. It has been a long, slow process but will be worth it in the end, I think, in ways that technologies like OpenID can't fulfill.


Peter
- --
Peter Murray                            http://www.pandc.org/peter/work/
Assistant Director, New Service Development  tel:+1-614-728-3600;ext=338
OhioLINK: the Ohio Library and Information Network        Columbus, Ohio
The Disruptive Library Technology Jester                http://dltj.org/
Attrib-Noncomm-Share   http://creativecommons.org/licenses/by-nc-sa/2.5/
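As an added example (not part of Peter Murray's message and not Shibboleth code), the affiliation questions raised above, a student who is also an employee, start and end dates, and leavers who never formally graduate, worked as an attribute-derivation check over constructed registrar and HR records; the record layout, the sample people and the 180-day idle threshold are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Record:
    """One row from a source system (registrar or HR), keyed by a shared person id."""
    person_id: str
    role: str            # "student" or "employee"
    start: date
    end: Optional[date]  # None: no separation has been recorded yet


# Constructed sample data: alice is a student who graduates and also holds a job
# that continues afterwards; bob stops attending but is never formally separated;
# carol is an adjunct on a fixed-term contract that has already ended.
RECORDS: List[Record] = [
    Record("alice", "student", date(2005, 9, 1), date(2009, 6, 15)),
    Record("alice", "employee", date(2007, 1, 10), None),
    Record("bob", "student", date(2006, 9, 1), None),
    Record("carol", "employee", date(2008, 1, 5), date(2008, 5, 30)),
]

# Constructed: last date each person authenticated or attended, from logs or the LMS.
LAST_SEEN: Dict[str, date] = {
    "alice": date(2008, 5, 20),
    "bob": date(2007, 11, 1),
    "carol": date(2008, 5, 28),
}


def is_active(rec: Record, on: date) -> bool:
    """A record grants its role from start (inclusive) until end (exclusive)."""
    return rec.start <= on and (rec.end is None or on < rec.end)


def affiliations(records: List[Record], person_id: str, on: date) -> Set[str]:
    """All roles one identity holds on a date: a student-employee gets both, not two accounts."""
    return {r.role for r in records if r.person_id == person_id and is_active(r, on)}


def stale_open_records(records: List[Record], last_seen: Dict[str, date],
                       on: date, max_idle_days: int = 180) -> List[str]:
    """Open-ended records whose holder has been idle too long: the non-graduating
    leaver nobody told the IdP about. Returned as review candidates, not auto-revoked."""
    cutoff = on - timedelta(days=max_idle_days)
    flagged = {r.person_id for r in records
               if r.end is None and is_active(r, on)
               and last_seen.get(r.person_id, date.min) < cutoff}
    return sorted(flagged)
```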


