[Web4lib] Re: Shibboleth's implementation environment
Peter Murray
peter at OhioLINK.edu
Thu May 29 12:00:11 EDT 2008
On May 28, 2008, at 11:57 AM, K.G. Schneider wrote:
> Thanks
> also to Ted Koppel for pointing me to the NISO best practices report.
> This is mission drift, but I'm curious to know if the report
> influenced
> Shib development.
I'm assuming Ted is referring to the NISO Metasearch Initiative
subgroup on access control. I can't find the report on the new NISO
website at the moment, but the DLib article discussing the report can
be found at <http://www.dlib.org/dlib/june06/teets/06teets.html>.
Did the report influence Shib development? No. Did SAML developments
(the standard at the foundation of Shibboleth) influence the report?
Yes. The kind of "delegated authority" needed to put an agent (the
metasearch engine, in this case) between the user and the
restricted-access target resource was envisioned in SAML 2.0, which was
coming out right about the time the metasearch initiative was in full swing.
I haven't followed up with the Shibboleth group since Shib 2.0 came
out two months ago, but I think Shib 2.0's support for SAML 2.0 means
that "delegated authority" as envisioned in the NISO Metasearch report
is now possible.
On May 28, 2008, at 10:33 AM, K.G. Schneider wrote:
> In other words, I'm not looking for an explanation of Shibboleth; I'm
> trying to grasp why institutions adopt it, why they don't adopt it,
> what
> the perceptions are of Shib, some of the perceived challenges to
> adoption, etc.
The classic problem with Shibboleth can be summed up by something I
heard Scott Cantor, one of the lead Shibboleth developers, say
[paraphrased]: "Shibboleth itself can be installed in an afternoon;
it is the policy decisions that have to be made that take months." It
comes down to seemingly simple questions like: Who is a "student"?
Who is an "employee"? Are there comprehensive, cohesive, and up-to-date
lists of those groups? Are you managing cases where a student can also
be an employee, or does that person have to have two separate
identities?
You may think you know who a student is, but do you know when they
start and more importantly when they leave the institution? Starting
is somewhat easy; leaving is somewhat easy if they graduate. What
about those that leave but don't graduate? Employees are the same
way. Adjunct faculty, visiting faculty, emeriti, contractors,
temporary workers -- it is the boundary cases that can really
frustrate you.
We're at the beginning of a comprehensive Shibboleth roll-out here in
Ohio higher education, but we've been at that beginning for a number
of years. It has been a long, slow process but will be worth it in
the end, I think, in ways that technologies like OpenID can't fulfill.
Peter
--
Peter Murray http://www.pandc.org/peter/work/
Assistant Director, New Service Development tel:+1-614-728-3600;ext=338
OhioLINK: the Ohio Library and Information Network Columbus, Ohio
The Disruptive Library Technology Jester http://dltj.org/
Attrib-Noncomm-Share http://creativecommons.org/licenses/by-nc-sa/2.5/