Authentication

Recent blog entries tagged with Authentication.

E07 Podcast: Extending Enterprise Authentication and Authorization in Higher Education

Created by Gerry Bayne (EDUCAUSE) on September 04, 2008

This 41 minute podcast features a session from the EDUCAUSE 2007 Annual Conference entitled, "Extending Enterprise Authentication and Authorization in Higher Education: Building on the Success of Project METEOR". A PowerPoint slide show is also available for this session.

Enterprise authentication, authorization, and federated trust are increasingly important in enabling access to a wide swath of applications that use campus-based credentials. Their use makes access easier and more secure. A review of the successful METEOR federation and the EA2 Task Force work offers insight on how to move forward.

This session features:

 

February CAMP to Focus on Authentication and Related Identity Management Processes

Created by Colleen Luckett (EDUCAUSE) on November 21, 2006
The CAMP workshop, "Charting Your Authentication Roadmap," February 7-9, in Tempe, Arizona, is now open for registration. Participants will learn more about how to position campus authentication and related identity management processes to support secure access when working with sister institutions, research collaborators and other external partners, industry, and the federal government. Read more about the program scope. Peruse other resources on authentication and identity management.

Shibboleth security vulnerability

Created by Stuart Yeates (University of Oxford) on June 27, 2006

A security vulnerability has been found in Shibboleth from Internet2. If you are running Shibboleth in anger, update to the latest version immediately. From the wiki page:

The cause of the bug is the many-to-one mapping of header names to CGI variable names due to upcasing and replacement of some separator characters with underscores. It's exacerbated by the fact that different web servers use different rules, particularly with regard to how non-alphanumeric characters are handled. Some are turned to underscores, and some are left alone, resulting in strange or even technically invalid CGI variable names.

The unpredictability makes it difficult to prevent a client from sending a creatively malformed header that will map to an expected CGI variable reserved by an application for a particular user attribute. The techniques used to "clear" client-sent headers that might conflict were inadequate.
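
The many-to-one mapping described above, as an added example (not code from the post, the wiki page, or Shibboleth): it shows why clearing client headers by exact name is inadequate and how clearing by mapped CGI variable name closes the gap. The header names and the two normalisation rules are hypothetical, constructed to stand in for the differing web-server behaviours the text mentions.

```python
import re

# Hypothetical headers an access-control module sets for the application.
RESERVED_HEADERS = ["X-Attr-Affiliation", "X-Attr-Entitlement"]

def cgi_name_strict(header):
    """Assumed server rule A: upcase, every non-alphanumeric becomes '_'."""
    return "HTTP_" + re.sub(r"[^A-Z0-9]", "_", header.upper())

def cgi_name_lenient(header):
    """Assumed server rule B: upcase, only '-' becomes '_', rest left alone."""
    return "HTTP_" + header.upper().replace("-", "_")

RULES = (cgi_name_strict, cgi_name_lenient)

def clear_exact(headers, reserved=RESERVED_HEADERS):
    """Inadequate clearing: drops only case-insensitive exact name matches."""
    names = {h.lower() for h in reserved}
    return [(k, v) for k, v in headers if k.lower() not in names]

def clear_by_mapping(headers, reserved=RESERVED_HEADERS):
    """Drops any header that maps to a reserved variable under any rule."""
    blocked = {rule(h) for h in reserved for rule in RULES}
    return [(k, v) for k, v in headers
            if not any(rule(k) in blocked for rule in RULES)]

def to_cgi_env(headers, rule):
    """Builds the CGI environment; colliding names overwrite each other."""
    return {rule(k): v for k, v in headers}

# Constructed request: three spellings that can reach the same variable.
CLIENT_HEADERS = [
    ("Host", "app.example.edu"),
    ("X-Attr-Affiliation", "client-supplied"),
    ("X_Attr_Affiliation", "client-supplied"),
    ("X.Attr.Affiliation", "client-supplied"),
    ("Accept", "text/html"),
]

if __name__ == "__main__":
    weak = to_cgi_env(clear_exact(CLIENT_HEADERS), cgi_name_strict)
    print("after exact-name clearing:", weak.get("HTTP_X_ATTR_AFFILIATION"))
    print("after mapped-name clearing:", clear_by_mapping(CLIENT_HEADERS))
```
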

Hear About Wisconsin PKI Deployment at June 1 Seminar

Created by Elisa Coghlan (EDUCAUSE) on May 25, 2006
Tune in June 1 to hear about a PKI deployment at the University of Wisconsin–Madison from the university's PKI project manager, Nicholas Davis. This event is free, but registration is required. Unable to tune in? Listen later by visiting the archives.

Identity Management Study Released by ECAR

Created by Elisa Coghlan (EDUCAUSE) on April 19, 2006
Identity Management in Higher Education: A Baseline Study, by Ronald Yanosky with Gail Salaway, is the latest research study from ECAR. Key findings and a roadmap are publicly available; the full study is accessible to ECAR members and through purchase.

E2005 Podcast: Leveraging Guest Accounts

Created by Podcaster (EDUCAUSE) on March 30, 2006
This 47 minute recording provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled Leveraging Guest Accounts for Ubiquitous Web Sign-On System Acceptance.

E2005 Podcast: 802.1x: Adapting Wireless Authentication to the Wired World

Created by Podcaster (EDUCAUSE) on January 30, 2006
This 44 minute recording provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled 802.1x: Adapting Wireless Authentication to the Wired World.

E2005 Podcast: Delivering Storage via WebDAV

Created by Podcaster (EDUCAUSE) on January 25, 2006
This 46 minute recording provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled Delivering Shared, Authenticated, Ubiquitously Accessible Storage via WebDAV.

Cross-border Shibboleth systems gain traction

Created by Stuart Yeates (University of Oxford) on December 26, 2005

Shibboleth is an authorisation standard from Internet2, built on existing standards; its key strength is that it allows institutions and resource or service providers to be completely decoupled. A number of important players have rolled out Shibboleth, including Athens, which already provides access services across the board in UK higher education and to significant numbers in the NHS (the National Health Service).

The National Science Foundation (NSF) and the Joint Information Systems Committee (JISC) are also funding a number of trial resource and service providers, such as Digital Anthropology Resources for Teaching (DART) and Spoken Word Services to ensure that both the institutional end and the provider end of the system reach critical mass and are adopted in the real world.

Shibboleth is great because it enables students and academics easy access to resources they need, while preserving the types of reader anonymity that librarians are traditionally concerned with; it allows resource holders to make available resources while tracking the type and manner of access and billing as necessary; it allows institutions to trace which resources are being used by which types of staff and student; and it provides funding bodies with the detailed statistics on which of the resources they are funding are being used, by which institutions.

The case for Shibboleth

Created by Stuart Yeates (University of Oxford) on September 19, 2005

Shibboleth is the next wave of authentication and authorisation software from the Internet2 crowd. To be clear, Shibboleth isn't a silver bullet; it is a large and complex system which will be non-trivial to roll out. But it is becoming clear to me that there are some institutions in which the business case for Shibboleth (or something like Shibboleth) is very strong. These include:

 

  1. Institutions in consortia with a tension between sharing information (student records, staff records, course materials, etc) and hiding information (to prevent rival institutions "poaching" staff and students). Shibboleth allows fine-grain control over which groups of people have access to what information, and because it can be truly distributed, without a "main server," no institution has to hand over unnecessary data to another institution.
  2. Educational institutions with embedded medical, military or similar institutions wanting integrated systems. It's very hard to imagine how you can balance the legal requirements of medical records and case notes (which are now digital and which need to be used in training doctors) with the requirements of an educational institution, without the flexibility of Shibboleth.
  3. Large institutions which function as a single entity but which are actually several legal entities whose activities are technically and financially separate. The most obvious candidates here are collegiate universities (such as Oxford and Cambridge in the UK) and institutions with religious affiliation which preserve a separation of interests.