Authorization

This 41 minute podcast features a session from the EDUCAUSE 2007 Annual Conference entitled, "Extending Enterprise Authentication and Authorization in Higher Education: Building on the Success of Project METEOR". A PowerPoint slide show is also available for this session.

Enterprise authentication, authorization, and federated trust are increasingly important in enabling access to a wide swath of applications that use campus-based credentials. Their use makes access easier and more secure. A review of the successful METEOR federation and the EA2 Task Force work offer insight on how to move forward.

This session features:

• Timothy Cameron, Project Manager, The METEOR Project, NCHELP
• Charles F. Leonhardt, Principal Technologist, Georgetown University

 

The CAMP workshop, "Charting Your Authentication Roadmap," February 7-9, in Tempe, Arizona, is now open for registration. Participants will learn more about how to position campus authentication and related identity management processes to support secure access when working with sister institutions, research collaborators and other external partners, industry, and the federal government. Read more about the program scope. Peruse other resources on authentication and identity management.

Register for the Nov. 7-9 CAMP Workshop in Denver to learn about implementing a distributed access management infrastructure to support enterprise authorization services.

A security vulnerability has been found in the Shibboleth from the Internet2. If you are running Shibboleth in anger, update to the latest version immediately. From the wiki page:

The cause of the bug is the many-to-one mapping of header names to CGI variable names due to upcasing and replacement of some separator characters with underscores. It's exacerbated by the fact that different web servers use different rules, particularly with regard to how non-alphanumeric characters are handled. Some are turned to underscores, and some are left alone, resulting in strange or even technically invalid CGI variable names.

The unpredictability makes it difficult to prevent a client from sending a creatively malformed header that will map to an expected CGI variable reserved by an application for a particular user attribute. The techniques used to "clear" client-sent headers that might conflict were inadequate.

newsforge are carrying an excellent (and not too geeky) guide to LDAP.

Identity Management in Higher Education: A Baseline Study, by Ronald Yanosky with Gail Salaway, is the latest research study from ECAR. Key findings and a roadmap are publicly available; the full study is accessible to ECAR members and through purchase.

This 46 minute recording provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled Delivering Shared, Authenticated, Ubiquitously Accessible Storage via WebDAV.

Shibboleth is an authorisation standard from internet2, built on existing standards, it's key strengths are that it allows institutions and resource or service providers to be completely decoupled. A number of important players have rolled out Shibboleth, including Athens which already provides access services access the board in UK higher education and to significant numbers in the NHS (the National Health Service).

The National Science Foundation (NSF) and the Joint Information Systems Committee (JISC) are also funding a number of trial resource and service providers, such as Digital Anthropology Resources for Teaching (DART) and Spoken Word Services to ensure that both the institutional end and the provider end of the system reach critical mass and are adopted in the real world.

Shibboleth is great because it enables students and academics easy access to resources they need, while preserving the types of reader anonymity that librarians are traditionally concerned with; it allows resource holders to make available resources while tracking the type and manner of access and billing as necessary; it allows institutions to trace which resources are being used by which types of staff and student; and it provides funding bodies with the detailed statistics on which of the resources they funding are being used, by which institutions.

Shibboleth is the next wave of authentication and authorisation software from the Internet2 crowd. To be clear, Shibboleth isn't a silver bullet, it is a large and complex system which will be non trivial to roll out for. But it is becoming clear to me that there are some institutions in which the business case for Shibboleth (or something like Shibboleth) is very strong. These include:

 

1. Institutions in consortia with a tension between sharing information (student records, staff records, course materials, etc) and hiding information (to prevent rival institutions "poaching" staff and students). Shibboleth allows fine-grain control over which groups of people have access to what information, and because it can be truly distributed, without a "main server," no institution has to hand over unnecessary data to another institution.
2. Educational institutions with embedded medical, military or similar institutions wanting integrated systems. It's very hard to imagine how you can balance the legal requirements of medical records and case notes (which are now digital and which need to be used in training doctors) with the requirements of an educational institution one, without the flexibility of Shibboleth.
3. Large institutions which function as a single entity but which are actually several legal entities whose activities are technically and financially separate. The most obvious candidates here are collegiate universities (such as Oxford and Cambridge in the UK) and institutions with religious affiliation which preserve a separation of interests.

 

"[...] The Apache Foundation has hit a roadblock in implementing WS-Security - one of the many Web services specifications that the WS-I made a priority and that was subsequently produced under the auspices of OASIS' patent policy. Wrote report author Paul Krill, "Although WS-Security is available for implementation royalty-free, it still must be licensed from Microsoft and IBM. Apache has raised concerns about this, mostly pertaining to a non-transfer clause that appears incompatible with Open Source licenses that allow for uninhibited transfer of technologies, Apache officials said.""

Full Story

tags: opensource uk patents ipr tntellectual property rights apache oasis