EDUCAUSE | Authorization

E07 Podcast: Extending Enterprise Authentication and Authorization in Higher Education

gbayne — Thu, 04 Sep 2008 18:30:43 -0500

This 41 minute podcast features a session from the EDUCAUSE 2007 Annual Conference entitled, "Extending Enterprise Authentication and Authorization in Higher Education: Building on the Success of Project METEOR". A PowerPoint slide show is also available for this session.

Enterprise authentication, authorization, and federated trust are increasingly important in enabling access to a wide swath of applications that use campus-based credentials. Their use makes access easier and more secure. A review of the successful METEOR federation and the EA2 Task Force work offer insight on how to move forward.

This session features:

Timothy Cameron, Project Manager, The METEOR Project, NCHELP
Charles F. Leonhardt, Principal Technologist, Georgetown University

February CAMP to Focus on Authentication and Related Identity Management Processes

cluckett — Tue, 21 Nov 2006 11:06:58 -0600

The CAMP workshop, "Charting Your Authentication Roadmap," February 7-9, in Tempe, Arizona, is now open for registration. Participants will learn more about how to position campus authentication and related identity management processes to support secure access when working with sister institutions, research collaborators and other external partners, industry, and the federal government. Read more about the program scope. Peruse other resources on authentication and identity management.

CAMP Workshop: Distributed Access Management Infrastructures--Register Now

cluckett — Thu, 31 Aug 2006 11:13:08 -0500

Register for the Nov. 7-9 CAMP Workshop in Denver to learn about implementing a distributed access management infrastructure to support enterprise authorization services.

Shibboleth security vulnerability

StuartYeates — Tue, 27 Jun 2006 10:43:30 -0500

A security vulnerability has been found in the Shibboleth from the Internet2. If you are running Shibboleth in anger, update to the latest version immediately. From the wiki page:

The cause of the bug is the many-to-one mapping of header names to CGI variable names due to upcasing and replacement of some separator characters with underscores. It's exacerbated by the fact that different web servers use different rules, particularly with regard to how non-alphanumeric characters are handled. Some are turned to underscores, and some are left alone, resulting in strange or even technically invalid CGI variable names.

The unpredictability makes it difficult to prevent a client from sending a creatively malformed header that will map to an expected CGI variable reserved by an application for a particular user attribute. The techniques used to "clear" client-sent headers that might conflict were inadequate.

Shibboleth an authentication and authorisation framework and is most commonly presented to web surfers as some variant of "single sign on." I'm lucky that the project I'm using Shibboleth on (the Sakai VRE demonstrator project) is not yet in production mode and because we're not actually protecting any resources or serving any real users we can just shut it down until we have time to upgrade. Even though it doesn't let anyone access anything, we can't leave it up because Shibboleth presents user attributes (or properties) thus potentially leaking user information.

Non-geeky guide to LDAP

StuartYeates — Thu, 27 Apr 2006 07:42:26 -0500

newsforge are carrying an excellent (and not too geeky) guide to LDAP.

Identity Management Study Released by ECAR

ecoghlan — Wed, 19 Apr 2006 10:27:18 -0500

Identity Management in Higher Education: A Baseline Study, by Ronald Yanosky with Gail Salaway, is the latest research study from ECAR. Key findings and a roadmap are publicly available; the full study is accessible to ECAR members and through purchase.

E2005 Podcast: Delivering Storage via WebDAV

podcaster — Wed, 25 Jan 2006 18:08:45 -0600

This 46 minute recording provides coverage of the 2005 EDUCAUSE Annual Conference Session entitled Delivering Shared, Authenticated, Ubiquitously Accessible Storage via WebDAV.

Cross-border Shibboleth systems gain traction

StuartYeates — Mon, 26 Dec 2005 04:19:18 -0600

Shibboleth is an authorisation standard from internet2, built on existing standards, it's key strengths are that it allows institutions and resource or service providers to be completely decoupled. A number of important players have rolled out Shibboleth, including Athens which already provides access services access the board in UK higher education and to significant numbers in the NHS (the National Health Service).

The National Science Foundation (NSF) and the Joint Information Systems Committee (JISC) are also funding a number of trial resource and service providers, such as Digital Anthropology Resources for Teaching (DART) and Spoken Word Services to ensure that both the institutional end and the provider end of the system reach critical mass and are adopted in the real world.

Shibboleth is great because it enables students and academics easy access to resources they need, while preserving the types of reader anonymity that librarians are traditionally concerned with; it allows resource holders to make available resources while tracking the type and manner of access and billing as necessary; it allows institutions to trace which resources are being used by which types of staff and student; and it provides funding bodies with the detailed statistics on which of the resources they funding are being used, by which institutions.

Of course, all this power and flexibility comes at a cost, Shibboleth is substantially more complex than some other systems and implemented in such a way as to loose much of its flexibility, particularly in the providers demand detailed information on individuals.

The case for Shibboleth

StuartYeates — Mon, 19 Sep 2005 02:58:16 -0500

Shibboleth is the next wave of authentication and authorisation software from the Internet2 crowd. To be clear, Shibboleth isn't a silver bullet, it is a large and complex system which will be non trivial to roll out for. But it is becoming clear to me that there are some institutions in which the business case for Shibboleth (or something like Shibboleth) is very strong. These include:

Institutions in consortia with a tension between sharing information (student records, staff records, course materials, etc) and hiding information (to prevent rival institutions "poaching" staff and students). Shibboleth allows fine-grain control over which groups of people have access to what information, and because it can be truly distributed, without a "main server," no institution has to hand over unnecessary data to another institution.
Educational institutions with embedded medical, military or similar institutions wanting integrated systems. It's very hard to imagine how you can balance the legal requirements of medical records and case notes (which are now digital and which need to be used in training doctors) with the requirements of an educational institution one, without the flexibility of Shibboleth.
Large institutions which function as a single entity but which are actually several legal entities whose activities are technically and financially separate. The most obvious candidates here are collegiate universities (such as Oxford and Cambridge in the UK) and institutions with religious affiliation which preserve a separation of interests.

Once such institutions have blazed a trail, Shibboleth should "just work" with a significant number of educational systems, making it an logical choice for the less motivated institutions in the next round of upgrades (or even the round after next for the very conservative).

It should also be remembered that the librarians love Shibboleth because it can enable return to anonymous reading and uphold other parts of the ALA's The Freedom to Read Statement. Unfortunately, I'm unaware of any institutions in which librarians, or civil-rights arguments, are taken sufficiently seriously as to motivate broad changes in internal business systems.

Shibboleth should also be welcomed because it is an open standard, allowing diverse applications and systems to communicate effectively. By enabling competition between application and system vendors, open standards drive effectiveness interoperability, lower prices and enable open source applications to talk to proprietary ones.

Apache falls victim to OASIS patent shelter

StuartYeates — Mon, 18 Jul 2005 02:46:00 -0500

"[...] The Apache Foundation has hit a roadblock in implementing WS-Security - one of the many Web services specifications that the WS-I made a priority and that was subsequently produced under the auspices of OASIS' patent policy. Wrote report author Paul Krill, "Although WS-Security is available for implementation royalty-free, it still must be licensed from Microsoft and IBM. Apache has raised concerns about this, mostly pertaining to a non-transfer clause that appears incompatible with Open Source licenses that allow for uninhibited transfer of technologies, Apache officials said."

Full Story

tags: opensource uk patents ipr tntellectual property rights apache oasis