Identity Management and Shibboleth

Leading change across distributed IT service providers requires extensive engagement. Implementing identity and access management (IAM) changes requires involvement of a broad spectrum of constituents. Using techniques developed during ERP and other large-scale change initiatives, we engage the university community in developing requirements and architecture for successful IAM changes.

This presentation will describe the identity management infrastructure of the UAB grid computing project, known as UABgrid. Its development is based on accomplishments of two NSF middleware projects at UAB, which focused on building NMI-enabled, open source tools for support of collaboration within virtual organizations that span institutional boundaries, are autonomous, and are collections of attributes. The middleware solution is known as myVocs and uses Shibboleth for identity management and attribution distribution, Globus for distributed computations, and GridShib to bind Shibboleth and Globus. UABgrid is now expanding its grid computing components to include metascheduling of jobs across multiple HPC clusters across the Internet.

Hear from one of Shibboleth's developers how USC is using Shibboleth to provide web-based services to federated guests and secure access to Google Apps. Additionally, this presentation will describe the Shibboleth test environment at USC that provides a quicker, easier, and more secure means for departments to integrate their applications.

More and more institutions are using Shibboleth to address both their on-campus and third-party access requirements. This case study will provide information about federated identity management (specifically, Shibboleth and the InCommon Federation) and how you can get started.

Institutional directory service architects and designers face a number of unique technical challenges in higher education. Directory architects from the University of Southern California and the University of Maryland, Baltimore County, will share lessons learned while developing and implementing directory services at their institutions.

Topics will include designing access controls and institutional object classes; using federation identities, Shibboleth, and administrative tools; managing multiple data sources, members, accounts, and guests; mapping data sources to standard object classes; handling interactive and bulk updates; optimizing and monitoring performance, replication, and integration with external authentication systems; and managing groups and privileges.

The solutions offered are based on 14-plus years of practical experience working with the Netscape/iPlanet/Sun directory products. This seminar will focus on intermediate to advanced issues, and most information will be widely applicable to and suitable for any institutional directory effort.

"OpenID is a single sign-on system for the Internet which puts people in charge. OpenID is a user-centric technology which allows a person to have control over how their Identity is both managed and used online. By being decentralised there is no single server with which every OpenID-enabled service and every user must register. Rather, people make their own choice of OpenID Provider, the service that manages their OpenID. "

This session will provide an overview of the Shibboleth System software, its role within an IdM infrastructure, related concepts, the value it provides, and typical implementation sequences. Shibboleth deployment can be separated into three phases: Web SSO authentication, attribute delivery for authorization, and federated authentication/authorization. This session will explore the effect on existing infrastructure and business processes during each phase.

Many applications (even intracampus) derive benefit from “knowing” something about the browser user. This session will provide an overview of Shibboleth as an option for managing the process of making user attribute information available to distributed applications within a campus. We will also review management and technical topics such as developing a governance process for attribute release, creating appropriate policy and business practices, managing attribute release, and using different data sources for the attribute store. Attendees who are not familiar with identity management are encouraged to attend the preworkshop seminar "Introduction to Identity Management: The Big Picture."

Whether you're implementing your first WebSSO or transitioning to a new one, this session will provide a brief introduction to the concept and business case for intra-campus WebSSO, and an overview of Shibboleth as an option for WebSSO technology and what it does. In addition, the presenters will review technical and management topics such as the minimum IdM services required to get started, an introduction to the Shibboleth architecture and flows, an overview of the installation process, bringing the software from pilot to production, the basics of connecting in applications, required skill sets and resources, deployment costs, as well as policy and business processes.Whether you're implementing your first WebSSO or transitioning to a new one, this session will provide a brief introduction to the concept and business case for intra-campus WebSSO, and an overview of Shibboleth as an option for WebSSO technology and what it does.

For those campuses that have deployed Shibboleth, this technical session will cover advanced topics such as using campus-wide Web SSO, managing metadata for the Web SSO service, avoiding single points of failure, running in a load-balanced environment, and using multiple replicated LDAP servers. It will also explore advanced Shibboleth configuration recommendations and 2.0 features.