Meeting with Shibboleth's Steven Carmody

2009-09-30 phone meeting with Steven Carmody (Shibboleth project manager; Brown U. IT)

There are a couple of recent developments Steve thinks I should look at: a UK study of federated access UX issues, the Kantara Initiative for identity management, and an ID management toolkit, also from the UK. In follow-up email, he also pointed to these EMC2 discussions.

Most Google Apps services now seem to support integration via SAML. Exceptions still include Chat and POP-based email access.

He's seen a definite trend at Brown. Three years ago, perhaps 90% of classes relied solely on the campus LMS (WebCT). Today, classes are supported by about 15 different services. One is the LMS; others are campus-hosted (Fedora, the library reserves system); still others are external (iTunes U). Instructors and students want a stable experience across all these services, and don't expect to be disrupted when an existing piece of functionality becomes outsourced. In other words, the LMS is no longer a one-stop shop but part of a bigger distributed system.

The distribution isn't just a matter of software; it's also a matter of community. More courses (meaning the human experience of participating in a course rather than "a line item for the local registrar") now include students from other universities or countries. A higher-level French course, for example, may include more "students" from France than from Brown.

This sort of "combined community" is also very common among institutions which are geographically close. There are 6 institutions in Worcester, MA, for example, which allow for cross-registration. The old real-world approach of issuing short-term "affiliate" IDs or giving access by informally accepting another institution's ID card doesn't scale to multiple online services.

COmanage has been active lately. In a few weeks, Steve expects a development version to be running "in the cloud," allowing organizations to instantiate federating containers ("Virtual Organizations", or "VOs"). "Domesticated" services within the container then become accessible to VO members. (E.g., use iCal to subscribe to a particular Bedework "family" calendar. Also working on "Foodle", AKA federated Doodle, to improve group support.) The main focus is to support collaborative work when members come from multiple campuses, but the same mechanisms could be used within a single campus. The big national and international research organizations (such as many of the NSF-funded projects) have special needs here – Steve knows of one group which is still handling "authorization" via a single system-wide "user" and password. A research need which is coming up more often is the ability to determine different privileges in services depending on group memberships within the VO or home organization. It's becoming more important to work from a composite set of groups and memberships. (As Steve says, the job is even more complex for an LMS, with its context-specific roles.)

In May, Atlassian announced that it would be providing "Shibboleth support" (i.e., SAML integration) in Crowd. That work's ongoing.

As part of making public resources more accessible, the federal government is looking into OpenID. But NIST's framework for assessing "level of assurance" has OpenID failing at level 2. SAML is certified at level 2. In the higher ed world of the LMS, a similar example might be using OpenID-level authentication to comment on a blog vs. insisting on registrar-controlled authentication to take an online test. In either case, to support a unified UX we need to support layered federation of IDs and sources.

I asked about InCommon. Steve explained that SAML was originally aimed more at commercial corporate partnerships, where ad hoc agreements on attribute vocabularies and personal data were easiest. Shibboleth aimed at higher education, which needs to support both wider sharing and more selective sharing. Federations have been used to bring some sanity to the space. There are about 25 federations organized by country, and InCommon is the USA federation. (Naturally, this makes it more difficult to connect across countries, and there's growing interest in inter-federation.) When you join InCommon, your metadata enters the common pool and other institutions' metadata is kept up to date for you; in return, you agree to follow the rules (by sending correct EduPerson attributes, for example).
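Three of Steve's points above fit together on the service-provider side: privileges that depend on a composite of home-organization affiliation and VO group membership, a "layered" assurance level so that a low-assurance login can comment but not sit an exam, and the federation rule that an IdP only asserts eduPerson attributes it is entitled to. The block below is an added example to show how those checks compose; it is not Shibboleth, COmanage or InCommon code. It assumes the SP has already verified the assertion's signature against federation metadata, and the scope table, the mapping from SAML authentication context to assurance level, the group names and the policy rules are all constructed for the example.

```python
"""Assurance-aware, composite-group authorization over a federated SAML assertion.

Added example (not Shibboleth, COmanage or InCommon code). Assumes the SP has
already verified the assertion's signature against federation metadata; what
is shown is the policy layer: drop affiliations an IdP may not assert, map the
authentication context to an assurance level, then decide per action from the
home-org affiliation plus VO group membership. All tables below are constructed.
"""
import xml.etree.ElementTree as ET

SAML_URI = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_NS = {"saml": SAML_URI}

# Attribute names from the eduPerson schema, in the OID form used in SAML.
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"          # eduPersonPrincipalName
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"          # eduPersonScopedAffiliation
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # isMemberOf (group names)

# Constructed: the scopes each registered IdP may assert, as federation metadata
# would record them. A scoped value for any other scope is discarded.
ALLOWED_SCOPES = {
    "https://idp.example.edu/idp/shibboleth": {"example.edu"},
    "https://idp.partner.fr/idp/shibboleth": {"partner.fr"},
}

# Constructed: how this service ranks SAML authentication contexts.
# Anything not listed gets level 0, i.e. no assurance at all.
LOA_BY_CONTEXT = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
}

# Constructed policy: a comment needs a level-1 login plus any course group; an
# exam needs level 2, a registrar-backed student affiliation from the home IdP,
# and the "enrolled" group, which the VO (not the home campus) maintains.
POLICY = {
    "comment": {"min_loa": 1, "affiliations": set(),
                "groups": {"vo:french301:enrolled", "vo:french301:guest"}},
    "take_exam": {"min_loa": 2, "affiliations": {"student"},
                  "groups": {"vo:french301:enrolled"}},
}


def make_assertion(issuer, authn_context, scoped_affiliations, groups):
    """Build a constructed, unsigned SAML 2.0 assertion for the demo."""
    def values(vals):
        return "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
    return (
        f'<saml:Assertion xmlns:saml="{SAML_URI}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:AuthnStatement><saml:AuthnContext>"
        f"<saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement>"
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{EPSA}">{values(scoped_affiliations)}</saml:Attribute>'
        f'<saml:Attribute Name="{IS_MEMBER_OF}">{values(groups)}</saml:Attribute>'
        "</saml:AttributeStatement></saml:Assertion>"
    )


def parse_assertion(xml_text):
    """Return (issuer, authn_context, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    ctx = root.findtext(".//saml:AuthnContextClassRef", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return issuer, ctx, attrs


def filter_scoped(issuer, attrs):
    """Keep scoped values only where the issuer is registered for that scope.

    An unscoped value for a scoped attribute is rejected too: rpartition("@")
    yields the whole string as the 'scope', which is never in the table.
    """
    allowed = ALLOWED_SCOPES.get(issuer, set())
    cleaned = dict(attrs)
    for name in (EPPN, EPSA):
        cleaned[name] = [v for v in attrs.get(name, []) if v.rpartition("@")[2] in allowed]
    return cleaned


def authorize(action, assertion_xml):
    """Decide `action` from assurance level, home-org affiliation and VO groups."""
    rule = POLICY[action]
    issuer, ctx, attrs = parse_assertion(assertion_xml)
    attrs = filter_scoped(issuer, attrs)
    if LOA_BY_CONTEXT.get(ctx, 0) < rule["min_loa"]:
        return False
    if not set(attrs.get(IS_MEMBER_OF, [])) & rule["groups"]:
        return False
    affiliations = {v.split("@", 1)[0] for v in attrs.get(EPSA, [])}
    return not rule["affiliations"] or bool(affiliations & rule["affiliations"])


if __name__ == "__main__":
    PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    UNSPEC = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
    home = make_assertion("https://idp.example.edu/idp/shibboleth", PPT,
                          ["student@example.edu"], ["vo:french301:enrolled"])
    guest = make_assertion("https://idp.partner.fr/idp/shibboleth", UNSPEC,
                           ["member@partner.fr"], ["vo:french301:guest"])
    for label, a in (("home", home), ("guest", guest)):
        print(label, "comment:", authorize("comment", a), "exam:", authorize("take_exam", a))
```

The third case worth trying is a partner IdP that asserts `student@example.edu`: the group and the assurance level would pass, but `filter_scoped` discards the affiliation because that IdP is not registered for the `example.edu` scope, so the exam is refused while commenting is still allowed. In a real deployment that table comes from the federation's signed metadata, which is exactly what joining InCommon keeps current for you.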

MACE-Dir (which brought us EduPerson for LDAP) has been working more on SAML attributes lately.

This month EDUCAUSE gave a Catalyst Award to a group of federated identity projects: InCommon, Internet2 Middleware, JISC, and the Swiss SWITCH Federation.

Steve's main message for us and for IMS is that we need to stop thinking about the LMS as a single-institution affair. The online version of a course (or a research project) will include "students", "instructors", "tutors", and so on who aren't necessarily known to the institutional business system.