Start date: 1 April 2007
End date: 31 March 2009
Funding programme: e-Infrastructure programme
Project website: http://www.kidderminster.ac.uk/cuckoo
JISC theme(s): Access management, e-Research
Committees: JISC Support of Research committee
Background
Core middleware services such as identity management, directory, and authentication provide a foundation for secure, manageable applications throughout an institution or federation. However, in most institutional community collaborations, user confidentiality is a concern that presents a real problem for Virtual Organisations (VOs). Members may belong to more than one real organisation, such as Foundation Degree students within the HE-FE environment, who move in and out of the federated structure. Sharing resources across these HE-FE institutional boundaries often raises security difficulties, as VO membership may be more (or indeed less) formal in a HE-FE environment. Cardiff University and Kidderminster College have been very active over the past three years in Shibboleth development and research.
Aims and Objectives
The aim of the project is to research, implement and demonstrate Shibboleth Virtual Organisations (VOs) and on-line collaboration tools. The project will build on and incorporate work already done, such as the attribute release policy mapping highlighted in the ShARPE and MyVOCS projects.
The project will research how Shibboleth 2.0 will affect these tools and solutions. Within Virtual Organisations, creating, managing, and supporting groups can be challenging. An open source toolkit such as Grouper is designed to function as the core element of a common infrastructure for managing group information across integrated applications and repositories. The project will research and report on these authorisation and service provisioning decisions, including issues such as allowing portals to personalise content and provide role information to applications.
The project will have a number of key objectives:
- Review the VO tools and concepts put in place by other projects and catalogue their relevant data and findings, such as those of ShARPE, whose aim was to manage the creation and maintenance of users' attributes through an Attribute Release Policy (ARP) mechanism bolted on to Shibboleth.
- Investigate good privacy protection for users, which in the Shibboleth Identity Provider (IdP) and Service Provider (SP) architecture is based on granting access to a resource according to a user's role rather than their identity. How will this affect the HE-FE environment, where mapping attributes between different schemas can be problematic and complex?
- Review the selection of Virtual Organisation tools and whether a single tool or site can satisfy all requirements while maintaining the quality of collaboration. Will users suffer and collaborations be hampered if the wrong tools are selected?
- Highlight the difficult problems of tool selection, identity management and access control in both Shibboleth 1.3 and Shibboleth 2.0.
- Investigate the management of permissions and access control in a HE-FE environment with the Signet tool, which provides a framework for transforming processes and policies into rules that govern access to systems.
- Create demonstrators for JISC-related events and documentation for both HE and FE.
Project Methodology
The project will have two distinct phases:
Phase one of the project will consolidate and review existing national and international tools for the establishment and development of Virtual Organisations (VOs), such as myVocs, Grouper and Signet. This will be achieved by researching, demonstrating, and producing papers and reports on how these tools and developments work in the real world of HE-FE. This will involve working with the community who would really benefit from the UK Federated Access Management structure: students and institutional staff.
The second phase will deal with the arrival of Shibboleth 2.0 and its potential new capabilities within Virtual Organisations, not forgetting that the UK Federated Access Management will stay with Shibboleth 1.3 for some time.
With the Shibboleth mantra of “open source, open standards, and open architectures”, we will explore how these new VO tools and developments aid or hinder these cross-collaborative HE-FE environments. Will they provide the most compatible, secure, and flexible access regarding shared collaborative resources, sharing via portal entrances (SSO) and Federated Access?
Research from phase one of the project will be vital in assessing and reporting back to the HE-FE lead bodies, having compared VO tools within Shibboleth 1.3 and Shibboleth 2.0 together with the various requirements and scenarios, in order to provide solutions for institutions.
Anticipated Outputs and Outcomes
The main project deliverables will be as follows:
- Review of current VO tools and their effect in the HE-FE communities, presented in a report
- Installation of Shibboleth 2 IdP and SP, with the associated lessons learnt and documentation
- Testing and reporting on how the current VO tools work with Shibboleth 2
- Report on the Signet and Grouper combination and their components with Shibboleth 2
- Creation of project demonstrators and dissemination to HE-FE and JISC/RSCs
- Feedback to SWITCH, MAMS and other projects working with Shibboleth 2.0
- Project paper and report on findings
- Project website, which will be maintained for three years after project completion
- Feedback to the UK FAM
The primary benefit to the JISC community will be the improved understanding of VO tools and their interaction with Shibboleth 2.
Technology briefings will help those who wish to find clear and impartial information about the benefits and drawbacks of technical solutions for VO tools.
Other benefits such as user privacy and security will unlock an even broader range of benefits for the JISC community and contribute both to the aim of this call and to other related JISC development programmes and projects.
Additional benefits from the project outcomes (associated with the project deliverables) will come from the project's involvement with the wider VO community in Europe.
Project demonstrators will be useful for support purposes and as an aid to implementation, thereby increasing the growth of the UK FAM community of UK HE-FE institutions who will be aware of the strategic and technical issues of identity management and VO tools.
Technology/Standards Used
| Technology | Version | Notes |
|---|---|---|
| SAML | 1.1 | Developed by the OASIS Security Services Technical Committee; an XML-based framework for communicating user authentication, entitlement, and attribute information |
| SAML | V2.0 | OASIS Standard |
| OpenSAML | 2.0 | |
| Shibboleth Protocol | 1.3 and 2.0 | In conjunction with JISC recommendations |