Jim Temple, Library Manager for Trafford College, and Chrissie Turkington from the RSC NW discuss the Shibboleth system of authentication for online resources.
Jim and Chrissie explain how Shibboleth provides the opportunity for single sign-on to resources such as Britannica Online. They cover some of the issues, such as what the UK Access Management Federation is, and dispel some of the myths, including how much it really costs.
Find a full transcript of the podcast below.
Kevin Hickey and Chrissie Turkington from JISC RSC NW talking with Jim Temple from Trafford College about the Shibboleth system of authentication.
00:03 Kevin Hickey: Hi, and welcome to the November 2009 Edition of JISC Regional Support Center in Northwest e-learning best practice podcast.
00:16 KH: I am here, on a horrible Tuesday in October, I am here in Trafford College and I am here with Jim Temple as well as Chrissie Turkington. So first of all would you like to introduce yourselves.
00:29 Jim Temple: Right. Well I am Jim Temple so I am the library manager for this cyber technology center site and hopefully I am going to tell you about Shibboleth today.
00:43 Chrissie Turkington: And I am Chrissie Turkington I am the Senior Advisor of JISC Regional Support Center in the Northwest.
00:49 KH: Okay. So Jim as you said we’re going to talk about something called Shibboleth. So first of all what is Shibboleth?
00:58 JT: Well, my understanding of the origin of the name Shibboleth comes from Greek mythology I believe, with one tribe wanting some password that the opposing tribe couldn’t use and the word Shibboleth cannot be pronounced correctly by the opposing tribe so that when they were approached by one of their enemies that they would demand they give the password and because they wouldn’t be able to pronounce it. So that’s my – I think that’s my understanding of the origin of it.
01:34 CT: Then I think you might have got beheaded or something like that. [Laughter] So a primitive form of authentication.
01:41 JT: Exactly.
01:42 KH: So what is the meaning in this context first of all.
01:47 JT: Okay. [chuckle] I’ll give my interpretation first, Chrissie, you can clear when I go wrong. So it means authentication that, rather than the host, the provider, having to have the full details of an individual who is going through to access the resource, the institution they’re authenticating from, they hold the full details, and the only detail they’re having to release is the fact that they are a valid member of that institution. And that’s kind of the main difference that I understand between access via things like the Athens system that we used to use. Do I know there’s anything else on top of this, Chrissie?
02:39 CT: That’s it in a nutshell really.
02:40 KH: So just to clarify so you’re talking about students accessing resources such as online…
02:49 CT: Online subscription results.
02:50 KH: Online subscriptions. You mentioned Athens previously which is something that was used before Shibboleth? And still is used. So what’s the difference between the two. So you mentioned Shibboleth is basically one sign on… Is that right?
03:11 JT: So that again enables… Because the institution or the individual comes from the place holds all the details they use their authentication they would use to sign on to the local network. And then when they access these resources externally that would be the proof of their status that they give. And then the only thing that has to then feed through the resource is the fact that they are a valid member, a student or a member of staff of that institution.
03:46 CT: Yeah. The credentials are owned by the institution in essence. They are an authority on those credentials. If they change on the network they can no longer access the resources with the previous username and password. It’s all tied into a single sign on system. Whereas in Athens we were actually giving away username details to [04:04] Eduserv to actually act as the authority on behalf of the many providers, which would be different username and password completely. So the whole game is single sign on and to actually give sort of power and authorizing rights to the institution.
04:18 KH: Okay. So that’s a good explanation of what Shibboleth is. So how is it being used here at the college?
04:25 JT: Well the main use we have for it is obviously to access our subscription resources. So the resources they access through the JISC collections. So Online Encyclopedia such as Britannica Online, online journals and magazines and general one file databases and access to the new E-Books for FE collection. There is also a number of the… JISC collections which are, although we don’t pay subscription fee to buy Shibboleth, we authenticate to those get access for our students. So things provided by Mimas, Edina and Services like that.
05:20 CT: Yeah. Have you integrated it with your Moodle or have any plans to?
05:26 JT: I believe there are plans in hand. And I’m not privy to how far on they are. But yes, I mean it’s been very useful here at the college that we have in house, we have recently appointed a new web designer who is kind of bringing together the students intranet along with the Shibboleth access for the resources and tying that all into Moodle as well.
05:57 KH: And so why did you decide to use Shibboleth for this then?
06:00 JT: Right. Well, we had been obviously looking at Shibboleth when the agreement with Athens was coming to an end. Now all this was happening here in the college at the same time as the two colleges were merging together, we came from being North Trafford College and South Trafford College to Trafford college. So in that initial phase, because so much was going on for our first kind of year after the agreement with Athens had finished we actually went with Open Athens. And were then looking to go over to Shibboleth. Now as it transpired one of our COVEs that was being arranged, part of that was included, and an amount of monies that we could use for implementing Shibboleth. So we decided to, at the end of the last academic year to kind of jump straight on to using Shibboleth. So the end of the last academic year we were actually running Open Athens and Shibboleth in parallel. Which, although there were some complications in that swap over, it meant that our current students were still able to use the Open Athens they were familiar with to continue accessing it and gave us some period of time to sort of bed in the Shibboleth access that was up and running for this academic year.
07:32 KH: So how has it affected the way Online Subscriptions have been used?
07:37 JT: Well the main thing is that obviously it makes it easier that you can give one clear message to students that when they want to access a resource it’s the network username and password they will use and you don’t have to go through explaining that if it’s an external resource and you have to use the Athens password which is this. And also it meant that each, well how we used to deal with the Open Athens accounts was that our MIS people would provide me with a spreadsheet for the enrolments that had occurred that month and then I would have to upload those to Athens and create the accounts each month. So whereas us with the Shibboleth access as soon as they got their network account they are up and ready to go on to the Shibboleth enabled resources.
08:40 KH: Have you noticed that there has been any change in the amounts of these resources being used at all?
08:46 JT: It’s kind of early days yet to say for sure. The thing is I mean there is obviously a general trend which anyway we’re sort of engaging students more with using these resources and obviously things like the FE, the Ebooks FE, you know it’s given me a huge resource which is pertinent to our students. In the past one of the problems have been with a lot of the online resources that they’ve been much more focussed on rather than FE, and getting much more resources that are more appropriate for our students, for our students.
09:36 KH: So do you have any advice for anyone using Shibboleth?
09:41 JT: [chuckle] Advice. Well, a very good advice is keeping strong contact with your local JISC RSC. Very helpful. [laughter] I hope you’re going to approve that. [chuckle] The maze of sorting out authentication. I mean yes, seriously they are very helpful, your local JISC RSC should have full contact of, for each of those resources that you’re likely to want to authenticate through Shibboleth which is very useful for getting contact and explaining that you’re swapping over. I mean as I say, there’s extra complication in that we were running Open Athens alongside Shibboleth. So there was often some kind of elongated discussions about, “Oh, you’ve got Athens and you’ve got Shibboleth!”.
10:39 CT: It’s quite difficult.
10:40 JT: It’s slightly complicated. It’s good to have some sort of people within the organization who have some knowledge of it. As I said it’s very useful having a web developer who is able to set up all our WAYFless links.
10:58 KH: So WAYFless links. What are they then?
11:01 JT: So when you authenticate via Shibboleth, the usual process is when you navigate to the resources that you come to, what is known as a Where Are You From link page, or WAYF. So using that link, when you arrive at this page what you then do is choose your institution. By creating a WAYFless link, using the WAYFless link you cut out that step. Because within the link you put the relevant details to take you through to your institution and then it will go straight into the resource ready for authentication.
11:40 CT: The problem with the WAYF at the moment is that there are so many people signed up to the federation, the Where Are You From dropdown list is absolutely massive. It’s full of hundreds of Colleges, Universities, Institutions, Service Providers etcetera. And the problem that students will have is if they go in and actually use the Where Are You From, getting down to Trafford College towards the bottom of that list, will take them a long time. So the idea of the WAYFless link is not to have the students specify that but actually have it embedded in the link. So all they see even though the process still goes forward is to go through the WAYF, all students see is just a box saying please enter your username and password.
12:14 KH: You mentioned something there, you mentioned federation.
12:18 CT: Yeah.
12:18 KH: What is the federation?
12:20 CT: The UK Access Management federation is managed by JANET(UK). I’m gonna sound like a market inspector. [chuckle] They are the people in whom we trust in essence. And the whole idea of Shibboleth is trust agreement between the service provider and the identity provider. The service provider is the provider of the resource. Now that could be the online subscriptions, or that could be the institution that’s providing the resource such as Moodle. The identity provider is the other side of things who’ll provide the identity, the username and password. The UK federation is what both sides sign up to to fulfill the trust agreement to say we will trust, and from a service provider point of view, that the identity provider will provide the information we require and will keep it in a timely fashion and an authoritative fashion. Whereas the service provider argues that they will provide the resources provided this information. So federation is sort of the middle man, through which all this happens. So the UK Access Management federation is doing it on behalf of UK Education. And there’s nothing to stop anybody setting up many federations across you know, different areas of the country. And I believe sort of Bolton has been looking at one. And we’re looking at one across Cumbria as well, the Cumbrian federation so that they can share resources through the federation.
13:35 KH: Okay. And so have you got any ideas on how Shibboleth could be improved? Either of you?
13:43 JT: Oh. [chuckle]
13:45 CT: I think there’s lots of questions about statistics. You know finding a useful piece of software that will analyze the… I can never say that one, statistics in a useful way. That’s what I’m getting at the moment. So I’m trying to find out piece of software that is available or I know a very good manager at a nice sixth form college that might help. I don’t know what you think.
14:13 JT: I’m not sure if I can think of something off the top of the head. But…
14:20 CT: It’s not the [14:20] ____.
14:20 JT: I mean there are… Yeah. I mean I think what I found was some of the actual resource providers that they are a bit hazy about exactly what Shibboleth is what’s involved, Shibboleth. And that can obviously make it slightly difficult at times if things don’t go quite to plan when you’re setting up the WAYFless links or whatever it might be. If the person their end isn’t quite kind of with what Shibboleth is all about. So it will perhaps there was kind of more support for the actual resource providers as well as for ourselves as they institute accesses those resources.
15:06 CT: Yeah. There is still a lot of sort of mystery around Shibboleth along with a lot of myths about Shibboleth as well. I still hear a lot from colleges outside our region. We’ve been very good and very successful and that an awful lot of colleges now have Shibboleth in the northwest. Outside of the region what we’re hearing more and more is people saying it takes a lot to put in place. It’s expensive. And from an FE point of view, it’s not necessarily so. And like you say, you found funding from the Cove to actually get it implemented. Yeah, these things are available. They managed to get licensed all through Cove funding so it is possible today. With it being an Open Source piece of software like I said before. You can change it however you want. You can change graphics on that. You can, you know, customize it however you wish. It’s just getting in place in first place.
15:57 KH: So is it cheaper than Athens? Or is it not that clear cut?
16:05 CT: There are different cuts, are they.
16:06 JT: Yes. I mean but with Athens you got the ongoing cost, you know, a new subscription. I mean with Shibboleth in theory, your really real cost should be from cost of buying box to put it on and then…
16:25 CT: And the time.
16:26 JT: And obviously…
16:27 CT: Yeah.
16:27 JT: The time with your technical people to configure that and support it but once it’s in place, it should be very straightforward.
16:37 CT: If you decided, a third party be wise to install and support that, there’s a cost there but yeah [16:43] ____. So it’s a very difficult question to answer, is it very expensive or not.
16:46 KH: Yes.
16:46 CT: Yeah, where the biggest come from.
16:48 KH: Yeah. That’s [16:48] ____ source. It’s never quite that clear cut…
16:52 JT: It’s not, it’s not. But if it fits into your college plan for single sign on and the plan for the where IT is going to go then, actually, the few costs that are involved with Shibboleth could be beneficial and could actually meet more gains.
17:10 CT: Yes, I mean, yeah, I know they certainly are IT directories kind of came to me down the route of single identity and obviously Shibboleth will be powerful.
17:25 JT: Yeah.
17:27 KH: Okay. Well, have you got any other comments or anything you’d like to say about Shibboleth?
17:42 JT: I’ve got nothing to say, no really. No. There’s plenty of plugs we can say that me and Keith could come out and talk to people. But no we’ve been really pleased and… There’s been a few issues as we’ve gone along but teething troubles I think.
18:00 KH: Well, Chrissie, Jim, thanks for speaking to us today. Thank you.
This podcast was edited using Audacity, with music by Connor O’Brian, which is used under a Creative Commons license.