Notes of a Meeting with David Yakimishak
Chief Technology Officer, JSTOR
New York City, March 31, 2004

Purpose

JSTOR is a principal supplier of electronic journals to higher education. Because more than one thousand U.S. colleges and universities use JSTOR, the technologies selected by JSTOR are significant both to the college or university and, because of “critical mass,” to the information technology industry.

The purpose of this brief visit was to learn about JSTOR’s implementation of Shibboleth authentication. Originally developed for higher education, Shibboleth offers “attribute” authentication rather than individual identity. This preserves some level of anonymity and privacy for the journal reader. In February 2004 the U.S. government made a commitment to commercial implementations of SAML single sign-on that has a similar capability, though pseudo-anonymity was not considered a federal requirement. [1]

The issue for the Sakai and uPortal communities is whether, and if so when, to implement Shibboleth and, similarly, federal e-Authentication.

JSTOR and Authentication

David said JSTOR now supports Shibboleth and some universities are beginning implementation. However, JSTOR will continue to support IP authentication, in which access is permitted from sites with verified IP addresses. (Most colleges and universities have fixed blocks of IP addresses.) He said he expected the use of Shibboleth to increase, especially if Shibboleth were used for other applications. [2]

He said JSTOR supports the current “browser based” implementations of Shibboleth. JSTOR would be interested in supporting portal-based authentication when it becomes available. I commented that Yale University is currently developing an implementation, in conjunction with Yale’s Central Authentication Service (CAS). CAS is the most widely used authentication system in uPortal implementations. [3]

In discussing the federal e-Authentication initiative, David said JSTOR had federal subscribers and if e-Authentication became widely implemented, JSTOR would support e-Authentication as well. (Because e-Authentication is based on commercial software products, corporate users of JSTOR may also prefer e-Authentication to Shibboleth.)

[1] Federal authentication is based on OASIS’ SAML (Security Assertion Markup Language) 1.0 and 1.1 specifications. Staff members from the University of Washington and Ohio State University have made major contributions to the Technical Committee’s work. OSU’s Scott Cantor heads the OpenSAML initiative.

[2] At the forthcoming Spring 2004 Internet2 meeting, the on-line program states: “Over the last year, Shibboleth, the inter-institutional authorization system, has progressed from advanced testing to widespread deployment.”

[3] Based on a presentation by Howard Gilbert at the December 2003 JA-SIG Winter Conference and documents he subsequently provided. These have now been provided to JSTOR.

Jim Farmer, 11 April 2004

The UK’s Joint Information Systems Committee (JISC) has developed a central authentication service known as Athens, and is considering possible future extensions or replacement. [4] David said Athens is supported by JSTOR and is available at both the UK and US server sites. He also pointed out that Shibboleth is supported at both sites. UK universities could use Shibboleth with JSTOR currently.

We also briefly discussed search channels. [5] JSTOR continues to contribute to this community effort.

Observation

Sakai and uPortal will likely need to follow JSTOR’s lead. University users will likely want to have both Shibboleth and the US e-Authentication (and its commercial SAML implementation) to access the full range of information services they will need as students and faculty.

Discussions have begun in the uPortal community about a JSTOR channel that would automatically authenticate the user to JSTOR. This could be a “thin” channel or a “fat” channel. [6] One of the issues is whether authentication would be channel-specific or would rely on the framework. This is an important architectural issue since Sakai expects to implement the OKI authentication OSID. If accommodated, then the JSTOR channel could use the OSID.

Based on David’s comments, uPortal should continue to follow Shibboleth (and e-Authentication), to ensure current architectural decisions support Shibboleth authentication, and expect to develop and deploy a JSTOR channel.

[4] According to the Athens Web Site, “In August 2000, Athens were awarded the JISC (Joint Information Systems Committee) contract for the Provision of Authentication Services to the UK Higher Education and Further Education community. This contract has now been extended to the end of July 2006. The Athens Access Management System provides users with single sign on to numerous web-based services throughout the UK and overseas. Athens was initially deployed in the Higher Education sector in 1996 and has firmly established itself as the de facto standard for secure access management to web-based services for the UK education and health sectors.”

[5] The CREE proposal was subsequently provided to JSTOR. JA-SIG Director Ian Dolphin is the principal investigator for this project.

[6] These terms come from Paul Browning at the University of Bristol. Rather than have all “channels” in the layout, selecting from a list could present the single channel in the window. uPortal now has a detached mode that renders the single channel in the window. When the user is through with that channel, it reverts to the portal’s multi-channel layout. Indiana University has a requirement for a “detached” channel that also includes all of the navigation information from the basic portal presentation.
