Shibboleth - a strategic approach to school web content authentication and authorisation Shibboleth – a strategic approach to school web content authentication and authorisation Shibboleth is a trademark of Internet2 http://shibboleth.internet2.edu/ September 2005 http://www.becta.org.uk Page 1 of 41 © Becta 2005 Technical standards and policy team Becta | Shibboleth - a strategic approach to school web content authentication and authorisation Contents Executive summary..................................................................................................................................4 Strategic context – why a unified authentication and authorisation infrastructure matters......................5 Priority 1 – An integrated online information service for all citizens .................................................5 Priority 2 – Integrated online personal support for children and learners.........................................5 Priority 3 – Develop a collaborative approach to personalised learning activities............................6 Priority 6 – Build a common digital infrastructure to support transformation and reform .................6 Becta and AAI ..........................................................................................................................................7 Shibboleth ................................................................................................................................................9 Introduction...........................................................................................................................................9 The Shibboleth model...........................................................................................................................9 Single sign-on .................................................................................................................................10 Standards........................................................................................................................................10 Attributes.........................................................................................................................................10 Individual privacy ............................................................................................................................10 Federation.......................................................................................................................................10 Service Provider..............................................................................................................................11 Identity Provider ..............................................................................................................................11 The Shibboleth authentication and authorisation process..............................................................11 The benefits of Shibboleth..................................................................................................................12 User and institutional benefits.........................................................................................................12 Benefits for Service Providers ........................................................................................................13 Becta’s Shibboleth pilots........................................................................................................................15 Issues and recommendations ............................................................................................................15 The federation.................................................................................................................................15 Attributes and schemas ..................................................................................................................17 Namespaces ...................................................................................................................................20 Data.................................................................................................................................................21 WAYF..............................................................................................................................................22 Political issues ................................................................................................................................23 Security issues................................................................................................................................24 Limitations.......................................................................................................................................24 Advice for LEAs and RBCs ....................................................................................................................25 Advice for industry partners ...................................................................................................................26 Appendix A – Becta’s Shibboleth pilots .................................................................................................27 LGfL project scope and deliverables......................................................................................................27 Build specifications.............................................................................................................................27 Identity Provider build specification ................................................................................................28 Service Provider build specification ................................................................................................28 Federation interface requirements..................................................................................................29 WAYF specification.........................................................................................................................29 Security requirements.........................................................................................................................30 Interoperability requirements..............................................................................................................31 Contractual agreements .....................................................................................................................31 Acceptance tests ................................................................................................................................31 Evaluation...........................................................................................................................................31 National strategy.................................................................................................................................32 LGfL project conclusion......................................................................................................................32 September 2005 http://www.becta.org.uk Page 2 of 41 © Becta 2005 Technical standards and policy team Becta | Shibboleth - a strategic approach to school web content authentication and authorisation WMnet project scope and deliverables ..................................................................................................33 Pilot details .........................................................................................................................................34 Identity Provider documents...............................................................................................................34 Service Provider documents ..............................................................................................................35 Pilot demonstration.............................................................................................................................35 National issues ...................................................................................................................................36 WMnet pilot conclusion.......................................................................................................................37 Appendix B – possible federation model................................................................................................38 Service provision.............................................................................................................................38 Federation members.......................................................................................................................38 Registration Bases..........................................................................................................................38 Federation partners.........................................................................................................................39 Operations Manager .......................................................................................................................40 Federation Service Team................................................................................................................40 Federation Steering Group .............................................................................................................40 Costs ......................................................................................................................................................40