Shibboleth at Stanford
In an academic environment, there is frequently a need to share resources and research across institutional boundaries. Researchers collaborate with colleagues from other universities, students take classes that are taught by faculty from other places, and journals and academic resources are available across many colleges, research institutes, and libraries. Our current IT environment doesn't make these kinds of interactions easy. The only way to access restricted (i.e. WebAuthed) Stanford materials is by creating sponsored SUNetIDs for everyone who needs access. Similarly, accessing resources at our peer institutions requires creating accounts in their local authentication structure. This doesn't scale well, requires remembering lots of passwords, and figuring out how to sign up (and get sponsored) for all of these authenticators is frequently a pain.
Shibboleth is an Internet2 consortium project that solves this problem by creating a concept of federated identity management. Any set of parties who use Shibboleth can create a trust relationship between their authentication systems, and service providers (websites that require authentication) can allow access not only to users with local authenticated credentials, but can trust users with credentials from federated authentication services as well.
Stanford is looking to join a couple of large (dozens of participating institutions), general-purpose federations as part of the Shibboleth project (InCommon and InQueue), and will set up a process for joining other federations, many of which are special-purpose and may only have a few members.
Down the road, there's an opportunity for Shibboleth to unite the various authentication systems at Stanford, including the stanford.edu Kerberos realm and the win.stanford.edu Active Directory domain, in a locally maintained federation. Other authentication entities at Stanford could also choose to participate. Shibboleth may also turn out to be the best answer for providing WebAuth-like service to Windows servers running IIS, as Shib has a more mature Windows presence than WebAuth does.
There are 6 main deliverables for the Shibboleth project:
Build and package a Shibboleth identity provider that will allow Shibboleth to interface with Stanford's Kerberos realm.
Package a client Shibboleth-interface kit similar to Stanford's WebAuth packages.
Bring up at least one service provider at Stanford that uses Shibboleth, and enable Stanford users to use at least one remote Shibboleth-authenticated service.
Join Stanford to the InCommon and InQueue Shibboleth federations.
Create an ongoing process by which Stanford can join new federations.
Modify Stanford policy to allow the IT Services Kerberos 5 realm to assert stanford.edu identity to federated service providers.
The Shibboleth project team is Bruce Vincent, in charge of policy and process; Scotty Logan, who has written extensions to our LDAP infrastructure to support Shibboleth-based directory access; Quanah Gibson-Mount and Russ Allbery, packaging and production readiness; Digant Kasundra, client deployment; and Jon Pilat, project manager. Lois Brooks from SULAIR has been instrumental in getting this project moving, and John Freshwaters is the project sponsor.