A brief introduction to Shibboleth
Strictly speaking, 'Shibboleth' is a set of policies and protocols designed "to support inter-institutional sharing of web resources subject to access controls" developed by Internet2 in the US. In practice, it's a system providing an access control system for web-based resources similar to that currently provided by Raven, but extended to support users from multiple organisations accessing web resources provided by other independent organisations.
These extensions make Shibboleth more complex than the current Raven service, but from a user perspective there is little difference. On initially accessing a Shibboleth-protected resource, a user is asked to select a service willing to identify them (an 'Identity Provider', or 'IdP'). For University users this is a service operated by the Computing Service as part of Raven. Having selected the University's IdP, the user sees a standard Raven login screen and on completing the login process sees the resource they wanted, providing they are authorised to access it. Access to further resources, even if provided by different organisations, uses information already gathered and the existing Raven login to speed the process.
Shibboleth-protected resources make access control decisions based on attributes supplied by the user's IdP. These attributes may include a user's real-world identity but this may not be necessary. For example, access to some resources is available to any current member of the University. Using only an attribute that asserts this relationship helps to preserve the user's privacy, and reduces the Data Protection issues surrounding the operation of IdPs and protected services. Where necessary, Shibboleth also supports release of non-anonymous attributes where required. For University users, attribute values will be derived from information in lookup.
An initial application for Shibboleth will be the control of access to on-line journals and databases. In the UK, access to many such resources is currently managed by Athens, but the current central funding for this by JISC will cease in July 2008 (though the service will remain available on a subscription basis). It is JISC's intension that current Athens use will transition to Shibboleth. In the short term, JISC have sponsored a 'Gateway' that allows current Athens resources to be accessed via Shibboleth.
Beyond this initial use, groups such as the e-science community are actively investigating using Shibboleth in their particular areas. It is already being adopted for various purposes in the US, Europe and Australia. Shibboleth is being developed in an open collaborative fashion and is itself based on open standards such as SAML. A significant benefit of this open approach is that built-in support for Shibboleth is already appearing in commercial and open source software products. It is likely that in due course we will want to support its use within the University in parallel with the current Raven service.
Shibboleth can be deployed in many ways. At its simplest the necessary trust relations can be established by bilateral agreements between IdPs and a corresponding 'Service Providers' ('SPs'). However this scales badly, so it is usual to establish 'federations' of IdPs and SPs who mutually agree technical and policy issues to enable all their members to inter-work. In the UK, the UK Access Management Federation for Education and Research fulfils this function and is supported by JISC and Becta. The University joined the federation in January 2007. It is likely that a less formal 'University of Cambridge' federation would prove useful to support Shibboleth deployments contained entirely within the University.