GOVERNMENT
Internet2 Community Releases Shibboleth Version 2.0
New Major Release of Open Source Federated Authentication Suite Provides Enhanced Functionality; Enables More Seamless Installation and Operation: Internet2 today announced that it has released Shibboleth 2.0, the latest major version of the most widely-deployed federated authentication implementation. Developed by the Internet2 community and its partners around the world, the latest release greatly enhances several key elements of Shibboleth in an effort to ensure interoperability with other commercial and open-source federated identity solutions; to improve personalization and security; as well as to ease installation, management and operation processes. The goal is to provide a more robust and interoperable platform that will help catalyze the worldwide growth of higher education and research federations like the InCommon Federation which serves the U.S. higher education sector and provides a framework for participating organizations to collaborate and share resources using Shibboleth technology. "Shibboleth aims to help our community meet the increasing demand for access to protected online applications and resources as well as to support the growing need for campus-based researchers to use online collaboration tools to support work with peers at other institutions. Shibboleth 2.0 provides an improved platform for exchanging information in a secure and privacy-preserving manner while at the same time reducing the administrative burdens for institutions and their service provider partners," said Ken Klingenstein, Internet2 senior director of middleware and security. "We are grateful for the tremendous collaboration in developing this important new release and look forward to working with the worldwide Shibboleth community to further roll out and refine this technology." Shibboleth 2.0 adds an open source implementation of the OASIS SAML 2.0 standard to the suite of protocol implementations available in previous releases. The software provides a secure, single-sign on mechanism for institutions to enable their users to access protected online resources within their campuses and from their external service provider partners while at the same time protecting individual user privacy. Shibboleth leverages an institution's login and directory systems to authenticate users at their home institution (or "identity provider") and then passes only the relevant information, or "attributes," to the service provider to enable the user access to its online resources. Attributes can include a wide range of information that characterize the user, e.g. identity, permissions at the service provider, employee or student status at the university, class enrollment, age, graduating class, etc. The service provider and institution make agreements on which attributes are needed to make that user eligible to access specific resources. Shibboleth 2.0 enhances the ability for identity providers to use and manage "anonymous identifiers" to protect user privacy but still allow for personalization. The identity provider assigns a persistent unique identifier to a specific user which allows service providers to tailor and improve services based on the needs of that user without knowing their specific identity. For instance, a medical student searching for articles on a specific disease or treatment via an online medical journal could save his or her searches using the anonymous identifier and then build on their research over time. For the user, this is a transparent process; no knowledge of the identifier is needed. "Library users are frustrated with having to remember multiple passwords in order to get their research done. The ability to use Shibboleth to access personalized resources with a single user name and password greatly simplifies the user's experience. Shibboleth's unique anonymous identifier gives the user control over what additional identifiable information (if any) they choose to provide to a vendor, and assures the user's privacy across services," said Holly Eggleston, Assistant Department Head, UC San Diego Library Acquisitions. Shibboleth 2.0 also adds new security features to ensure additional protection of user information. It includes encryption technology specified in the SAML 2.0 standard and provides an improved method for usage logging at the home institution to better track abuse or inappropriate use of the system. From an operational perspective, the new version of Shibboleth makes it easier for IT staff both at the identity provider institution and service provider to install, operate and manage the software. For instance, to participate in a federation, institutions typically are required to implement a directory schema which provides a consistent set of user attributes among the federating organizations. Shibboleth 2.0 allows institutions to utilize their legacy directory schema by translating the data into the federation-specific attributes as needed in real time. In doing so, Shibboleth 2.0 greatly decreases the resources needed to implement the solution. Penn State University, an early adopter of Shibboleth technology and a participant in InCommon, has had much experience in the implementation and operation of the technology and sees many benefits to the new version. "Shibboleth has provided us the unprecedented ability to deliver both improved security and privacy for our users while at the same time greatly enhancing collaboration opportunities," said Kevin Morooney, CIO, Penn State University. "Shibboleth 2.0 removes several implementation barriers from an administration and management standpoint providing a more seamless path for institutions large or small to migrate to a federated environment. Because of this, we believe we will see even more rapid adoption of federations like InCommon." As organizations continue to deploy identity management solutions like Shibboleth, the vision is to move these institutions and their service providers into "trust federations." Federations bring together multiple organizations with common needs into one group or association to leverage the use of a common set of attributes, practices and policies to exchange information about their users and resources to simplify the management of collaborations and transactions. The InCommon Federation which serves the U.S. higher education sector now has close to two million users at close to 80 institutions as well as service providers and continues to rapidly expand. In addition, there are a growing number of state level Federations that include state and municipal governments and the K-12 sector. To support the continued growth of federations, Shibboleth 2.0 enables organizations to seamlessly comply with a federation's policies and practices without changing campus directory infrastructures, and extends automated support for federation processes. For instance, as new service providers or institutions are added to a federation, new "metadata" is required to setup the technical exchange for collaboration. In the past, adding new metadata required IT staff to develop their own methods to update the information. Shibboleth 2.0 automatically downloads the metadata as often as the organization specifies. In addition, as federations continue to proliferate, it becomes increasingly important to support multiple protocols to ensure interoperability between federations. Using Shibboleth, federations and partners that utilize any authentication architecture built on popular standards such as SAML 2.0 and Active Directory Federation Services specifications will have the ability to interoperate and interfederate with any federation or partner utilizing those standards. Beyond the multi-protocol support, Shibboleth offers additional features for the higher education and research communities: management of attribute release policies on a site, group and user basis; policy-based management of attribute acceptance; real scalable support for large-scale federations; and strong support for application integration. Klingenstein added, "Shibboleth 2.0 will play a critical role in helping to realize the vision of creating interconnected trust communities for seamless and secure access to information and services. Over the last year, Shibboleth has moved from being an open source project to a community source project; increasingly, the community is supporting itself and participating in the software development process." Internet2 and its partners announced the release of Shibboleth 2.0 at the annual Internet2 Spring Member Meeting held in Arlington, VA from April 21-23, 2008. Meeting sessions on middleware technology like Shibboleth and InCommon, include: www.internet2.edu/middleware/2008SMM-MW.html For more information on Shibboleth, visit: its Web site. For more information on InCommon, visit: its Web site.