| USMAI Consortium of Libraries |
| University System of Maryland and Affiliated Institutions |
The USMAI libraries offer a host of different web services. Each of these services requires some authentication for use, and each has its own separate authentication mechanism. To better serve the libraries' patrons, it is desirable to have single sign-on (SSO) across these products, so that patrons can log into any of these services once and have access to all of them without having to log in again.
Furthermore, institutions within the USMAI consortium are at varying stages of reviewing their identity management. Some institutions provide portals or SSO at the campus level, with a single login that faculty, students, etc. are familiar with. It would be beneficial for the libraries and their patrons if the libraries coordinated with these campus-level efforts, in order to be integrated into the institutions' portal/SSO and identity management plans.
The libraries have implemented an authentication infrastructure to help achieve these goals. Enter Shibboleth.
The Shib Project
About Shibboleth
Shibboleth is an open source project that provides an architecture, a standard protocol, and policy structures for managing access to resources. It requires the coordination of identity providers and service providers. When a user attempts to access a resource served by a service provider, the identity provider handles the authentication of the user and gives the service provider just enough information about the user for the service provider to authorize access to the resource. All of this communication can be handled in a secure manner. More information is available from the Shibboleth open source project at http://shibboleth.internet2.edu.
Shibboleth in the Libraries
How can the libraries benefit from shibboleth?
- The most obvious and immediate benefit that the libraries could have from a shibboleth implementation is single sign-on between their services. These services include, but are not limited to, Researchport, EZProxy, SFX, ILLiad, and Aleph (the library catalog). Other services that may be included in the future are Fedora, DigiTool and DRUM.
- Secure method of authentication. All communication is over SSL-secured channels.
- Patron privacy protection. Shibboleth can control the amount of information that the identity provider releases to the service provider about the patron. For instance, for EZProxy to authorize a user, the identity provider only has to assert that the user is a member of the institution, without releasing any personal information about the end user.
- Future integration with institutional portals and SSO. Shibboleth provides standard communication protocols that could be implemented at the institutional level, so that patrons would not have to learn a separate login for library services.
- Access control to online databases. This would require the online database vendors to implement shibboleth as service providers, but some online resources are already doing this.
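The two points above that matter most to a security engineer are the identity provider / service provider split and the attribute release control that protects patron privacy. The following is an added example, not code from USMAI or from the Shibboleth project: a toy identity provider holding a full patron record applies a per-service-provider release policy (deny by default), and an EZProxy-style service provider authorizes on the single affiliation attribute it is given. The patron record, barcode and entity IDs are constructed; the attribute names are the standard eduPerson ones.

```python
"""Added example (not USMAI or Shibboleth project code): attribute release
policy at a toy identity provider, and authorization at a service provider
that only ever sees the attribute it needs."""

# Full patron record held by the identity provider (constructed sample data).
PATRON_DIRECTORY = {
    "21234000011111": {
        "sn": "Doe",
        "givenName": "Jane",
        "mail": "jdoe@example.edu",
        "eduPersonScopedAffiliation": "member@example.edu",
        # In a real deployment this is an opaque, per-service-provider value.
        "eduPersonTargetedID": "a1b2c3d4",
    }
}

# Release policy: which attributes each service provider (hypothetical entity
# IDs) may receive. EZProxy needs only affiliation; ILLiad also needs a stable
# identifier to tie requests to a patron. Anything not listed gets nothing.
RELEASE_POLICY = {
    "https://ezproxy.example.edu/shibboleth": {"eduPersonScopedAffiliation"},
    "https://illiad.example.edu/shibboleth": {
        "eduPersonScopedAffiliation",
        "eduPersonTargetedID",
    },
}


def release_attributes(barcode, sp_entity_id):
    """Return only the attributes the policy allows for this service provider."""
    record = PATRON_DIRECTORY.get(barcode)
    if record is None:
        raise KeyError("unknown patron")
    allowed = RELEASE_POLICY.get(sp_entity_id, set())   # deny by default
    return {name: value for name, value in record.items() if name in allowed}


def ezproxy_authorize(attributes, home_scope="example.edu"):
    """EZProxy-style decision: any recognised affiliation at the home scope suffices.

    No name, e-mail or identifier is needed, so none is ever requested.
    """
    affiliation = attributes.get("eduPersonScopedAffiliation", "")
    value, _, scope = affiliation.partition("@")
    return scope == home_scope and value in {"member", "student", "faculty", "staff"}


if __name__ == "__main__":
    ezp = "https://ezproxy.example.edu/shibboleth"
    released = release_attributes("21234000011111", ezp)
    print("released to EZProxy:", released)
    print("authorized:", ezproxy_authorize(released))
```

The point to take from the block is that the service provider's decision function is written against the minimum attribute, so the release policy can be tightened to exactly that attribute without breaking authorization; an unregistered service provider receives an empty attribute set and is therefore denied.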
Implementation overview for USMAI libraries
Library services will be implemented as shibboleth service providers. The first services to be shibboleth-enabled will be Researchport and EZProxy, with others to follow.
Library services will initially authenticate against an identity provider built upon the Aleph patron database. This will ask for patrons to authenticate using their library barcode and last name.
If and when institutions within USMAI implement shibboleth identity providers at their institutions, library services will authenticate against the institutional identity providers.
Implementation Phases - What to Expect
- Phase I: Researchport, SFX, EZProxy
Phase I involves configuring Researchport and EZProxy to use shibboleth for authentication. In Phase I, there is single sign-on between these three products (RP, SFX, and EZP). Previously, there were some workflows in which users were asked to log in twice when navigating between Researchport, SFX, and EZProxy. Now that Phase I is complete, users are no longer asked to log in twice between these services.
(NOTE: This phase only applies to EZProxy instances run by ITD, and to campuses that use the Aleph patron database as the authentication source for Researchport.)
This phase was completed April 20, 2006.
- Phase II: ILLiad
Phase II involves configuring consortial ILLiad (8 campuses), and the ILLiad instances that use Aleph for authentication (2 campuses), to use shibboleth for authentication. Once Phase II is complete, there will be single sign-on between ILLiad and the Phase I services.
Example workflow once this phase is complete: User logs into Researchport. User clicks on 'Find It' button. From SFX menu, user clicks to request item from ILL. User enters ILLiad request screen without having to log in again.
(NOTE: This phase only applies to the ILLiad sites in the consortial ILLiad purchase, and to UM and UB.)
UM ILLiad instance was shibboleth-enabled on May 24, 2006.
This phase was completed May 31, 2006.
- Phase III: Aleph catalog
Phase III involves configuring Aleph to use shibboleth for authentication. This phase requires Aleph to be version 18. Once Phase III is complete, there will be a single sign on between the catalog and the Phase I and II services.
Example workflow once this phase is complete: User accesses the catalog from off-campus. User signs in to the catalog. User then clicks on a 'Find It' button in the catalog. User then clicks to Full Text without being prompted a second time for a username and password.
This phase was completed July 15, 2007.
- Future Phases:
ITD plans to work with institutions who have implemented ILLiad on their own and would like to integrate their ILLiad implementation with our shibboleth single sign on solution.
ITD is open to work with institutions who have implemented ezproxy on their own and would like to integrate their ezproxy instance with our shibboleth single sign on solution.
ITD will also be working with institutions within the consortium who are implementing shibboleth identity providers at the institutional level. This would provide for a single sign on between library services and campus services, such as WebCT and institutional portals.
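The phase descriptions above all describe the same mechanism: one identity provider session, several service provider sessions, and a user who types credentials once. As an added example (not code from USMAI, ExLibris or the Shibboleth project), the following toy model walks the Phase II workflow, Researchport to 'Find It' (SFX) to an ILLiad request, and counts login prompts. The patron barcode and last name, the entity IDs and the session lifetime are constructed; the subject handed to each service provider is a per-service pseudonym in the spirit of eduPersonTargetedID, so no service provider sees the barcode.

```python
"""Added example, not USMAI code: a toy model of the single sign-on workflow.
One identity provider keeps a session per browser; each service provider
keeps its own session and asks the IdP for an assertion when it has none."""

import hashlib
import secrets
import time


class Browser:
    """Stands in for the user's browser: just a cookie jar."""

    def __init__(self):
        self.cookies = {}


class IdentityProvider:
    def __init__(self, patrons, session_ttl=8 * 3600):
        self._patrons = patrons      # barcode -> last name (constructed, Aleph-style credentials)
        self._sessions = {}          # IdP cookie -> (barcode, expiry timestamp)
        self.ttl = session_ttl
        self.login_prompts = 0       # how many times the user had to type credentials

    def authenticate(self, browser, barcode, last_name):
        """Check credentials; on success start an IdP session bound to this browser."""
        self.login_prompts += 1
        if self._patrons.get(barcode) != last_name:
            return False
        cookie = secrets.token_hex(16)
        self._sessions[cookie] = (barcode, time.time() + self.ttl)
        browser.cookies["idp_session"] = cookie
        return True

    def assertion_for(self, browser, sp_entity_id, credentials=None):
        """Return an assertion for sp_entity_id, prompting only if no live IdP session exists."""
        session = self._sessions.get(browser.cookies.get("idp_session"))
        if session is None or session[1] < time.time():
            if credentials is None or not self.authenticate(browser, *credentials):
                return None              # caller must send the user to the login page
            session = self._sessions[browser.cookies["idp_session"]]
        barcode = session[0]
        # Per-service-provider pseudonymous subject: the SP never sees the barcode.
        subject = hashlib.sha256(f"{barcode}|{sp_entity_id}".encode()).hexdigest()[:16]
        return {"subject": subject, "audience": sp_entity_id}


class ServiceProvider:
    def __init__(self, entity_id, idp):
        self.entity_id = entity_id
        self.idp = idp
        self._sessions = {}          # SP cookie -> subject

    def access(self, browser, credentials=None):
        """Serve the protected resource: reuse the SP session, else obtain an assertion."""
        subject = self._sessions.get(browser.cookies.get(self.entity_id))
        if subject is None:
            assertion = self.idp.assertion_for(browser, self.entity_id, credentials)
            if assertion is None or assertion["audience"] != self.entity_id:
                return None
            subject = assertion["subject"]
            cookie = secrets.token_hex(16)
            self._sessions[cookie] = subject
            browser.cookies[self.entity_id] = cookie
        return subject


def run_workflow(session_ttl=8 * 3600):
    """Phase II workflow: Researchport -> 'Find It' (SFX) -> ILLiad request, one login."""
    idp = IdentityProvider({"21234000011111": "Doe"}, session_ttl)
    rp, sfx, illiad = (ServiceProvider(n, idp) for n in ("researchport", "sfx", "illiad"))
    browser = Browser()
    before_login = rp.access(browser)                          # no session anywhere: None
    rp_subject = rp.access(browser, credentials=("21234000011111", "Doe"))
    sfx_subject = sfx.access(browser)                          # IdP session reused, no prompt
    illiad_subject = illiad.access(browser)
    return {"before_login": before_login, "prompts": idp.login_prompts,
            "subjects": (rp_subject, sfx_subject, illiad_subject)}


if __name__ == "__main__":
    print(run_workflow())
```

Running `run_workflow()` with the default lifetime yields one prompt and three distinct subjects; calling it with an already-expired lifetime shows the failure mode a practitioner should expect, namely that the first service provider keeps its own session while the next one sends the user back to the login page.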
Project Status
- July 15, 2007 - Aleph was shib-enabled
- October 9, 2006 - Access to EBSCO alumni portal is now Shibboleth-enabled. More info on the service is available at Friends of the Libraries
- August 30, 2006 - USMAI ILLiads are now able to take advantage of user attributes during registration and to control access. More info here
- May 31, 2006 - USMAI ILLiads are now Shibboleth-enabled.
- May 24, 2006 - UM ILLiad now Shibboleth-enabled: http://docdel.umd.edu/illiad.
- April 20, 2006 - Phase I completed. Shibboleth-enabled PDS and EZproxies are in production.
- February 17, 2006 - Shibboleth-enabled PDS is available for testing with Researchport: http://soejuk.umd.edu.
- February 6, 2006 - Shibboleth successfully integrated with consortial ILLiad implementation. ILLiad is not yet able to take full advantage of shibboleth attributes, but is able to accept one ID attribute from shibboleth to identify the patron.
- January 17, 2006 - Beginning investigation to shibboleth-enable consortial installation of ILLiad.
- January 6, 2006 - Completed development with ExLibris to shibboleth-enable PDS. Initially configured development version of Metalib to use the shibboleth-enabled PDS. Shibboleth-enabled PDS will be generally released by ExLibris in February, at which point we will install on our test instance of Metalib.
- November 8, 2005 - Met with Oren Beit-Arie (ExLibris). Agreed to be development partners with ExLibris to develop 'shibbolized' PDS.
- November 4, 2005 - Shibboleth identity provider for all USMAI institutions installed on ITD test server (soejuk).
- June 1, 2005 - Shibboleth service provider, EZProxy, configured to use ITD-developed identity provider.
- May 28, 2005 - Shibboleth identity provider installed and configured to use Aleph patron database for authentication. Proof of concept.
- February 4, 2005 - ITD downloaded and began investigating shibboleth.
Documentation
- Shibboleth Definitions
- Shibboleth diagrams - overview of shib architecture and view of shib at USMAI
- Shibbolizing PDS - documenting shibbolizing PDS from the customer perspective
- Multiple Identity Providers - technical description of how we implemented virtually separate identity providers
- ILLiad - documentation on how to shibboleth-enable ILLiad
Presentations
- Shibboleth for Real.ppt - Presentation at CNI Spring Task Force Meeting, April 3-4, 2006, Arlington, VA. Presenters: Thomas Wilson, Oren Beit-Arie, David Kennedy, James Mouw
- Internet2_kennedy_shib.ppt - Presentation at Internet2 Spring Meeting, April 24-26, 2006, Crystal City, VA.
- ITCC_kennedy_shib.ppt - Presentation of Libraries' Shibboleth project to ITCC
- ELUNA_shib.ppt - ELUNA presentation
- Shib4Lib_cni.ppt - Presentation at CNI Fall Forum, December 10-11, 2007, Washington, DC
Resources
Internet2 Shibboleth open source project web presence: http://shibboleth.internet2.edu
USM Middleware Resources
| © 2005 University System of Maryland and Affiliated Institutions. Privacy policy |