OIT Staffer Helps Develop Internet2 Shibboleth Project

Article by Richard Wofford
Originally published in a different format

Scott Cantor, senior Web data access developer for the Office of Information Technology, is coauthoring the architecture specification and helping to implement the Internet2 Shibboleth project. Shibboleth is investigating technology to support inter-institutional authentication and authorization for Web pages and services.

Shibboleth lets users control how much, if any, of their profile information is shared with other participating sites: the user creates a profile and determines how much of their authorization data is released. It is a form of peer-to-peer collaboration in which both the user and the site determine who gets access and how much data is exchanged or needed for authorization.

The word shibboleth in ancient Hebrew dialect meant "ear of grain" (or, some say, "stream"). A shibboleth is a kind of linguistic password: a way of speaking (by pronunciation or the use of a particular expression) that identifies one as a member of an "in" group.

The Shibboleth project began in 1999 and received additional support from IBM in 2000. Cantor joined the project last May and through his involvement became a member of the Internet2 Middleware Architecture Committee for Education (MACE). Funding for Shibboleth is through Internet2, with IBM providing staffing and implementation help.

MACE forms working groups as needed to explore specific issues. These working groups are open to broad membership from the higher education and research communities, but overall size is restricted to facilitate group operations.

Shibboleth is focusing on a relatively "simple" need to share a Web page (or CGI service) with individuals or groups from various institutions, using the credentials and directories of their respective institutions.

This project will prototype or complete an implementation that satisfies this "simple" need. For example, if user@osu.edu tries to authenticate to a Web page at the University of Michigan, the Michigan server will send the user back to an OSU server, where the user is challenged for credentials (an e-mail address, Kerberos principal, or X.509 certificate, along with related material such as a password or tickets). The Michigan server will then use Shibboleth technology to obtain authorization attributes for the OSU user and grant or deny access.

Shibboleth is similar to Microsoft's .NET Passport. It provides federated authentication instead of requiring accounts at other institutions, partitioning the work of authenticating users among their home institutions. The Shibboleth team expects to release alpha code in early 2002 and a demo version by spring. Shibboleth is browser- and platform-independent and based on an XML standard from OASIS called SAML (Security Assertion Markup Language), which Cantor and others on the Shibboleth team are helping to develop.
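The exchange described above (the target site sending the user home to authenticate, then obtaining only the attributes the user's own policy releases) as a toy model in Python. This is an added example written for this article, not code from the Shibboleth project; the class names, the opaque single-use handle that stands in for the origin site's assertion, and all sample users and attributes are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class OriginSite:
    """Home institution (e.g. OSU): checks credentials, releases attributes."""
    name: str
    users: dict            # username -> password   (constructed sample data)
    attributes: dict       # username -> {attribute: value}
    release_policy: dict   # username -> {target site: attributes the user shares}
    handles: dict = field(default_factory=dict)  # opaque handle -> username

    def authenticate(self, username, password):
        # Credentials are checked at home; the target site never sees them.
        if self.users.get(username) != password:
            return None
        handle = secrets.token_hex(8)  # assumed: opaque one-time reference to the user
        self.handles[handle] = username
        return handle

    def attribute_query(self, handle, target):
        # Release only what this user's own policy allows for this target site.
        username = self.handles.pop(handle, None)  # handle is single-use
        if username is None:
            return {}
        allowed = self.release_policy.get(username, {}).get(target, set())
        return {k: v for k, v in self.attributes[username].items() if k in allowed}


@dataclass
class TargetSite:
    """Resource owner (e.g. Michigan): decides access from released attributes."""
    name: str
    required_affiliation: str

    def access(self, origin, handle):
        attrs = origin.attribute_query(handle, self.name)
        return attrs.get("affiliation") == self.required_affiliation, attrs


# Constructed sample data: the user shares affiliation with umich.edu but withholds mail.
OSU = OriginSite(
    name="osu.edu",
    users={"user": "correct-horse"},
    attributes={"user": {"affiliation": "student", "mail": "user@osu.edu"}},
    release_policy={"user": {"umich.edu": {"affiliation"}}},
)
UMICH = TargetSite(name="umich.edu", required_affiliation="student")


def run_flow(username, password, origin=OSU, target=UMICH):
    """Full exchange: authenticate at home, then let the target query attributes."""
    handle = origin.authenticate(username, password)
    if handle is None:
        return False, {}
    return target.access(origin, handle)
```

Running `run_flow("user", "correct-horse")` grants access while leaving the mail attribute at OSU, and a second attribute query with the same handle returns nothing.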

OSU is not necessarily an initial test site since it does not have an immediate application to deploy. However, Cantor feels parts of the project can be implemented at OSU.

"I greatly enjoy working on this project," he said. "It can be frustrating working by committee, but still enjoyable. It is a gateway to other things which would not have happened had I not gotten involved with Shibboleth."