tidBiTS
Informs and engages the UNB community on IT developments and news

Shibboleth a Key Piece to the Student connectEd Puzzle

Author: ITS

Posted on Jan 19, 2012

Category: General Interest , Geek Speak

Geek Speak Warning

Last year, UNB student email was migrated from Webmail to the new connectEd environment, a fully integrated and supported suite of productivity tools for email, calendaring, messaging, collaboration, and more.

In order to integrate students’ connectEd services with UNB’s existing IT environment and to ensure single sign-on access to those services through the myUNB Portal, ITS had to enlist the help of a product known as Shibboleth.

What is Shibboleth?

Shibboleth is an open-source implementation of the SAML (Security Assertion Markup Language) standard. It provides an authentication and authorization mechanism for web services, as well as single sign-on. The Shibboleth login server itself runs inside UNB, but the services it protects can be located within UNB or outside the organization’s infrastructure (e.g. cloud services).

Authentication and Authorization

Shibboleth can provide not only authentication services, but authorization services as well. What is the difference? Authentication establishes who you are, based on credentials such as your UNB login ID and password. Authorization decides what you may do, based on information contained on the person’s record in the directory service (see the tidBiTS article “What is LDAP” for more on this). For example, a student may have access to certain portions of the eServices menu, while a staff member, or perhaps a researcher, would have access to other options. Based on the user’s affiliation, they are “authorized” to view certain menu options or gain access to certain services. We refer to these as “Entitlements”. Shibboleth hands these directory values to the service as attributes along with the login result; the service never sees the password itself, only a signed statement that the user authenticated and the attributes that were released to it.

Single Sign-on

Single sign-on allows a user to authenticate (log in) to one service such as the myUNB Portal and be automatically authenticated to all other authorized services, such as eServices, without having to enter login credentials again. Shibboleth provides this functionality via a) a special HTTP cookie (see the tidBiTS article “Cookies for Everyone! – Demystifying HTTP Cookies” for more on cookies) that records the user’s login session with the Shibboleth server, so the next service that asks for authentication does not trigger another password prompt, and b) relationship information stored on the Shibboleth server regarding the service being accessed: whether the service is known and trusted, and which pieces of the user’s directory record may be released to it. The Shibboleth server then sends the service a digitally signed statement that the user has logged in, together with those attributes, and the service verifies the signature before trusting any of it. Whether or not the user can gain access to the system is determined behind the scenes, and as such is transparent to the user. One consequence worth knowing: logging out of an individual service does not necessarily end the Shibboleth session, so on a shared computer the safe step is to close the browser.

Shibboleth  @ UNB

The University of New Brunswick currently has a Shibboleth server in place to authenticate students to their connectEd mailbox, and ITS will be moving more and more services over to authenticate via Shibboleth in 2012. Other departments at UNB are already planning to roll out new software and services that authenticate against Shibboleth, specifically UNB Library Services. Authenticating against Shibboleth will let the library provide services not only to UNB faculty, staff and students, but also to faculty and students visiting from other institutions, such as Saint Thomas University or Dalhousie University. Those visitors will log in to the UNB Library system using their own credentials from their home institution; it is the home institution’s Shibboleth server that checks the password, so UNB never sees or stores it.

Federation

One of the interesting aspects of using Shibboleth is the concept of “Federation”. UNB (along with several other universities across Canada) is a member of the Canadian Access Federation (CAF). Being a member of CAF has several perks, including immediate access to cloud services that support the Federation, such as Microsoft DreamSpark or ProQuest.com. The Federation itself does not handle logins. It publishes a signed list (called metadata) of its members’ Shibboleth servers and services, along with the keys each one signs with. When a user arrives at a federated service, the service uses that list to send the user to their home institution’s Shibboleth server to log in, and that server returns the signed login statement and attributes the service needs to make its authorization decision. A service or login server that is not in the Federation’s metadata is simply not trusted.
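The sections on authentication and authorization, single sign-on, and federation above describe one exchange from three angles. The Python model below puts them together. It is an added example written for this article, not Shibboleth’s own code: the entityIDs, directory records and federation metadata are made up, dictionaries stand in for the LDAP directory and the metadata file, and an HMAC-SHA256 tag stands in for the SAML XML signature a real Shibboleth server produces. What it shows is the part that matters for security: the identity provider releases only the attributes the service is entitled to, the service trusts nothing in the assertion until the issuer is a known federation member, the signature verifies, the audience is the service itself and the validity window has not passed, and the authorization decision fails closed on a missing attribute.

```python
import base64
import hashlib
import hmac
import json

# --- Constructed sample data; every name below is made up for this example ---
# Stand-in for federation metadata: the identity providers (IdPs) a service
# trusts and the key each one signs with. Real SAML metadata carries X.509
# certificates; HMAC keys are used here so the example runs without an
# XML-signature library.
IDP_KEYS = {
    "https://idp.home.example/shibboleth": b"home-idp-signing-key-0123456789",
    "https://idp.visitor.example/shibboleth": b"visitor-idp-signing-key-9876543",
}

# Stand-in for the Shibboleth server's "relationship information": which
# service providers (SPs) it knows and which directory attributes each may see.
SP_REGISTRY = {
    "https://eservices.home.example/shibboleth": ["uid", "affiliation", "entitlement"],
    "https://library.home.example/shibboleth": ["affiliation"],
}

# Stand-in for each institution's LDAP directory (one person record per user).
DIRECTORIES = {
    "https://idp.home.example/shibboleth": {
        "jdoe": {"uid": "jdoe", "affiliation": ["student", "member"],
                 "entitlement": ["urn:example:eservices:grades"]},
    },
    "https://idp.visitor.example/shibboleth": {
        "vlee": {"uid": "vlee", "affiliation": ["faculty", "member"],
                 "entitlement": []},
    },
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text)


def encode_assertion(payload: dict, key: bytes) -> str:
    """Serialise and sign an assertion as <base64 body>.<base64 HMAC-SHA256>."""
    body = json.dumps(payload, sort_keys=True).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def idp_issue(issuer: str, uid: str, sp_entity_id: str, now: float, ttl: int = 300) -> str:
    """IdP side. The user already logged in once (that is what the IdP session
    cookie records). For each service the IdP checks its relationship with the
    SP and releases only the attributes that SP is allowed to receive."""
    if sp_entity_id not in SP_REGISTRY:
        raise PermissionError("no relationship with this service provider")
    person = DIRECTORIES[issuer][uid]
    payload = {
        "issuer": issuer,
        "subject": uid,
        "audience": sp_entity_id,      # the one service this assertion is for
        "issued": now,
        "expires": now + ttl,
        "attrs": {name: person[name] for name in SP_REGISTRY[sp_entity_id]},
    }
    return encode_assertion(payload, IDP_KEYS[issuer])


def sp_consume(token: str, my_entity_id: str, now: float) -> dict:
    """SP side. Nothing in the assertion is trusted until the issuer is a known
    federation member, the signature verifies with that issuer's key, the
    audience is this service, and 'now' lies inside the validity window."""
    body_text, sig_text = token.split(".")
    body = _unb64(body_text)
    claimed = json.loads(body)
    key = IDP_KEYS.get(claimed.get("issuer"))
    if key is None:
        raise PermissionError("issuer is not a trusted identity provider")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_text)):
        raise PermissionError("signature does not verify")
    if claimed["audience"] != my_entity_id:
        raise PermissionError("assertion was issued for a different service")
    if not claimed["issued"] <= now < claimed["expires"]:
        raise PermissionError("assertion is outside its validity window")
    return claimed


def authorize(attrs: dict, attr_name: str, required_value: str) -> bool:
    """Authorization decision on a multi-valued attribute: exact match only,
    and an attribute that was never released means 'no', not an error."""
    return required_value in attrs.get(attr_name, [])
```

A typical run: `idp_issue(home_idp, "jdoe", eservices, now)` returns a token that `sp_consume(token, eservices, now)` accepts, after which `authorize(attrs, "entitlement", "urn:example:eservices:grades")` is true and the payroll entitlement is false. The same token presented to the library SP is rejected on audience, a token re-signed with any key other than the issuer’s is rejected on signature, and a visitor from the second IdP reaches the library with only an `affiliation` attribute, which is all that SP is registered to receive.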