Internet2
Site Index |
Membership | Communities | Network | NET+ | Research | Events | News | About
| Internet2 Home > Middleware

Middleware
>Home
>Middleware
   Overview (PDF)
>Mailing Lists


Shibboleth-based Federations within Higher Education

The approach that is being developed is intended to address Shibboleth usage by both enterprises and researcher/developers within the broad higher education community, including the international community, and address the needs of those business partners who provide services to this community.

The approach leverages the capabilities within Shibboleth 1.0 to configure two sets of control data, one for more operational Shibboleth settings and one more oriented towards trust and privacy issues. The approach also includes establishing the standard values that are transported between enterprises using Shibboleth.

The model is one of a “cluster” of distinct federations within higher education, with each federation setting a set of independent standards, but subscribing as well to a cluster-wide set of agreements. The assumption is that federations will correspond to national higher ed networked communities, with one or more federations per nation. By participating in national federations, universities can customize trust and privacy rules and establish particular sets of common attributes, entitlements and other services for distinctive national needs. By that federation participating in the cluster of higher ed, interactions can operate across national borders and global providers for digital content, Grid computing, etc. can deploy effective services. The model also permits limited-purpose federations, for example Shibboleth research testbeds, to coexist with production services.

Within a Shibboleth-based federation, agreements are typically established around the following issues:

  • a list of the operational metadata for each of the sites in the federation (a signed sites.xml)
  • a list of the trust values for each of the sites in the federation (a signed trust.xml)
  • attributes and entitlements that will be exchanged (e.g. eduPerson, urn:mace:InCommon:licensed1)
  • operational procedures and/or legal understandings, both at the enterprises and for the federation, to address security, privacy, and data integrity concerns.

Several federations are already apparent within the cluster of higher ed. One is InCommon, which is intended to be a long-term, general purpose federation among US institutions. A second is ClubResearch, intended to support Shibboleth-based researchers who do not represent enterprises. The SWITCH network in Switzerland in intended to be a Swiss equivalent to InCommon. Other countries using Shibboleth as a national infrastructure for sharing are expected to establish similar federations.

There is one additional, somewhat special federation required within the cluster, at least as a transitional service. That federation is called InQueue and represents a staging federation where institutions can join that want to participate in the use of Shibboleth but have not yet identified an approriate federation to join. This may occur for institutions whose countries have not established national federations yet, or campuses can not comply with the trust and privacy issues of existing federations. It is unclear at this point whether the institutions can stay permanently in InQueue or whether InQueue itself is a long-term requirement.

The following picture illustrates the above.

© 1996 - 2010 Internet2 - All rights reserved | Terms of Use | Privacy | Contact Us
1000 Oakbrook Drive, Suite 300, Ann Arbor MI 48104 | Phone: +1-734-913-4250