Attributes and Security Drive U. Florida's Choice of Shibboleth for SSO
The University of Florida used Shibboleth to replace their own existing single sign-on system to address developing security concerns. During the implementation, Florida was able to use Shibboleth's capabilities to establish new policies for including departments in the administration of identity attributes.
Since 1997, the University of Florida has operated, with great success, a home-grown single sign-on (SSO) system to provide access to web services and all of the main enterprise systems on campus. Security concerns began showing up in 2006, causing IT professionals to think about the next step in single sign-on.
“Rather than completely rearchitect, redesign and rewrite the home-grown system, we decided to implement Shibboleth,” said Mike Conlon, associate CIO, IT architecture, at the University of Florida. Conlon and his implementation team spent eight months in public discussions, meeting with small groups and holding larger town-hall discussions to provide the rationale for replacing the legacy system. “We had to convince people that, despite the fact that this thing was working great for them, there were significant problems and it had to be replaced,” Conlon said. Florida’s primary interest in Shibboleth was as a robust SSO solution. “What we get with Shibboleth is a secure, controlled release of attributes,” Conlon said. “We did not have that in the old system.”
Shibboleth® Single Sign-on and Federating Software is a standards-based, open-source system providing individual access to protected online resources while preserving individual privacy through the use of attributes. Attributes carry information about an individual – whether the person is a student, or is in a certain major, or even in a specific course. If a resource is limited to biology students, for example, attributes allow the authorization decision to be made without manual intervention and without necessarily releasing personally identifiable information. By carefully crafting policies for the exchange and release of attributes, identity providers and service providers can provide very fine-grained access control.
Florida staff members spent considerable time defining the ways in which Shibboleth would be used, then creating attribute release policies (ARPs) to cover 90 percent of those cases. “We involved a group of 20 people, representing all of our enterprise system groups, as well as identity and access management thought leaders,” Conlon said. “We were expansive in our thinking about attribute release policies, to make sure to cover our use case territory.”
“We have gotten very good reactions from a wide variety of people across campus,” Conlon said, “such as distance education, the health center, our research community, and the library.” Florida has a large Active Directory implementation and, much to the delight of departments across campus, included an attribute release policy related to their local groups. “One of the ARPs is to determine a person’s local groups,” Conlon explained. Such groups include classes and majors. A system administrator can manage groups in Active Directory and, because of SSO, a user will have access upon signing in.
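As an added illustration of the attribute release policies described above (it is not the University of Florida’s configuration), the following Shibboleth IdP attribute-filter.xml fragment, in the current v3/v4 syntax, releases only a scoped affiliation and one local group membership to a single service provider, so that provider can authorize biology students without receiving username, name or e-mail. The service provider entity ID, the group value and the attribute IDs are assumed placeholders; attribute IDs must match those defined in the IdP’s attribute-resolver.xml.

```xml
<!-- Added example, not the University of Florida's configuration.
     Shibboleth IdP attribute-filter.xml (v3/v4 syntax). Attributes are
     denied by default; only what a policy explicitly permits is released. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
        xmlns="urn:mace:shibboleth:2.0:afp"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">

    <!-- This policy applies to one service provider only (hypothetical entity ID). -->
    <AttributeFilterPolicy id="biologyResource">
        <PolicyRequirementRule xsi:type="Requester"
                               value="https://biology-sp.example.edu/shibboleth" />

        <!-- Coarse role (student, faculty, staff) scoped to the home domain,
             e.g. student@example.edu. No individual identifier is included. -->
        <AttributeRule attributeID="eduPersonScopedAffiliation">
            <PermitValueRule xsi:type="ANY" />
        </AttributeRule>

        <!-- Local group membership (e.g. sourced from Active Directory), but
             only the one group this resource needs; every other group value
             the user holds is filtered out before release. -->
        <AttributeRule attributeID="isMemberOf">
            <PermitValueRule xsi:type="Value"
                             value="cn=biology-students,ou=groups,dc=example,dc=edu" />
        </AttributeRule>

        <!-- No AttributeRule for uid, mail or displayName: because the default
             is deny, those attributes are never sent to this provider. -->
    </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>
```

A second service provider gets its own AttributeFilterPolicy with its own Requester rule, which is how a small set of policies can cover most use cases while each provider sees only the attributes it needs.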
Conlon said Florida plans to provide Shibboleth integration with all future software and enterprise systems. “We plan to use Shib to access PeopleSoft, our course management system, and our legacy student system,” he said. “We made sure Shib could handle the capacity of all of our enterprise systems running together.”
Florida has also begun taking advantage of the federating aspects of Shibboleth. “We were not interested in being SSO innovators,” Conlon points out, “and it turns out our timing was very good for our Shib implementation, in terms of federating.” That’s because of the growth in the number of vendors joining the InCommon Federation. The university has started working with several InCommon participants.
“All of this has really come about in the last 12 months,” Conlon said. “When I go to the InCommon list and see the participants, I’m interested in that right-hand column (where the sponsored partners appear). These are people that provide services to us and wouldn’t it be cool if they just took our credentials. And they do.”