Tuesday, August 9, 2011

That's All She Wrote

Somewhat delayed by my involvement in the transition of UK federation operations on 1st August 2011, the WSTIERIA project web page has now been updated to include the project's deliverables, including the final report.

The main direction of the project since previous posts progressed from the "facade" approach to investigating the delegation features in Shibboleth. These allow a web application to invoke web services on behalf of a logged-in user without the user having to authenticate directly with those web services.

With a little hand-holding from the project's consultant (Chad La Joie from the Shibboleth team), we managed to deploy and configure a complete minimal system, a kind of "hello, world!" delegation example: a Shibboleth identity provider with the delegation plug-in, a Shibboleth service provider controlling access to a test web application, and another Shibboleth SP protecting a test web service. We were able to demonstrate a user logging in to the web application and viewing output from the protected web service, without the user having to log in separately to the web service. (In fact, we demonstrated this "live" to the project's JISC programme manager on a site visit).

The test system, and our experience of setting it up, is described in the WSTIERIA project's final report. The software is functional, although at this stage still somewhat challenging to configure correctly. Two constraints raise a question mark over whether the technology can yet be practically deployed in applications where users from many different institutions are expected: every entity involved must support SAML2, and every user's identity provider must be specially configured with both the entity ID of the web application that will perform delegation and the entity IDs of the web services that the web application will log in to on the user's behalf. Where the user base is more constrained, and in particular for intra-institutional applications such as the original student portal use case for which the software was developed, it should be more immediately deployable in the field.

The Shibboleth team is looking at ways of simplifying delegation configuration in several ways that could make cross-organisational scenarios much more tractable (for example, by allowing the identity provider to trust a given web application to delegate without requiring knowledge of the entity IDs of all the target web services).

Application of those future possibilities is likely to fall to others though, as after several years of working on access management at EDINA, I will be moving on in September. This will therefore probably be my last blog post here.