Info Grid 2005 - Tuesday 27th, 2:25 - Shibboleth and ScienceDirect

2:25
Shibboleth adoption by content providers (Shibboleth and ScienceDirect)
Ale de Vries, Elsevier Product Manager, Science Direct

[Elsevier marketing stuff...]

[background on authentication]

Federated Authentication

Pros:
* Allows access to remote services using campus login credentials
* No extra admin overhead for customer
* Simpler for users
Cons:
* Complex to implement
* Requires agreement on "rules of the game" between all vendors and institutions

Elsevier's view

* Shared / Federated
- fulfills customers needs
- win/win (less admin)
* we will continue to anonymous, campus-wide access whatever the tech
* we will continue to offer PZN in exchange for basic end-user registration

Shib benefits as Elsevier sees them

* replacement for IP authN
- removed admin burden of IP maint
- removes dependencies on network arch
* allows PZN based on local creds
* removes need to remember multiple user/pass
* avoids problems of proxy servers
* helps us provide the broadest possible access to our customers

Shib and SD: ramp-up

* April 2002 - workshop
* May 2004 - Shib release
* based on Shib 1.1
* held workshops to involve customers and Internet2
* Findings
- anon non-personal a must
- provide option to PZN with opaque unique ID
- needed support for deep linking (need to authenticate no matter where on the site the user enters)

Shib and SD: ... testing...

* Dartmouth, Georgetown, NYU, UCSD, Penn State
* no major problems
* none of the pilot participants rolled out access to broad user community

Shib and SD: production

* Fed 2005: Moved to InCommon
* July 2005: multi-federation support due to release
- main issue is branding and IdP discovery in a multi-federation world

Current Status

* University of Southern California: up and running in May
* Working with SUNY Buffalo and Georgetown
* in discussion with JISC (UK), SWITCHaai (CH - Swiss), SURFnet (NL)

WAYF issue

- multifederation: no one runs a WAYF of WAYFs

:( end users don't understand federation concept
:) but federations are geographically oriented

[example of Shib login to SD - recorded live in production]

uses a cookie to remember your organizational affiliation

Open Issues

* Tech new, complex and rapidly changing
* Federations are in very early stages
* Uptake is key... we are at a critical point
* need to make implementation easier for smaller customers and vendors
* Elsevier is committed to making access easier for users and will continue to support Shibboleth

Tech: c.shillum@elsevier.com

Q (from AA of Google Scholar): do you see a lot of IP spoofing?
A: no

Q: assuming that you are planning to offer Web Service access to Science Direct... do you have plans
to offer access control
A: Web Services... well... not yet.

Q: what do you log? user path through site?
A: yes we log, analysis is on aggregated basis, we have to log path to do reporting to customers,
and for product improvement

Q: to what detail do you know the user when they login using InCommon - e.g. student from university X?
A:
1. can come in using provider ID - identifies institution
2. can come in using target ID - identifies individual - dependent on federation - if not wanted for
personalization, Science Direct discards this ID

Q: do you see a lot of use of personalization in your product?
A: quite some - between 5 to 25%